Python works perfectly in a UNIX-like environment, and very well on Windows too, but when we start to tackle low-level issues like accessing raw devices, some troubles surface...
It is not about Python but about the MS platform and its very non-POSIX behaviour, and worst of all the lack of documentation about some system programming issues on Windows. All these issues make it very hard to achieve the reliability required for a forensic-grade application; basically you can't trust code when it is not defined how it should work or how it is actually working. This is why most Python forensic things and other serious forensic tools exist on UNIX.
The same problem can be stated for commercially available forensic applications: we can only trust their developers that the code is right and does the right thing, since we don't have access to it and don't have a specification of what it should do, especially if we are talking about some esoteric situation like complex registry interpretations etc.
Let's talk about the simple task of erasing a disk. On a POSIX machine it is easy since all steps are defined and standardized; on Windows it is a nightmare: standard file I/O calls do not work because of some obscure security mechanism which is not described well, and the semantics of the operation can be found only through scattered examples. Worst of all, if an example works on XP it will surely not work on newer platforms because of security tightening.
Since we are bound to use Windows as the implementation platform, some examples are quite a challenge.
In more detail, what we will play with in the future:
- Forensically acceptable media erasing
- Hashing files, folders, raw devices
- Keyword search
- File indexing and using index structures for search
- Timeline analysis
- Interacting with other tools and programs
- Recycle bin recovery
- Windows registry file access
| Exercise script task | Description |
|---|---|
| Version and type of OS | Get the type and version of the OS on your live machine through Python. Can be done from the command line or from an application |
| OS module in Python to retrieve this information | Type the command in the Python command line and then execute the script |
| Interaction with a live program from the Python interpreter | Call a Windows command-line utility from Python and filter out the required data |
| Hashing | Create the script to hash files, folders and raw devices on Windows; entropy is defined too |
| Hash files, folders and hash raw devices and logical devices | Create the script to hash files, folders and raw devices on Windows, discuss issues in various implementation solutions and storing / reusing results |
| Redirection of output / input | How to connect two Python scripts together in a pipe on the command line |
| Storing output data in CSV format | How to store results in other formats like CSV, and log the events during execution |
| Keyword search | Search for keywords in various files; show results in hex and string mode |
| Grep, plain search in binary / hex format | Introduction to regexp usage |
| Storing results of search in a list or dictionary | How to store results |
| Indexing | How to index file content |
| Indexing a set of files and storing data for usage | How to index file content and use results for search; how to store results |
| Using an existing index from other Python programs / cmd line | |
| Timeline creation | |
| log2timeline as application (?) probably not because of SIFT WS | Create a timeline from a set of files based on metadata values and analyze it (?) log2timeline as a tool called from the cmdline |
| Metadata EXIF / GPS handling | How to extract and analyze EXIF / GPS metadata from pictures with a Python script |
| Windows registry analysis access | How to access data in registry files and analyze it through Python |
| General access to registry files | How to access the registry from the command line |
| WIFI locations as example | How to extract WIFI locations stored in the registry |
| Recycle bin access | How to access the Windows recycle bin folder and recover data |
| Examining Metadata in PDFs and Microsoft Documents | |
| Investigating Skype Artifacts | |
| Enumerating Browser Artifacts from Firefox Databases | |
| Examining Mobile Device Artifacts | |
| Drive cleaning | Cleaning the drive by means of an external program from the Python command line |
| Using drive cleanser as a module or as an external tool | Cleaning the drive by means of an external program from the Python command line |
| libewf compilation on Windows | Compile / or just install the libewf library, which allows access to images in E01 and other formats |
| Detecting TrueCrypt volumes in DD or forensic images | Comment the script and how to reuse the script or change it for your environment |
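As an added example for the hashing and CSV rows in the table (not the blog's own code): one pass over each input computes MD5, SHA-256 and Shannon entropy, reading in unbuffered, sector-multiple blocks so the same function works on a raw or logical device opened under an elevated process, and the results are written as CSV for reuse by other scripts. The sector size, the chunk size and the test data are assumptions constructed for the example.

```python
import csv
import hashlib
import math
import os
from collections import Counter

SECTOR = 512           # assumed sector size; raw-device reads must be multiples of it
CHUNK = SECTOR * 2048  # 1 MiB per read, still a sector multiple


def hash_stream(stream, chunk=CHUNK):
    """One pass over an open binary stream; returns
    (size, md5, sha256, Shannon entropy in bits per byte)."""
    md5, sha, counts, size = hashlib.md5(), hashlib.sha256(), Counter(), 0
    while True:
        block = stream.read(chunk)   # short reads are fine, b"" means EOF
        if not block:
            break
        md5.update(block)
        sha.update(block)
        counts.update(block)         # byte histogram for the entropy
        size += len(block)
    entropy = 0.0
    for n in counts.values():
        p = n / size
        entropy -= p * math.log2(p)
    return size, md5.hexdigest(), sha.hexdigest(), round(entropy, 4)


def hash_path(path):
    """Yield (path, size, md5, sha256, entropy) for one file, for every file
    under a folder, or for a device path such as \\.\PhysicalDrive0 or \\.\C:
    (device paths need an elevated process on Windows)."""
    targets = [path]
    if os.path.isdir(path):
        targets = [os.path.join(d, f) for d, _, fs in os.walk(path) for f in fs]
    for target in sorted(targets):
        # unbuffered, sector-multiple reads are what raw devices accept
        with open(target, "rb", buffering=0) as fh:
            yield (target,) + hash_stream(fh)


def write_csv(rows, out):
    """Store the results as CSV so other scripts or tools can reuse them."""
    writer = csv.writer(out)
    writer.writerow(["path", "size", "md5", "sha256", "entropy"])
    writer.writerows(rows)


if __name__ == "__main__":
    import sys
    write_csv(hash_path(sys.argv[1]), sys.stdout)   # pipe-friendly output
```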