Learning Python for Forensics

Learning Python for Forensics

By : Chapin Bryce

Buy this Book

Learning Python for Forensics

By: Chapin Bryce

Buy this Book

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Learning Python for Forensics

Credits

About the Authors

Acknowledgments

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

Now For Something Completely Different

When to use Python?

Getting started

Standard data types

Data type conversions

Files

Variables

Understanding scripting flow logic

Functions

Summary

Python Fundamentals

Advanced data types and functions

Libraries

Classes and object-oriented programming

Try and except

Creating our first script – unix_converter.py

User input

Forensic scripting best practices

Developing our first forensic script – usb_lookup.py

Troubleshooting

Challenge

Summary

Parsing Text Files

Setup API

Introducing our script

Our first iteration – setupapi_parser.v1.py

Our second iteration – setupapi_parser.v2.py

Our final iteration – setupapi_parser.py

Additional challenges

Summary

Working with Serialized Data Structures

Serialized data structures

A simple Bitcoin Web API

Our first iteration – bitcoin_address_lookup.v1.py

Our second iteration – bitcoin_address_lookup.v2.py

Mastering our final iteration – bitcoin_address_lookup.py

Summary

Databases in Python

An overview of databases

Using SQLite3

Designing our script

Manually manipulating databases with Python – file_lister.py

Further automating databases – file_lister_peewee.py

Challenge

Summary

Extracting Artifacts from Binary Files

UserAssist

Working with the Registry module

Introducing the Struct module

Creating spreadsheets with the xlsxwriter module

The UserAssist framework

Running the UserAssist framework

Additional challenges

Summary

Fuzzy Hashing

Background on hashing

Using SSDeep in Python – ssdeep_python.py

Additional challenges

Citations

Summary

The Media Age

Creating frameworks in Python

Introduction to EXIF metadata

Introduction to ID3 metadata

Introduction to Office metadata

Metadata_Parser framework overview

Parsing EXIF metadata – exif_parser.py

Parsing ID3 metdata – id3_parser.py

Parsing Office metadata – office_parser.py

Moving on to our writers

Framework summary

Additional challenges

Summary

Uncovering Time

About timestamps

Using a GUI

Developing the Date Decoder GUI – date_decoder.py

Additional challenges

Summary

Did Someone Say Keylogger?

A detailed look at keyloggers

Building a keylogger for Windows

Multiprocessing in Python – simple_multiprocessor.py

Running Python without a command window

Exploring the code

Citations

Additional challenges

Summary

Parsing Outlook PST Containers

The Personal Storage Table File Format

An introduction to libpff

Exploring PSTs – pst_indexer.py

Running the script

Additional challenges

Summary

Recovering Transient Database Records

SQLite WAL files

Regular expressions in Python

TQDM – a simpler progress bar

Parsing WAL files – wal_crawler.py

Executing wal_crawler.py

Challenge

Summary

Coming Full Circle

Frameworks

Colorama

FIGlet

Exploring the framework – framework.py

Summary

Installing Python

Python for Windows

Python for OS X and Linux

Python Technical Details

The Python installation folder

Troubleshooting Exceptions

IOError

UnicodeEncodeError and UnicodeDecodeError

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Using SSDeep in Python – ssdeep_python.py

In this second example of fuzzy hashing, we are going to implement a similar script using the ssdeep (version 3.1.1) Python library. This allows us to leverage the ssdeep tool and the Spamsum algorithm that have been widely used and accepted in the fields of digital forensics and information security. This code will be the preferred method for fuzzy hashing in most scenarios as it is more efficient with resources and produces more accurate results. This tool has seen wide support in the community, and many ssdeep signatures are available online. For example, the website http://VirusTotal.com hosts hashes from ssdeep on their site under additional information for submitted files. This public information can be used to check for known malicious files that match or are similar to executable files on a host machine without the need to download the malicious files.

One weakness of ssdeep is that it does not provide information beyond the matching percentage...

Learning Python for Forensics

By : Chapin Bryce

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

Related Content you might be interested in

Current Title:

Learning Python for Forensics

Using SSDeep in Python – ssdeep_python.py