- 488 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Learning Python for Forensics
About this book
Learn the art of designing, developing, and deploying innovative forensic solutions through Python
About This Book
- This practical guide will help you solve forensic dilemmas through the development of Python scripts
- Analyze Python scripts to extract metadata and investigate forensic artifacts
- Master the skills of parsing complex data structures by taking advantage of Python libraries
Who This Book Is For
If you are a forensics student, hobbyist, or professional that is seeking to increase your understanding in forensics through the use of a programming language, then this book is for you.
You are not required to have previous experience in programming to learn and master the content within this book. This material, created by forensic professionals, was written with a unique perspective and understanding of examiners who wish to learn programming
What You Will Learn
- Discover how to perform Python script development
- Update yourself by learning the best practices in forensic programming
- Build scripts through an iterative design
- Explore the rapid development of specialized scripts
- Understand how to leverage forensic libraries developed by the community
- Design flexibly to accommodate present and future hurdles
- Conduct effective and efficient investigations through programmatic pre-analysis
- Discover how to transform raw data into customized reports and visualizations
In Detail
This book will illustrate how and why you should learn Python to strengthen your analysis skills and efficiency as you creatively solve real-world problems through instruction-based tutorials. The tutorials use an interactive design, giving you experience of the development process so you gain a better understanding of what it means to be a forensic developer.
Each chapter walks you through a forensic artifact and one or more methods to analyze the evidence. It also provides reasons why one method may be advantageous over another. We cover common digital forensics and incident response scenarios, with scripts that can be used to tackle case work in the field. Using built-in and community-sourced libraries, you will improve your problem solving skills with the addition of the Python scripting language. In addition, we provide resources for further exploration of each script so you can understand what further purposes Python can serve. With this knowledge, you can rapidly develop and deploy solutions to identify critical information and fine-tune your skill set as an examiner.
Style and approach
The book begins by instructing you on the basics of Python, followed by chapters that include scripts targeted for forensic casework. Each script is described step by step at an introductory level, providing gradual growth to demonstrate the available functionalities of Python.
Tools to learn more effectively
Saving Books
Keyword Search
Annotating Text
Listen to it instead
Information
Learning Python for Forensics
Table of Contents
Learning Python for Forensics
Credits
About the Authors
Acknowledgments
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Now For Something Completely Different
When to use Python?
Getting started
Standard data types
Strings and Unicode
Integers and floats
Booleans and None
Structured data types
Lists
Dictionaries
Sets and tuples
Data type conversions
Files
Variables
Understanding scripting flow logic
Conditionals
Loops
For
While
Functions
Summary
2. Python Fundamentals
Advanced data types and functions
Iterators
Datetime objects
Libraries
Installing third-party libraries
Libraries in this book
Python packages
Classes and object-oriented programming
Try and except
Raise
Creating our first script β unix_converter.py
User input
Using the raw input method and the system module β user_input.py
Understanding Argparse β argument_parser.py
Forensic scripting best practices
Developing our first forensic script β usb_lookup.py
Understanding the main() function
Exploring the getRecord() function
Interpreting the searchKey() function
Running our first forensic script
Troubleshooting
Challenge
Summary
3. Parsing Text Files
Setup API
Introducing our script
Overview
Our first iteration β setupapi_parser.v1.py
Designing the main() function
Crafting the parseSetupapi() function
Developing the printOutput() function
Running the script
Our second iteration β setupapi_parser.v2.py
Improving the main() function
Tuning the parseSetupapi() function
Modifying the printOutput() function
Running the script
Our final iteration β setupapi_parser.py
Extending the main() function
Adding to the parseSetupapi() function
Creating the parseDeviceInfo() function
Forming the prepUSBLookup() function
Constructing the getDeviceNames() function
Enhancing the printOutput() function
Running the script
Additional challenges
Summary
4. Working with Serialized Data Structures
Serialized data structures
A simple Bitcoin Web API
Our first iteration β bitcoin_address_lookup.v1.py
Exploring the main() function
Understanding the getAddress() function
Working with the printTransactions() function
The printHeader() helper function
The getInputs() helper function
Running the script
Our second iteration β bitcoin_address_lookup.v2.py
Modifying the main() function
