Book Image

Learning Python for Forensics

By : Chapin Bryce
Book Image

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Related Content you might be interested in

Current Title:

Small book image
Learning Python for Forensics
Chapin Bryce
May, 2016 | 488 pages
No titles found
Table of Contents (24 chapters)
Learning Python for Forensics
Learning Python for Forensics
Credits
Credits
About the Authors
About the Authors
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Now For Something Completely Different
Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Data type conversions
Files
Variables
Understanding scripting flow logic
Functions
Summary
2
Python Fundamentals
Python Fundamentals
Advanced data types and functions
Libraries
Classes and object-oriented programming
Try and except
Creating our first script – unix_converter.py
User input
Forensic scripting best practices
Developing our first forensic script – usb_lookup.py
Troubleshooting
Challenge
Summary
3
Parsing Text Files
Parsing Text Files
Setup API
Introducing our script
Our first iteration – setupapi_parser.v1.py
Our second iteration – setupapi_parser.v2.py
Our final iteration – setupapi_parser.py
Additional challenges
Summary
4
Working with Serialized Data Structures
Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration – bitcoin_address_lookup.v1.py
Our second iteration – bitcoin_address_lookup.v2.py
Mastering our final iteration – bitcoin_address_lookup.py
Summary
5
Databases in Python
Databases in Python
An overview of databases
Using SQLite3
Designing our script
Manually manipulating databases with Python – file_lister.py
Further automating databases – file_lister_peewee.py
Challenge
Summary
6
Extracting Artifacts from Binary Files
Extracting Artifacts from Binary Files
UserAssist
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
The UserAssist framework
Running the UserAssist framework
Additional challenges
Summary
7
Fuzzy Hashing
Fuzzy Hashing
Background on hashing
Using SSDeep in Python – ssdeep_python.py
Additional challenges
Citations
Summary
8
The Media Age
The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introduction to ID3 metadata
Introduction to Office metadata
Metadata_Parser framework overview
Parsing EXIF metadata – exif_parser.py
Parsing ID3 metdata – id3_parser.py
Parsing Office metadata – office_parser.py
Moving on to our writers
Framework summary
Additional challenges
Summary
9
Uncovering Time
Uncovering Time
About timestamps
Using a GUI
Developing the Date Decoder GUI – date_decoder.py
Additional challenges
Summary
10
Did Someone Say Keylogger?
Did Someone Say Keylogger?
A detailed look at keyloggers
Building a keylogger for Windows
Multiprocessing in Python – simple_multiprocessor.py
Running Python without a command window
Exploring the code
Citations
Additional challenges
Summary
11
Parsing Outlook PST Containers
Parsing Outlook PST Containers
The Personal Storage Table File Format
An introduction to libpff
Exploring PSTs – pst_indexer.py
Running the script
Additional challenges
Summary
12
Recovering Transient Database Records
Recovering Transient Database Records
SQLite WAL files
Regular expressions in Python
TQDM – a simpler progress bar
Parsing WAL files – wal_crawler.py
Executing wal_crawler.py
Challenge
Summary
13
Coming Full Circle
Coming Full Circle
Frameworks
Colorama
FIGlet
Exploring the framework – framework.py
Summary
Installing Python
Installing Python
Python for Windows
Python for OS X and Linux
Python Technical Details
Python Technical Details
The Python installation folder
Troubleshooting Exceptions
Troubleshooting Exceptions
AttributeError
ImportError
IndentationError
IOError
IndexError
KeyError
NameError
TypeError
ValueError
UnicodeEncodeError and UnicodeDecodeError
Index
Index

Chapter 7. Fuzzy Hashing

In modern computer forensics, we are tasked with examining massive datasets for evidence that supports or refutes an event. It is quite common to see a case that involves multiple devices or large amounts of data. With the sheer volume of data to evaluate, an examiner must sift out the information that is not relevant to the case and identify the data that is of interest. This process of identification takes a fair amount of time, even with current tools. In this chapter, we are going to explore Python solutions that can help us identify known files in a folder, or a mounted evidence container, in an automated manner.

Commonly, a white or black list can help us identify known files on a system through a matching hash value. If the hash value is a match, we can identify files as normal, malicious, or otherwise notable. But what if a file is not an exact match? This is an issue with the traditional cryptographic hashes we use in forensics to generate a unique hash based...

Previous Section
End of Section 1
Next Section