Index
A
- advanced data types
- Argparse
- argument_parser.py
- atomic commit scenario / SQLite WAL files
B
- bitcoin_address_lookup.py, final iteration
- about / Mastering our final iteration – bitcoin_address_lookup.py
- parseTransactions() function, enhancing / Enhancing the parseTransactions() function
- csvWriter() function, developing / Developing the csvWriter() function
- script, running / Running the script
- bitcoin_address_lookup.v1.py, first iteration
- about / Our first iteration – bitcoin_address_lookup.v1.py
- main() function, exploring / Exploring the main() function
- getAddress() function / Understanding the getAddress() function
- printTransactions() function, working with / Working with the printTransactions() function
- printHeader() helper function / The printHeader() helper function
- getInputs() helper function / The getInputs() helper function
- script, running / Running the script
- bitcoin_address_lookup.v2.py, second iteration
- about / Our second iteration – bitcoin_address_lookup.v2.py
- main() function, modifying / Modifying the main() function
- getAddress() function, improving / Improving the getAddress() function
- printTransactions() function, elaborating / Elaborating on the printTransactions() function
- script, running / Running the script
- built-in exceptions
- reference / Troubleshooting
C
- cellParser() function
- used, for processing cells / Processing cells with the cellParser() function
- challenges
- classes
- code, exploring
- about / Exploring the code
- screen captures / Capturing the screen
- clipboard captures / Capturing the clipboard
- keyboard event captures / Capturing the keyboard
- keylogger controllers / Keylogger controllers
- process creation capture / Capturing processes
- main() function / Understanding the main() function
- script execution / Running the script
- colorama module
- conditionals
- about / Conditionals
- createDictionary() function
- defining / Defining the createDictionary() function
- csv module
- csvWriter() function
- about / Understanding the csvWriter() function
- used, for writing output / Writing output with the csvWriter() function
- csv_writer.py script
D
- dashboardWriter() function
- databases
- about / An overview of databases
- challenge / Challenge
- databases, automating
- about / Further automating databases – file_lister_peewee.py
- Peewee setup / Peewee setup
- Jinja2 setup / Jinja2 setup
- main() function, updating / Updating the main() function
- initDB() function, adjusting / Adjusting the initDB() function
- getOrAddCustodian() function, modifying / Modifying the getOrAddCustodian() function
- ingestDirectory() function, improving / Improving the ingestDirectory() function
- formatTimestamp() function / A closer look at the formatTimestamp() function
- writeOutput() function, converting / Converting the writeOutput() function
- writeCSV() function, simplifying / Simplifying the writeCSV() function
- writeHTML() function, condensing / Condensing the writeHTML() function
- new and improved script, running / Running our new and improved script
- databases, manipulating manually with Python
- about / Manually manipulating databases with Python – file_lister.py
- main() function, building / Building the main() function
- database, initializing with initDB() function / Initializing the database with the initDB() function
- custodians, checking for with getOrAddCustodian() function / Checking for custodians with the getOrAddCustodian() function
- custodians, retrieving with getCustodian() function / Retrieving custodians with the getCustodian() function
- ingestDirectory() function / Understanding the ingestDirectory() function
- os.stat() method, exploring / Exploring the os.stat() method
- formatTimestamp() helper function, developing / Developing the formatTimestamp() helper function
- writeOutput() function, configuring / Configuring the writeOutput() function
- writeCSV() function, designing / Designing the writeCSV() function
- writeHTML() function, composing / Composing the writeHTML() function
- script, running / Running the script
- data type conversions
- about / Data type conversions
- Date Decoder GUI
- developing / Developing the Date Decoder GUI – date_decoder.py
- DateDecoder class setup / The DateDecoder class setup and __init__() method
- __init__() method / The DateDecoder class setup and __init__() method
- run() method, executing / Executing the run() method
- buildInputFrame() method, implementing / Implementing the buildInputFrame() method
- buildOutputFrame() method, creating / Creating the buildOutputFrame() method
- convert() method, building / Building the convert() method
- convert_unix_seconds() method, defining / Defining the convert_unix_seconds() method
- conversion, using convertWindowsFiletime_64() method / Conversion using the convertWindowsFiletime_64() method
- converting, with convertChromeTimestamps() method / Converting with the convertChromeTimestamps() method
- output method, designing / Designing the output method
- script, running / Running the script
- datetime objects
- about / Datetime objects
- date_decoder.py
- dictHelper() function
- writing / Writing the dictHelper() function
- pdb module / The Python debugger – pdb
- dictionaries
- about / Dictionaries
- docstrings / Getting started
E
- epoch
- about / What is epoch?
