Book Image

Learning Python for Forensics

By : Chapin Bryce
Book Image

Learning Python for Forensics

By: Chapin Bryce

Overview of this book

This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.

Related Content you might be interested in

Current Title:

Small book image
Learning Python for Forensics
Chapin Bryce
May, 2016 | 488 pages
No titles found
Table of Contents (24 chapters)
Learning Python for Forensics
Learning Python for Forensics
Credits
Credits
About the Authors
About the Authors
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Now For Something Completely Different
Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Data type conversions
Files
Variables
Understanding scripting flow logic
Functions
Summary
2
Python Fundamentals
Python Fundamentals
Advanced data types and functions
Libraries
Classes and object-oriented programming
Try and except
Creating our first script – unix_converter.py
User input
Forensic scripting best practices
Developing our first forensic script – usb_lookup.py
Troubleshooting
Challenge
Summary
3
Parsing Text Files
Parsing Text Files
Setup API
Introducing our script
Our first iteration – setupapi_parser.v1.py
Our second iteration – setupapi_parser.v2.py
Our final iteration – setupapi_parser.py
Additional challenges
Summary
4
Working with Serialized Data Structures
Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration – bitcoin_address_lookup.v1.py
Our second iteration – bitcoin_address_lookup.v2.py
Mastering our final iteration – bitcoin_address_lookup.py
Summary
5
Databases in Python
Databases in Python
An overview of databases
Using SQLite3
Designing our script
Manually manipulating databases with Python – file_lister.py
Further automating databases – file_lister_peewee.py
Challenge
Summary
6
Extracting Artifacts from Binary Files
Extracting Artifacts from Binary Files
UserAssist
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
The UserAssist framework
Running the UserAssist framework
Additional challenges
Summary
7
Fuzzy Hashing
Fuzzy Hashing
Background on hashing
Using SSDeep in Python – ssdeep_python.py
Additional challenges
Citations
Summary
8
The Media Age
The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introduction to ID3 metadata
Introduction to Office metadata
Metadata_Parser framework overview
Parsing EXIF metadata – exif_parser.py
Parsing ID3 metdata – id3_parser.py
Parsing Office metadata – office_parser.py
Moving on to our writers
Framework summary
Additional challenges
Summary
9
Uncovering Time
Uncovering Time
About timestamps
Using a GUI
Developing the Date Decoder GUI – date_decoder.py
Additional challenges
Summary
10
Did Someone Say Keylogger?
Did Someone Say Keylogger?
A detailed look at keyloggers
Building a keylogger for Windows
Multiprocessing in Python – simple_multiprocessor.py
Running Python without a command window
Exploring the code
Citations
Additional challenges
Summary
11
Parsing Outlook PST Containers
Parsing Outlook PST Containers
The Personal Storage Table File Format
An introduction to libpff
Exploring PSTs – pst_indexer.py
Running the script
Additional challenges
Summary
12
Recovering Transient Database Records
Recovering Transient Database Records
SQLite WAL files
Regular expressions in Python
TQDM – a simpler progress bar
Parsing WAL files – wal_crawler.py
Executing wal_crawler.py
Challenge
Summary
13
Coming Full Circle
Coming Full Circle
Frameworks
Colorama
FIGlet
Exploring the framework – framework.py
Summary
Installing Python
Installing Python
Python for Windows
Python for OS X and Linux
Python Technical Details
Python Technical Details
The Python installation folder
Troubleshooting Exceptions
Troubleshooting Exceptions
AttributeError
ImportError
IndentationError
IOError
IndexError
KeyError
NameError
TypeError
ValueError
UnicodeEncodeError and UnicodeDecodeError
Index
Index

Python for Windows

Python does not come installed by default on Windows machines. At the time of writing this, Python 2.7.11 is the most recent 2.X line and can be installed by downloading the python-2.7.11.msi file from https://www.python.org/downloads/. We recommend installing the 64-bit version if supported by your hardware.

After executing the Python installer, you can run Python by clicking on the python.exe file located in the C:\Python27 directory or from the command prompt at C:\Users\LPF>C:\Python27\python.exe. This path may vary depending on customizations during installation.

The third, and easiest, method to run Python is to just type python in the Command Prompt. To do this, we must add the location of the Python executable to our PATH variable. Python includes an automatic way of doing this, simply run the win_add2path.py script in the command prompt. After the script runs, close and open a new command prompt to load the new PATH variable before typing python.

C:\Users\LPF>C:\Python27\Tools\Scripts\win_add2path.py

You can also perform this manually by right-clicking My Computer, or This PC on Windows 8.1, and selecting Properties. On the left-hand side panel, select Advanced system settings followed by Environment Variables.

In the System variables box, select the Path variable and add the following (with the exception of the quotes) to the end ";C:\Python27;C:\Python27\Scripts". The Python27 directory contains the python executable, which we often invoke from the command line. The Scripts directory contains multiple scripts such as pip and easy_install, which make installing third-party modules a breeze. With this now complete, you have successfully installed Python.

If you did this incorrectly, you would receive the following error when typing python into the command prompt:

C:\Users\LPF>python
'python' is not recognized as an internal or external command,  operable program or batc
h file.

Make sure that you've closed and opened a new command prompt after updating the PATH variable. In addition, ensure that you've added the correct path information for the Python27 and Scripts folders as illustrated earlier.

Previous Section
End of Section
Next Section