Learning Python for Forensics

Learning Python for Forensics

By : Chapin Bryce

Buy this Book

Learning Python for Forensics

By: Chapin Bryce

Buy this Book

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Learning Python for Forensics

Credits

About the Authors

Acknowledgments

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

Now For Something Completely Different

When to use Python?

Getting started

Standard data types

Data type conversions

Files

Variables

Understanding scripting flow logic

Functions

Summary

Python Fundamentals

Advanced data types and functions

Libraries

Classes and object-oriented programming

Try and except

Creating our first script – unix_converter.py

User input

Forensic scripting best practices

Developing our first forensic script – usb_lookup.py

Troubleshooting

Challenge

Summary

Parsing Text Files

Setup API

Introducing our script

Our first iteration – setupapi_parser.v1.py

Our second iteration – setupapi_parser.v2.py

Our final iteration – setupapi_parser.py

Additional challenges

Summary

Working with Serialized Data Structures

Serialized data structures

A simple Bitcoin Web API

Our first iteration – bitcoin_address_lookup.v1.py

Our second iteration – bitcoin_address_lookup.v2.py

Mastering our final iteration – bitcoin_address_lookup.py

Summary

Databases in Python

An overview of databases

Using SQLite3

Designing our script

Manually manipulating databases with Python – file_lister.py

Further automating databases – file_lister_peewee.py

Challenge

Summary

Extracting Artifacts from Binary Files

UserAssist

Working with the Registry module

Introducing the Struct module

Creating spreadsheets with the xlsxwriter module

The UserAssist framework

Running the UserAssist framework

Additional challenges

Summary

Fuzzy Hashing

Background on hashing

Using SSDeep in Python – ssdeep_python.py

Additional challenges

Citations

Summary

The Media Age

Creating frameworks in Python

Introduction to EXIF metadata

Introduction to ID3 metadata

Introduction to Office metadata

Metadata_Parser framework overview

Parsing EXIF metadata – exif_parser.py

Parsing ID3 metdata – id3_parser.py

Parsing Office metadata – office_parser.py

Moving on to our writers

Framework summary

Additional challenges

Summary

Uncovering Time

About timestamps

Using a GUI

Developing the Date Decoder GUI – date_decoder.py

Additional challenges

Summary

Did Someone Say Keylogger?

A detailed look at keyloggers

Building a keylogger for Windows

Multiprocessing in Python – simple_multiprocessor.py

Running Python without a command window

Exploring the code

Citations

Additional challenges

Summary

Parsing Outlook PST Containers

The Personal Storage Table File Format

An introduction to libpff

Exploring PSTs – pst_indexer.py

Running the script

Additional challenges

Summary

Recovering Transient Database Records

SQLite WAL files

Regular expressions in Python

TQDM – a simpler progress bar

Parsing WAL files – wal_crawler.py

Executing wal_crawler.py

Challenge

Summary

Coming Full Circle

Frameworks

Colorama

FIGlet

Exploring the framework – framework.py

Summary

Installing Python

Python for Windows

Python for OS X and Linux

Python Technical Details

The Python installation folder

Troubleshooting Exceptions

IOError

UnicodeEncodeError and UnicodeDecodeError

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Chapter 12. Recovering Transient Database Records

In this chapter, we will revisit SQLite databases and examine a type of "journaling" file called a Write Ahead Log (WAL). Parsing a WAL file, due to the complexity of the underlying structure, makes this a more difficult task than our previous encounter with SQLite databases. There are no existing modules we can leverage to directly interact with the WAL file in the same way we used sqlite3 or peewee with SQLite databases. Instead, we will rely on the struct library and our ability to understand binary files.

Once we have successfully parsed the WAL file, we will leverage the re regular expression library in Python to identify potentially relevant forensic artifacts. Lastly, we will briefly introduce another method of creating progress bars using the third-party tqdm library. In a few lines of code, we will have a functioning progress bar that can provide feedback of program execution to the user.

The WAL file can contain data that is no longer...

Learning Python for Forensics

By : Chapin Bryce

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

Related Content you might be interested in

Current Title:

Learning Python for Forensics

Chapter 12. Recovering Transient Database Records