Chet Hosmer
PowerShell and Python Together Targeting Digital Investigations
Chet Hosmer
Longs, SC, USA
Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the book's product page, located at www.apress.com/9781484245033. For more detailed information, please visit http://www.apress.com/source-code.
ISBN 978-1-4842-4503-3 e-ISBN 978-1-4842-4504-0
https://doi.org/10.1007/978-1-4842-4504-0
© Chet Hosmer 2019
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
To the latest addition to our family, Cousin Vinny, one of the sweetest, most loving, and curious Yellow Labs ever, who constantly interrupts our daily lives in the most wonderful ways.
Introduction
The endeavor to integrate PowerShell and Python came about a couple of years ago. I was providing training for a large utility and began by teaching the members of the security operations center, or SOC, how to apply Python scripts during investigations and incident response. A few months later, they asked for similar training, this time using PowerShell as the scripting engine for the SOC team. Based on this, I quickly realized that PowerShell was perfect for acquiring information across the enterprise, and Python was good at analyzing data that had been acquired by other tools.
Now, of course, PowerShell advocates will say that PowerShell scripts can be developed to perform detailed analysis. Likewise, Python advocates will say that Python scripts can be developed to perform very capable evidence acquisition. I agree with both advocates, but only to a point. The real question is, if we combine the best of both environments, does 1 + 1 = 2 or does 1 + 1 = 11? I believe that the answer falls somewhere in the middle.
Thus, the purpose of the book, along with the research and experimentation that went into it, was to build a model, in fact two models, to integrate and leverage the best capabilities of Python and PowerShell and apply the result to digital investigation. It is important to note that this is a work in progress. I believe that the continued development of advanced PowerShell and Python capabilities that leverage the models provided here has great potential and should be pursued.
Therefore, I encourage you to experiment with the models that I have presented here and use them to develop new solutions that are desperately needed to acquire and analyze evidence collected before, during, and after a cyber incident or cyber breach, as well as physical crimes or cybercrimes. I also encourage you to share your work and innovations with others in our field to benefit those who fight cybercrime every day.
Acknowledgments
I'm deeply appreciative of Joe Giordano, the driving force behind cybersecurity research and development, and ultimately education, for the past four decades. Your quiet, humble, and persistent work has made and is making a true impact on the security of our nation.
I want to thank Scott vonFischer, Tony Ombrellaro, and Dave Bang for providing the catalyst for this book. Your forward thinking, ensuring that your teams learn and apply the latest scripting environments to solve challenging problems in forensics and incident response, has been a true inspiration.
To my students at Utica and Champlain colleges, who constantly surprise, challenge, and inspire me to find new ways to share my decades of experience in software and scripting development to tackle the challenges of cybercrime investigation.
To Dr. Gary Kessler for his tireless validation of my scripts and writing. He always delivers sound advice on how to make both better.
To the whole team at Apress, especially Rita Fernando and Laura Berendson, for your constant encouragement, dedication, and patience throughout this project.
To my wonderful wife Janet, who always provides me with insights and a point of view about a challenge that I never thought of. These insights often, if not always, lead to new solutions and approaches that constantly improve my work.
About the Author and About the Technical Reviewer
About the Author
Chet Hosmer
is the founder of Python Forensics, Inc., a nonprofit organization focused on the collaborative development of open-source investigative technologies using Python and other popular scripting languages. Chet has been researching and developing technology and training surrounding forensics, digital investigation, and steganography for decades. He has made numerous appearances to discuss emerging cyber threats, including National Public Radio's Kojo Nnamdi Show, ABC's Primetime Thursday, and ABC News (Australia). He has also been a frequent contributor to technical and news stories relating to cybersecurity and forensics with IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired magazine.
Chet is the author of Defending IoT Infrastructures with the Raspberry Pi (Apress, 2018), Passive Python Network Mapping (Syngress, 2015), Python Forensics (Syngress, 2014), and Integrating Python with Leading Computer Forensics Platforms (Syngress, 2016). He coauthored Data Hiding