Mastering Python Forensics

Book Description

Master the art of digital forensics and analysis with Python

About This Book

• Learn to perform forensic analysis and investigations with the help of Python, and gain an advanced understanding of the various Python libraries and frameworks
• Analyze Python scripts to extract metadata and investigate forensic artifacts
• The writers, Dr. Michael Spreitzenbarth and Dr. Johann Uhrmann, have used their experience to craft this hands-on guide to using Python for forensic analysis and investigations

Who This Book Is For

If you are a network security professional or forensics analyst who wants to gain a deeper understanding of performing forensic analysis with Python, then this book is for you. Some Python experience would be helpful.

What You Will Learn

• Explore the forensic analysis of different platforms such as Windows, Android, and vSphere
• Semi-automatically reconstruct major parts of the system activity and time-line
• Leverage Python ctypes for protocol decoding
• Examine artifacts from mobile, Skype, and browsers
• Discover how to utilize Python to improve the focus of your analysis
• Investigate in volatile memory with the help of volatility on the Android and Linux platforms

In Detail

Digital forensic analysis is the process of examining and extracting data digitally and examining it. Python has the combination of power, expressiveness, and ease of use that makes it an essential complementary tool to the traditional, off-the-shelf digital forensic tools.

This book will teach you how to perform forensic analysis and investigations by exploring the capabilities of various Python libraries.

The book starts by explaining the building blocks of the Python programming language, especially ctypes in-depth, along with how to automate typical tasks in file system analysis, common correlation tasks to discover anomalies, as well as templates for investigations. Next, we’ll show you cryptographic algorithms that can be used during forensic investigations to check for known files or to compare suspicious files with online services such as VirusTotal or Mobile-Sandbox.

Moving on, you’ll learn how to sniff on the network, generate and analyze network flows, and perform log correlation with the help of Python scripts and tools. You’ll get to know about the concepts of virtualization and how virtualization influences IT forensics, and you’ll discover how to perform forensic analysis of a jailbroken/rooted mobile device that is based on iOS or Android.

Finally, the book teaches you how to analyze volatile memory and search for known malware samples based on YARA rules.

Style and approach

This easy-to-follow guide will demonstrate forensic analysis techniques by showing you how to solve real-word-scenarios step by step.

Table of Contents

Chapter 1: Setting Up the Lab and Introduction to Python ctypes
Chapter 2: Forensic Algorithms
Chapter 3: Using Python for Windows and Linux Forensics
Chapter 4: Using Python for Network Forensics
Chapter 5: Using Python for Virtualization Forensics
Chapter 6: Using Python for Mobile Forensics
Chapter 7: Using Python for Memory Forensics

中文：

书名：Mastering Python Forensics

掌握数字取证的艺术和使用Python进行分析

关于本书

• 学习如何在Python的帮助下执行取证分析和调查，并深入了解各种Python库和框架
• Analyze Python scripts to extract metadata and investigate forensic artifacts
• 作者Michael Spreitzenbarth博士和Johann Uhrmann博士利用他们的经验制作了这本使用Python进行法医分析和调查的动手指南

这本书是为谁写的

如果您是一名网络安全专业人员或法医分析师，想要更深入地了解如何使用Python执行取证分析，那么这本书是为您准备的。具备一定的Python经验会很有帮助。

你将学到什么

• 探索不同平台(如Windows、Android和vSphere)的取证分析
• 半自动重建系统活动和时间线的主要部分
• 利用Python ctype进行协议解码
• 检查来自移动设备、Skype和浏览器的人工制品
• 了解如何利用Python来提高分析的重点
• 借助Android和Linux平台上的易失性研究易失性内存

In Detail

数字取证分析是以数字方式检查和提取数据并对其进行检查的过程。Python具有强大的功能、表现力和易用性，这使其成为传统的现成数字取证工具的重要补充工具。

这本书将教你如何通过探索各种Python库的功能来执行取证分析和调查。

这本书首先解释了Python编程语言的构建块，特别是深入的ctype，以及如何自动化文件系统分析中的典型任务，发现异常的常见关联任务，以及用于调查的模板。接下来，我们将向您展示可在取证调查期间使用的加密算法，以检查已知文件或将可疑文件与VirusTotal或Mobile-Sandbox等在线服务进行比较。

接下来，您将学习如何在网络上进行嗅探、生成和分析网络流，并在Python脚本和工具的帮助下执行日志关联。您将了解虚拟化的概念以及虚拟化如何影响IT取证，您还将了解如何对基于iOS或Android的越狱/扎根移动设备执行取证分析。

最后，这本书教你如何分析易失性内存并根据Yara规则搜索已知恶意软件样本。

风格和方法

这本简单易懂的指南将通过向您展示如何一步一步地解决实际世界中的场景来演示法医分析技术。

目录表

第1章：设置实验室和Python ctype简介
Chapter 2: Forensic Algorithms
第3章：使用适用于Windows和Linux Forensics的Python
第4章：使用Python进行网络取证
第5章：使用Python进行虚拟化取证
第6章：使用Python进行移动取证
第7章：使用Python进行内存取证