Python Digital Forensics Cookbook

Book Description

Over 60 recipes to help you learn digital forensics and leverage Python scripts to amplify your examinations

About This Book

  • Develop code that extracts vital information from everyday forensic acquisitions.
  • Increase the quality and efficiency of your forensic analysis.
  • Leverage the latest resources and capabilities available to the forensic community.

Who This Book Is For

If you are a digital forensics examiner, cyber security specialist, or analyst at heart, understand the basics of Python, and want to take it to the next level, this is the book for you. Along the way, you will be introduced to a number of libraries suitable for parsing forensic artifacts. Readers will be able to use and build upon the scripts we develop to elevate their analysis.

What You Will Learn

  • Understand how Python can enhance digital forensics and investigations
  • Learn to access the contents of, and process, forensic evidence containers
  • Explore malware through automated static analysis
  • Extract and review message contents from a variety of email formats
  • Add depth and context to discovered IP addresses and domains through various Application Program Interfaces (APIs)
  • Delve into mobile forensics and recover deleted messages from SQLite databases
  • Index large logs into a platform to better query and visualize datasets

In Detail

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets.

By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase.

By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Style and approach

Our succinct recipes take a no-frills approach to solving common challenges faced in investigations. The code in this book covers a wide range of artifacts and data sources. These examples will help improve the accuracy and efficiency of your analysis—no matter the situation.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code files sent to you.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Sections
      1. Getting ready
      2. How to do it…
      3. How it works…
      4. There's more…
      5. See also
    5. Conventions
    6. Reader feedback
    7. Customer support
      1. Downloading the example code
      2. Downloading the color images of this book
      3. Errata
      4. Piracy
      5. Questions
  2. Essential Scripting and File Information Recipes
    1. Introduction
    2. Handling arguments like an adult
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    3. Iterating over loose files
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    4. Recording file attributes
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    5. Copying files, attributes, and timestamps
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    6. Hashing files and data streams
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    7. Keeping track with a progress bar
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    8. Logging results
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
    9. Multiple hands make light work
      1. Getting started
      2. How to do it…
      3. How it works…
      4. There's more…
  3. Creating Artifact Report Recipes
    1. Introduction
    2. Using HTML templates
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    3. Creating a paper trail
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    4. Working with CSVs
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Visualizing events with Excel
      1. Getting started
      2. How to do it...
      3. How it works...
    6. Auditing your work
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
  4. A Deep Dive into Mobile Forensic Recipes
    1. Introduction
    2. Parsing PLIST files
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    3. Handling SQLite databases
      1. Getting started
      2. How to do it...
      3. How it works...
    4. Identifying gaps in SQLite databases
      1. Getting started
      2. How to do it...
      3. How it works...
      4. See also
    5. Processing iTunes backups
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    6. Putting Wi-Fi on the map
      1. Getting started
      2. How to do it...
      3. How it works...
    7. Digging deep to recover messages
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
  5. Extracting Embedded Metadata Recipes
    1. Introduction
    2. Extracting audio and video metadata
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    3. The big picture
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    4. Mining for PDF metadata
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Reviewing executable metadata
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    6. Reading office document metadata
      1. Getting started
      2. How to do it...
      3. How it works...
    7. Integrating our metadata extractor with EnCase
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
  6. Networking and Indicators of Compromise Recipes
    1. Introduction
    2. Getting a jump start with IEF
      1. Getting started
      2. How to do it...
      3. How it works...
    3. Coming into contact with IEF
      1. Getting started
      2. How to do it...
      3. How it works...
    4. Beautiful Soup
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Going hunting for viruses
      1. Getting started
      2. How to do it...
      3. How it works...
    6. Gathering intel
      1. Getting started
      2. How to do it...
      3. How it works...
    7. Totally passive
      1. Getting started
      2. How to do it...
      3. How it works...
  7. Reading Emails and Taking Names Recipes
    1. Introduction
    2. Parsing EML files
      1. Getting started
      2. How to do it...
      3. How it works...
    3. Viewing MSG files
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Ordering Takeout
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. What's in the box?!
      1. Getting started
      2. How to do it...
      3. How it works...
    6. Parsing PST and OST mailboxes
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
  8. Log-Based Artifact Recipes
    1. Introduction
    2. About time
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    3. Parsing IIS web logs with RegEx
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    4. Going spelunking
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Interpreting the daily.out log
      1. Getting started
      2. How to do it...
      3. How it works...
    6. Adding daily.out parsing to Axiom
      1. Getting started
      2. How to do it...
      3. How it works...
    7. Scanning for indicators with YARA
      1. Getting started
      2. How to do it...
      3. How it works...
  9. Working with Forensic Evidence Container Recipes
    1. Introduction
    2. Opening acquisitions
      1. Getting started
      2. How to do it...
      3. How it works...
    3. Gathering acquisition and media information
      1. Getting started
      2. How to do it...
      3. How it works...
    4. Iterating through files
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Processing files within the container
      1. Getting started
      2. How to do it...
      3. How it works...
    6. Searching for hashes
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
  10. Exploring Windows Forensic Artifacts Recipes - Part I
    1. Introduction
    2. One man's trash is a forensic examiner's treasure
      1. Getting started
      2. How to do it...
      3. How it works...
    3. A sticky situation
      1. Getting started
      2. How to do it...
      3. How it works...
    4. Reading the registry
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Gathering user activity
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    6. The missing link
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    7. Searching high and low
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
  11. Exploring Windows Forensic Artifacts Recipes - Part II
    1. Introduction
    2. Parsing prefetch files
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    3. A series of fortunate events
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    4. Indexing internet history
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    5. Shadow of a former self
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
    6. Dissecting the SRUM database
      1. Getting started
      2. How to do it...
      3. How it works...
      4. There's more...
      5. Conclusion