Python Digital Forensics Cookbook

By: Chapin Bryce, Preston Miller

Overview of this book

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Putting Wi-Fi on the map

Recipe Difficulty: Medium

Python Version: 3.5

Operating System: Any

Without a connection to the outside world, mobile devices are little more than an expensive paperweight. Fortunately, open Wi-Fi networks are everywhere, and sometimes a mobile device will connect to them automatically. On the iPhone, a list of Wi-Fi networks the device has connected to is stored in a binary PLIST named com.apple.wifi.plist. This PLIST records, among other things, the Wi-Fi SSID, BSSID, and connection time. In this recipe, we will show how to extract Wi-Fi details from a standard Cellebrite XML report or supply Wi-Fi MAC addresses in a newline-delimited file. As the Cellebrite report formats may evolve over time, we are basing our XML parsing on a report generated with UFED Physical Analyzer version 6.1.6.19.
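The two input paths described above, the XML report and the newline-delimited MAC file, both come down to pulling out BSSIDs that can later be looked up. The following Python is an added illustration and is not the book's recipe code; the element names (`WirelessNetwork`, `SSID`, `BSSID`, `LastConnection`) are an assumed, simplified layout standing in for the real UFED Physical Analyzer schema, and the sample report and MAC list are constructed. It normalises each address, discards malformed ones, and flags locally administered addresses (hotspots, randomised MACs), which rarely match a geolocation database and are better separated out before any lookup.

```python
"""Added example (not from the book): extract and normalise Wi-Fi BSSIDs from
a simplified XML report and a newline-delimited MAC list. The XML element
names are an assumption for illustration, not the Cellebrite schema."""
import re
import xml.etree.ElementTree as ET

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff.
MAC_PATTERN = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$"
)


def normalize_mac(raw):
    """Return the address in lowercase colon-separated form, or None if malformed."""
    candidate = raw.strip()
    if not MAC_PATTERN.match(candidate):
        return None
    digits = re.sub(r"[:-]", "", candidate).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set, i.e. the address
    was assigned locally rather than by a vendor. Hotspot and randomised BSSIDs
    look like this and will seldom appear in a wardriving database."""
    return bool(int(mac[:2], 16) & 0x02)


def read_mac_file(text):
    """Parse newline-delimited MACs: skip blanks and '#' comments, drop
    malformed lines, de-duplicate while preserving order."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac = normalize_mac(line)
        if mac is not None and mac not in found:
            found.append(mac)
    return found


def parse_wifi_report(xml_text):
    """Extract one record per <WirelessNetwork> element (assumed layout).
    Records whose BSSID does not parse are skipped rather than passed on."""
    root = ET.fromstring(xml_text)
    records = []
    for net in root.iter("WirelessNetwork"):
        bssid = normalize_mac(net.findtext("BSSID", default=""))
        if bssid is None:
            continue
        records.append({
            "ssid": net.findtext("SSID", default=""),
            "bssid": bssid,
            "last_connection": net.findtext("LastConnection", default=""),
            "locally_administered": is_locally_administered(bssid),
        })
    return records


def collect_bssids(xml_text, mac_text):
    """Merge both sources into one sorted, de-duplicated list of
    vendor-assigned BSSIDs, the ones worth submitting to a lookup."""
    bssids = {r["bssid"] for r in parse_wifi_report(xml_text)}
    bssids.update(read_mac_file(mac_text))
    return sorted(b for b in bssids if not is_locally_administered(b))


# Constructed sample inputs; not real report data.
SAMPLE_XML = """<?xml version="1.0"?>
<report>
  <WirelessNetwork>
    <SSID>CoffeeShop</SSID>
    <BSSID>00-1A-2B-3C-4D-5E</BSSID>
    <LastConnection>2017-05-01T10:15:00</LastConnection>
  </WirelessNetwork>
  <WirelessNetwork>
    <SSID>Broken</SSID>
    <BSSID>not-a-mac</BSSID>
  </WirelessNetwork>
  <WirelessNetwork>
    <SSID>MyHotspot</SSID>
    <BSSID>02:11:22:33:44:55</BSSID>
    <LastConnection>2017-05-02T08:00:00</LastConnection>
  </WirelessNetwork>
</report>
"""

SAMPLE_MAC_FILE = """# constructed list
00:1A:2B:3C:4D:5E
c41234567890

garbage
"""

if __name__ == "__main__":
    for rec in parse_wifi_report(SAMPLE_XML):
        print(rec)
    print(collect_bssids(SAMPLE_XML, SAMPLE_MAC_FILE))
```

Keeping the malformed and locally administered entries out of the lookup set, rather than letting them fail silently inside an API call, makes it easier to account for every address in the evidence when writing up results.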

WiGLE is an online searchable repository of, at the time of...