Book Image

Learning Python for Forensics

By : Chapin Bryce
Book Image

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Related Content you might be interested in

Current Title:

Small book image
Learning Python for Forensics
Chapin Bryce
May, 2016 | 488 pages
No titles found
Table of Contents (24 chapters)
Learning Python for Forensics
Learning Python for Forensics
Credits
Credits
About the Authors
About the Authors
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Now For Something Completely Different
Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Data type conversions
Files
Variables
Understanding scripting flow logic
Functions
Summary
2
Python Fundamentals
Python Fundamentals
Advanced data types and functions
Libraries
Classes and object-oriented programming
Try and except
Creating our first script – unix_converter.py
User input
Forensic scripting best practices
Developing our first forensic script – usb_lookup.py
Troubleshooting
Challenge
Summary
3
Parsing Text Files
Parsing Text Files
Setup API
Introducing our script
Our first iteration – setupapi_parser.v1.py
Our second iteration – setupapi_parser.v2.py
Our final iteration – setupapi_parser.py
Additional challenges
Summary
4
Working with Serialized Data Structures
Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration – bitcoin_address_lookup.v1.py
Our second iteration – bitcoin_address_lookup.v2.py
Mastering our final iteration – bitcoin_address_lookup.py
Summary
5
Databases in Python
Databases in Python
An overview of databases
Using SQLite3
Designing our script
Manually manipulating databases with Python – file_lister.py
Further automating databases – file_lister_peewee.py
Challenge
Summary
6
Extracting Artifacts from Binary Files
Extracting Artifacts from Binary Files
UserAssist
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
The UserAssist framework
Running the UserAssist framework
Additional challenges
Summary
7
Fuzzy Hashing
Fuzzy Hashing
Background on hashing
Using SSDeep in Python – ssdeep_python.py
Additional challenges
Citations
Summary
8
The Media Age
The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introduction to ID3 metadata
Introduction to Office metadata
Metadata_Parser framework overview
Parsing EXIF metadata – exif_parser.py
Parsing ID3 metdata – id3_parser.py
Parsing Office metadata – office_parser.py
Moving on to our writers
Framework summary
Additional challenges
Summary
9
Uncovering Time
Uncovering Time
About timestamps
Using a GUI
Developing the Date Decoder GUI – date_decoder.py
Additional challenges
Summary
10
Did Someone Say Keylogger?
Did Someone Say Keylogger?
A detailed look at keyloggers
Building a keylogger for Windows
Multiprocessing in Python – simple_multiprocessor.py
Running Python without a command window
Exploring the code
Citations
Additional challenges
Summary
11
Parsing Outlook PST Containers
Parsing Outlook PST Containers
The Personal Storage Table File Format
An introduction to libpff
Exploring PSTs – pst_indexer.py
Running the script
Additional challenges
Summary
12
Recovering Transient Database Records
Recovering Transient Database Records
SQLite WAL files
Regular expressions in Python
TQDM – a simpler progress bar
Parsing WAL files – wal_crawler.py
Executing wal_crawler.py
Challenge
Summary
13
Coming Full Circle
Coming Full Circle
Frameworks
Colorama
FIGlet
Exploring the framework – framework.py
Summary
Installing Python
Installing Python
Python for Windows
Python for OS X and Linux
Python Technical Details
Python Technical Details
The Python installation folder
Troubleshooting Exceptions
Troubleshooting Exceptions
AttributeError
ImportError
IndentationError
IOError
IndexError
KeyError
NameError
TypeError
ValueError
UnicodeEncodeError and UnicodeDecodeError
Index
Index

Chapter 1. Now For Something Completely Different

This book presents Python as a necessary tool to optimize digital forensic analysis—it is written from an examiner's perspective. In the first two chapters, we will introduce the basics of Python in preparation for the remainder of the book where we will develop scripts to accomplish forensic tasks. While focusing on the use of the language as a tool, we will also explore the advantages of Python and how it allows many individuals in the field to create solutions for a number of complex forensic challenges. Similar to Monty Python, Python's namesake, the next 12 chapters aim to present "something completely different".

In this fast-paced field, a scripting language provides flexible problem solving in an automated fashion, thus giving the examiner additional time to investigate other artifacts that may not have been analyzed as thoroughly due to time constraints. Python may not always be the correct tool to complete the task at hand, but it is certainly a resource to develop rapid and accurate solutions. This chapter outlines the basics of Python from "Hello World" to fundamental scripting operations.

In this chapter, we will cover the following topics:

  • An introduction to Python and healthy development practices

  • Basic programming concepts

  • Manipulating and storing objects in Python

  • Creating simple conditionals, loops, and functions

Previous Section
End of Section 1
Next Section