- Excel spreadsheets, writing
- xlsx_writer.py / Writing Excel spreadsheets – xlsx_writer.py
- output, controlling with excelWriter() function / Controlling output with the excelWriter() function
- data, summarizing with dashboardWriter() function / Summarizing data with the dashboardWriter() function
- artifacts, writing in userassistWriter() function / Writing artifacts in the userassistWriter() function
- fileTime() function, defining / Defining the fileTime() function
- integers, processing with sortByCount() function / Processing integers with the sortByCount() function
- DateTime objects, processing with sortByDate() function / Processing DateTime objects with the sortByDate() function
- excelWriter() function
- exceptions, troubleshooting
- AttributeErrors / AttributeError
- ImportErrors / ImportError
- IndentationError / IndentationError
- IOError / IOError
- IndexError / IndexError
- KeyError / KeyError
- NameError / NameError
- TypeError / TypeError
- ValueError / ValueError
- UnicodeEncodeError / UnicodeEncodeError and UnicodeDecodeError
- UnicodeDecodeError / UnicodeEncodeError and UnicodeDecodeError
- EXIF metadata
- about / Introduction to EXIF metadata
- reference, for list of tags / Introduction to EXIF metadata
- Pillow module / Introducing the Pillow module
- EXIF metadata, parsing
- exif_parser plugin / Parsing EXIF metadata – exif_parser.py
- exifParser() function / Understanding the exifParser() function
- getTags() function, developing / Developing the getTags() function
- dmsToDecimal() function, adding / Adding the dmsToDecimal() function
- exif_parser plugin
F
- FIGlet
- files
- about / Files
- file signatures
- reference / Iterators
- fileTime() function
- about / Defining the fileTime() function
- file_lister.py / Manually manipulating databases with Python – file_lister.py
- file_lister_peewee.py / Further automating databases – file_lister_peewee.py
- floats
- about / Integers and floats, Booleans and None
- flow logic
- scripting / Understanding scripting flow logic
- conditionals / Conditionals
- loops / Loops
- Focus Count / UserAssist
- Focus time / UserAssist
- forensic scripting best practices
- for loop
- about / For
- frameParser() function
- developing / Developing the frameParser() function
- framework-wide utility functions
- framework.py
- exploring / Exploring the framework – framework.py
- Framework object, exploring / Exploring the Framework object
- Plugin object, exploring / Exploring the Plugin object
- Writer object, exploring / Exploring the Writer object
- csv_writer.py / Our Final CSV writer – csv_writer.py
- xlsx_writer.py function / The writer – xlsx_writer.py
- plugins, modifying / Changes made to plugins
- executing / Executing the framework
- additional challenges / Additional challenges
- Framework object
- exploring / Exploring the Framework object
- Framework __init__() constructor / Understanding the Framework __init__() constructor
- Framework run() method, creating / Creating the Framework run() method
- Framework _list_files() method, used for iterating through files / Iterating through files with the Framework _list_files() method
- Framework _run_plugins() method, developing / Developing the Framework _run_plugins() method
- frameworks
- creating, in Python / Creating frameworks in Python
- supporting, with processors / Supporting our framework with processors
- components / Frameworks
- structure, building / Building a framework structure to last
- data standardization / Data standardization
- forensic frameworks / Forensic frameworks
- functions
- fuzzy hashing
- about / Exploring fuzzy hashing – fuzzy_hasher.py
- main() function / Starting with the main function
- files, working in fileController() function / Working with files in the fileController() function
- directories, working with in directoryController() function / Working with directories in the directoryController() function
- fuzzy hashes, generating with fuzzFile() function / Generating fuzzy hashes with the fuzzFile() function
- compareFuzzies() function, exploring / Exploring the compareFuzzies() function
- reports, creating with writer() function / Creating reports with the writer() function
- first iteration, running / Running the first iteration
- fuzzy_hasher.py
G
- generic spreadsheets, writing
- getName() function
- GitHub
- GPS data
- plotting, with Google Earth / Plotting GPS data with Google Earth – kml_writer.py
- GUI
- using / Using a GUI
- Tkinter objects / Basics of Tkinter objects
H
- hardware keyloggers
- about / Hardware keyloggers
- hashing
- files, hashing in Python / Hashing files in Python
- rolling hashes / Deep dive into rolling hashes
- rolling hashes, implementing / Implementing rolling hashes – hashing_example.py
- rolling hashes, limitations / Limitations of rolling hashes
- fuzzy hashing / Exploring fuzzy hashing – fuzzy_hasher.py
- human-computer interaction (HCI) / Detecting malicious processes
I
- ID3 metadata
