Book description
Learn the art of designing, developing, and deploying innovative forensic solutions through Python
About This Book
This practical guide will help you solve forensic dilemmas through the development of Python scripts
Analyze Python scripts to extract metadata and investigate forensic artifacts
Master the skills of parsing complex data structures by taking advantage of Python libraries
Who This Book Is For
If you are a forensics student, hobbyist, or professional who is seeking to increase your understanding of forensics through the use of a programming language, then this book is for you.
You are not required to have previous experience in programming to learn and master the content within this book. This material, created by forensic professionals, was written with a unique perspective and understanding of examiners who wish to learn programming.
What You Will Learn
Discover how to perform Python script development
Update yourself by learning the best practices in forensic programming
Build scripts through an iterative design
Explore the rapid development of specialized scripts
Understand how to leverage forensic libraries developed by the community
Design flexibly to accommodate present and future hurdles
Conduct effective and efficient investigations through programmatic pre-analysis
Discover how to transform raw data into customized reports and visualizations
In Detail
This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer.
Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle casework in the field. Using built-in and community-sourced libraries, you will improve your problem-solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.
Style and approach
The book begins by instructing you on the basics of Python, followed by chapters that include scripts targeted for forensic casework. Each script is described step by step at an introductory level, providing gradual growth to demonstrate the available functionalities of Python.
Table of contents
- Learning Python for Forensics
- Table of Contents
- Learning Python for Forensics
- Credits
- About the Authors
- Acknowledgments
- About the Reviewer
- www.PacktPub.com
- Preface
- 1. Now For Something Completely Different
- 2. Python Fundamentals
- 3. Parsing Text Files
- 4. Working with Serialized Data Structures
- 5. Databases in Python
- An overview of databases
- Using SQLite3
- Designing our script
- Manually manipulating databases with Python – file_lister.py
- Building the main() function
- Initializing the database with the initDB() function
- Checking for custodians with the getOrAddCustodian() function
- Retrieving custodians with the getCustodian() function
- Understanding the ingestDirectory() function
- Developing the formatTimestamp() helper function
- Configuring the writeOutput() function
- Designing the writeCSV() function
- Composing the writeHTML() function
- Running the script
- Further automating databases – file_lister_peewee.py
- Peewee setup
- Jinja2 setup
- Updating the main() function
- Adjusting the initDB() function
- Modifying the getOrAddCustodian() function
- Improving the ingestDirectory() function
- A closer look at the formatTimestamp() function
- Converting the writeOutput() function
- Simplifying the writeCSV() function
- Condensing the writeHTML() function
- Running our new and improved script
- Challenge
- Summary
- 6. Extracting Artifacts from Binary Files
- UserAssist
- Working with the Registry module
- Introducing the Struct module
- Creating spreadsheets with the xlsxwriter module
- The UserAssist framework
- Developing our UserAssist logic processor – userassist.py
- Writing Excel spreadsheets – xlsx_writer.py
- Controlling output with the excelWriter() function
- Summarizing data with the dashboardWriter() function
- Writing artifacts in the userassistWriter() function
- Defining the fileTime() function
- Processing integers with the sortByCount() function
- Processing DateTime objects with the sortByDate() function
- Writing generic spreadsheets – csv_writer.py
- Running the UserAssist framework
- Additional challenges
- Summary
- 7. Fuzzy Hashing
- Background on hashing
- Hashing files in Python
- Deep dive into rolling hashes
- Exploring fuzzy hashing – fuzzy_hasher.py
- Starting with the main function
- Working with files in the fileController() function
- Working with directories in the directoryController() function
- Generating fuzzy hashes with the fuzzFile() function
- Exploring the compareFuzzies() function
- Creating reports with the writer() function
- Running the first iteration
- Using SSDeep in Python – ssdeep_python.py
- Additional challenges
- Citations
- Summary
- 8. The Media Age
- Creating frameworks in Python
- Introduction to EXIF metadata
- Introduction to ID3 metadata
- Introduction to Office metadata
- Metadata_Parser framework overview
- Parsing EXIF metadata – exif_parser.py
- Parsing ID3 metadata – id3_parser.py
- Parsing Office metadata – office_parser.py
- Moving on to our writers
- Framework summary
- Additional challenges
- Summary
- 9. Uncovering Time
- About timestamps
- Using a GUI
- Developing the Date Decoder GUI – date_decoder.py
- The DateDecoder class setup and __init__() method
- Executing the run() method
- Implementing the buildInputFrame() method
- Creating the buildOutputFrame() method
- Building the convert() method
- Defining the convert_unix_seconds() method
- Conversion using the convertWindowsFiletime_64() method
- Converting with the convertChromeTimestamps() method
- Designing the output method
- Running the script
- Additional challenges
- Summary
- 10. Did Someone Say Keylogger?
- 11. Parsing Outlook PST Containers
- The Personal Storage Table File Format
- An introduction to libpff
- Exploring PSTs – pst_indexer.py
- An overview
- Developing the main() function
- Evaluating the makePath() helper function
- Iteration with the folderTraverse() function
- Identifying messages with the checkForMessages() function
- Processing messages in the processMessage() function
- Summarizing data in the folderReport() function
- Understanding the wordStats() function
- Creating the wordReport() function
- Building the senderReport() function
- Refining the heat map with the dateReport() function
- Writing the HTMLReport() function
- The HTML template
- Running the script
- Additional challenges
- Summary
- 12. Recovering Transient Database Records
- SQLite WAL files
- Regular expressions in Python
- TQDM – a simpler progress bar
- Parsing WAL files – wal_crawler.py
- Understanding the main() function
- Developing the frameParser() function
- Processing cells with the cellParser() function
- Writing the dictHelper() function
- Processing varints with the singleVarint() function
- Processing varints with the multiVarint() function
- Converting serial types with the typeHelper() function
- Writing output with the csvWriter() function
- Using regular expressions in the regularSearch() function
- Executing wal_crawler.py
- Challenge
- Summary
- 13. Coming Full Circle
- A. Installing Python
- B. Python Technical Details
- C. Troubleshooting Exceptions
- Index
Product information
- Title: Learning Python for Forensics
- Author(s):
- Release date: May 2016
- Publisher(s): Packt Publishing
- ISBN: 9781783285235