Professional Documents
Culture Documents
PDF Python Digital Forensics Cookbook Effective Python Recipes For Digital Investigations 1St Edition Preston Miller Ebook Full Chapter
PDF Python Digital Forensics Cookbook Effective Python Recipes For Digital Investigations 1St Edition Preston Miller Ebook Full Chapter
https://textbookfull.com/product/powershell-and-python-together-
targeting-digital-investigations-1st-edition-chet-hosmer/
https://textbookfull.com/product/mastering-python-forensics-
master-the-art-of-digital-forensics-and-analysis-with-python-
first-published-october-2015-edition-uhrmann/
https://textbookfull.com/product/guide-to-computer-forensics-and-
investigations-processing-digital-evidence-fifth-edition-nelson/
https://textbookfull.com/product/a-practical-guide-to-digital-
forensics-investigations-2nd-edition-darren-r-hayes/
Matplotlib for Python Developers Effective techniques
for data visualization with Python 2nd Edition Yim
https://textbookfull.com/product/matplotlib-for-python-
developers-effective-techniques-for-data-visualization-with-
python-2nd-edition-yim/
https://textbookfull.com/product/digital-forensics-and-
investigations-people-process-and-technologies-to-defend-the-
enterprise-1st-edition-jason-sachowski-author/
https://textbookfull.com/product/digital-forensics-1st-edition-
andre-arnes-editor/
https://textbookfull.com/product/think-dsp-digital-signal-
processing-in-python-1st-edition-allen-b-downey/
https://textbookfull.com/product/python-network-programming-
cookbook-kathiravelu/
Python Digital Forensics Cookbook
BIRMINGHAM - MUMBAI
Python Digital Forensics Cookbook
Every effort has been made in the preparation of this book to ensure the
accuracy of the information presented. However, the information contained in
this book is sold without warranty, either express or implied. Neither the
authors, nor Packt Publishing, and its dealers and distributors will be held
liable for any damages caused or alleged to be caused directly or indirectly by
this book.
ISBN 978-1-78398-746-7
www.packtpub.com
Credits
Authors
Copy Editor
Preston Miller
Stuti Srivastava
Chapin Bryce
Dr. Michael Spreitzenbarth's daily work deals with the security of mobile
systems, forensic analysis of smartphones and suspicious mobile applications,
as well as the investigation of security-related incidents within ICS
environments. At the same time he is working on the improvement of mobile
malware analysis techniques and research in the field of Android and iOS
forensics as well as mobile application testing.
www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.
com.
Did you know that Packt offers eBook versions of every book published, with
PDF and ePub files available? You can upgrade to the eBook version at www.Pa
cktPub.com and as a print book customer, you are entitled to a discount on the
eBook copy. Get in touch with us at service@packtpub.com for more details.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access
to all Packt books and video courses, as well as industry-leading tools to help
you plan your personal development and advance your career.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Customer Feedback
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our
editorial process. To help us improve, please leave us an honest review on this
book's Amazon page at https://www.amazon.com/dp/1783987464.
If you'd like to join our team of regular reviewers, you can email us at
customerreviews@packtpub.com. We award our regular reviewers with free eBooks
Preston Miller
This book is dedicated to the love of my life and my best friend, Alexa.
Thank you for all of the love, support, and laughter.
Chapin Bryce
Table of Contents
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Essential Scripting and File Information Recipes
Introduction
Handling arguments like an adult
Getting started
How to do it…
How it works…
There's more…
Iterating over loose files
Getting started
How to do it…
How it works…
There's more…
Recording file attributes
Getting started
How to do it…
How it works…
There's more…
Copying files, attributes, and timestamps
Getting started
How to do it…
How it works…
There's more…
Hashing files and data streams
Getting started
How to do it…
How it works…
There's more…
Keeping track with a progress bar
Getting started
How to do it…
How it works…
There's more…
Logging results
Getting started
How to do it…
How it works…
There’s more…
Multiple hands make light work
Getting started
How to do it…
How it works…
There's more…
2. Creating Artifact Report Recipes
Introduction
Using HTML templates
Getting started
How to do it...
How it works...
There's more...
Creating a paper trail
Getting started
How to do it...
How it works...
There's more...
Working with CSVs
Getting started
How to do it...
How it works...
There's more...
Visualizing events with Excel
Getting started
How to do it...
How it works...
Auditing your work
Getting started
How to do it...
How it works...
There's more...
3. A Deep Dive into Mobile Forensic Recipes
Introduction
Parsing PLIST files
Getting started
How to do it...
How it works...
There's more…
Handling SQLite databases
Getting started
How to do it...
How it works...
Identifying gaps in SQLite databases
Getting started
How to do it...
How it works...
See also
Processing iTunes backups
Getting started
How to do it...
How it works...
There's more...
Putting Wi-Fi on the map
Getting started
How to do it...
