Exam GCIH
Question 147

An investigator performing an initial analysis of a memory image identified a suspicious URL while using the strings utility. A second investigator attempting to recreate the results cannot find the same URL when executing the command below. What could be the cause?

$ strings CASE-43110.mem > case-43110.strings.txt

Correct Answer: D

The correct answer is that the URL is stored in little endian (UTF-16LE) format. By default, the strings utility extracts only ASCII text, so a URL stored as Unicode is skipped. To extract Unicode text, the encoding must be specified explicitly, for example little endian with the -e l option.
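To make the difference concrete, the following added example (not part of the exam page or the SANS course material) builds a small constructed "memory image" containing an ASCII DLL name, a UTF-16LE-encoded URL, and an ASCII user agent, then runs two scans over it: one that mirrors the default ASCII behaviour of strings, and one that mirrors `strings -e l`. The URL, the byte layout, and the minimum length of 4 are constructed assumptions.

```python
import re

# Constructed sample "memory image" (not from any real case): an ASCII DLL name,
# a URL stored as UTF-16LE the way many Windows processes keep strings in memory,
# and an ASCII user-agent fragment.
SAMPLE_IMAGE = (
    b"\x00\x00kernel32.dll\x00\x00"
    + "http://example.invalid/suspicious".encode("utf-16-le")
    + b"\x00\x00Mozilla/5.0\x00"
)

MIN_LEN = 4  # same default minimum run length as GNU strings (-n 4)

# Byte patterns for a run of at least min_len printable characters.
# "ascii" mirrors the strings default; "utf-16-le" mirrors strings -e l
# (each printable byte followed by a NUL). A big endian scan (-e b) would
# use the byte-swapped pair, NUL followed by the printable byte.
_PATTERNS = {
    "ascii": rb"[\x20-\x7e]{%d,}",
    "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}",
}


def extract_strings(data: bytes, encoding: str = "ascii", min_len: int = MIN_LEN) -> list:
    """Return the printable strings found in data for one encoding."""
    pattern = re.compile(_PATTERNS[encoding] % min_len)
    return [m.group().decode(encoding) for m in pattern.finditer(data)]


def scan_all(data: bytes) -> dict:
    """Run every supported scan so the analyst can see what each encoding reveals."""
    return {enc: extract_strings(data, enc) for enc in _PATTERNS}


if __name__ == "__main__":
    for enc, found in scan_all(SAMPLE_IMAGE).items():
        print(f"{enc:10} -> {found}")
```

Running the script shows the ASCII scan returning only `kernel32.dll` and `Mozilla/5.0`, while the UTF-16LE scan returns the URL. This is exactly the gap between the two investigators: the first scan included Unicode output, the second used the default ASCII-only behaviour. When recreating a colleague's findings from a memory image, record the exact strings invocation (including any -e option) alongside the results so the extraction is reproducible.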

Discussion
korruptsystems (Option: D)

Correct answer: D. On Linux, the strings utility operates somewhat differently than Windows. By default, strings extracts only ASCII text. To tell strings to extract Unicode, you need to specify either little endian using -e l or big endian using -e b. Reference: 504.1 Incident Response and Cyber Investigations p. 84