Learning python for forensics : learn the art of designing, developing, and deploying innovative forensic solutions through Python / Preston Miller, Chapin Bryce.

Available online via: EBSCOhost Academic eBook Collection (North America); EBSCOhost eBook Community College Collection; Ebook Central College Complete; O'Reilly Online Learning: Academic/Public Library Edition.

Format:
Book
Author/Creator:
Miller, Preston, author.
Bryce, Chapin, author.
Series:
Community Experience Distilled
Language:
English
Subjects (All):
Data recovery (Computer science).
Python (Computer program language).
Physical Description:
1 online resource (489 pages).
Edition:
1st edition
Place of Publication:
Birmingham, [England] ; Mumbai, [India] : Packt Publishing, 2016.
System Details:
text file
Biography/History:
Bryce, Chapin: Chapin Bryce is a senior consultant at a global firm that is a leader in digital forensics and incident response investigations. After graduating from Champlain College with a bachelor's degree in computer and digital forensics, Chapin dove into the field of digital forensics and incident response, joining the GIAC advisory board and earning four GIAC certifications: GCIH, GCFE, GCFA, and GNFA. As a member of multiple ongoing research and development projects, he has authored several books and articles in professional and academic publications, including Python Digital Forensics Cookbook (2018 Digital Forensics Book of the Year, Forensic 4Cast), Learning Python for Forensics First Edition, and Digital Forensic Magazine.
Summary:
Learn the art of designing, developing, and deploying innovative forensic solutions through Python.

About This Book: This practical guide will help you solve forensic dilemmas through the development of Python scripts. Analyze Python scripts to extract metadata and investigate forensic artifacts. Master the skills of parsing complex data structures by taking advantage of Python libraries.

Who This Book Is For: If you are a forensics student, hobbyist, or professional seeking to increase your understanding of forensics through the use of a programming language, then this book is for you. You are not required to have previous experience in programming to learn and master the content within this book. This material, created by forensic professionals, was written with a unique perspective and understanding of examiners who wish to learn programming.

What You Will Learn: Discover how to perform Python script development. Update yourself by learning the best practices in forensic programming. Build scripts through an iterative design. Explore the rapid development of specialized scripts. Understand how to leverage forensic libraries developed by the community. Design flexibly to accommodate present and future hurdles. Conduct effective and efficient investigations through programmatic pre-analysis. Discover how to transform raw data into customized reports and visualizations.

In Detail: This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer. Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another.