How it works...
Digging deep to recover messages
Getting started
How to do it...
How it works...
There's more…
4. Extracting Embedded Metadata Recipes
Introduction
Extracting audio and video metadata
Getting started
How to do it...
How it works...
There's more...
The big picture
Getting started
How to do it...
How it works...
There's more...
Mining for PDF metadata
Getting started
How to do it...
How it works...
There's more...
Reviewing executable metadata
Getting started
How to do it...
How it works...
There's more...
Reading office document metadata
Getting started
How to do it...
How it works...
Integrating our metadata extractor with EnCase
Getting started
How to do it...
How it works...
There's more...
5. Networking and Indicators of Compromise Recipes
Introduction
Getting a jump start with IEF
Getting started
How to do it...
How it works...
Coming into contact with IEF
Getting started
How to do it...
How it works...
Beautiful Soup
Getting started
How to do it...
How it works...
There's more...
Going hunting for viruses
Getting started
How to do it...
How it works...
Gathering intel
Getting started
How to do it...
How it works...
Totally passive
Getting started
How to do it...
How it works...
6. Reading Emails and Taking Names Recipes
Introduction
Parsing EML files
Getting started
How to do it...
How it works...
Viewing MSG files
Getting started
How to do it...
How it works...
There’s more...
See also
Ordering Takeout
Getting started
How to do it...
How it works...
There’s more...
What’s in the box?!
Getting started
How to do it...
How it works...
Parsing PST and OST mailboxes
Getting started
How to do it...
How it works...
There’s more...
See also
7. Log-Based Artifact Recipes
Introduction
About time
Getting started
How to do it...
How it works...
There's more...
Parsing IIS web logs with RegEx
Getting started
How to do it...
How it works...
There's more...
Going spelunking
Getting started
How to do it...
How it works...
There's more...
Interpreting the daily.out log
Getting started
How to do it...
How it works...
Adding daily.out parsing to Axiom
Getting started
How to do it...
How it works...
Scanning for indicators with YARA
Getting started
How to do it...
How it works...
8. Working with Forensic Evidence Container Recipes
Introduction
Opening acquisitions
Getting started
How to do it...
How it works...
Gathering acquisition and media information
Getting started
How to do it...
How it works...
Iterating through files
Getting started
How to do it...
How it works...
There's more...
Processing files within the container
Getting started
How to do it...
How it works...
Searching for hashes
Getting started
How to do it...
How it works...
There's more...
9. Exploring Windows Forensic Artifacts Recipes - Part I
Introduction
One man's trash is a forensic examiner's treasure
Getting started
How to do it...
How it works...
A sticky situation
Getting started
How to do it...
How it works...
Reading the registry
Getting started
How to do it...
How it works...
There's more...
Gathering user activity
Getting started
How to do it...
How it works...
There's more...
The missing link
Getting started
How to do it...
How it works...
There's more...
Searching high and low
Getting started
How to do it...
How it works...
There's more...
10. Exploring Windows Forensic Artifacts Recipes - Part II
Introduction
Parsing prefetch files
Getting started
How to do it...
How it works...
There's more...
A series of fortunate events
Getting started
How to do it...
How it works...
There's more...
Indexing internet history
Getting started
How to do it...
How it works...
There's more...
Shadow of a former self
Getting started
How to do it...
How it works...
There's more...
Dissecting the SRUM database
Getting started
How to do it...
How it works...
There's more...
Conclusion
Preface
At the outset of this book, we strove to demonstrate a nearly endless corpus of
use cases for Python in today’s digital investigations. Technology plays an
increasingly large role in our daily life and shows no signs of stopping. Now,
more than ever, it is paramount that an investigator develop programming
expertise to work with increasingly large datasets. By leveraging the Python
recipes explored throughout this book, we make the complex simple,
efficiently extracting relevant information from large data sets. You will
explore, develop, and deploy Python code and libraries to provide meaningful
results that can be immediately applied to your investigations.
Throughout the book, recipes include topics such as working with forensic
evidence containers, parsing mobile and desktop operating system artifacts,
extracting embedded metadata from documents and executables, and
identifying indicators of compromise. You will also learn how to integrate
scripts with Application Program Interfaces (APIs) such as VirusTotal and
PassiveTotal, and tools, such as Axiom, Cellebrite, and EnCase. By the end of
the book, you will have a sound understanding of Python and will know how
you can use it to process artifacts in your investigations.
What this book covers
Essential Scripting and File Information Recipes, introduces you to
Chapter 1,
the conventions and basic features of Python used throughout the book. By the
end of the chapter, you will create a robust and useful data and metadata
preservation script.
Reading Emails and Taking Names Recipes, explores the many file
Chapter 6,
types for both individual e-mail messages and entire mailboxes, including
Google Takeout MBox, and how to use Python for extraction and analysis.