Man Linux: Main Page and Category List


       lazarus - create structure from unstructured data


       lazarus  [ -1bBdhHtT ] [ -D directory ] [ -H directory ] [ -w directory


       lazarus tries to revive things that have died and gone into the  binary
       spirit world... deleted files, data in memory, swap, etc.

       Lazarus  reads  and  examines  data,  and  if  the  data passes certain
       criteria marks it as a known or unknown block of information and  saves
       it  in  a data directory.  Saved data blocks can be examined later with
       additional tools or via a browser if lazarus is run with the -h  (HTML)

       The  output  is  a  set  of  characters (or HTML color-coded chars, see that correspond to the type of blocks  that  lazarus  sees.
       In  addition  it  creates  files  that  contain the data in the $blocks
       directory (this value is modified with the -B flag or by  changing  the
       default   values   in,  the  lazarus  configuration  file.
       Consecutive blocks of the same character type means that it has seen  a
       run of blocks that it strings together and stuffs in the same $blocks/*
       output file.  The initial character of a run will always be  a  capital
       letter  (if  possible;  some  types  are denoted by punctuation marks),
       followup letters in the same run will be lowercase.  For  instance,  if
       it outputs "Cc", it means that the first block and second blocks of the
       data  found  are  suspected  to  be  C  programs.   A  "."   represents
       unrecognized binary blocks of data.

       To  make the output stay in semi-manageable size, it does a logarithmic
       compression of the output (base 2).  The first character represents one
       block or less of data, the 2nd from 0-2 blocks, the 3rd 0-4, the fourth
       0-8,  etc.   Blocks  are  typically,  but  not  always  (and  are  user
       definable) 1024 bytes.

        Typical output might look like:


       The  colors (corresponding to the netscape color scheme) and characters
       for recognized text and files are kept in the file, and are:

       type   value       color                 meaning
       t     777777       gray                  unresolved text
       f     ff0000       bright red (alarm)    sniffer stuff
       m     0066ff       blue                  mail
       q     6633ff       pale blue             mailq files
       s     6699ff       purply                emacs/lisp
       p     cc6666       greenish              program file
       c     336666       green                 C code
       h     ff99ff       light purple          HTML
       w     cc3333       reddish               password file
       l     cc9900       light brown           log file

       Binary files are represented by:

       type   value       color                 meaning
       o     bbbbbb       light grey            null block
       r     000000       black                 removed’d block
       x     000000       black                 binary exe
       e     d9d9i9       gold                  ELF
       i     238e68       greenish              JPG/GIF
       a     d19275       black                 cpio/tar/etc
       z     336633       greenish              compressed
       !     000000       black                 audio


       -1      process  byte-style,  one byte at a time, rather than one block
               of data at a time.  Not generally recommended,  perhaps  useful
               for looking at memory, etc.

       -b      don’t write unrecognized binary data blocks (writes by default)

       -B      don’t write ANY binary data blocks (writes by default)

       -d      turn debug on (not recommended ;-))

       -h      emit HTML code rather than ASCII text.   It  outputs  to  three
               files  -  the  data  file  ($ARGV[0])  + .html, .menu.html, and
               .frame.html.    You   generally   want   to   look    at    the
               $ARGV[0].frame.html file (with your browser) initially.

       -H directory
               save  the HTML frames code in this directory.  Only useful with
               -h flag.

       -D directory
               write the data blocks into this directory  name  (hey,  running
               out of letters here, cut me slack!)

       -t      don’t write unrecognized text data blocks (writes by default)

       -T      don’t write ANY text data blocks (writes by default)

       -w directory
               use  this  directory  to  write all the HTML code.  Meaningless
               unless used with -h!




       Distributed under the details found in the COPYRIGHT file found in  the
       root directory of The Coroner’s Toolkit.


       dan farmer