Chapter 1, Essential Scripting and File Information Recipes, introduces you to the conventions and basic features of Python used throughout the book. By the end of the chapter, you will create a robust and useful data and metadata preservation script.
Chapter 2, Creating Artifact Report Recipes, demonstrates practical methods of creating reports with forensic artifacts. From spreadsheets to web-based dashboards, we show the flexibility and utility of various reporting formats.
Chapter 3, A Deep Dive into Mobile Forensic Recipes, features iTunes' backup processing, deleted SQLite database record recovery, and mapping Wi-Fi access point MAC addresses from Cellebrite XML reports.
Chapter 4, Extracting Embedded Metadata Recipes, exposes common file types containing embedded metadata and how to extract it. We also provide you with knowledge of how to integrate Python scripts with the popular forensic software, EnCase.
Chapter 5, Networking and Indicators of Compromise Recipes, focuses on network and web-based artifacts and how to extract more information from them. You will learn how to preserve data from websites, interact with processed IEF results, create hash sets for X-Ways, and identify bad domains or IP addresses.
Chapter 6, Reading Emails and Taking Names Recipes, explores the many file types for both individual e-mail messages and entire mailboxes, including Google Takeout MBox, and how to use Python for extraction and analysis.
Chapter 7, Log-Based Artifact Recipes, illustrates how to process artifacts from several log formats, such as IIS, and ingest them with Python info reports or other industry tools, such as Splunk. You will also learn how to develop and use Python recipes to parse files and create artifacts within Axiom.
Chapter 8, Working with Forensic Evidence Container Recipes, shows off the basic forensic libraries required to interact and process forensic evidence containers, including EWF and raw formats. You will learn how to access data from forensic containers, identify disk partition information, and iterate through filesystems.
Chapter 9, Exploring Windows Forensic Artifacts Recipes Part I, leverages the framework developed in Chapter 8, Working with Forensic Evidence Container Recipes, to process various Windows artifacts within forensic evidence containers. These artifacts include $I Recycle Bin files, various Registry artifacts, LNK files, and the Windows.edb index.
Chapter 10, Exploring Windows Forensic Artifacts Recipes Part II, continues to leverage the framework developed in Chapter 8, Working with Forensic Evidence Container Recipes, to process more Windows artifacts within forensic evidence containers. These artifacts include Prefetch files, Event logs, Index.dat, Volume Shadow Copies, and the Windows 10 SRUM database.