Learning Python for Forensics

Learning Python for Forensics

By : Chapin Bryce

Buy this Book

Learning Python for Forensics

By: Chapin Bryce

Buy this Book

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Learning Python for Forensics

Credits

About the Authors

Acknowledgments

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

Now For Something Completely Different

When to use Python?

Getting started

Standard data types

Data type conversions

Files

Variables

Understanding scripting flow logic

Functions

Summary

Python Fundamentals

Advanced data types and functions

Libraries

Classes and object-oriented programming

Try and except

Creating our first script – unix_converter.py

User input

Forensic scripting best practices

Developing our first forensic script – usb_lookup.py

Troubleshooting

Challenge

Summary

Parsing Text Files

Setup API

Introducing our script

Our first iteration – setupapi_parser.v1.py

Our second iteration – setupapi_parser.v2.py

Our final iteration – setupapi_parser.py

Additional challenges

Summary

Working with Serialized Data Structures

Serialized data structures

A simple Bitcoin Web API

Our first iteration – bitcoin_address_lookup.v1.py

Our second iteration – bitcoin_address_lookup.v2.py

Mastering our final iteration – bitcoin_address_lookup.py

Summary

Databases in Python

An overview of databases

Using SQLite3

Designing our script

Manually manipulating databases with Python – file_lister.py

Further automating databases – file_lister_peewee.py

Challenge

Summary

Extracting Artifacts from Binary Files

UserAssist

Working with the Registry module

Introducing the Struct module

Creating spreadsheets with the xlsxwriter module

The UserAssist framework

Running the UserAssist framework

Additional challenges

Summary

Fuzzy Hashing

Background on hashing

Using SSDeep in Python – ssdeep_python.py

Additional challenges

Citations

Summary

The Media Age

Creating frameworks in Python

Introduction to EXIF metadata

Introduction to ID3 metadata

Introduction to Office metadata

Metadata_Parser framework overview

Parsing EXIF metadata – exif_parser.py

Parsing ID3 metdata – id3_parser.py

Parsing Office metadata – office_parser.py

Moving on to our writers

Framework summary

Additional challenges

Summary

Uncovering Time

About timestamps

Using a GUI

Developing the Date Decoder GUI – date_decoder.py

Additional challenges

Summary

Did Someone Say Keylogger?

A detailed look at keyloggers

Building a keylogger for Windows

Multiprocessing in Python – simple_multiprocessor.py

Running Python without a command window

Exploring the code

Citations

Additional challenges

Summary

Parsing Outlook PST Containers

The Personal Storage Table File Format

An introduction to libpff

Exploring PSTs – pst_indexer.py

Running the script

Additional challenges

Summary

Recovering Transient Database Records

SQLite WAL files

Regular expressions in Python

TQDM – a simpler progress bar

Parsing WAL files – wal_crawler.py

Executing wal_crawler.py

Challenge

Summary

Coming Full Circle

Frameworks

Colorama

FIGlet

Exploring the framework – framework.py

Summary

Installing Python

Python for Windows

Python for OS X and Linux

Python Technical Details

The Python installation folder

Troubleshooting Exceptions

IOError

UnicodeEncodeError and UnicodeDecodeError

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Exploring the code

With all introductory concepts covered, let's begin discussing the script that we will develop in this chapter. As always, we begin by importing all necessary modules. We will not repeat the discussion of these modules as they have been covered previously. With these libraries, we will be able to successfully access all of the artifacts required for this collection. Lacking in this script are the author, date, version, and description attributes seen previously. In the case of a malicious script, we do not want to blatantly label it with our details. Let's at least make it a little harder for someone to figure out the culprit, shall we? Although, if you were particularly dastardly, you could label it with someone else's details. But you didn't get that idea from us.

001 import multiprocessing
002 import os
003 import sys
004 import time
005 
006 import pythoncom
007 import pyHook
008 
009 import win32con
010 import win32clipboard
011 import win32gui
012 import win32ui
013...

Learning Python for Forensics

By : Chapin Bryce

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

Related Content you might be interested in

Current Title:

Learning Python for Forensics

Exploring the code