We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem-solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner. ...
Contents:
Cover
Copyright
Credits
About the Authors
Acknowledgments
About the Reviewer
www.PacktPub.com
Table of Contents
Preface
Chapter 1: Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Strings and Unicode
Integers and floats
Booleans and None
Structured data types
Lists
Dictionaries
Sets and tuples
Data type conversions
Files
Variables
Understanding scripting flow logic
Conditionals
Loops
For
While
Functions
Summary
Chapter 2: Python Fundamentals
Advanced data types and functions
Iterators
Datetime objects
Libraries
Installing third-party libraries
Libraries in this book
Python packages
Classes and object-oriented programming
Try and except
Raise
Creating our first script - unix_converter.py
User input
Using the raw input method and the system module - user_input.py
Understanding Argparse - argument_parser.py
Forensic scripting best practices
Developing our first forensic script - usb_lookup.py
Understanding the main() function
Exploring the getRecord() function
Interpreting the searchKey() function
Running our first forensic script
Troubleshooting
Challenge
Chapter 3: Parsing Text Files
Setup API
Introducing our script
Overview
Our first iteration - setupapi_parser.v1.py
Designing the main() function
Crafting the parseSetupapi() function
Developing the printOutput() function
Running the script
Our second iteration - setupapi_parser.v2.py
Improving the main() function
Tuning the parseSetupapi() function
Modifying the printOutput() function
Our final iteration - setupapi_parser.py
Extending the main() function
Adding to the parseSetupapi() function
Creating the parseDeviceInfo() function
Forming the prepUSBLookup() function
Constructing the getDeviceNames() function
Enhancing the printOutput() function
Additional challenges
Chapter 4: Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration - bitcoin_address_lookup.v1.py
Exploring the main() function
Understanding the getAddress() function
Working with the printTransactions() function
The printHeader() helper function
The getInputs() helper function
Our second iteration - bitcoin_address_lookup.v2.py
Modifying the main() function
Improving the getAddress() function
Elaborating on the printTransactions() function
Mastering our final iteration - bitcoin_address_lookup.py
Enhancing the parseTransactions() function
Developing the csvWriter() function
Chapter 5: Databases in Python
An overview of databases
Using SQLite3
Using the Structured Query Language
Designing our script
Manually manipulating databases with Python - file_lister.py
Building the main() function
Initializing the database with the initDB() function
Checking for custodians with the getOrAddCustodian() function
Retrieving custodians with the getCustodian() function
Understanding the ingestDirectory() function
Exploring the os.stat() method
Developing the formatTimestamp() helper function
Configuring the writeOutput() function
Designing the writeCSV() function
Composing the writeHTML() function
Further automating databases - file_lister_peewee.py
Peewee setup
Jinja2 setup
Updating the main() function
Adjusting the initDB() function
Modifying the getOrAddCustodian() function
Improving the ingestDirectory() function
A closer look at the formatTimestamp() function
Converting the writeOutput() function
Simplifying the writeCSV() function
Condensing the writeHTML() function
Running our new and improved script
Chapter 6: Extracting Artifacts from Binary Files
UserAssist
Understanding the ROT-13 substitution cipher - rot13.py
Evaluating code with timeit
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
Adding data to a spreadsheet
Building a table
Creating charts with Python
The UserAssist framework
Developing our UserAssist logic processor - userassist.py
Evaluating the main() function
Defining the createDictionary() function
Extracting data with the parseValues() function
Processing strings with the getName() function
Writing Excel spreadsheets - xlsx_writer.py
Controlling output with the excelWriter() function
Summarizing data with the dashboardWriter() function
Writing artifacts in the userassistWriter() function
Defining the fileTime() function
Processing integers with the sortByCount() function
Processing DateTime objects with the sortByDate() function
Writing generic spreadsheets - csv_writer.py
Understanding the csvWriter() function
Running the UserAssist framework
Chapter 7: Fuzzy Hashing
Background on hashing
Hashing files in Python
Deep dive into rolling hashes
Implementing rolling hashes - hashing_example.py
Limitations of rolling hashes
Exploring fuzzy hashing - fuzzy_hasher.py
Starting with the main function
Working with files in the fileController() function
Working with directories in the directoryController() function
Generating fuzzy hashes with the fuzzFile() function
Exploring the compareFuzzies() function
Creating reports with the writer() function
Running the first iteration
Using SSDeep in Python - ssdeep_python.py
Revisiting the main() function
The new fileController() function
Repurposing the directoryController() function
Demonstrating changes in the writer() function
Running the second iteration
Citations
Chapter 8: The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introducing the Pillow module
Introduction to ID3 metadata
Introducing the Mutagen module
Introduction to Office metadata
Introducing the lxml module
Metadata_Parser framework overview
Our main framework controller - metadata_parser.py
Controlling our framework with the main() function
Parsing EXIF metadata - exif_parser.py
Understanding the exifParser() function
Developing the getTags() function
Adding the dmsToDecimal() function
Parsing ID3 metadata - id3_parser.py
Understanding the id3Parser() function
Revisiting the getTags() function
Parsing Office metadata - office_parser.py
Evaluating the officeParser() function
The getTags() function for the last time
Moving on to our writers
Writing spreadsheets - csv_writer.py
Plotting GPS data with Google Earth - kml_writer.py
Supporting our framework with processors
Creating framework-wide utility functions - utility.py
Framework summary
Chapter 9: Uncovering Time
About timestamps
What is epoch?
Using a GUI
Basics of Tkinter objects
Implementation of the Tkinter GUI
Using Frame objects
Using classes in Tkinter
Developing the Date Decoder GUI - date_decoder.py
The DateDecoder class setup and __init__() method
Executing the run() method
Implementing the buildInputFrame() method
Creating the buildOutputFrame() method
Building the convert() method
Defining the convert_unix_seconds() method
Conversion using the convertWindowsFiletime_64() method
Converting with the convertChromeTimestamps() method
Designing the output method
Chapter 10: Did Someone Say Keylogger?
A detailed look at keyloggers
Hardware keyloggers
Software keyloggers
Detecting malicious processes
Building a keylogger for Windows
Using the Windows API
PyWin32
PyHooks
WMI
Monitoring keyboard events
Capturing screenshots
Capturing the clipboard
Monitoring processes
Multiprocessing in Python - simple_multiprocessor.py
Running Python without a command window
Exploring the code
Capturing the screen
Capturing the keyboard
Keylogger controllers
Capturing processes
Chapter 11: Parsing Outlook PST Containers
The Personal Storage Table File Format
An introduction to libpff
How to install libpff and pypff
Exploring PSTs - pst_indexer.py
An overview
Developing the main() function
Evaluating the makePath() helper function
Iteration with the folderTraverse() function
Identifying messages with the checkForMessages() function
Processing messages in the processMessage() function
Summarizing data in the folderReport() function
Understanding the wordStats() function
Creating the wordReport() function
Building the senderReport() function
Refining the heat map with the dateReport() function
Writing the HTMLReport() function
The HTML template
Additional challenges
Summary
Notes:
Includes index.
Description based on online resource; title from PDF title page (ebrary, viewed March 3, 2017).
ISBN:
9781783285242
1783285249
OCLC:
952413847