Learning Python for Forensics

Learning Python for Forensics

By : Chapin Bryce

Buy this Book

Learning Python for Forensics

By: Chapin Bryce

Buy this Book

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Learning Python for Forensics

Credits

About the Authors

Acknowledgments

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

Now For Something Completely Different

When to use Python?

Getting started

Standard data types

Data type conversions

Files

Variables

Understanding scripting flow logic

Functions

Summary

Python Fundamentals

Advanced data types and functions

Libraries

Classes and object-oriented programming

Try and except

Creating our first script – unix_converter.py

User input

Forensic scripting best practices

Developing our first forensic script – usb_lookup.py

Troubleshooting

Challenge

Summary

Parsing Text Files

Setup API

Introducing our script

Our first iteration – setupapi_parser.v1.py

Our second iteration – setupapi_parser.v2.py

Our final iteration – setupapi_parser.py

Additional challenges

Summary

Working with Serialized Data Structures

Serialized data structures

A simple Bitcoin Web API

Our first iteration – bitcoin_address_lookup.v1.py

Our second iteration – bitcoin_address_lookup.v2.py

Mastering our final iteration – bitcoin_address_lookup.py

Summary

Databases in Python

An overview of databases

Using SQLite3

Designing our script

Manually manipulating databases with Python – file_lister.py

Further automating databases – file_lister_peewee.py

Challenge

Summary

Extracting Artifacts from Binary Files

UserAssist

Working with the Registry module

Introducing the Struct module

Creating spreadsheets with the xlsxwriter module

The UserAssist framework

Running the UserAssist framework

Additional challenges

Summary

Fuzzy Hashing

Background on hashing

Using SSDeep in Python – ssdeep_python.py

Additional challenges

Citations

Summary

The Media Age

Creating frameworks in Python

Introduction to EXIF metadata

Introduction to ID3 metadata

Introduction to Office metadata

Metadata_Parser framework overview

Parsing EXIF metadata – exif_parser.py

Parsing ID3 metdata – id3_parser.py

Parsing Office metadata – office_parser.py

Moving on to our writers

Framework summary

Additional challenges

Summary

Uncovering Time

About timestamps

Using a GUI

Developing the Date Decoder GUI – date_decoder.py

Additional challenges

Summary

Did Someone Say Keylogger?

A detailed look at keyloggers

Building a keylogger for Windows

Multiprocessing in Python – simple_multiprocessor.py

Running Python without a command window

Exploring the code

Citations

Additional challenges

Summary

Parsing Outlook PST Containers

The Personal Storage Table File Format

An introduction to libpff

Exploring PSTs – pst_indexer.py

Running the script

Additional challenges

Summary

Recovering Transient Database Records

SQLite WAL files

Regular expressions in Python

TQDM – a simpler progress bar

Parsing WAL files – wal_crawler.py

Executing wal_crawler.py

Challenge

Summary

Coming Full Circle

Frameworks

Colorama

FIGlet

Exploring the framework – framework.py

Summary

Installing Python

Python for Windows

Python for OS X and Linux

Python Technical Details

The Python installation folder

Troubleshooting Exceptions

IOError

UnicodeEncodeError and UnicodeDecodeError

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Chapter 13. Coming Full Circle

In this chapter, we will use the scripts we have built in the previous chapters to create a prototype forensic framework. This framework will take some input directory, such as the root folder of a mounted image, and run our plugins against the files to return a series of spreadsheet reports for each plugin.

Up to this point, we have developed standalone scripts in each chapter. By developing a framework, we will illustrate how we can bring these scripts together and execute them as one project.

In Chapter 8, The Media Age, we created a miniature framework for parsing various types of embedded metadata. We will borrow from that design and add object-oriented programming to it. Using classes will simplify our framework by creating an abstract object for plugins and writers.

Additionally, in our framework, we will showcase the use of a few external libraries that serve an aesthetic purpose rather than functional. These are colorama and FIGlet, which allow us to...

Learning Python for Forensics

By : Chapin Bryce

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

Related Content you might be interested in

Current Title:

Learning Python for Forensics

Chapter 13. Coming Full Circle