Python Forensics provides many never-before-published proven forensic modules, libraries, and solutions that can be used right out of the box. In addition, detailed instruction and documentation provided with the code samples will allow even novice Python programmers to add their own unique twists or use the models presented to build new solutions.
Rapid development of new cybercrime investigation tools is an essential ingredient in virtually every case and environment. Whether you are performing post-mortem investigation, executing live triage, extracting evidence from mobile devices or cloud services, or you are collecting and processing evidence from a network, Python forensic implementations can fill in the gaps.
Drawing upon years of practical experience and using numerous examples and illustrative code samples, author Chet Hosmer discusses how to:
Develop new forensic solutions independent of large vendor software release schedules
Participate in an open-source workbench that facilitates direct involvement in the design and implementation of new methods that augment or replace existing tools
Advance your career by creating new solutions along with the construction of cutting-edge automation solutions to solve old problems
Author(s): Chet Hosmer
Publisher: Syngress Publishing
Year: 2014
Language: English
Pages: 318
Front Cover
Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology
Copyright
Dedication
Acknowledgments
Endorsements
Contents
List of figures
About the Author
About the Technical Editor
Foreword
Preface
Intended Audience
Prerequisites
Reading this Book
Supported Platforms
Download Software
Comments, Questions, and Contributions
Chapter 1: Why Python Forensics?
Introduction
Cybercrime investigation challenges
How can the Python programming environment help meet these challenges?
Global support for Python
Open source and platform independence
Lifecycle positioning
Cost and barriers to entry
Python and the Daubert evidence standard
Organization of the book
Chapter review
Summary questions
Additional Resources
Chapter 2: Setting up a Python Forensics Environment
Introduction
Setting up a Python forensics environment
The right environment
The Python Shell
Choosing a Python version
Installing Python on Windows
Python packages and modules
The Python Standard Library
What is included in the standard library?
Built-in functions
hex() and bin()
range()
Other built-in functions
Built-in constants
Built-in types
Built-in exceptions
File and directory access
Data compression and archiving
File formats
Cryptographic services
Operating system services
Standard Library summary
Third-party packages and modules
The natural language toolkit [NLTK]
Twisted matrix [TWISTED]
Integrated development environments
What are the options?
IDLE
WingIDE
Python running on Ubuntu Linux
Python on mobile devices
iOS Python app
Windows 8 phone
A virtual machine
Chapter review
Summary questions
Looking ahead
Additional Resources
Chapter 3: Our First Python Forensics App
Introduction
Naming conventions and other considerations
Constants
Local variable name
Global variable name
Functions name
Object name
Module
Class names
Our first application "one-way file system hashing"
Background
One-way hashing algorithms basic characteristics
Popular cryptographic hash algorithms?
What are the tradeoffs between one-way hashing algorithms?
What are the best-use cases for one-way hashing algorithms in forensics?
Fundamental requirements
Design considerations
Program structure
Main function
ParseCommandLine
WalkPath function
HashFile function
CSVWriter (class)
Logger
Writing the code
Code walk-through
Examining main: code walk-through
ParseCommandLine()
ValidateDirectoryWritable
WalkPath
HashFile
CSVWriter
Full code listing pfish.py
Full code listing _pfish.py
Results presentation
Chapter review
Summary questions
Looking ahead
Additional Resources
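As an added illustration of the program structure Chapter 3 lists (main, ParseCommandLine, WalkPath, HashFile, CSVWriter and Logger), the Python 3 script below walks a directory tree, hashes every regular file and writes the results to a CSV file. It is not the book's pfish.py or _pfish.py (which target Python 2.7): the function names, CSV columns and command-line flags are this example's own assumptions, and the two-file tree that self_check() builds is constructed test data, not evidence from any case.

```python
"""Walk a directory tree, hash every regular file and write the results to CSV.

Added illustration of the Chapter 3 program structure; not the book's pfish.py.
Function names, CSV columns and flags are this example's own choices.
"""
import argparse
import csv
import hashlib
import logging
import os
import sys
import tempfile
from pathlib import Path

log = logging.getLogger("hashwalk")
SUPPORTED = ("md5", "sha1", "sha256", "sha512")


def hash_file(path: Path, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hex digest of *path*, read in chunks so a multi-GB image never sits in RAM."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def walk_path(root: Path, algorithm: str = "sha256"):
    """Yield one record per regular file below *root*, in a deterministic order.

    Symlinks are not followed; unreadable files are logged and skipped so one bad
    entry does not abort the run and lose the evidence already hashed.
    """
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # stable order lets two runs be diffed line by line
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                log.info("skipping non-regular file %s", path)
                continue
            try:
                size = path.stat().st_size
                digest = hash_file(path, algorithm)
            except OSError as exc:
                log.warning("unable to hash %s: %s", path, exc)
                continue
            yield {"path": str(path), "size": size, algorithm: digest}


def write_csv(records, out_path: Path, algorithm: str) -> int:
    """Write *records* to *out_path*; return the number of data rows written."""
    count = 0
    with out_path.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "size", algorithm])
        writer.writeheader()
        for rec in records:
            writer.writerow(rec)
            count += 1
    log.info("wrote %d rows to %s", count, out_path)
    return count


def parse_command_line(argv):
    """Validate arguments before any hashing starts (root is a dir, output dir writable)."""
    parser = argparse.ArgumentParser(description="hash every file below a directory")
    parser.add_argument("root", type=Path)
    parser.add_argument("-o", "--output", type=Path, required=True)
    parser.add_argument("-a", "--algorithm", choices=SUPPORTED, default="sha256")
    args = parser.parse_args(argv)
    if not args.root.is_dir():
        parser.error(f"not a directory: {args.root}")
    if not os.access(args.output.parent, os.W_OK):
        parser.error(f"output directory not writable: {args.output.parent}")
    return args


def main(argv=None) -> int:
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    args = parse_command_line(sys.argv[1:] if argv is None else argv)
    rows = write_csv(walk_path(args.root, args.algorithm), args.output, args.algorithm)
    return 0 if rows else 1


def self_check():
    """Hash a constructed two-file tree in a temp dir; return (row_count, sha256 of a.txt)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "sub").mkdir(parents=True)
        (root / "a.txt").write_bytes(b"hello")  # constructed sample data
        (root / "sub" / "b.bin").write_bytes(bytes(range(256)))
        records = list(walk_path(root))
        rows = write_csv(records, Path(tmp) / "hashes.csv", "sha256")
        digests = {Path(r["path"]).name: r["sha256"] for r in records}
        return rows, digests["a.txt"]


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python hashwalk.py /mnt/evidence -o hashes.csv -a sha256`. The chunked read in hash_file and the skip-and-log behaviour in walk_path are the two choices that matter on real images: the first keeps memory flat on large files, the second keeps one permission error from discarding hours of hashing.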
Chapter 4: Forensic Searching and Indexing Using Python
Introduction
Keyword context search
How can this be accomplished easily in Python?
Fundamental requirements
Design considerations
Main function
ParseCommandLine
SearchWords function
PrintBuffer functions
logger
Writing the code
Code walk-through
Examining main: code walk-through
Examining _p-search functions: code walk-through
Examining ParseCommandLine
Examining ValidateFileRead(theFile)
Examining the SearchWords function
Examining the PrintBuffer function
Results presentation
Indexing
Coding isWordProbable
P-search complete code listings
p-search.py
_p-search.py
Chapter review
Summary questions
Additional Resources
Chapter 5: Forensic Evidence Extraction (JPEG and TIFF)
Introduction
The Python Image Library
Before diving straight in
PIL test-before code
Determining the available EXIF TAGS
Determining the available EXIF GPSTAGS
p-ImageEvidenceExtractor fundamental requirements
Design considerations
Code Walk-Through
Main Program
Class Logging
csvHandler
Command line parser
EXIF and GPS Handler
Examining the code
Main Program
EXIF and GPS processing
Logging Class
Command line parser
Comma separated value (CSV) Writer class
Full code listings
Program execution
Chapter review
Summary questions
Additional Resources
Chapter 6: Forensic Time
Introduction
Adding time to the equation
The time module
The Network Time Protocol
Obtaining and installing the NTP Library ntplib
World NTP Servers
NTP Client Setup Script
Chapter review
Summary questions
Additional Resources
Chapter 7: Using Natural Language Tools in Forensics
What is Natural Language Processing?
Dialog-based systems
Corpus
Installing the Natural Language Toolkit and associated libraries
Working with a corpus
Experimenting with NLTK
Creating a corpus from the Internet
NLTKQuery application
NLTKQuery.py
_classNLTKQuery.py
_NLTKQuery.py
NLTKQuery example execution
NLTK execution trace
Chapter review
Summary questions
Additional Resources
Chapter 8: Network Forensics: Part I
Network investigation basics
What are these sockets?
The simplest network client server connect using sockets
server.py code
client.py code
server.py and client.py program execution
Captain Ramius: re-verify our range to target... one ping only
wxPython
ping.py
guiPing.py code
Ping Sweep execution
Port scanning
Examples of well-known ports
Examples of registered ports
Chapter review
Summary questions
Additional Resources
Chapter 9: Network Forensics: Part II
Introduction
Packet sniffing
Raw sockets in Python
What is Promiscuous Mode or Monitor Mode?
Setting Promiscuous Mode Ubuntu 12.04 LTS Example
Raw sockets in Python under Linux
Unpacking buffers
Python Silent Network Mapping Tool (PSNMT)
PSNMT source code
psnmt.py source code
decoder.py source code
commandParser.py
classLogging.py source code
csvHandler.py source code
Program execution and output
Forensic log
TCP capture example
UDP capture example
CSV file output example
Chapter review
Summary question/challenge
Additional Resources
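As an added illustration of the "Unpacking buffers" step listed for Chapter 9, the Python 3 code below decodes an Ethernet/IPv4/TCP (or UDP) header chain from a raw frame with the struct module. It is not the book's decoder.py or psnmt.py: the field names are this example's own, the sample frame is constructed by hand rather than taken from a capture, and no socket is opened. On Linux the same decoder would be fed from socket.socket(AF_PACKET, SOCK_RAW, socket.htons(0x0003)), which requires CAP_NET_RAW.

```python
"""Decode Ethernet/IPv4/TCP|UDP headers from a raw frame buffer with struct.

Added illustration for the Chapter 9 "Unpacking buffers" topic; not the book's
decoder.py. The sample frame is constructed, not captured.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: Optional[int]
    payload: bytes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when the header's own checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> Optional[Packet]:
    """Return a Packet for IPv4 frames, None for other EtherTypes.

    Offsets come from the packet's own length fields (IHL, TCP data offset) and are
    checked against the buffer, so options are handled and a truncated or
    inconsistent header raises instead of silently mis-parsing.
    """
    if len(frame) < ETH_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, s_ip, d_ip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("IPv4 length fields inconsistent with buffer")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    l4 = ip[ihl:total_len]  # slicing to total_len drops Ethernet padding on short frames
    sport = dport = flags = None
    payload = l4
    if proto == PROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHLLBBHHH", l4[:20])
        data_off = (off_res >> 4) * 4
        if data_off < 20 or len(l4) < data_off:
            raise ValueError("bad TCP data offset")
        payload = l4[data_off:]
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, _len, _csum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
    return Packet(mac_str(src), mac_str(dst), socket.inet_ntoa(s_ip), socket.inet_ntoa(d_ip),
                  proto, sport, dport, flags, payload)


def build_sample_tcp_frame() -> bytes:
    """Constructed frame (not a capture): 10.0.0.5:40000 -> 10.0.0.7:22, SYN, 4-byte payload."""
    payload = b"SSH-"
    tcp = struct.pack("!HHLLBBHHH", 40000, 22, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, PROTO_TCP, 0,
                               socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.7")))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # fill in the header checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                      ETHERTYPE_IPV4)
    return eth + bytes(ip) + tcp + payload


if __name__ == "__main__":
    print(decode_frame(build_sample_tcp_frame()))
```

The length checks are the point worth copying into any sniffer: a decoder that trusts IHL or the TCP data offset without comparing them to the buffer will read past the end of short frames, and one that assumes a 20-byte header will misattribute ports whenever IP or TCP options are present.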
Chapter 10: Multiprocessing for Forensics
Introduction
What is multiprocessing?
Python multiprocessing support
Simplest multiprocessing example
Single core file search solution
Multiprocessing file search solution
Multiprocessing File Hash
Single core solution
Multi-core solution A
Multi-core solution B
Multiprocessing Hash Table generation
Single core password generator code
Multi-core password generator
Multi-core password generator code
Chapter review
Summary question/challenge
Additional Resources
Chapter 11: Rainbow in the Cloud
Introduction
Putting the cloud to work
Cloud options
Creating rainbows in the cloud
Single Core Rainbow
Multi-Core Rainbow
Password Generation Calculations
Chapter review
Summary question/challenge
Additional Resources
Chapter 12: Looking Ahead
Introduction
Where do we go from here?
Conclusion
Additional Resources
Index