Init

.gitignore

@@ -0,0 +1,2 @@
+venv3
+.vscode

Outline.md

@@ -0,0 +1,111 @@
+# Outline
+
+Outline of chapters and sections of the book. For quick reference
+on where to find the snippet you are looking for. Each snippet
+should drop into another script without significant tweaking
+
+## Section 1 - Essential Script Snippets
+
+### Argparse
+
+Sample argparse usage and help information
+
+### Logging
+
+Setting up a basic logger with stdout and log file support.
+
+### 
+
+### CSV writing
+
+For Python 2 and 3, also unicode csv. Drop into any
+
+### Parallel Processing
+
+Simple implementation of multithreading and multiprocessing
+
+- Show off calling volatility?
+
+## Section 2 - Registry Hives with YARP
+
+### Using yarp to open a single hive
+
+Opening a hive and confirming it's the one you want to view
+
+### Read key information/metadata
+
+- USB Devices
+
+### Read value information/metadata
+
+- USB Devices
+
+### YARP hive file + transaction logs/other registry fragments
+
+- Show how we can get more data with this method
+
+## Section 3 - Event Logs
+
+### Using python-evtx
+
+#### Opening evtx files
+
+- Counts/Metadata about EVTX container
+
+#### Parsing Logins (with types, levels, privs)
+
+#### Parsing Logouts (durations)
+
+#### Parsing Powershell decoding
+
+## Section 4 - Text logs
+
+### Handling IIS Logs
+
+### Handling Syslog
+
+### Adding in GeoIP
+
+## Section 5 - API calls & JSON data
+
+### VirusTotal
+
+### HybridAnalysis
+
+### Manipulating JSON
+
+- Lists of dictionaries
+
+## Section 6 - SQLite & macOS/mobile/browsers
+
+### macOS Activity
+
+- KnowledgeC
+
+### Andriod SMS
+
+### Google Chome History DB
+
+## Section 7 - Opening forensic images
+
+### LibEWF
+
+- Expose an E01 as a raw image
+
+### PyTSK
+
+#### Read data from a raw image
+
+- Read MBR/GPT
+
+#### Read data from a file
+
+- Hashing a file
+
+#### Iterate through folders
+
+- Generate a metadata rich file listing
+
+#### Perform targetted reads
+
+- Signature look ups

README.md

@@ -0,0 +1,5 @@
+# Python Forensics Handbook
+
+A handy reference guide for building Python scripts to help out
+Digital Forensic, Incident Response, and other Cyber Secutiry
+tools.

sections/section_01_essentials/argparse_example.py

@@ -0,0 +1,63 @@
+import argparse
+import os
+from pathlib import PurePath
+
+"""
+Copyright 2019 Chapin Bryce
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+"""
+
+__author__ = 'Chapin Bryce'
+__date__ = 20190527
+__license = 'MIT Copyright 2019 Chapin Bryce'
+__desc__ = '''Sample script to accept command line arguments.'''
+__docs__ = [
+    'https://docs.python.org/3/library/argparse.html',
+    'https://docs.python.org/3/library/os.html',
+    'https://docs.python.org/3/library/pathlib.html'
+]
+
+# Only run if called directly (not imported)
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description='Sample Argparse',
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+        epilog=f"Built by {__author__}, v.{__date__}"
+    )
+    parser.add_argument('INPUT_FILE', help="Input file to parse")
+    parser.add_argument('OUTPUT_FOLDER', 
+        help="Folder to store output")
+    parser.add_argument('-l', '--log', help="Path to log file",
+        default=os.path.abspath(os.path.join(
+            PurePath(__file__).parent, 
+            PurePath(__file__).name.rsplit('.', 1)[0] + '.log'))
+    )
+    parser.add_argument('-v', '--verbose', action='store_true',
+        help='Include debug log messages')
+
+    args = parser.parse_args()
+
+    # Show arguments
+    print(f'Input file: {args.INPUT_FILE}')
+    print(f'Output folder: {args.OUTPUT_FOLDER}')
+    print(f'Log file: {args.log}')
+    print(f'Be verbose?: {args.verbose}')

sections/section_01_essentials/csv_example.py

@@ -0,0 +1,36 @@
+import csv
+import os
+
+"""
+Copyright 2019 Chapin Bryce
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+"""
+
+__author__ = 'Chapin Bryce'
+__date__ = 20190527
+__license = 'MIT Copyright 2019 Chapin Bryce'
+__desc__ = '''Sample script to write to CSV files.'''
+__docs__ = [
+    'https://docs.python.org/3/library/csv.html',
+    'https://docs.python.org/3/library/os.html'
+]
+

sections/section_01_essentials/logging_example.py

@@ -0,0 +1,73 @@
+import logging
+import sys
+
+"""
+Copyright 2019 Chapin Bryce
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+"""
+
+__author__ = 'Chapin Bryce'
+__date__ = 20190527
+__license = 'MIT Copyright 2019 Chapin Bryce'
+__desc__ = '''Sample script to display and write logging 
+    messages.'''
+__docs__ = [
+    'https://docs.python.org/3/library/logging.html',
+    'https://docs.python.org/3/library/os.html'
+]
+
+# Set logger object, uses module's name
+logger = logging.getLogger(name=__name__)
+
+# Set default logger level to DEBUG. You can change this later
+logger.setLevel(logging.DEBUG)
+
+# Logging formatter. Best to keep consistent for most usecases
+log_format = logging.Formatter(
+    '%(asctime)s %(filename)s %(levelname)s %(module)s '
+    '%(funcName)s %(lineno)d %(message)s')
+
+# Setup STDERR logging
+stderr_handle = logging.StreamHandler(stream=sys.stderr)
+stderr_handle.setLevel(logging.INFO)
+stderr_handle.setFormatter(log_format)
+
+# Setup file loggings
+file_handle = logging.FileHandler('sample.log', 'a')
+file_handle.setLevel(logging.DEBUG)
+file_handle.setFormatter(log_format)
+
+# Add handles
+logger.addHandler(stderr_handle)
+logger.addHandler(file_handle)
+
+# Sample log messages
+logger.debug("This is a debug message")
+logger.info("This is an info message")
+logger.warning("This is a warning message")
+logger.error("This is a error message")
+logger.critical("This is a critical message")
+
+def sample_function():
+    logger.info("Called from a function")
+
+sample_function()