strings
Find printable strings in binary files
TLDR
Print all strings in a binary
Limit results to strings at least n characters long
Prefix each result with its offset within the file
Prefix each result with its offset within the file in hexadecimal
SYNOPSIS
strings [options] [file...]
PARAMETERS
-a, --all
Scan the entire file, not just initialized data sections within object files.
-f, --print-file-name
Print the name of the file before each string found.
-n number, --bytes=number
Look for sequences of at least number printable characters (default is 4).
-o
Same as -t d. Print the offset of each string in the file in decimal.
-t format, --radix=format
Print the offset of each string in the specified format: o (octal), x (hexadecimal), or d (decimal).
-e encoding, --encoding=encoding
Select the character encoding. Common options include: s (7-bit ASCII), S (8-bit ASCII), b (16-bit big-endian Unicode), l (16-bit little-endian Unicode), B (32-bit big-endian Unicode), L (32-bit little-endian Unicode).
--help
Display a help message and exit.
--version
Display version information and exit.
DESCRIPTION
The strings Linux command is a utility designed to extract sequences of printable characters from binary files, such as executables, object files, core dumps, or raw data files. By default, it searches for sequences of at least four printable characters terminated by a newline or null character. It is an invaluable tool for reverse engineering, digital forensics, and debugging, as it can reveal embedded text messages, version numbers, configuration strings, URLs, or error messages that are otherwise hidden within non-textual data. For instance, one might use it to quickly identify copyright notices or internal command strings in an unfamiliar binary. strings can search across an entire file or limit its scan to specific initialized data sections of object files. It also supports various character encodings, including different byte orders for Unicode, making it versatile for inspecting diverse data types. While simple, its power lies in providing a quick glimpse into the human-readable content potentially contained within compiled code or arbitrary data streams, offering crucial clues without requiring complex disassemblers or debuggers.
CAVEATS
The output can be voluminous, often requiring piping to filtering commands like grep.
It may produce false positives by interpreting random byte sequences as valid strings.
It does not understand data structures or context, only raw byte patterns matching printable characters.
It might miss strings if they don't adhere to the specified length, encoding, or termination criteria.
COMMON USAGE EXAMPLES
1. Find all strings in a binary:
strings /bin/ls
2. Find strings of at least 8 characters:
strings -n 8 /usr/bin/firefox
3. Print filename and offset for each string in hex:
strings -f -t x /bin/bash
4. Search for 16-bit little-endian (UTF-16LE) strings in a core dump:
strings -e l core_dump.img
5. Filter strings from an entire file (including data sections):
strings -a /usr/lib/libc.so.6 | grep "GLIBC"
HISTORY
The strings command has been a standard utility in Unix-like operating systems for decades. It is typically part of the GNU Binutils package on Linux distributions, which provides a collection of binary tools. Its core functionality has remained consistent, focusing on its role as a fundamental tool for inspecting binary files for embedded text data, predating many specialized reverse engineering tools.