Integrating Python with Leading Computer Forensics Platforms
First Edition
Chet Hosmer
Technical Editor
Gary Kessler
Copyright
Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
2017 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-809949-0
For information on all Syngress publications visit our website at https://www.elsevier.com/
Publisher: Todd Green
Acquisition Editor: Chris Katsaropoulos
Editorial Project Manager: Anna Valutkevich
Production Project Manager: Priya Kumaraguruparan
Cover Designer: Mark Rogers
Typeset by SPi Global, India
Dedication
To our incredible granddaughter Zoey Marie.
Author Biography
Chet Hosmer is the founder of Python Forensics, Inc., a nonprofit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. He serves as a visiting professor at Utica College in the Cybersecurity Graduate program, where his research and teaching focus on advanced steganography/data hiding methods and related defenses. He is also an adjunct faculty member at Champlain College in the Master of Science in Digital Forensic Science Program, where he is researching and working with graduate students to advance the application of Python to solve hard problems facing digital investigators.
Chet makes numerous appearances each year to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, and ABC News Australia. He is also a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, DFI News, and Wired Magazine.
Chet is the author of three recent Elsevier/Syngress books: Python Passive Network Mapping (ISBN-13: 978-0128027219), Python Forensics (ISBN-13: 978-0124186767), and Data Hiding, co-authored with Mike Raggo (ISBN-13: 978-1597497435). He delivers keynote and plenary talks on various cyber security-related topics around the world each year.
Preface
Chet Hosmer
Modern digital forensic investigation platforms have evolved from simple command line tools to complete enterprise and mobile device investigation systems. This evolution has provided standardization for the acquisition and analysis of forensic evidence collected from a variety of computers, networks, mobile devices, the cloud, and even the entire enterprise. It has also resulted in a rich set of proven investigative processes and procedures and has led to the creation of training and certification programs that ensure the resulting captured evidence will stand up to the scrutiny of our justice system.
The next step in the evolution is twofold.
It has become difficult for the vendors of these platforms to keep up with the almost daily demand for new requirements based on the introduction of new devices, the manifestation of new threats or challenges, the need for cooperation between organizations using different toolsets, and of course the continuous demand for faster processing of evidence. The first step toward the future is for those investigating cybercrime to offer enhancements to these platforms, ranging from simple automation to new approaches to analyzing the data collected by these platforms.
Second, the need to apply a wide range of algorithms, analytics, and semantics to the evidence collected by these platforms has become paramount. Today, the great work done by these platforms can be characterized as: accurate data acquisition, preservation of the acquired data, format and organization of the data, and display of the results. The next logical step is to open up the access to that data in order to perform additional processing, analysis, and semantic analysis and to provide greater insight into the meaning of what has been collected, preserved, organized, and formatted.
The purpose of this book is to demonstrate how this can be accomplished by integrating the Python programming language with selected platforms. The Python language not only provides an on-ramp for those new to software development but also serves more advanced developers based upon the wide ranging support available within and for Python. This book shows how additional processing can be accomplished by way of example using four very different digital forensic platforms that all have recognized the importance of opening access to their platforms. In addition, the platforms were chosen due to the diversity of the integration method needed for each. The approaches shown here, however, should provide the underpinnings necessary to apply similar methods and approaches to integration for other popular forensic platforms.
For those purchasing the book, access to all the source code presented is available at:
www.Python-Forensics.org
I look forward to collaborating with each of you.
Acknowledgments
I would like to thank: