Mastering Python Forensics: Master The Art of Digital Forensics and Analysis With Python First Published October 2015 Edition Uhrmann
Table of Contents
Mastering Python Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab and Introduction to Python ctypes
Setting up the Lab
Ubuntu
Python virtual environment (virtualenv)
Introduction to Python ctypes
Working with Dynamic Link Libraries
C data types
Defining Unions and Structures
Summary
2. Forensic Algorithms
Algorithms
MD5
SHA256
SSDEEP
Supporting the chain of custody
Creating hash sums of full disk images
Creating hash sums of directory trees
Real-world scenarios
Mobile Malware
NSRLquery
Downloading and installing nsrlsvr
Writing a client for nsrlsvr in Python
Summary
3. Using Python for Windows and Linux Forensics
Analyzing the Windows Event Log
The Windows Event Log
Interesting Events
Parsing the Event Log for IOC
The python-evtx parser
The plaso and log2timeline tools
Analyzing the Windows Registry
Windows Registry Structure
Parsing the Registry for IOC
Connected USB Devices
User histories
Startup programs
System Information
Shim Cache Parser
Implementing Linux specific checks
Checking the integrity of local user credentials
Analyzing file meta information
Understanding inode
Reading basic file metadata with Python
Evaluating POSIX ACLs with Python
Reading file capabilities with Python
Clustering file information
Creating histograms
Advanced histogram techniques
Summary
4. Using Python for Network Forensics
Using Dshell during an investigation
Using Scapy during an investigation
Summary
5. Using Python for Virtualization Forensics
Considering virtualization as a new attack surface
Virtualization as an additional layer of abstraction
Creation of rogue machines
Cloning of systems
Searching for misuse of virtual resources
Detecting rogue network interfaces
Detecting direct hardware access
Using virtualization as a source of evidence
Creating forensic copies of RAM content
Using snapshots as disk images
Capturing network traffic
Summary
6. Using Python for Mobile Forensics
The investigative model for smartphones
Android
Manual Examination
Automated Examination with the help of ADEL
Idea behind the system
Implementation and system workflow
Working with ADEL
Movement profiles
Apple iOS
Getting the Keychain from a jailbroken iDevice
Manual Examination with libimobiledevice
Summary
7. Using Python for Memory Forensics
Understanding Volatility basics
Using Volatility on Android
LiME and the recovery image
Volatility for Android
Reconstructing data for Android
Call history
Keyboard cache
Using Volatility on Linux
Memory acquisition
Volatility for Linux
Reconstructing data for Linux
Analyzing processes and modules
Analyzing networking information
Malware hunting with the help of YARA
Summary
Where to go from here
Index
Mastering Python Forensics
Copyright © 2015 Packt Publishing
Every effort has been made in the preparation of this book to ensure
the accuracy of the information presented. However, the information
contained in this book is sold without warranty, either express or
implied. Neither the authors, nor Packt Publishing, and its dealers
and distributors will be held liable for any damages caused or
alleged to be caused directly or indirectly by this book.
Livery Place
35 Livery Street
ISBN 978-1-78398-804-4
www.packtpub.com
Credits
Authors
Reviewers
Richard Marsden
Puneet Narula
Yves Vandermeer
Commissioning Editor
Kartikey Pandey
Acquisition Editor
Sonali Vernekar
Shweta Pant
Technical Editor
Pranil Pathare
Copy Editor
Vibha Shukla
Project Coordinator
Shipra Chawhan
Proofreader
Safis Editing
Indexer
Mariammal Chettiyar
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
About the Authors
Dr. Michael Spreitzenbarth holds a doctorate in engineering in IT
security from the University of Erlangen-Nuremberg and is a CISSP as
well as a GMOB. He has been an IT security consultant at a worldwide
operating CERT for more than three years and has worked as a
freelancer in the field of mobile phone forensics, malware analysis,
and IT security consultancy for more than six years. For the last four
years, he has been giving talks and lectures in the fields of forensics
and mobile security at various universities and in the private sector.
First of all, I would like to thank my wife, Daniela, for her moral
support and willingness to give up on some family time while I
was writing. I also would like to thank my coauthor and
colleague, Dr. Michael Spreitzenbarth, for talking me into writing
this book and handling a great deal of the organizational
overhead of such a project. Furthermore, the great people
working on all the open source software projects that we used
and mentioned in this book deserve credit. You are the guys who
keep the IT world spinning.
