Balian Blog

Python Forensics : A Workbench for Inventing and Sharing Digital Forensic Technology

Introducing the book "Python Forensics : A Workbench for Inventing and Sharing Digital Forensic Technology" by Chet Hosmer (Auth.), published by Syngress Publishing in 2014. The book is provided as a PDF, in English. "Python Forensics : A Workbench for Inventing and Sharing Digital Forensic Technology" is filed under Uncategorized.

Table of contents:

  • Front Cover; Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology; Copyright; Dedication; Acknowledgments; Endorsements; Contents; List of figures; About the Author; About the Technical Editor; Foreword
  • Preface: Intended Audience; Prerequisites; Reading this Book; Supported Platforms; Download Software; Comments, Questions, and Contributions
  • Chapter 1: Why Python Forensics? Introduction; Cybercrime investigation challenges; How can the Python programming environment help meet these challenges?; Global support for Python; Open source and platform independence; Lifecycle positioning; Cost and barriers to entry; Python and the Daubert evidence standard; Organization of the book; Chapter review; Summary questions; Additional Resources
  • Chapter 2: Setting up a Python Forensics Environment. Introduction; Setting up a Python forensics environment; The right environment; The Python Shell; Choosing a Python version; Installing Python on Windows; Python packages and modules; The Python Standard Library (What is included in the standard library?; Built-in functions: hex() and bin(), range(), Other built-in functions; Built-in constants; Built-in types; Built-in exceptions; File and directory access; Data compression and archiving; File formats; Cryptographic services; Operating system services; Standard Library summary); Third-party packages and modules (The Natural Language Toolkit [NLTK]; Twisted Matrix [TWISTED]); Integrated development environments (What are the options?; IDLE; WingIDE); Python running on Ubuntu Linux; Python on mobile devices (iOS Python app; Windows 8 phone); A virtual machine; Chapter review; Summary questions; Looking ahead; Additional Resources
  • Chapter 3: Our First Python Forensics App. Introduction; Naming conventions and other considerations (Constants; Local variable name; Global variable name; Functions name; Object name; Module; Class names); Our first application "one-way file system hashing"; Background; One-way hashing algorithms: basic characteristics; Popular cryptographic hash algorithms?; What are the tradeoffs between one-way hashing algorithms?; What are the best-use cases for one-way hashing algorithms in forensics?; Fundamental requirements; Design considerations; Program structure (Main function; ParseCommandLine; WalkPath function; HashFile function; CSVWriter (class); Logger); Writing the code; Code walk-through (Examining main; ParseCommandLine(); ValiditingDirectoryWritable; WalkPath; HashFile; CSVWriter); Full code listing pfish.py; Full code listing _pfish.py; Results presentation; Chapter review; Summary questions; Looking ahead; Additional Resources
  • Chapter 4: Forensic Searching and Indexing Using Python. Introduction; Keyword context search; How can this be accomplished easily in Python?; Fundamental requirements; Design considerations (Main function; ParseCommandLine; SearchWords function; PrintBuffer functions; logger); Writing the code; Code walk-through (Examining Main; Examining _p-search functions; Examining ParseCommandLine; Examining ValidateFileRead(theFile); Examining the SearchWords function; Examining the PrintBuffer function); Results presentation; Indexing; Coding isWordProbable; P-search complete code listings (p-search.py; _p-search.py); Chapter review; Summary questions; Additional Resources
  • Chapter 5: Forensic Evidence Extraction (JPEG and TIFF). Introduction; The Python Image Library; Before diving straight in; PIL test-before code; Determining the available EXIF TAGS; Determining the available EXIF GPSTAGS; p-ImageEvidenceExtractor fundamental requirements; Design considerations; Code walk-through (Main Program; Class Logging; cvsHandler; Command line parser; EXIF and GPS Handler); Examining the code (Main Program; EXIF and GPS processing; Logging Class; Command line parser; Comma separated value (CSV) Writer class); Full code listings; Program execution; Chapter review; Summary questions; Additional Resources
  • Chapter 6: Forensic Time. Introduction; Adding time to the equation; The time module; The Network Time Protocol; Obtaining and installing the NTP Library ntplib; World NTP Servers; NTP Client Setup Script; Chapter review; Summary questions; Additional Resources
  • Chapter 7: Using Natural Language Tools in Forensics. What is Natural Language Processing?; Dialog-based systems; Corpus; Installing the Natural Language Toolkit and associated libraries; Working with a corpus; Experimenting with NLTK; Creating a corpus from the Internet; NLTKQuery application (NLTKQuery.py; _classNLTKQuery.py; _NLTKQuery.py); NLTKQuery example execution; NLTK execution trace; Chapter review; Summary questions; Additional Resources
  • Chapter 8: Network Forensics: Part I. Network investigation basics; What are these sockets?; The simplest network client server connect using sockets (server.py code; client.py code; server.py and client.py program execution); Captain Ramius: re-verify our range to target... one ping only; wxPython; ping.py; guiPing.py code; Ping Sweep execution; Port scanning; Examples of well-known ports; Examples of registered ports; Chapter review; Summary questions; Additional Resources
  • Chapter 9: Network Forensics: Part II. Introduction; Packet sniffing; Raw sockets in Python; What is Promiscuous Mode or Monitor Mode?; Setting Promiscuous Mode: Ubuntu 12.04 LTS example; Raw sockets in Python under Linux; Unpacking buffers; Python Silent Network Mapping Tool (PSNMT); PSNMT source code (psnmt.py; decoder.py; commandParser.py; classLogging.py; csvHandler.py); Program execution and output (Forensic log; TCP capture example; UDP capture example; CSV file output example); Chapter review; Summary question/challenge; Additional Resources
  • Chapter 10: Multiprocessing for Forensics. Introduction; What is multiprocessing?; Python multiprocessing support; Simplest multiprocessing example; Single core file search solution; Multiprocessing file search solution; Multiprocessing File Hash (Single core solution; Multi-core solution A; Multi-core solution B); Multiprocessing Hash Table generation (Single core password generator code; Multi-core password generator; Multi-core password generator code); Chapter review; Summary question/challenge; Additional Resources
  • Chapter 11: Rainbow in the Cloud. Introduction; Putting the cloud to work; Cloud options; Creating rainbows in the cloud; Single Core Rainbow; Multi-Core Rainbow; Password Generation Calculations; Chapter review; Summary question/challenge; Additional Resources
  • Chapter 12: Looking Ahead. Introduction; Where do we go from here?; Conclusion; Additional Resources
  • Index