- about / Introduction to ID3 metadata
- Mutagen module / Introducing the Mutagen module
- ID3 metadata, parsing
- about / Parsing ID3 metadata – id3_parser.py
- id3Parser() function / Understanding the id3Parser() function
- getTags() function / Revisiting the getTags() function
- id3_parser.py
- immutable / Sets and tuples
- installation
- Python for Windows / Python for Windows
- Python for OS X and Linux / Python for OS X and Linux
- integers
- about / Integers and floats, Booleans and None
- iterators
- about / Iterators
J
- json module
- reference / Serialized data structures
K
- keylogger, for Windows
- keyboard events, monitoring / Monitoring keyboard events
- screenshots, capturing / Capturing screenshots
- processes, monitoring / Monitoring processes
- keyloggers
- hardware keyloggers / Hardware keyloggers
L
- libewf
- reference link / Additional challenges
- libpff
- about / An introduction to libpff
- installing / How to install libpff and pypff
- libraries
- about / Libraries, Libraries in this book
- third-party libraries, installing / Installing third-party libraries
- Python packages / Python packages
- libtsk
- reference link / Additional challenges
- Linux
- Python, installing / Python for OS X and Linux
- lists
- about / Lists
- logging module
- loops
- lxml module
- reference / Introducing the lxml module
- about / Introducing the lxml module
M
- magic methods / Getting started
- main() function / Understanding the main() function
- Message Digest Algorithm 5 (MD5) / Hashing files in Python
- metadata_parser.py script
- Metadata_Parser framework
- overview / Metadata_Parser framework overview
- metadata_parser.py, main framework controller / Our main framework controller – metadata_parser.py
- controlling, with main() function / Controlling our framework with the main() function
- multiprocessing
- multiVarint() function
- used, for processing varints / Processing varints with the multiVarint() function
- Mutagen module
- about / Introducing the Mutagen module
- reference / Introducing the Mutagen module
O
- object-oriented programming (OOP) / Classes and object-oriented programming
- Office metadata
- about / Introduction to Office metadata
- lxml module / Introducing the lxml module
- Office metadata, parsing
- about / Parsing Office metadata – office_parser.py
- officeParser() function / Evaluating the officeParser() function
- getTags() function / The getTags() function for the last time
- office_parser.py
- Offline Storage Table (OST) / The Personal Storage Table File Format
- open source forensic frameworks
- volatility, reference link / Forensic frameworks
- Plaso, reference link / Forensic frameworks
- GRR (Google Rapid Response), reference link / Forensic frameworks
- OS X
- Python, installing / Python for OS X and Linux
P
- parse() method
- reference / About timestamps
- parseValues() function
- pdb module
- reference link / The Python debugger – pdb
- Personal Address Book (PAB) / The Personal Storage Table File Format
- Personal File Format (PFF) / The Personal Storage Table File Format
- personally identifiable information (PII) / Regular expressions in Python
- Personal Storage Table (PST)
- exploring / Exploring PSTs – pst_indexer.py
- Personal Storage Table File Format
- Pillow module
- about / Introducing the Pillow module
- pip
- reference / Installing third-party libraries
- Plugin object
- exploring / Exploring the Plugin object
- Plugin __init__() constructor / Understanding the Plugin __init__() constructor
- Plugin run() method, working with / Working with the Plugin run() method
- Plugin write() method, used for handling output / Handling output with the Plugin write() method
- Prefetch files
- reference link / Additional challenges
- processors directory
- pst_indexer.py
- exploring / Exploring PSTs – pst_indexer.py
- overview / An overview
- main() function, developing / Developing the main() function
- makePath() helper function, evaluating / Evaluating the makePath() helper function
- iteration, with folderTraverse() function / Iteration with the folderTraverse() function
- messages, identifying with checkForMessages() function / Identifying messages with the checkForMessages() function
- messages, processing in processMessage() function / Processing messages in the processMessage() function
- data, summarizing in folderReport() function / Summarizing data in the folderReport() function
- wordStats() function / Understanding the wordStats() function
- wordReport() function, creating / Creating the wordReport() function
- senderReport() function, building / Building the senderReport() function
- heat map, refining with dateReport() function / Refining the heat map with the dateReport() function
- HTMLReport() function, writing / Writing the HTMLReport() function
- HTML template / The HTML template
- script, running / Running the script
- pyHooks
- about / PyHooks
- pypff
- installing / How to install libpff and pypff
- Python
- about / When to use Python?
