Book Image

Learning Python for Forensics - Second Edition

By : Preston Miller, Chapin Bryce
Book Image

Learning Python for Forensics - Second Edition

By: Preston Miller, Chapin Bryce

Overview of this book

Digital forensics plays an integral role in solving complex cybercrimes and helping organizations make sense of cybersecurity incidents. This second edition of Learning Python for Forensics illustrates how Python can be used to support these digital investigations and permits the examiner to automate the parsing of forensic artifacts to spend more time examining actionable data. The second edition of Learning Python for Forensics will illustrate how to develop Python scripts using an iterative design. Further, it demonstrates how to leverage the various built-in and community-sourced forensics scripts and libraries available for Python today. This book will help strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. By the end of this book, you will build a collection of Python scripts capable of investigating an array of forensic artifacts and master the skills of extracting metadata and parsing complex data structures into actionable reports. Most importantly, you will have developed a foundation upon which to build as you continue to learn Python and enhance your efficacy as an investigator.

Related Content you might be interested in

Current Title:

Small book image
Learning Python for Forensics - Second Edition
Preston Miller | Chapin Bryce
Jan, 2019 | 476 pages
Small book image
Python Digital Forensics Cookbook
Preston Miller | Chapin Bryce
Sep, 2017 | 412 pages
Table of Contents (15 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Now for Something Completely Different
Now for Something Completely Different
When to use Python
Getting started
The omnipresent print() function
Standard data types
Data type conversions
Files
Variables
Understanding scripting flow logic
Functions
Summary
2
Python Fundamentals
Python Fundamentals
Advanced data types and functions
Libraries
Classes and object-oriented programming
Try and except
Creating our first script – unix_converter.py
User input
Forensic scripting best practices
Developing our first forensic script – usb_lookup.py
Troubleshooting
Challenge
Summary
3
Parsing Text Files
Parsing Text Files
Setup API
Introducing our script
Our first iteration – setupapi_parser_v1.py
Our second iteration – setupapi_parser_v2.py
Our final iteration – setupapi_parser.py
Challenge
Summary
4
Working with Serialized Data Structures
Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin web API
Our first iteration – bitcoin_address_lookup.v1.py
Our second iteration – bitcoin_address_lookup.v2.py
Mastering our final iteration – bitcoin_address_lookup.py
Summary
5
Databases in Python
Databases in Python
An overview of databases
Designing our script
Manually manipulating databases with Python – file_lister.py
Automating databases further – file_lister_peewee.py
Challenge
Summary
6
Extracting Artifacts from Binary Files
Extracting Artifacts from Binary Files
UserAssist
Working with the yarp library
Introducing the struct module
Creating spreadsheets with the xlsxwriter module
The UserAssist framework
Running the UserAssist framework
Challenge
Summary
7
Fuzzy Hashing
Fuzzy Hashing
Background on hashing
Creating fuzzy hashes
Using ssdeep in Python – ssdeep_python.py
Additional challenges
References
Summary
8
The Media Age
The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introduction to ID3 metadata
Introduction to Office metadata
The Metadata_Parser framework overview
Parsing EXIF metadata – exif_parser.py
Parsing ID3 metdata – id3_parser.py
Parsing Office metadata – office_parser.py
Moving on to our writers
Framework summary
Additional challenges
Summary
9
Uncovering Time
Uncovering Time
About timestamps
Using a GUI
Developing the date decoder GUI – date_decoder.py
Additional challenges
Summary
10
Rapidly Triaging Systems
Rapidly Triaging Systems
Understanding the value of system information
Rapidly triaging systems – pysysinfo.py
Executing pysysinfo.py
Challenges
Summary
11
Parsing Outlook PST Containers
Parsing Outlook PST Containers
The PST file format
An introduction to libpff
Exploring PSTs – pst_indexer.py
Running the script
Additional challenges
Summary
12
Recovering Transient Database Records
Recovering Transient Database Records
SQLite WAL files
Regular expressions in Python
TQDM – a simpler progress bar
Parsing WAL files – wal_crawler.py
Executing wal_crawler.py
Challenge
Summary
13
Coming Full Circle
Coming Full Circle
Frameworks
Colorama
FIGlet
Exploring the framework – framework.py
Additional challenges
14
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

UserAssist

The UserAssist artifact identifies graphical user interface (GUI) application execution on Windows machines. This artifact stores differing amounts of information depending on the version of Windows OS. To identify the data specific to certain applications, we have to decode the registry key name as it is stored as the ROT13-encoded path and name of the application. As an example, the UserAssist value data for Windows XP and Vista is 16 bytes in length, and it stores the following:

  • The last execution time in UTC (in FILETIME format)
  • Execution count
  • Session ID

The last execution time information is stored as a Windows FILETIME object. This is another common representation of time that differs from the UNIX timestamps we've seen in previous chapters. We will show how this timestamp can be interpreted within Python and displayed as human-readable, later in this...

Previous Section
End of Section 2
Next Section