Apple - Recover in-memory Pages data from failed hibernation wakeup

First try, IF known_string WAS stored in plain text (not the case)

I guess you could try using

grep -Ubo --binary-files=text "known_substring" sleepimage 

In that command, the -U parameter specifies a search on binary files, -b specifies that the byte offset of the matching part should be displayed and, lastly, -o specifies that only the matching part should be printed.

If that works, you would know the offset in bytes to get to that region, but I would not know exactly how to proceed there. Depending on the filetype, you could probably check for the filetype signature near that reported offset and try to isolate only the bytes that are part of that file. For this, I guess you could either write a C program to do that, or maybe execute hexdump -s known_offset sleepimage and try getting only the bytes that relate to the file you need.

For instance, suppose I wanted to know something about Chrome:

$ sudo grep -Ubo --binary-files=text -i "chrome" sleepimage
3775011731:chrome

So I know I got an occurrence of chrome at the byte offset 3775011731. Hence I could:

$ sudo hexdump -s 3775011731 sleepimage | head -n 3
e1021b93 09 09 3c 73 74 72 69 6e 67 3e 2e 63 68 72 6f 6d
e1021ba3 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 3c 2f 73 74
e1021bb3 72 69 6e 67 3e 0a 09 09 3c 6b 65 79 3e 45 78 70

The tricky part would be to get only the bytes you want. If the filetype has a known header you could maybe subtract the header size in bytes from the hexdump offset, so you get the file "since the beginning". If the filetype has a known "EOF" signature, you could try searching for it too and hence get only the bytes up to that point.

What is your filetype? Do you think that some procedure like this could be used in your case? Note that I have never done this before, and I am basing this on a lot of "guesses", but I suppose something like this has a little chance of working.

Second try, a slow method for parsing all bytes

The method before does not work because it also searches only for plain text, my bet. For this second try I created a simple C program containing:

#include <stdio.h>

int main () {
  printf("assim");
  return 0;
}

So I could search for "assim", which would be your known_string, in that text. In order to know what bytes to search for I did:

$ echo -n "assim" | hexdump
0000000 61 73 73 69 6d                                 
0000005

Hence, I must find "61 73 73 69 6d". After compiling that simple C source into the program "tt", I did the following:

hexdump -v -e '/1 "%02X\n"' tt | # format output for hexdump of file tt: one upper-case byte per line
    pcregrep -M --color -A 3 -B 3 "61\n73\n73\n69\n6D" # get 3 bytes A-fter and 3 bytes B-efore the occurrence

Which returned to me:

[screenshot of the pcregrep output: the matched bytes 61 73 73 69 6D with three bytes of context on each side]

If you did something like that, I guess you could get your data. It would be kind of slow to parse 2~8 GB of bytes though...

Note that in this approach you must write the hex bytes in capital letters (write 6D instead of 6d in the last grep), not in lowercase, and use \n instead of white-space (so you can use -A and -B for the grep). You could use grep -i so it becomes case-insensitive, but it would be a little slower. Hence, just use capitals if this is used.

Or, if you want a do-all automated "script":

FILENAME=tt            # file to parse looking for the string
BEFORE=3               # bytes before occurrence
AFTER=3                # bytes after occurrence
KNOWNSTRING="assim"    # string to search for

# Hex-encode the string one byte at a time, upper-case to match the "%02X"
# format used below (hexdump's default output wraps at 16 bytes and varies
# between platforms, so the explicit format is used here too), then join the
# bytes with a literal \n so the pattern matches one byte per line.
ks_bytes="$(printf '%s' "$KNOWNSTRING" | hexdump -v -e '/1 "%02X "' | sed -e 's/ *$//' -e 's/ /\\n/g')"

hexdump -v -e '/1 "%02X\n"' "$FILENAME" | pcregrep -M --color -A "$AFTER" -B "$BEFORE" "$ks_bytes"
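As an added example (not part of the answer above), the same search done directly on the raw bytes in Python instead of through a text hexdump of the whole image: it reads the file in chunks so a multi-GB sleepimage is never loaded at once, carries an overlap between chunks so a match that straddles a chunk boundary is still found, and returns the surrounding bytes like the -A/-B options did. The file name and the bytes in demo() are constructed stand-ins for a real sleepimage.

```python
import os
import tempfile


def find_offsets(path, needle, chunk_size=1 << 20):
    """Absolute byte offset of every occurrence of `needle` in the file at `path`.

    The last len(needle)-1 bytes of each chunk are prepended to the next one,
    so a match split across two reads is not missed and none is counted twice.
    """
    if not needle:
        raise ValueError("needle must be non-empty")
    keep = len(needle) - 1
    offsets, tail, base = [], b"", 0  # base: file offset of buf[0]
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            i = buf.find(needle)
            while i >= 0:
                offsets.append(base + i)
                i = buf.find(needle, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return offsets


def context_bytes(path, offset, needle_len, before=3, after=3):
    """(start, data): raw bytes from `before` bytes ahead of a hit to `after` bytes past it."""
    start = max(0, offset - before)  # clamp at the start of the file
    with open(path, "rb") as f:
        f.seek(start)
        return start, f.read(offset - start + needle_len + after)


def hex_lines(data):
    """One upper-case byte per entry, the shape hexdump -v -e '/1 "%02X\\n"' prints."""
    return [f"{b:02X}" for b in data]


def demo(chunk_size=8):
    """Constructed image: 'assim' at offset 6 (straddling the first 8-byte chunk) and at 20."""
    image = b"\x00" * 6 + b"assim" + b"\xff" * 9 + b"assim" + b"\x10\x20"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
    try:
        hits = find_offsets(f.name, b"assim", chunk_size=chunk_size)
        return hits, [context_bytes(f.name, off, 5) for off in hits]
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    for off, (start, data) in zip(*demo()):
        print(f"hit at byte {off}, context from {start}:", " ".join(hex_lines(data)))
```

Replace the demo with find_offsets("sleepimage", b"known_string") run as root to use it on the real image; the offsets it prints are the same decimal values grep -b reports.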