- using / When to use Python?
- development life cycle / When to use Python?
- frameworks, creating / Creating frameworks in Python
- multiprocessing / Multiprocessing in Python – simple_multiprocessor.py
- running, without command window / Running Python without a command window
- large objects, manipulating / Manipulating large objects in Python
- regular expressions / Regular expressions in Python
- for Windows / Python for Windows
- for OS X / Python for OS X and Linux
- for Linux / Python for OS X and Linux
- Python installation folder
- about / The Python installation folder
- Doc folder / The Doc folder
- Lib folder / The Lib folder
- Scripts folder / The Scripts folder
- Python interpreter / The Python interpreter
- Python modules / Python modules
- Python interpreter / The Python interpreter
- Python modules / Python modules
- Python Package Index
- reference / Installing third-party libraries
- Python scripts
- developing / Getting started
- Python Virtual Machine (PVM) / Conditionals, The Python interpreter
- pywin32
- about / PyWin32
R
- Registry module
- working with / Working with the Registry module
- regularSearch() function
- regular expression, using / Using regular expression in the regularSearch() function
- rollback scenario / SQLite WAL files
- ROT-13
S
- script
- designing / Designing our script
- Secure Hash Algorithm (SHA) family / Hashing files in Python
- serialization
- about / Serialized data structures
- serialized data structures
- about / Serialized data structures
- challenge / Additional challenges
- sets
- about / Sets and tuples
- setup API
- about / Setup API
- setupapi.dev.log file
- about / Setup API
- setupapi_parser.py, final iteration
- about / Our final iteration – setupapi_parser.py
- main() function, extending / Extending the main() function
- parseSetupapi() function, adding to / Adding to the parseSetupapi() function
- parseDeviceInfo() function, creating / Creating the parseDeviceInfo() function
- prepUSBLookup() function, forming / Forming the prepUSBLookup() function
- getDeviceNames() function, constructing / Constructing the getDeviceNames() function
- printOutput() function, enhancing / Enhancing the printOutput() function
- script, running / Running the script
- setupapi_parser.py script
- about / Introducing our script
- overview / Overview
- setupapi_parser.v1.py, first iteration
- about / Our first iteration – setupapi_parser.v1.py
- main() function, designing / Designing the main() function
- parseSetupapi() function, crafting / Crafting the parseSetupapi() function
- printOutput() function, developing / Developing the printOutput() function
- script, running / Running the script
- setupapi_parser.v2.py, second iteration
- about / Our second iteration – setupapi_parser.v2.py
- main() function, improving / Improving the main() function
- parseSetupapi() function, tuning / Tuning the parseSetupapi() function
- printOutput() function, modifying / Modifying the printOutput() function
- script, running / Running the script
- simple Bitcoin Web API
- about / A simple Bitcoin Web API
- singleVarint() function
- used, for processing varints / Processing varints with the singleVarint() function
- software keyloggers
- processes listening to keystrokes, identifying / Detecting malicious processes
- sortByCount() function
- sortByDate() function
- spreadsheets
- writing / Writing spreadsheets – csv_writer.py
- spreadsheets, creating with xlsxwriter module
- about / Creating spreadsheets with the xlsxwriter module
- data, adding / Adding data to a spreadsheet
- table, building / Building a table
- charts, creating with Python / Creating charts with Python
- SQLite3
- about / Using SQLite3
- using / Using SQLite3
- Structured Query Language, using / Using the Structured Query Language
- URL / Using the Structured Query Language
- sqlite3 command-line tool
- SQLite WAL files
- about / SQLite WAL files
- reference link / SQLite WAL files, WAL format and technical specifications
- format / WAL format and technical specifications
- technical specifications / WAL format and technical specifications
- header / The WAL header
- frame / The WAL frame
- cell / The WAL cell and varints
- varints / The WAL cell and varints
- large objects, manipulating in Python / Manipulating large objects in Python
- SSDeep, using in Python
- about / Using SSDeep in Python – ssdeep_python.py
- main() function / Revisiting the main() function
- fileController() function / The new fileController() function
- directoryController() function, repurposing / Repurposing the directoryController() function
- changes, demonstrating in writer() function / Demonstrating changes in the writer() function
- second iteration, running / Running the second iteration
- ssdeep_python.py
- standard data types
- about / Standard data types
- strings / Strings and Unicode
- unicode / Strings and Unicode
- integers / Integers and floats
