TRAP

Name

  • TRAP - Tool for Regex Analysis with Perl
  • TRAP::Compare
  • StringsCompare

Versions

  • TRAP: Version 0.2.1
  • TRAP::Compare: Version 0.0.1
  • StringsCompare: Version 0.0.1

Description

TRAP

A forensic tool to extract some information from files.

I created this tool after investigating an infected backup file. The file was only one part of a backup, and it was necessary to identify the server to which this piece of backup corresponded. I finally found the server by analysing the file string by string; some strings allowed the absolute identification of the server. I chose to create this tool to spare other people in a similar situation a long search.

It was also important to find out why the file was detected as infected. This tool will help you identify certain payloads or abnormal elements on a server.

I wrote this tool in Perl because it is pre-integrated on all Linux systems and it is particularly optimized for regular expressions.

TRAP::Compare

This Perl script compares TRAP reports by file name, then saves and prints the matches present in multiple files.

StringsCompare

This Bash script compares strings per file, then saves and prints the strings present in multiple files.

I put this script in the TRAP repository because the use case is the same as for TRAP and the results of the two analyses can be complementary. This script can take a long time to run.

Requirements

  • Perl (v5.26)
  • Perl Standard Library
    • strict
    • JSON::PP
    • Text::CSV
    • Pod::Usage
    • Time::Piece
    • Getopt::Long
    • File::Basename
    • Term::ANSIColor
    • File::Map

Installation

git clone https://github.com/MauriceLambert/TRAP.git

Usages

Perl

use strict;
use warnings;
use Text::CSV;
use TRAP;
use TRAP::Compare;

# TRAP: scan one file and append its results to a JSON report.
open my $report, ">>", "report.json" or die "Cannot open report.json: $!";
my $csv = Text::CSV->new( { binary => 1, sep_char => "," } );
my %files = ( CSV => $csv, report => $report );
TRAP::analysis( "myfile.bak", \%files );

# TRAP::Compare: compare the reports found in the matching directories.
# Both modules export "analysis", so the calls are fully qualified here.
my @directories = ( "TRAP_*", "report_*" );
my $reports = TRAP::Compare::analysis( \@directories );
report($reports);

Command line

perl TRAP.pm -h
perl TRAP.pm --help
perl TRAP.pm -t
./TRAP.pm --test --debug --no-color
perl TRAP.pm -c -d -f *.txt,*.bak,*.bin
./TRAP.pm --files *.txt,*.bak,*.bin
perl TRAP.pm -f "forensic_files*,other_files*"
perl TRAP/Compare.pm
perl TRAP/Compare.pm "custom_report_directories*" "second_report_directory*"

Example of Investigations with TRAP

  1. Run the TRAP script to extract information.
  2. Compare the reports by file name with TRAP::Compare to extract the information present in several scanned files.
  3. While analysing the elements highlighted by TRAP::Compare and the reports generated by TRAP, you can launch a more advanced recovery with the StringsCompare.sh script, which extracts the character strings present in several of the analysed files. The goal is to highlight all the common elements.

perl TRAP.pm -f "/tmp/*.bak"
perl TRAP/Compare.pm
bash StringsCompare.sh /tmp/*.bak
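As an added illustration (not TRAP's own code), a small Perl script that does in miniature what the three steps above combine: extract printable strings from several file fragments, tag those matching a few indicator regexes, and list the strings shared by more than one file. The regex set, the function names and the sample fragments are constructed for this example.

```perl
use strict;
use warnings;

# Indicator regexes (a constructed subset; TRAP's own patterns are not reproduced here).
my %patterns = (
    ipv4  => qr/\b(?:\d{1,3}\.){3}\d{1,3}\b/,
    email => qr/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/,
    url   => qr{\bhttps?://[^\s"']+}i,
);

# Runs of at least 4 printable ASCII bytes, as strings(1) would report them (deduplicated).
sub extract_strings {
    my ($data) = @_;
    my %seen;
    return grep { !$seen{$_}++ } $data =~ /([\x20-\x7e]{4,})/g;
}

# Map each indicator name to the strings matching its regex.
sub tag_indicators {
    my @strings = @_;
    my %hits;
    for my $s (@strings) {
        for my $name (sort keys %patterns) {
            push @{ $hits{$name} }, $s if $s =~ $patterns{$name};
        }
    }
    return \%hits;
}

# Strings present in two or more files: the core of what StringsCompare reports.
sub common_strings {
    my (%strings_by_file) = @_;
    my %count;
    $count{$_}++ for map { @$_ } values %strings_by_file;
    return sort { $a cmp $b } grep { $count{$_} >= 2 } keys %count;
}

# Constructed sample "backup fragments": binary padding around a few identifiers.
my %sample = (
    'part1.bak' => "\x00\x01hostname=srv-db01\x00admin\@example.org\x00\xff\xfe10.0.5.12\x00",
    'part2.bak' => "\x7f\x00hostname=srv-db01\x00http://10.0.5.12/backup\x00\x00",
);
my %strings_by_file = map { $_ => [ extract_strings( $sample{$_} ) ] } keys %sample;
for my $file ( sort keys %strings_by_file ) {
    my $hits = tag_indicators( @{ $strings_by_file{$file} } );
    printf "%s  %-5s %s\n", $file, $_, join( ', ', @{ $hits->{$_} } ) for sort keys %$hits;
}
print "common: $_\n" for common_strings(%strings_by_file);
```

With the constructed fragments, the per-file lines tag the e-mail address, the IPv4 address and the URL, and the common line reports the hostname string shared by both fragments.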

Screens

[Screenshots: TRAP, TRAP::Compare]

Logo

TRAP Logo

Link

License

Licensed under the GPL, version 3. (GPL-3.0 License)