About the Reviewers
Richard Marsden has over twenty years of professional experience
in software development. After starting in the fields of geophysics
and oil exploration, he has spent the last twelve years running the
Winwaed Software Technology LLC, an independent software vendor.
Winwaed specializes in geospatial tools and applications, which
include web applications, and operates the http://www.mapping-tools.com
website for tools and add-ins for geospatial products, such as
Caliper's Maptitude and Microsoft's MapPoint.
He started his career in banking and finance and then moved to the
ever growing domain of data and analytics.
Did you know that Packt offers eBook versions of every book
published, with PDF and ePub files available? You can upgrade to the
eBook version at www.PacktPub.com and as a print book customer,
you are entitled to a discount on the eBook copy. Get in touch with
us at <service@packtpub.com> for more details.
https://www2.packtpub.com/books/subscription/packtlib
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can
use this to access PacktLib today and view 9 entirely free books.
Simply use your login credentials for immediate access.
Preface
Today, information technology is a part of almost everything that
surrounds us. These are the systems that we wear and that support
us in building and running cities, companies, our personal online
shopping tours, and our friendships. These systems are attractive to
use—and abuse. Consequently, all criminal fields such as theft,
fraud, blackmailing, and so on have expanded into IT. Nowadays, this
is a multi-billion, criminal, global shadow industry.
Chapter 3, Using Python for Windows and Linux Forensics, is the first
step on your journey to understanding digital evidence. We will
provide examples to detect signs of compromise on Windows and
Linux systems. We will conclude the chapter with an example on
how to use machine learning algorithms in the forensic analysis.
Chapter 6, Using Python for Mobile Forensics, will give you an insight
on how to retrieve and analyze forensic data from mobile devices.
The examples will include analyzing Android devices as well as Apple
iOS devices.
To get the most out of this book, you should have decent skills in
Python and understand at least some of the inner workings of your
forensic targets, for example, some file system details.
Conventions
In this book, you will find a number of text styles that distinguish
between different kinds of information. Here are some examples of
these styles and an explanation of their meaning.
import hashlib
def multi_hash(filename):
    """Calculates the md5 and sha256 hashes
    of the specified file and returns a list
    containing the hash sums as hex strings."""
    with open(filename, 'rb') as f:
        data = f.read()
    return [hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()]
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d"></Provider>
<EventID Qualifiers="">4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
New terms and important words are shown in bold. Words that
you see on the screen, for example, in menus or dialog boxes,
appear in the text like this: "When asked to Select System Logs,
ensure that all log types are selected."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what
you think about this book—what you liked or disliked. Reader
feedback is important for us as it helps us develop titles that you will
really get the most out of.
If there is a topic that you have expertise in and you are interested
in either writing or contributing to a book, see our author guide at
www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a
number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our
content, mistakes do happen. If you find a mistake in one of our
books—maybe a mistake in the text or the code—we would be
grateful if you could report this to us. By doing so, you can save
other readers from frustration and help us improve subsequent
versions of this book. If you find any errata, please report them by
visiting http://www.packtpub.com/submit-errata, selecting your
book, clicking on the Errata Submission Form link, and entering
the details of your errata. Once your errata are verified, your
submission will be accepted and the errata will be uploaded to our
website or added to any list of existing errata under the Errata
section of that title.
Questions
If you have a problem with any aspect of this book, you can contact
us at <questions@packtpub.com>, and we will do our best to address
the problem.
Chapter 1. Setting Up the Lab and Introduction to Python ctypes
Cyber security and digital forensics are two topics of increasing
importance. Digital forensics, in particular, is becoming more and
more important, not only during law enforcement investigations, but
also in the field of incident response. In all of these investigations,
it is fundamental to find the root cause of a security breach, a
malfunction of a system, or a crime. Digital forensics plays a major
role in overcoming these challenges.
In this book, we will teach you how to build your own lab and
perform profound digital forensic investigations, which originate from
a large range of platforms and systems, with the help of Python. We
will start with common Windows and Linux desktop machines, then
move forward to cloud and virtualization platforms, and end up with
mobile phones. We will not only show you how to examine the data
at rest or in transit, but also take a deeper look at the volatile
memory.
