Book Image

Python Digital Forensics Cookbook

By : Chapin Bryce, Preston Miller
Book Image

Python Digital Forensics Cookbook

By: Chapin Bryce, Preston Miller

Overview of this book

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Related Content you might be interested in

Current Title:

Small book image
Python Digital Forensics Cookbook
Chapin Bryce | Preston Miller
Sep, 2017 | 412 pages
Small book image
Learning Python for Forensics.
Preston Miller | Chapin Bryce
Jan, 2019 | 476 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Table of Contents (11 chapters)
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Conventions
Reader feedback
Customer support
Free Chapter
1
Essential Scripting and File Information Recipes
Essential Scripting and File Information Recipes
Introduction
Handling arguments like an adult
Iterating over loose files
Recording file attributes
Copying files, attributes, and timestamps
Hashing files and data streams
Keeping track with a progress bar
Logging results
Multiple hands make light work
2
Creating Artifact Report Recipes
Creating Artifact Report Recipes
Introduction
Using HTML templates
Creating a paper trail
Working with CSVs
Visualizing events with Excel
Auditing your work
3
A Deep Dive into Mobile Forensic Recipes
A Deep Dive into Mobile Forensic Recipes
Introduction
Parsing PLIST files
Handling SQLite databases
Identifying gaps in SQLite databases
Processing iTunes backups
Putting Wi-Fi on the map
Digging deep to recover messages
4
Extracting Embedded Metadata Recipes
Extracting Embedded Metadata Recipes
Introduction
Extracting audio and video metadata
The big picture
Mining for PDF metadata
Reviewing executable metadata
Reading office document metadata
Integrating our metadata extractor with EnCase
5
Networking and Indicators of Compromise Recipes
Networking and Indicators of Compromise Recipes
Introduction
Getting a jump start with IEF
Coming into contact with IEF
Beautiful Soup
Going hunting for viruses
Gathering intel
Totally passive
6
Reading Emails and Taking Names Recipes
Reading Emails and Taking Names Recipes
Introduction
Parsing EML files
Viewing MSG files
Ordering Takeout
What’s in the box?!
Parsing PST and OST mailboxes
7
Log-Based Artifact Recipes
Log-Based Artifact Recipes
Introduction
About time
Parsing IIS web logs with RegEx
Going spelunking
Interpreting the daily.out log
Adding daily.out parsing to Axiom
Scanning for indicators with YARA
8
Working with Forensic Evidence Container Recipes
Working with Forensic Evidence Container Recipes
Introduction
Opening acquisitions
Gathering acquisition and media information
Iterating through files
Processing files within the container
Searching for hashes
9
Exploring Windows Forensic Artifacts Recipes - Part I
Exploring Windows Forensic Artifacts Recipes - Part I
Introduction
One man's trash is a forensic examiner's treasure
A sticky situation
Reading the registry
Gathering user activity
The missing link
Searching high and low
10
Exploring Windows Forensic Artifacts Recipes - Part II
Exploring Windows Forensic Artifacts Recipes - Part II
Introduction
Parsing prefetch files
A series of fortunate events
Indexing internet history
Shadow of a former self
Dissecting the SRUM database

Introduction

Digital forensics involves the identification and analysis of digital media to assist in legal, business, and other types of investigations. Oftentimes, results stemming from our analysis have a major impact on the direction of an investigation. With Moore’s law more or less holding true, the amount of data we are expected to review is steadily growing. Given this, it’s a foregone conclusion that an investigator must rely on some level of automation to effectively review evidence. Automation, much like a theory, must be thoroughly vetted and validated so as not to allow for falsely drawn conclusions. Unfortunately, investigators may use a tool to automate some process but not fully understand the tool, the underlying forensic artifact, or the output’s significance. This is where Python comes into play.

In Python Digital Forensics Cookbook, we develop and detail recipes covering a number of typical scenarios. The purpose is to not only demonstrate Python features and libraries for those learning the language but to also illustrate one of its great benefits: namely, a forced basic understanding of the artifact. Without this understanding, it is impossible to develop the code in the first place, thereby forcing you to understand the artifact at a deeper level. Add to that the relative ease of Python and the obvious benefits of automation, and it is easy to see why this language has been adapted so readily by the community.

One method of ensuring that investigators understand the product of our scripts is to provide meaningful documentation and explanation of the code. Hence the purpose of this book. The recipes demonstrated throughout show how to configure argument parsing that is both easy to develop and simple for the user to understand. To add to the script's documentation, we will cover techniques to effectively log the process that was taken and any errors encountered by the script.

Another unique feature of scripts designed for digital forensics is the interaction with files and their associated metadata. Forensic scripts and applications require the accurate retrieval and preservation of file attributes, including dates, permissions, and file hashes. This chapter will cover methods to extract and present this data to the examiner.

Interaction with the operating system and files found on attached volumes are at the core of any script designed for use in digital forensics. During analysis, we need to access and parse files with a wide variety of structures and formats. For this reason, it's important to accurately and properly handle and interact with files. The recipes presented in this chapter cover common libraries and techniques that will continue to be used throughout the book:

  • Parsing command-line arguments
  • Recursively iterating over files and folders
  • Recording and preserving file and folder metadata
  • Generating hash values of files and other content
  • Monitoring code with progress bars
  • Logging recipe execution information and errors
  • Improving performance with multiprocessing
Visit www.packtpub.com/books/content/support to download the code bundle for this chapter.
Previous Section
End of Section 2
Next Section