- floats / Integers and floats
- Booleans / Booleans and None
- null type / Booleans and None
- strings
- about / Strings and Unicode
- struct module
- about / Introducing the Struct module
- reference / Introducing the Struct module
- structured data types
- about / Structured data types
- lists / Lists
- dictionaries / Dictionaries
- sets / Sets and tuples
- tuples / Sets and tuples
T
- timeit module
- about / Evaluating code with timeit
- reference / Evaluating code with timeit
- timestamps
- about / About timestamps
- Tkinter documentation
- reference / Basics of Tkinter objects
- Tkinter GUI
- implementing / Implementation of the Tkinter GUI
- Tkinter objects
- basics / Basics of Tkinter objects
- Frame objects, using / Using Frame objects
- classes, using / Using classes in Tkinter
- tqdm module
- using / TQDM – a simpler progress bar
- troubleshooting
- about / Troubleshooting
- try and except syntax
- about / Try and except
- raise() method / Raise
- tuples
- about / Sets and tuples
- typeHelper() function
- used, for converting serial types / Converting serial types with the typeHelper() function
U
- unicode
- about / Strings and Unicode
- unix_converter.py
- unix_converter.py script
- usb_lookup.py, forensic script
- developing / Developing our first forensic script – usb_lookup.py
- main() function / Understanding the main() function
- getRecord() function, exploring / Exploring the getRecord() function
- searchKey() function, interpreting / Interpreting the searchKey() function
- running / Running our first forensic script
- UserAssist
- about / UserAssist
- ROT-13 substitution cipher / Understanding the ROT-13 substitution cipher – rot13.py
- code, evaluating with timeit / Evaluating code with timeit
- userassist.py script
- UserAssist framework
- about / The UserAssist framework
- UserAssist logic processor, developing / Developing our UserAssist logic processor – userassist.py
- Excel spreadsheets, writing / Writing Excel spreadsheets – xlsx_writer.py
- generic spreadsheets, writing / Writing generic spreadsheets – csv_writer.py
- running / Running the UserAssist framework
- challenge / Additional challenges
- UserAssist logic processor, developing
- userassist.py script / Developing our UserAssist logic processor – userassist.py
- main() function, evaluating / Evaluating the main() function
- createDictionary() function, defining / Defining the createDictionary() function
- data, extracting with parseValues() function / Extracting data with the parseValues() function
- strings, processing with getName() function / Processing strings with the getName() function
- userassistWriter() function
- user input
- about / User input
- raw input method, using / Using the raw input method and the system module – user_input.py
- user_input.py, using / Using the raw input method and the system module – user_input.py
- argument_parser.py / Understanding Argparse – argument_parser.py
- utility.py
V
- variables
- about / Variables
- varints
- reference link / The WAL cell and varints
W
- WAL files
- reference link / SQLite WAL files, The WAL cell and varints
- wal_crawler.py, parsing / Parsing WAL files – wal_crawler.py
- wal_crawler.py
- parsing / Parsing WAL files – wal_crawler.py
- main() function / Understanding the main() function
- frameParser() function, developing / Developing the frameParser() function
- cellParser() function, used for processing cells / Processing cells with the cellParser() function
- dictHelper() function, writing / Writing the dictHelper() function
- singleVarint() function, used for processing varints / Processing varints with the singleVarint() function
- multiVarint() function, used for processing varints / Processing varints with the multiVarint() function
- typeHelper() function, used for converting serial types / Converting serial types with the typeHelper() function
- csvWriter() function, used for writing output / Writing output with the csvWriter() function
- regular expression, using in regularSearch() function / Using regular expression in the regularSearch() function
- executing / Executing wal_crawler.py
- while loop
- about / While
- Windows
- keylogger, building for / Building a keylogger for Windows
- Python, installing / Python for Windows
- Windows API
- WMI
- about / WMI
- Writer object
- exploring / Exploring the Writer object
- Writer __init__() constructor / Understanding the Writer __init__() constructor
- Writer run() method / Understanding the Writer run() method
- writers directory
- about / Moving on to our writers
- csv_writer.py / Writing spreadsheets – csv_writer.py
- kml_writer.py / Plotting GPS data with Google Earth – kml_writer.py
X
- xlsxwriter module
- about / Creating spreadsheets with the xlsxwriter module
- used, for creating spreadsheets / Creating spreadsheets with the xlsxwriter module
- xlsx_writer.py script
- xml module
- reference / Serialized data structures