From 6e0d612aff6e78bbc730cfb7afe0d8f80da7d8f3 Mon Sep 17 00:00:00 2001 From: Chapin Bryce Date: Mon, 27 May 2019 16:22:41 -0400 Subject: [PATCH] Init --- .gitignore | 2 + Outline.md | 111 ++++++++++++++++++ README.md | 5 + .../section_01_essentials/argparse_example.py | 63 ++++++++++ sections/section_01_essentials/csv_example.py | 36 ++++++ .../section_01_essentials/logging_example.py | 73 ++++++++++++ 6 files changed, 290 insertions(+) create mode 100644 .gitignore create mode 100644 Outline.md create mode 100644 README.md create mode 100644 sections/section_01_essentials/argparse_example.py create mode 100644 sections/section_01_essentials/csv_example.py create mode 100644 sections/section_01_essentials/logging_example.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..32bccd7 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +venv3 +.vscode diff --git a/Outline.md b/Outline.md new file mode 100644 index 0000000..0a5a5cf --- /dev/null +++ b/Outline.md @@ -0,0 +1,111 @@ +# Outline + +Outline of chapters and sections of the book. For quick reference +on where to find the snippet you are looking for. Each snippet +should drop into another script without significant tweaking + +## Section 1 - Essential Script Snippets + +### Argparse + +Sample argparse usage and help information + +### Logging + +Setting up a basic logger with stdout and log file support. + +### + +### CSV writing + +For Python 2 and 3, also unicode csv. Drop into any + +### Parallel Processing + +Simple implementation of multithreading and multiprocessing + +- Show off calling volatility? + +## Section 2 - Registry Hives with YARP + +### Using yarp to open a single hive + +Opening a hive and confirming it's the one you want to view + +### Read key information/metadata + +- USB Devices + +### Read value information/metadata + +- USB Devices + +### YARP hive file + transaction logs/other registry fragments + +- Show how we can get more data with this method + +## Section 3 - Event Logs + +### Using python-evtx + +#### Opening evtx files + +- Counts/Metadata about EVTX container + +#### Parsing Logins (with types, levels, privs) + +#### Parsing Logouts (durations) + +#### Parsing Powershell decoding + +## Section 4 - Text logs + +### Handling IIS Logs + +### Handling Syslog + +### Adding in GeoIP + +## Section 5 - API calls & JSON data + +### VirusTotal + +### HybridAnalysis + +### Manipulating JSON + +- Lists of dictionaries + +## Section 6 - SQLite & macOS/mobile/browsers + +### macOS Activity + +- KnowledgeC + +### Andriod SMS + +### Google Chome History DB + +## Section 7 - Opening forensic images + +### LibEWF + +- Expose an E01 as a raw image + +### PyTSK + +#### Read data from a raw image + +- Read MBR/GPT + +#### Read data from a file + +- Hashing a file + +#### Iterate through folders + +- Generate a metadata rich file listing + +#### Perform targetted reads + +- Signature look ups diff --git a/README.md b/README.md new file mode 100644 index 0000000..5ff7984 --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# Python Forensics Handbook + +A handy reference guide for building Python scripts to help out +Digital Forensic, Incident Response, and other Cyber Secutiry +tools. diff --git a/sections/section_01_essentials/argparse_example.py b/sections/section_01_essentials/argparse_example.py new file mode 100644 index 0000000..04a5a7e --- /dev/null +++ b/sections/section_01_essentials/argparse_example.py @@ -0,0 +1,63 @@ +import argparse +import os +from pathlib import PurePath + +""" +Copyright 2019 Chapin Bryce + +Permission is hereby granted, free of charge, to any person +obtaining a copy of this software and associated documentation +files (the "Software"), to deal in the Software without +restriction, including without limitation the rights to use, copy, +modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. +""" + +__author__ = 'Chapin Bryce' +__date__ = 20190527 +__license = 'MIT Copyright 2019 Chapin Bryce' +__desc__ = '''Sample script to accept command line arguments.''' +__docs__ = [ + 'https://docs.python.org/3/library/argparse.html', + 'https://docs.python.org/3/library/os.html', + 'https://docs.python.org/3/library/pathlib.html' +] + +# Only run if called directly (not imported) +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description='Sample Argparse', + formatter_class=argparse.ArgumentDefaultsHelpFormatter, + epilog=f"Built by {__author__}, v.{__date__}" + ) + parser.add_argument('INPUT_FILE', help="Input file to parse") + parser.add_argument('OUTPUT_FOLDER', + help="Folder to store output") + parser.add_argument('-l', '--log', help="Path to log file", + default=os.path.abspath(os.path.join( + PurePath(__file__).parent, + PurePath(__file__).name.rsplit('.', 1)[0] + '.log')) + ) + parser.add_argument('-v', '--verbose', action='store_true', + help='Include debug log messages') + + args = parser.parse_args() + + # Show arguments + print(f'Input file: {args.INPUT_FILE}') + print(f'Output folder: {args.OUTPUT_FOLDER}') + print(f'Log file: {args.log}') + print(f'Be verbose?: {args.verbose}') \ No newline at end of file diff --git a/sections/section_01_essentials/csv_example.py b/sections/section_01_essentials/csv_example.py new file mode 100644 index 0000000..5d48ade --- /dev/null +++ b/sections/section_01_essentials/csv_example.py @@ -0,0 +1,36 @@ +import csv +import os + +""" +Copyright 2019 Chapin Bryce + +Permission is hereby granted, free of charge, to any person +obtaining a copy of this software and associated documentation +files (the "Software"), to deal in the Software without +restriction, including without limitation the rights to use, copy, +modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. +""" + +__author__ = 'Chapin Bryce' +__date__ = 20190527 +__license = 'MIT Copyright 2019 Chapin Bryce' +__desc__ = '''Sample script to write to CSV files.''' +__docs__ = [ + 'https://docs.python.org/3/library/csv.html', + 'https://docs.python.org/3/library/os.html' +] + diff --git a/sections/section_01_essentials/logging_example.py b/sections/section_01_essentials/logging_example.py new file mode 100644 index 0000000..bf53c90 --- /dev/null +++ b/sections/section_01_essentials/logging_example.py @@ -0,0 +1,73 @@ +import logging +import sys + +""" +Copyright 2019 Chapin Bryce + +Permission is hereby granted, free of charge, to any person +obtaining a copy of this software and associated documentation +files (the "Software"), to deal in the Software without +restriction, including without limitation the rights to use, copy, +modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. +""" + +__author__ = 'Chapin Bryce' +__date__ = 20190527 +__license = 'MIT Copyright 2019 Chapin Bryce' +__desc__ = '''Sample script to display and write logging + messages.''' +__docs__ = [ + 'https://docs.python.org/3/library/logging.html', + 'https://docs.python.org/3/library/os.html' +] + +# Set logger object, uses module's name +logger = logging.getLogger(name=__name__) + +# Set default logger level to DEBUG. You can change this later +logger.setLevel(logging.DEBUG) + +# Logging formatter. Best to keep consistent for most usecases +log_format = logging.Formatter( + '%(asctime)s %(filename)s %(levelname)s %(module)s ' + '%(funcName)s %(lineno)d %(message)s') + +# Setup STDERR logging +stderr_handle = logging.StreamHandler(stream=sys.stderr) +stderr_handle.setLevel(logging.INFO) +stderr_handle.setFormatter(log_format) + +# Setup file loggings +file_handle = logging.FileHandler('sample.log', 'a') +file_handle.setLevel(logging.DEBUG) +file_handle.setFormatter(log_format) + +# Add handles +logger.addHandler(stderr_handle) +logger.addHandler(file_handle) + +# Sample log messages +logger.debug("This is a debug message") +logger.info("This is an info message") +logger.warning("This is a warning message") +logger.error("This is a error message") +logger.critical("This is a critical message") + +def sample_function(): + logger.info("Called from a function") + +sample_function() \ No newline at end of file