Ubuntu
To work in a similar lab environment, we suggest that you download a
copy of the latest Ubuntu LTS Desktop distribution from
http://www.ubuntu.com/download/desktop/, preferably the 32-bit
version. The distribution provides a simple-to-use UI and already has
the Python 2.7.6 environment installed and preconfigured.
Throughout the book, we will use Python 2.7.x and not the newer
3.x versions. Several examples and case studies in this book will rely
on the tools or libraries that are already a part of the Ubuntu
distribution. When a chapter or section of the book requires a third-
party package or library, we will provide the additional information
on how to install it in the virtualenv (the setup of this environment
will be explained in the next section) or on Ubuntu in general.
To write your first Python script, you can use a simple editor such as
vi or a powerful but cluttered IDE such as Eclipse. As a really
powerful alternative, we suggest using Atom, a very clean but highly
customizable editor that can be freely downloaded from
https://atom.io/.
Python virtual environment (virtualenv)
According to the official Python documentation, Virtual Environment
is a tool to keep the dependencies required by different projects in
separate places by creating virtual Python environments for them. It
solves the "Project X depends on version 1.x, but Project Y needs
4.x" dilemma and keeps your global site-packages directory clean
and manageable.
We will now create a folder in the user's home directory for our
virtual Python environment. This directory will contain the
executable Python files and a copy of the pip library, which can be
used to install other packages in the environment. The name of the
virtual environment (in our case, it is called labenv) is your choice.
Our virtual lab environment can be created by executing the
following command:
Now, you can see that the command prompt starts with the name of
the virtual environment that we activated. From now on, any
package that you install using pip will be placed in the labenv
folder, isolated from the global Python installation in the underlying
Ubuntu.
STUDIËN IN NEDERLANDSCHE NAMENKUNDE
(Studies in Dutch Onomastics)
BY
JOHAN WINKLER.
HAARLEM
H. D. TJEENK WILLINK & ZOON
1900
Book, if anyone wishes to find fault with you,
Say that they should make something better.
Finding fault and making are very different things;
He who cannot make may keep silent.
Gysbert Japicx.
Page
Introduction
I. Nicknames of towns and villages 3
II. Dutch place names in France 91
III. Ghent family names 136
IV. Helmond names from the Middle Ages 171
V. Frisian names 196
VI. The names of the inhabitants of Leeuwarden in the year 1511 255
VII. Hell in Friesland 280
Index 293
INTRODUCTION.
Six of those treatises, by the nature of things little known, I have
selected and, partly supplemented, expanded and corrected, had
reprinted here. A larger essay, on the nicknames of towns and
villages, the principal item of this volume, I have added to them. It
appears here in print for the first time.
I have only been able to take a sample here and there from this rich
material, which is so abundantly available and accessible to everyone;
only a sample here and there to explain certain groups of names and
individual names.
May the following studies, which by the nature of things treat certain
groups of names only in a very limited and concise form, be welcome
to the reader and arouse his interest! And may many, through reading
and studying these treatises, feel encouraged to devote their energies
to this subject too, to onomastics; and may our national scholarship
be thereby greatly enriched and benefited!
Johan Winkler.
Haarlem, 1900.
These old nicknames are, for a good part, significant in many
respects. Many of them are already very old and date from the Middle
Ages. Many also rest on one historical fact or another, others on the
coat of arms belonging to the town or village (Klokkedieven of
Franeker, Balkedieven of Ameland, Mollen of Schermerhorn). Others
again owe their origin to some particular incident, in which the
neighbour, the opponent, in giving the nickname, put precisely the
foolish, the ridiculous side of the matter in the spotlight
(Kalfschieters of Delft, Keislepers of Amersfoort, Maneblusschers of
Mechelen, Rogstekers of Weert). Still others are taken from a
particular branch of trade, business or industry that existed in one
town and not in another: Gortbuiken or Gortzakken of Alkmaar (in
former times there were many groat mills in Alkmaar, and Alkmaar
groats were widely renowned throughout the country); Botervreters of
Diksmude and Kaasmakers of Belle (both of these Flemish places have
long been known for their dairy products). Some also arose from one
delicacy or another that was specially made in a particular town and
eaten or drunk by preference by its inhabitants (Koeketers of
Amsterdam, Klienroggen of Joure, Dúmkefretters of Sneek, Molboonen
of Groningen, Roodbierdrinkers of Harelbeke).