Mastering Python Forensics
Table of Contents
Mastering Python Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab and Introduction to Python ctypes
Setting up the Lab
Ubuntu
Python virtual environment (virtualenv)
Introduction to Python ctypes
Working with Dynamic Link Libraries
C data types
Defining Unions and Structures
Summary
2. Forensic Algorithms
Algorithms
MD5
SHA256
SSDEEP
Supporting the chain of custody
Creating hash sums of full disk images
Creating hash sums of directory trees
Real-world scenarios
Mobile Malware
NSRLquery
Downloading and installing nsrlsvr
Writing a client for nsrlsvr in Python
Summary
3. Using Python for Windows and Linux Forensics
Analyzing the Windows Event Log
The Windows Event Log
Interesting Events
Parsing the Event Log for IOC
The python-evtx parser
The plaso and log2timeline tools
Analyzing the Windows Registry
Windows Registry Structure
Parsing the Registry for IOC
Connected USB Devices
User histories
Startup programs
System Information
Shim Cache Parser
Implementing Linux specific checks
Checking the integrity of local user credentials
Analyzing file meta information
Understanding inode
Reading basic file metadata with Python
Evaluating POSIX ACLs with Python
Reading file capabilities with Python
Clustering file information
Creating histograms
Advanced histogram techniques
Summary
4. Using Python for Network Forensics
Using Dshell during an investigation
Using Scapy during an investigation
Summary
5. Using Python for Virtualization Forensics
Considering virtualization as a new attack surface
Virtualization as an additional layer of abstraction
Creation of rogue machines
Cloning of systems
Searching for misuse of virtual resources
Detecting rogue network interfaces
Detecting direct hardware access
Using virtualization as a source of evidence
Creating forensic copies of RAM content
Using snapshots as disk images
Capturing network traffic
Summary
6. Using Python for Mobile Forensics
The investigative model for smartphones
Android
Manual Examination
Automated Examination with the help of ADEL
Idea behind the system
Implementation and system workflow
Working with ADEL
Movement profiles
Apple iOS
Getting the Keychain from a jailbroken iDevice
Manual Examination with libimobiledevice
Summary
7. Using Python for Memory Forensics
Understanding Volatility basics
Using Volatility on Android
LiME and the recovery image
Volatility for Android
Reconstructing data for Android
Call history
Keyboard cache
Using Volatility on Linux
Memory acquisition
Volatility for Linux
Reconstructing data for Linux
Analyzing processes and modules
Analyzing networking information
Malware hunting with the help of YARA
Summary
Where to go from here
Index