Book Image

Python Digital Forensics Cookbook

By : Chapin Bryce, Preston Miller
Book Image

Python Digital Forensics Cookbook

By: Chapin Bryce, Preston Miller

Overview of this book

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Related Content you might be interested in

Current Title:

Small book image
Python Digital Forensics Cookbook
Chapin Bryce | Preston Miller
Sep, 2017 | 412 pages
Small book image
Learning Python for Forensics.
Preston Miller | Chapin Bryce
Jan, 2019 | 476 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Table of Contents (11 chapters)
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Conventions
Reader feedback
Customer support
Free Chapter
1
Essential Scripting and File Information Recipes
Essential Scripting and File Information Recipes
Introduction
Handling arguments like an adult
Iterating over loose files
Recording file attributes
Copying files, attributes, and timestamps
Hashing files and data streams
Keeping track with a progress bar
Logging results
Multiple hands make light work
2
Creating Artifact Report Recipes
Creating Artifact Report Recipes
Introduction
Using HTML templates
Creating a paper trail
Working with CSVs
Visualizing events with Excel
Auditing your work
3
A Deep Dive into Mobile Forensic Recipes
A Deep Dive into Mobile Forensic Recipes
Introduction
Parsing PLIST files
Handling SQLite databases
Identifying gaps in SQLite databases
Processing iTunes backups
Putting Wi-Fi on the map
Digging deep to recover messages
4
Extracting Embedded Metadata Recipes
Extracting Embedded Metadata Recipes
Introduction
Extracting audio and video metadata
The big picture
Mining for PDF metadata
Reviewing executable metadata
Reading office document metadata
Integrating our metadata extractor with EnCase
5
Networking and Indicators of Compromise Recipes
Networking and Indicators of Compromise Recipes
Introduction
Getting a jump start with IEF
Coming into contact with IEF
Beautiful Soup
Going hunting for viruses
Gathering intel
Totally passive
6
Reading Emails and Taking Names Recipes
Reading Emails and Taking Names Recipes
Introduction
Parsing EML files
Viewing MSG files
Ordering Takeout
What’s in the box?!
Parsing PST and OST mailboxes
7
Log-Based Artifact Recipes
Log-Based Artifact Recipes
Introduction
About time
Parsing IIS web logs with RegEx
Going spelunking
Interpreting the daily.out log
Adding daily.out parsing to Axiom
Scanning for indicators with YARA
8
Working with Forensic Evidence Container Recipes
Working with Forensic Evidence Container Recipes
Introduction
Opening acquisitions
Gathering acquisition and media information
Iterating through files
Processing files within the container
Searching for hashes
9
Exploring Windows Forensic Artifacts Recipes - Part I
Exploring Windows Forensic Artifacts Recipes - Part I
Introduction
One man's trash is a forensic examiner's treasure
A sticky situation
Reading the registry
Gathering user activity
The missing link
Searching high and low
10
Exploring Windows Forensic Artifacts Recipes - Part II
Exploring Windows Forensic Artifacts Recipes - Part II
Introduction
Parsing prefetch files
A series of fortunate events
Indexing internet history
Shadow of a former self
Dissecting the SRUM database

Gathering user activity

Recipe Difficulty: Medium

Python Version: 2.7

Operating System: Linux

Windows stores a plethora of information about user activity, and like other registry hives, the NTUSER.DAT file is a great resource to be relied upon during an investigation. This hive lives within each user's profile and stores information and configurations as they relate to the specific user's on the system.

In this recipe, we cover multiple keys within NTUSER.DAT that throw light on the actions of a user on a system. This includes the prior searches run in Windows Explorer, paths typed into Explorer's navigation bar, and the recently used statements in the Windows run command. These artifacts better illustrate how the user interacted with the system and may give insight into what normal, or abnormal, usage of the system looked like for the user.

...
Previous Section
End of Section 6
Next Section