Book Image

Learning Python for Forensics

By : Chapin Bryce
Book Image

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Related Content you might be interested in

Current Title:

Small book image
Learning Python for Forensics
Chapin Bryce
May, 2016 | 488 pages
No titles found
Table of Contents (24 chapters)
Learning Python for Forensics
Learning Python for Forensics
Credits
Credits
About the Authors
About the Authors
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Now For Something Completely Different
Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Data type conversions
Files
Variables
Understanding scripting flow logic
Functions
Summary
2
Python Fundamentals
Python Fundamentals
Advanced data types and functions
Libraries
Classes and object-oriented programming
Try and except
Creating our first script – unix_converter.py
User input
Forensic scripting best practices
Developing our first forensic script – usb_lookup.py
Troubleshooting
Challenge
Summary
3
Parsing Text Files
Parsing Text Files
Setup API
Introducing our script
Our first iteration – setupapi_parser.v1.py
Our second iteration – setupapi_parser.v2.py
Our final iteration – setupapi_parser.py
Additional challenges
Summary
4
Working with Serialized Data Structures
Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration – bitcoin_address_lookup.v1.py
Our second iteration – bitcoin_address_lookup.v2.py
Mastering our final iteration – bitcoin_address_lookup.py
Summary
5
Databases in Python
Databases in Python
An overview of databases
Using SQLite3
Designing our script
Manually manipulating databases with Python – file_lister.py
Further automating databases – file_lister_peewee.py
Challenge
Summary
6
Extracting Artifacts from Binary Files
Extracting Artifacts from Binary Files
UserAssist
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
The UserAssist framework
Running the UserAssist framework
Additional challenges
Summary
7
Fuzzy Hashing
Fuzzy Hashing
Background on hashing
Using SSDeep in Python – ssdeep_python.py
Additional challenges
Citations
Summary
8
The Media Age
The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introduction to ID3 metadata
Introduction to Office metadata
Metadata_Parser framework overview
Parsing EXIF metadata – exif_parser.py
Parsing ID3 metdata – id3_parser.py
Parsing Office metadata – office_parser.py
Moving on to our writers
Framework summary
Additional challenges
Summary
9
Uncovering Time
Uncovering Time
About timestamps
Using a GUI
Developing the Date Decoder GUI – date_decoder.py
Additional challenges
Summary
10
Did Someone Say Keylogger?
Did Someone Say Keylogger?
A detailed look at keyloggers
Building a keylogger for Windows
Multiprocessing in Python – simple_multiprocessor.py
Running Python without a command window
Exploring the code
Citations
Additional challenges
Summary
11
Parsing Outlook PST Containers
Parsing Outlook PST Containers
The Personal Storage Table File Format
An introduction to libpff
Exploring PSTs – pst_indexer.py
Running the script
Additional challenges
Summary
12
Recovering Transient Database Records
Recovering Transient Database Records
SQLite WAL files
Regular expressions in Python
TQDM – a simpler progress bar
Parsing WAL files – wal_crawler.py
Executing wal_crawler.py
Challenge
Summary
13
Coming Full Circle
Coming Full Circle
Frameworks
Colorama
FIGlet
Exploring the framework – framework.py
Summary
Installing Python
Installing Python
Python for Windows
Python for OS X and Linux
Python Technical Details
Python Technical Details
The Python installation folder
Troubleshooting Exceptions
Troubleshooting Exceptions
AttributeError
ImportError
IndentationError
IOError
IndexError
KeyError
NameError
TypeError
ValueError
UnicodeEncodeError and UnicodeDecodeError
Index
Index

Forensic scripting best practices

Forensic best practices play a big part in what we do and, traditionally, refer to handling or acquiring evidence. However, we've designated some forensic best practices of our own when it comes to programming, as follows:

  • Do not modify original data you're working with and to that effect

  • Work on copies of the original data

  • Comment code

  • Validate your program's results

  • Maintain extensive logging

  • Return output in an easy-to-analyze or understand format

The golden rule of forensics: do not modify the original data. Always work on a forensic copy or through a write-blocker. However, this may not be an option for other disciplines such as for incident responders where the parameters and scope varies.

In these cases, it is important to consider what the code does and how it might interact with the system at runtime. What kind of footprint does the code leave behind? Could it inadvertently destroy artifacts or references to them? Has the program been validated in similar...

Previous Section
End of Section 8
Next Section