Balian Blog

Python digital forensics cookbook : effective Python recipes for digital investigations

Introducing the book "Python digital forensics cookbook : effective Python recipes for digital investigations" by Miller, Preston, Bryce, Chapin, published by Packt Publishing - ebooks Account; Packt Publishing in 2017. The book is offered in 5 pages, PDF format, English language. "Python digital forensics cookbook : effective Python recipes for digital investigations" is filed under the "Uncategorized" category.

Over 60 recipes to help you learn digital forensics and leverage Python scripts to amplify your examinations.

About This Book
- Develop code that extracts vital information from everyday forensic acquisitions.
- Increase the quality and efficiency of your forensic analysis.
- Leverage the latest resources and capabilities available to the forensic community.

Who This Book Is For
If you are a digital forensics examiner, cyber security specialist, or analyst at heart, understand the basics of Python, and want to take it to the next level, this is the book for you. Along the way, you will be introduced to a number of libraries suitable for parsing forensic artifacts. Readers will be able to use and build upon the scripts we develop to elevate their analysis.

What You Will Learn
- Understand how Python can enhance digital forensics and investigations
- Learn to access the contents of, and process, forensic evidence containers
- Explore malware through automated static analysis
- Extract and review message contents from a variety of email formats
- Add depth and context to discovered IP addresses and domains through various Application Program Interfaces (APIs)
- Delve into mobile forensics and recover deleted messages from SQLite databases
- Index large logs into a platform to better query and visualize datasets

In Detail
Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations.
Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Style and approach
Our succinct recipes take a no-frills approach to solving common challenges faced in investigations. The code in this book covers a wide range of artifacts and data sources. These examples will help improve the accuracy and efficiency of your analysis, no matter the situation.

Table of contents
(Each recipe below is divided into Getting started, How to do it, How it works, and, where present, There's more and See also.)

Preface
- What this book covers
- What you need for this book
- Who this book is for
- Sections (Getting ready; How to do it; How it works; There's more; See also)
- Conventions
- Reader feedback
- Customer support (Downloading the example code; Downloading the color images of this book; Errata; Piracy; Questions)

Essential Scripting and File Information Recipes
- Introduction
- Handling arguments like an adult
- Iterating over loose files
- Recording file attributes
- Copying files, attributes, and timestamps
- Hashing files and data streams
- Keeping track with a progress bar
- Logging results
- Multiple hands make light work

Creating Artifact Report Recipes
- Introduction
- Using HTML templates
- Creating a paper trail
- Working with CSVs
- Visualizing events with Excel
- Auditing your work

A Deep Dive into Mobile Forensic Recipes
- Introduction
- Parsing PLIST files
- Handling SQLite databases
- Identifying gaps in SQLite databases
- Processing iTunes backups
- Putting Wi-Fi on the map
- Digging deep to recover messages

Extracting Embedded Metadata Recipes
- Introduction
- Extracting audio and video metadata
- The big picture
- Mining for PDF metadata
- Reviewing executable metadata
- Reading office document metadata
- Integrating our metadata extractor with EnCase

Networking and Indicators of Compromise Recipes
- Introduction
- Getting a jump start with IEF
- Coming into contact with IEF
- Beautiful Soup
- Going hunting for viruses
- Gathering intel
- Totally passive

Reading Emails and Taking Names Recipes
- Introduction
- Parsing EML files
- Viewing MSG files
- Ordering Takeout
- What's in the box?!
- Parsing PST and OST mailboxes

Log-Based Artifact Recipes
- Introduction
- About time
- Parsing IIS web logs with RegEx
- Going spelunking
- Interpreting the daily.out log
- Adding daily.out parsing to Axiom
- Scanning for indicators with YARA

Working with Forensic Evidence Container Recipes
- Introduction
- Opening acquisitions
- Gathering acquisition and media information
- Iterating through files
- Processing files within the container
- Searching for hashes

Exploring Windows Forensic Artifacts Recipes - Part I
- Introduction
- One man's trash is a forensic examiner's treasure
- A sticky situation
- Reading the registry
- Gathering user activity
- The missing link
- Searching high and low

Exploring Windows Forensic Artifacts Recipes - Part II
- Introduction
- Parsing prefetch files
- A series of fortunate events
- Indexing internet history
- Shadow of a former self
- Dissecting the SRUM database

Conclusion