Book Image

Python Digital Forensics Cookbook

By : Chapin Bryce, Preston Miller
Book Image

Python Digital Forensics Cookbook

By: Chapin Bryce, Preston Miller

Overview of this book

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Related Content you might be interested in

Current Title:

Small book image
Python Digital Forensics Cookbook
Chapin Bryce | Preston Miller
Sep, 2017 | 412 pages
Small book image
Learning Python for Forensics.
Preston Miller | Chapin Bryce
Jan, 2019 | 476 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Table of Contents (11 chapters)
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Conventions
Reader feedback
Customer support
Free Chapter
1
Essential Scripting and File Information Recipes
Essential Scripting and File Information Recipes
Introduction
Handling arguments like an adult
Iterating over loose files
Recording file attributes
Copying files, attributes, and timestamps
Hashing files and data streams
Keeping track with a progress bar
Logging results
Multiple hands make light work
2
Creating Artifact Report Recipes
Creating Artifact Report Recipes
Introduction
Using HTML templates
Creating a paper trail
Working with CSVs
Visualizing events with Excel
Auditing your work
3
A Deep Dive into Mobile Forensic Recipes
A Deep Dive into Mobile Forensic Recipes
Introduction
Parsing PLIST files
Handling SQLite databases
Identifying gaps in SQLite databases
Processing iTunes backups
Putting Wi-Fi on the map
Digging deep to recover messages
4
Extracting Embedded Metadata Recipes
Extracting Embedded Metadata Recipes
Introduction
Extracting audio and video metadata
The big picture
Mining for PDF metadata
Reviewing executable metadata
Reading office document metadata
Integrating our metadata extractor with EnCase
5
Networking and Indicators of Compromise Recipes
Networking and Indicators of Compromise Recipes
Introduction
Getting a jump start with IEF
Coming into contact with IEF
Beautiful Soup
Going hunting for viruses
Gathering intel
Totally passive
6
Reading Emails and Taking Names Recipes
Reading Emails and Taking Names Recipes
Introduction
Parsing EML files
Viewing MSG files
Ordering Takeout
What’s in the box?!
Parsing PST and OST mailboxes
7
Log-Based Artifact Recipes
Log-Based Artifact Recipes
Introduction
About time
Parsing IIS web logs with RegEx
Going spelunking
Interpreting the daily.out log
Adding daily.out parsing to Axiom
Scanning for indicators with YARA
8
Working with Forensic Evidence Container Recipes
Working with Forensic Evidence Container Recipes
Introduction
Opening acquisitions
Gathering acquisition and media information
Iterating through files
Processing files within the container
Searching for hashes
9
Exploring Windows Forensic Artifacts Recipes - Part I
Exploring Windows Forensic Artifacts Recipes - Part I
Introduction
One man's trash is a forensic examiner's treasure
A sticky situation
Reading the registry
Gathering user activity
The missing link
Searching high and low
10
Exploring Windows Forensic Artifacts Recipes - Part II
Exploring Windows Forensic Artifacts Recipes - Part II
Introduction
Parsing prefetch files
A series of fortunate events
Indexing internet history
Shadow of a former self
Dissecting the SRUM database

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "We can gather the required information by calling the get_data() function."

A block of code is set as follows:

def hello_world():
   print(“Hello World!”)
hello_world()

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

def hello_world():
    print(“Hello World!”)
hello_world()

Any command-line input or output is written as follows:

# pip install tqdm==4.11.2

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Select System info from the Administration panel."

Warnings or important notes appear like this.
Tips and tricks appear like this.
Previous Section
Next Section