Learning Python for Forensics

By: Chapin Bryce

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Variables


We can assign values to variables using the data types we just covered. By assigning a value to a variable, we can refer to that value, which could be a large 100-element list, by its variable name. This not only saves the programmer from re-typing the value over and over again, but also enhances the readability of the code and allows us to change the value of a variable over time. Throughout the chapter, we have already assigned objects to variables using the "=" sign. Variable names can technically be anything, although we recommend the following guidelines:

  • Variable names should be short and descriptive of the stored content or purpose.

  • Begin with a letter or underscore.

  • Constant variables should be denoted by capitalized words.

  • Dynamic variables should be lowercase words separated by underscores.

  • Never use one of the following, or any Python reserved name, as a variable name: input, output, tmp, temp, in, for, next, file, True, False, None, str, int, list, and so on.

  • Never include a space in a variable name. Python thinks two variables are being defined and will raise a syntax error. Use underscores to separate words.

Generally, programmers use memorable and descriptive names that indicate the data they hold. For example, in a script that prompts for the phone number of the user, the variable should be phone_number, which clearly indicates the purpose and contents of this variable. Another popular naming style is CamelCase where every word is capitalized. This naming convention is often used in conjunction with function and class names.

Variable assignment allows the value to be modified as the script runs. The general rule of thumb is to assign a value to a variable if it will be used again. Let's practice by creating variables and assigning them the data types that we have just learned about. While this is simple, we recommend following along in the interactive prompt to get into the habit of assigning variables. In the first example below, we assign a string to a variable before printing the variable.

>>> hello_world = "Hello World!"
>>> print hello_world
Hello World!

The second example introduces some new operators. First, we assign the integer 5 to the variable our_number. Then we use the plus-gets operator (+=) as a built-in shorthand for our_number = our_number + 20. In addition to plus-gets, we have minus-gets (-=), multiply-gets (*=), and divide-gets (/=).

>>> our_number = 5
>>> our_number += 20
>>> print our_number
25

In the following code block we assign a series of variables before printing them. The data types used for our variables are string, integer, float, unicode, and Boolean, respectively.

>>> BOOK_TITLE = 'Learning Python for Forensics'
>>> edition = 1
>>> python_version = 2.7
>>> AUTHOR_NAMES = u'Preston Miller, Chapin Bryce'
>>> is_written_in_english = True
>>> print BOOK_TITLE
Learning Python for Forensics
>>> print AUTHOR_NAMES
Preston Miller, Chapin Bryce
>>> print edition
1
>>> print python_version
2.7
>>> print is_written_in_english
True

Notice the BOOK_TITLE and AUTHOR_NAMES variables. When a variable is static, or non-changing, throughout the execution of a script, it is referred to as a constant variable. Unlike other programming languages, Python has no built-in method for protecting constants from being overwritten, so we use naming conventions to remind us not to replace the value. While some variables, such as the edition of the book, language, or version of Python might change, the title and authors should be constants (we hope). If there is ever confusion when it comes to naming and styling conventions in Python, try running the following statement in an interpreter.

>>> import this
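The naming guidelines above, and the point that nothing stops a constant from being overwritten, can be checked mechanically. The following is an added example, not code from the book: it is written for Python 3 (the book's prompts are Python 2.7), and check_names, AVOID and the sample script are names and data made up for illustration.

```python
import ast
import builtins
import re

# Generic names the page says to avoid; built-in names are collected separately.
AVOID = {"input", "output", "tmp", "temp", "next", "file"}
BUILTINS = set(dir(builtins))
CONSTANT = re.compile(r"^[A-Z][A-Z0-9_]*$")    # e.g. BOOK_TITLE
DYNAMIC = re.compile(r"^[a-z_][a-z0-9_]*$")    # e.g. phone_number


def check_names(source):
    """Return (line, name, problem) tuples for every name bound in source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        # Reserved words and names containing a space never get past the parser.
        return [(err.lineno, "", "syntax error: not a valid variable name")]
    stores = sorted((n.lineno, n.col_offset, n.id) for n in ast.walk(tree)
                    if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store))
    findings, constants = [], {}
    for line, _, name in stores:
        if name in AVOID:
            findings.append((line, name, "generic name on the avoid list"))
        elif name in BUILTINS:
            findings.append((line, name, "shadows a built-in"))
        elif CONSTANT.match(name):
            if name in constants:
                msg = "constant reassigned (first set on line %d)" % constants[name]
                findings.append((line, name, msg))
            constants.setdefault(name, line)
        elif not DYNAMIC.match(name):
            findings.append((line, name, "not lowercase_with_underscores"))
    return findings


# Constructed sample script, not taken from the book.
SAMPLE = """\
BOOK_TITLE = 'Learning Python for Forensics'
edition = 1
file = 'evidence.E01'
list = ['a', 'b']
BOOK_TITLE = 'Another Title'
PhoneNumber = '555-0100'
"""

if __name__ == "__main__":
    for finding in check_names(SAMPLE):
        print("line %s: %r %s" % finding)
```

The sample is only parsed, never executed, so the shadowed names in it do not affect the checker itself.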

As we saw previously, we can use the split() method on a string to convert it into a list. We can also convert a list into a string using the join() method. This method is called on a string containing the desired separator and takes the list as its only argument. In the following example, we take a list containing two strings and join them into one string where the elements are separated by a comma and a space.

>>> print ', '.join(["This string is really long", "It should probably be on two lines."])
This string is really long, It should probably be on two lines.