Improving the getAddress() function
Elaborating on the printTransactions() function
Running the script
Mastering our final iteration β bitcoin_address_lookup.py
Enhancing the parseTransactions() function
Developing the csvWriter() function
Running the script
Additional challenges
Summary
5. Databases in Python
An overview of databases
Using SQLite3
Using the Structured Query Language
Designing our script
Manually manipulating databases with Python β file_lister.py
Building the main() function
Initializing the database with the initDB() function
Checking for custodians with the getOrAddCustodian() function
Retrieving custodians with the getCustodian() function
Understanding the ingestDirectory() function
Exploring the os.stat() method
Developing the formatTimestamp() helper function
Configuring the writeOutput() function
Designing the writeCSV() function
Composing the writeHTML() function
Running the script
Further automating databases β file_lister_peewee.py
Peewee setup
Jinja2 setup
Updating the main() function
Adjusting the initDB() function
Modifying the getOrAddCustodian() function
Improving the ingestDirectory() function
A closer look at the formatTimestamp() function
Converting the writeOutput() function
Simplifying the writeCSV() function
Condensing the writeHTML() function
Running our new and improved script
Challenge
Summary
6. Extracting Artifacts from Binary Files
UserAssist
Understanding the ROT-13 substitution cipher β rot13.py
Evaluating code with timeit
Working with the Registry module
Introducing the Struct module
Creating spreadsheets with the xlsxwriter module
Adding data to a spreadsheet
Building a table
Creating charts with Python
The UserAssist framework
Developing our UserAssist logic processor β userassist.py
Evaluating the main() function
Defining the createDictionary() function
Extracting data with the parseValues() function
Processing strings with the getName() function
Writing Excel spreadsheets β xlsx_writer.py
Controlling output with the excelWriter() function
Summarizing data with the dashboardWriter() function
Writing artifacts in the userassistWriter() function
Defining the fileTime() function
Processing integers with the sortByCount() function
Processing DateTime objects with the sortByDate() function
Writing generic spreadsheets β csv_writer.py
Understanding the csvWriter() function
Running the UserAssist framework
Additional challenges
Summary
7. Fuzzy Hashing
Background on hashing
Hashing files in Python
Deep dive into rolling hashes
Implementing rolling hashes β hashing_example.py
Limitations of rolling hashes
Exploring fuzzy hashing β fuzzy_hasher.py
Starting with the main function
Working with files in the fileController() function
Working with directories in the directoryController() function
Generating fuzzy hashes with the fuzzFile() function
Exploring the compareFuzzies() function
Creating reports with the writer() function
Running the first iteration
Using SSDeep in Python β ssdeep_python.py
Revisiting the main() function
The new fileController() function
Repurposing the directoryController() function
Demonstrating changes in the writer() function
Running the second iteration
Additional challenges
Citations
Summary
8. The Media Age
Creating frameworks in Python
Introduction to EXIF metadata
Introducing the Pillow module
Introduction to ID3 metadata
Introducing the Mutagen module
Introduction to Office metadata
Introducing the lxml module
Metadata_Parser framework overview
Our main framework controller β metadata_parser.py
Controlling our framework with the main() function
Parsing EXIF metadata β exif_parser.py
Understanding the exifParser() function
Developing the getTags() function
Adding the dmsToDecimal() function
Parsing ID3 metdata β id3_parser.py
Understanding the id3Parser() function
Revisiting the getTags() function
Parsing Office metadata β office_parser.py
Evaluating the officeParser() function
The getTags() function for the last time
Moving on to our writers
Writing spreadsheets β csv_writer.py
Plotting GPS data with Google Earth β kml_writer.py
Supporting our framework with processors
Creating framework-wide utility functions β utility.py
Framework summary
Additional challenges
Summary
9. Uncovering Time
About timestamps
What is epoch?
Using a GUI
Basics of Tkinter objects
Implementation of the Tkinter GUI
Using Frame objects
Using classes in Tkinter
Developing the Date Decoder GUI β date_decoder.py
The DateDecoder class setup and __init__() method
Executing the run() method
Implementing the buildInputFrame() method
Creating the buildOutputFrame() method
Building the convert() method
Defining the convert_unix_seconds() method
Conversion usi...
Table of contents
- Learning Python for Forensics
Frequently asked questions
Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
- Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
- Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 990+ topics, weβve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere β even offline. Perfect for commutes or when youβre on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Learning Python for Forensics by Preston Miller, Chapin Bryce in PDF and/or ePUB format, as well as other popular books in Computer Science & Programming in Python. We have over one million books available in our catalogue for you to explore.