Mastering Python Forensics电子书

Mastering Python Forensics

Table of Contents

Mastering Python Forensics

Credits

About the Authors

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Setting Up the Lab and Introduction to Python ctypes

Setting up the Lab

Ubuntu

Python virtual environment (virtualenv)

Introduction to Python ctypes

Working with Dynamic Link Libraries

C data types

Defining Unions and Structures

Summary

2. Forensic Algorithms

Algorithms

MD5

SHA256

SSDEEP

Supporting the chain of custody

Creating hash sums of full disk images

Creating hash sums of directory trees

Real-world scenarios

Mobile Malware

NSRLquery

Downloading and installing nsrlsvr

Writing a client for nsrlsvr in Python

Summary

3. Using Python for Windows and Linux Forensics

Analyzing the Windows Event Log

The Windows Event Log

Interesting Events

Parsing the Event Log for IOC

The python-evtx parser

The plaso and log2timeline tools

Analyzing the Windows Registry

Windows Registry Structure

Parsing the Registry for IOC

Connected USB Devices

User histories

Startup programs

System Information

Shim Cache Parser

Implementing Linux specific checks

Checking the integrity of local user credentials

Analyzing file meta information

Understanding inode

Reading basic file metadata with Python

Evaluating POSIX ACLs with Python

Reading file capabilities with Python

Clustering file information

Creating histograms

Advanced histogram techniques

Summary

4. Using Python for Network Forensics

Using Dshell during an investigation

Using Scapy during an investigation

Summary

5. Using Python for Virtualization Forensics

Considering virtualization as a new attack surface

Virtualization as an additional layer of abstraction

Creation of rogue machines

Cloning of systems

Searching for misuse of virtual resources

Detecting rogue network interfaces

Detecting direct hardware access

Using virtualization as a source of evidence

Creating forensic copies of RAM content

Using snapshots as disk images

Capturing network traffic

Summary

6. Using Python for Mobile Forensics

The investigative model for smartphones

Android

Manual Examination

Automated Examination with the help of ADEL

Idea behind the system

Implementation and system workflow

Working with ADEL

Movement profiles

Apple iOS

Getting the Keychain from a jailbroken iDevice

Manual Examination with libimobiledevice

Summary

7. Using Python for Memory Forensics

Understanding Volatility basics

Using Volatility on Android

LiME and the recovery image

Volatility for Android

Reconstructing data for Android

Call history

Keyboard cache

Using Volatility on Linux

Memory acquisition

Volatility for Linux

Reconstructing data for Linux

Analyzing processes and modules

Analyzing networking information

Malware hunting with the help of YARA

Summary

Where to go from here

Index