Python Forensics provides many never-before-published proven forensic modules, libraries, and solutions that can be used right out of the box. In addition, detailed instruction and documentation provided with the code samples will allow even novice Python programmers to add their own unique twists or use the models presented to build new solutions.

Rapid development of new cybercrime investigation tools is an essential ingredient in virtually every case and environment. Whether you are performing post-mortem investigation, executing live triage, extracting evidence from mobile devices or cloud services, or you are collecting and processing evidence from a network, Python forensic implementations can fill in the gaps.

Drawing upon years of practical experience and using numerous examples and illustrative code samples, author Chet Hosmer discusses how to:

  • Develop new forensic solutions independent of large vendor software release schedules
  • Participate in an open-source workbench that facilitates direct involvement in the design and implementation of new methods that augment or replace existing tools
  • Advance your career by creating new solutions along with the construction of cutting-edge automation solutions to solve old problems

  • Provides hands-on tools, code samples, and detailed instruction and documentation that can be put to use immediately
  • Discusses how to create a Python forensics workbench
  • Covers effective forensic searching and indexing using Python
  • Shows how to use Python to examine mobile device operating systems: iOS, Android, and Windows 8
  • Presents complete coverage of how to use Python scripts for network investigation
Providing many never-before-published proven forensic modules, libraries, and solutions that can be used right out of the box, this book offers hands-on tools, code samples, and detailed instruction and documentation that can be put to use immediately. (Edited summary from the book.)
Download the book Python Forensics : A Workbench for Inventing and Sharing Digital Forensic Technology