Friday, December 5, 2014

Python training for forensics

Python training for forensics is a very interesting topic, taking into account all the issues around professional digital forensic training. I'll put up some articles about it, since it is intriguing and a challenge.

When you start to define the tasks, scenarios and scripts to be used, it becomes even more interesting. Most forensic work with Python is done on UNIX-based platforms and not so much on Windows, but as usual, because of some strange conditions, we are bound to do a training based on the Windows platform.

My colleague Jakob Vukalović is developing full-scale tools and scripts; some topics will soon be posted on his blog.

So the first issue is: how do we calculate a hash on different files and evidence?
For entries in the file system it is relatively easy: traverse the folders and run the hash on each file. But what about E01 files, dd images and other formats? Some of them are easy; external tools such as FTK Imager, or Python libraries, can be used to access them.

If we have an E01 image and FTK Imager, the simplest way is to mount the image and expose it to Windows as a raw disk, in read-only access mode.

When we have a raw device available, can we use Python to get a checksum, as for raw devices on UNIX-like machines? Yes, it is possible, but a bit strange.

On the MS support forum you can find how to access raw and logical devices through the open/read/close paradigm. To access physical disk N the device path is "\\.\PhysicalDriveN", and for logical drive X the path is "\\.\X:". So the basic idea is to use the same semantics as on other platforms: open the device path in read-only binary mode, read data from the file into a buffer, update the hash with the buffer, repeat until EOF is reached, then print the hash and close the file. Strangely, on reaching EOF while reading the raw physical disk there is an error, "IOError: [Errno 13] Permission denied", which does not make much sense but kills the process. Fortunately Python has exception handling, and that paradigm saves the day :)

Still, this tweak does not sound right, since handling an exception always means something went wrong, and that is a bad sign in a forensic process. But this is the MS operating system and its semantics, in the working environment of a scripting language which is not native to that closed platform, whatever we say.

#!/usr/bin/env python
###################################################################
# Code snippet to show how to calculate MD5 on raw disk 2 on the Windows platform
# and how to handle "IOError: [Errno 13] Permission denied" at EOF.
# '\\\\.\\PhysicalDrive2'  how to code the path to physical drive 2
# '\\\\.\\X:'              how to code the path to logical drive X
# This is just a skeleton and must be much, much improved for real usage :)
###################################################################

import errno
import hashlib

# path to the raw device (opening it needs an elevated / administrator prompt)
p = '\\\\.\\PhysicalDrive2'

# open path p for reading in BINARY mode. 'r' and 'rb' are not the same on
# Windows: text mode translates CRLF and treats 0x1A as end of file, which
# would silently corrupt the hash.
f = open(p, 'rb')

# initialise the hash module
h = hashlib.md5()

# set the size of each read; performance varies with the size, and on a raw
# device it must be a multiple of the sector size (512 or 4096).
# If no size is given, f.read() tries to load the whole disk into memory and crashes.
s = 4096

# the optimal buffer size is 32K (32768), found later in
# http://ojs.pythonpapers.org/index.php/tpp/article/viewFile/243/211

# reading loop: read a chunk into rd. An IOError with errno 13 on a raw disk is
# the EOF quirk, so it is treated as an empty read. Any other errno is a real
# read failure and is re-raised, because a silently truncated read would
# produce a wrong hash.
total = 0
while True:
    try:
        rd = f.read(s)
    except IOError as e:
        if e.errno != errno.EACCES:
            raise
        rd = b""
    if rd == b"":
        break
    h.update(rd)
    total += len(rd)

# close raw device, good behaviour
f.close()

# print the hash and the number of bytes read, so the count can be checked
# against the known size of the disk
print(h.hexdigest())
print("%d bytes read" % total)
###################################################################
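The following is an added example, not the post's own code, that generalises the skeleton above and the file-system hashing mentioned earlier: one pass computes several digests, a directory tree is walked file by file, and the Windows raw-device quirk (errno 13 on the read past the end of the disk) is recorded in the result instead of being silently swallowed, so a read that failed part-way through the disk cannot be mistaken for a clean end of file. All function names (hash_stream, hash_path, hash_tree) are my own, and FakeWindowsRawDevice is a constructed test double that behaves the way the post describes a physical drive behaving; it is not a Windows API.

```python
#!/usr/bin/env python3
"""Chunked hashing of files, directory trees and raw devices (added example)."""
import errno
import hashlib
import os
import sys

CHUNK = 32768  # 32 KiB, the buffer size the post cites as optimal; a multiple of 512 and 4096


def hash_stream(fobj, algorithms=("md5", "sha1", "sha256"), chunk=CHUNK):
    """Hash an open binary file object and return a result dict.

    The loop ends on b"" (a normal EOF) or on an OSError. On a Windows raw
    device the read past the end raises errno 13; any other OSError is a
    real read failure. Both are reported in 'stop_reason' together with
    'bytes_read', which the examiner compares against the known disk size.
    """
    hashes = {name: hashlib.new(name) for name in algorithms}
    total = 0
    stop_reason = "eof"
    while True:
        try:
            data = fobj.read(chunk)
        except OSError as exc:  # IOError is an alias of OSError in Python 3
            stop_reason = "ioerror errno=%s" % exc.errno
            break
        if not data:
            break
        total += len(data)
        for h in hashes.values():
            h.update(data)
    return {
        "bytes_read": total,
        "stop_reason": stop_reason,
        "digests": {name: h.hexdigest() for name, h in hashes.items()},
    }


def hash_path(path, **kw):
    """Hash a regular file, or a device path like the post's PhysicalDrive2 (administrator needed)."""
    # binary mode is essential: on Windows, text mode translates CRLF and stops at 0x1A
    with open(path, "rb") as f:
        return hash_stream(f, **kw)


def hash_tree(root, **kw):
    """Hash every regular file below root; return {relative path: result}."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and other non-regular entries
            results[os.path.relpath(full, root)] = hash_path(full, **kw)
    return results


class FakeWindowsRawDevice:
    """Constructed test double for a raw physical drive as the post describes it:
    reads return data until the image is exhausted, then raise errno 13 instead
    of returning b"". An optional bad_offset simulates an unreadable sector (errno 5)."""

    def __init__(self, image, bad_offset=None):
        self._image = image
        self._pos = 0
        self._bad = bad_offset

    def read(self, n):
        if self._bad is not None and self._pos <= self._bad < self._pos + n:
            raise OSError(errno.EIO, "Input/output error")
        if self._pos >= len(self._image):
            raise PermissionError(errno.EACCES, "Permission denied")
        data = self._image[self._pos:self._pos + n]
        self._pos += len(data)
        return data


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    if os.path.isdir(target):
        for rel, res in hash_tree(target).items():
            print(res["digests"]["md5"], rel)
    else:
        res = hash_path(target)
        print(res["digests"]["md5"], res["bytes_read"], res["stop_reason"])
```

Run it with a folder to get one MD5 per file, or (from an administrator prompt on Windows) with a device path to hash a mounted raw disk; in the latter case "stop_reason" should read "ioerror errno=13" and "bytes_read" should equal the disk size reported by FTK Imager or Disk Management. Any other errno, or a smaller byte count, means the hash does not cover the whole evidence.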


9.2.2017
There was a huge peak on this page on February 3, almost 70 visits, mostly from Germany, very unusual.

It is worth mentioning a new, very interesting book by Chet Hosmer, "Integrating Python with Leading Computer Forensics Platforms". I have not yet got a copy, but the topics listed are very intriguing. I see one thing missing at first glance, Python and mobile forensic tools, but probably there are some copyright issues.


1 comment:

  1. Such great articles in my career. It's wonderful, commands like the easiest-to-understand words of knowledge in information.
    Python Training in Chennai