Merge pull request #1 from chapinb/Section_6

Added section6 - Sqlite3 & macOS/Mobile/Browsers
This commit is contained in:
Chapin Bryce 2019-11-26 20:12:12 -05:00 committed by GitHub
commit eb9f9832d2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 420 additions and 3 deletions


@ -1,4 +1,4 @@
# Sphinx build info version 1
# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
config: 3d75c43fddb36f788157bf623c0e7c72
config: 0fd78b0e82109c48196c34369f16014f
tags: 645f666f9bcd5a90fca523b33c5a78b7


@ -16,6 +16,7 @@ A guide for developing Python scripts in DFIR
section1
section2
section3
section6
Handbook Sections
==============================


@ -0,0 +1,17 @@
Section 6 - Sqlite & MacOS/Mobile/Browsers
==========================================
.. toctree::
:maxdepth: 2
:caption: Contents:
Section 6.1 - Opening Sqlite
--------------------------------
.. automodule:: sections.section_06.opening_sqlite
:members:
Indices and tables
--------------------------------
* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`


@ -99,6 +99,7 @@
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section6.html">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a></li>
</ul>
@ -255,6 +256,8 @@
<li><a href="section2.html#module-sections.section_02.yarp_ntuser">sections.section_02.yarp_ntuser (module)</a>
</li>
<li><a href="section3.html#module-sections.section_03.open_evtx">sections.section_03.open_evtx (module)</a>
</li>
<li><a href="section6.html#module-sections.section_06.opening_sqlite">sections.section_06.opening_sqlite (module)</a>
</li>
<li><a href="section1.html#sections.section_01.logging_example.setup_logging">setup_logging() (in module sections.section_01.logging_example)</a>
</li>


@ -99,6 +99,7 @@
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section6.html">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a></li>
</ul>
@ -173,6 +174,7 @@
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section6.html">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a></li>
</ul>
</div>
</div>



@ -101,6 +101,7 @@
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section6.html">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a></li>
</ul>
@ -224,6 +225,11 @@
<td>&#160;&#160;&#160;
<a href="section3.html#module-sections.section_03.open_evtx"><code class="xref">sections.section_03.open_evtx</code></a></td><td>
<em></em></td></tr>
<tr class="cg-2">
<td></td>
<td>&#160;&#160;&#160;
<a href="section6.html#module-sections.section_06.opening_sqlite"><code class="xref">sections.section_06.opening_sqlite</code></a></td><td>
<em></em></td></tr>
</table>


@ -99,6 +99,7 @@
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section6.html">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a></li>
</ul>


275
docs/section6.html Normal file

@ -0,0 +1,275 @@
<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Section 6 - Sqlite &amp; MacOS/Mobile/Browsers &mdash; Python Forensics Handbook 20191126 documentation</title>
<script type="text/javascript" src="_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/language_data.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="prev" title="Section 3 - Windows Event Log Parsing" href="section3.html" />
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-17386833-12"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-17386833-12');
</script>
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home"> Python Forensics Handbook
</a>
<div class="version">
20191126
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#module-sections.section_06.opening_sqlite">Section 6.1 - Opening Sqlite</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#opening-sqlite-configuration">Opening Sqlite configuration</a></li>
<li class="toctree-l3"><a class="reference internal" href="#listing-tables-configuration">Listing Tables configuration</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#indices-and-tables">Indices and tables</a></li>
</ul>
</li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Python Forensics Handbook</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html">Docs</a> &raquo;</li>
<li>Section 6 - Sqlite &amp; MacOS/Mobile/Browsers</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/section6.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="section-6-sqlite-macos-mobile-browsers">
<h1>Section 6 - Sqlite &amp; MacOS/Mobile/Browsers<a class="headerlink" href="#section-6-sqlite-macos-mobile-browsers" title="Permalink to this headline"></a></h1>
<div class="toctree-wrapper compound">
</div>
<div class="section" id="module-sections.section_06.opening_sqlite">
<span id="section-6-1-opening-sqlite"></span><h2>Section 6.1 - Opening Sqlite<a class="headerlink" href="#module-sections.section_06.opening_sqlite" title="Permalink to this headline"></a></h2>
<p>Example for opening and exploring Sqlite databases.</p>
<p>Example Usage:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">opening_sqlite.py</span> <span class="pre">history_db</span></code></p>
</div></blockquote>
<p>References:</p>
<ul class="simple">
<li><p><a class="reference external" href="https://docs.python.org/3/library/argparse.html">https://docs.python.org/3/library/argparse.html</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/os.html">https://docs.python.org/3/library/os.html</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/sqlite3.html">https://docs.python.org/3/library/sqlite3.html</a></p></li>
</ul>
<div class="section" id="opening-sqlite-configuration">
<h3>Opening Sqlite configuration<a class="headerlink" href="#opening-sqlite-configuration" title="Permalink to this headline"></a></h3>
<p>This function shows an example of opening a Sqlite database with Python.
Additional information regarding Sqlite modules can be
seen at <a class="reference external" href="https://docs.python.org/3/library/sqlite3.html">https://docs.python.org/3/library/sqlite3.html</a>.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="k">def</span> <span class="nf">open_sqlite</span><span class="p">(</span><span class="n">inputdb</span><span class="p">):</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">&quot;Provided Database: </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">inputdb</span><span class="p">))</span>
<span class="k">return</span> <span class="n">sqlite3</span><span class="o">.</span><span class="n">connect</span><span class="p">(</span><span class="n">inputdb</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="listing-tables-configuration">
<h3>Listing Tables configuration<a class="headerlink" href="#listing-tables-configuration" title="Permalink to this headline"></a></h3>
<p>This function shows an example of listing available tables in an opened Sqlite database.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="k">def</span> <span class="nf">list_tables</span><span class="p">(</span><span class="n">conn</span><span class="p">):</span>
<span class="n">cur</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span>
<span class="n">cur</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&quot;SELECT name FROM sqlite_master&quot;</span><span class="p">)</span>
<span class="n">table_list</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">cur</span><span class="o">.</span><span class="n">fetchall</span><span class="p">():</span>
<span class="n">table_list</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">i</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
<span class="k">return</span> <span class="n">table_list</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="indices-and-tables">
<h2>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><p><a class="reference internal" href="genindex.html"><span class="std std-ref">Index</span></a></p></li>
<li><p><a class="reference internal" href="py-modindex.html"><span class="std std-ref">Module Index</span></a></p></li>
<li><p><a class="reference internal" href="search.html"><span class="std std-ref">Search Page</span></a></p></li>
</ul>
</div>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="section3.html" class="btn btn-neutral float-left" title="Section 3 - Windows Event Log Parsing" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2019, Chapin Bryce
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>


@ -16,6 +16,7 @@ A guide for developing Python scripts in DFIR
section1
section2
section3
section6
Handbook Sections
==============================


@ -35,4 +35,4 @@ goto end
popd
REM copy HTML to docs folder
robocopy _build\html ..\docs /S /E
robocopy _build\html ..\docs /S /E /NFL /NDL /NJH /NJS

17
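--- a/docssrc/section6.rst
+++ b/docssrc/section6.rst
@@ -0,0 +1,17 @@
+Section 6 - Sqlite & MacOS/Mobile/Browsers
+==========================================
+.. toctree::
+:maxdepth: 2
+:caption: Contents:
+Section 6.1 - Opening Sqlite
+--------------------------------
+.. automodule:: sections.section_06.opening_sqlite
+:members:
+Indices and tables
+--------------------------------
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`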



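--- a/sections/section_06/opening_sqlite.py
+++ b/sections/section_06/opening_sqlite.py
@@ -0,0 +1,94 @@
+"""Example for opening and exploring Sqlite databases.
+Example Usage:
+``$ python opening_sqlite.py history_db``
+References:
+* https://docs.python.org/3/library/argparse.html
+* https://docs.python.org/3/library/os.html
+* https://docs.python.org/3/library/sqlite3.html
+Opening Sqlite configuration
+============================
+This function shows an example of opening a Sqlite database with Python.
+Additional information regarding Sqlite modules can be
+seen at https://docs.python.org/3/library/sqlite3.html.
+.. literalinclude:: ../sections/section_06/opening_sqlite.py
+:pyobject: open_sqlite
+Listing Tables configuration
+============================
+This function shows an example of listing available tables in an opened Sqlite database.
+.. literalinclude:: ../sections/section_06/opening_sqlite.py
+:pyobject: list_tables
+"""
+import argparse
+import os
+import sqlite3
+"""
+Copyright 2019 Brittney Argirakis
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+"""
+__author__ = 'Brittney Argirakis'
+__date__ = 20191126
+__license__ = 'MIT Copyright 2019 Brittney Argirakis'
+__desc__ = '''Sample script to open a SqLite DB.'''
+__docs__ = [
+'https://docs.python.org/3/library/argparse.html',
+'https://docs.python.org/3/library/os.html',
+'https://docs.python.org/3/library/sqlite3.html'
+]
+def open_sqlite(inputdb):
+print("Provided Database: {}".format(inputdb))
+return sqlite3.connect(inputdb)
+def list_tables(conn):
+cur = conn.cursor()
+cur.execute("SELECT name FROM sqlite_master")
+table_list = []
+for i in cur.fetchall():
+table_list.append(i[0])
+return table_list
+if __name__ == "__main__":
+parser = argparse.ArgumentParser(
+description=__desc__,
+formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+epilog=f"Built by {__author__}, v.{__date__}"
+)
+parser.add_argument("db", help="path to the database to read")
+args = parser.parse_args()
+conn = open_sqlite(args.db)
+listed_tables = list_tables(conn)
+print(listed_tables)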
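Review bot: `open_sqlite` hands the evidence path straight to `sqlite3.connect(inputdb)`, which opens the file read-write and silently creates an empty database when the path does not exist, so a mistyped argument produces a new file and an empty table list rather than an error, and a real evidence file can be modified by journal or WAL writes; for a forensic tool the database should be opened read-only, e.g. `return sqlite3.connect(f"file:{inputdb}?mode=ro", uri=True)` (the path needs percent-encoding if it contains `?` or `#`), and the currently unused `os` import could back an explicit `if not os.path.isfile(inputdb): raise FileNotFoundError(inputdb)` beforehand. In `list_tables`, `SELECT name FROM sqlite_master` returns every schema object — indexes, views and triggers as well as tables — so the result does not match the function name or the "listing available tables" docstring; `cur.execute("SELECT name FROM sqlite_master WHERE type = 'table'")` gives what is described. The cursor and the connection are never closed in the `__main__` block; an explicit `conn.close()` after `list_tables` would release the handle on the evidence file.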