Python Digital Forensics Cookbook
Effective Python recipes for digital investigations
Preston Miller
Chapin Bryce
BIRMINGHAM - MUMBAI
Copyright 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: September 2017
Production reference: 1220917
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78398-746-7
www.packtpub.com
Credits
Authors: Preston Miller, Chapin Bryce
Reviewer: Dr. Michael Spreitzenbarth
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Rahul Nair
Content Development Editor: Sharon Raj
Technical Editor: Prashant Chaudhari
Copy Editor: Stuti Srivastava
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Kirk D'Penha
Production Coordinator: Aparna Bhagat
About the Authors
Preston Miller is a consultant at an internationally recognized risk management firm. He holds an undergraduate degree from Vassar College and a master's degree in Digital Forensics from Marshall University. While at Marshall, Preston unanimously received the prestigious J. Edgar Hoover Foundation's Scientific Scholarship. He is a published author, most recently of Learning Python for Forensics, an introductory Python forensics textbook. Preston is also a member of the GIAC advisory board and holds multiple industry-recognized certifications in his field.
Chapin Bryce works as a consultant in digital forensics, focusing on litigation support, incident response, and intellectual property investigations. After studying computer and digital forensics at Champlain College, he joined a firm leading the field of digital forensics and investigations. In his downtime, Chapin enjoys working on side projects, hiking, and skiing (if the weather permits). As a member of multiple ongoing research and development projects, he has authored several articles in professional and academic publications.
About the Reviewer
Dr. Michael Spreitzenbarth, after finishing his diploma thesis with the major topic of mobile phone forensics, worked as a freelancer in the IT security sector for several years. In 2013, he finished his PhD at the University of Erlangen-Nuremberg in the field of Android forensics and mobile malware analysis. Since then, he has been working as a team lead in an internationally operating CERT.
Dr. Michael Spreitzenbarth's daily work deals with the security of mobile systems, forensic analysis of smartphones and suspicious mobile applications, and the investigation of security-related incidents within ICS environments. At the same time, he is working on the improvement of mobile malware analysis techniques and on research in the field of Android and iOS forensics as well as mobile application testing.
www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Why subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print, and bookmark content
- On demand and accessible via a web browser
Customer Feedback
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1783987464.
If you'd like to join our team of regular reviewers, you can email us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
To my mother, Mary, whose love, courage, and guidance have had an indelible impact on me.
I love you very much.
Preston Miller
This book is dedicated to the love of my life and my best friend, Alexa.
Thank you for all of the love, support, and laughter.
Chapin Bryce
Table of Contents
Preface
At the outset of this book, we strove to demonstrate a nearly endless corpus of use cases for Python in today's digital investigations. Technology plays an increasingly large role in our daily lives and shows no signs of stopping. Now, more than ever, it is paramount that an investigator develop programming expertise to work with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, efficiently extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations.
Throughout the book, recipes cover topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn how to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and with tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and will know how you can use it to process artifacts in your investigations.