RomanNum3ral
/
python-forensics-handbook
mirror of https://github.com/chapinb/python-forensics-handbook.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
python-forensics-handbook/docs/index.html

427 lines
12 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>The Python Forensics Handbook &mdash; Python Forensics Handbook 20191103 documentation</title>
<script type="text/javascript" src="_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/language_data.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Section 1 - Essential Scripts" href="section1.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="#" class="icon icon-home"> Python Forensics Handbook
</a>
<div class="version">
20191103
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="#">Python Forensics Handbook</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="#">Docs</a> &raquo;</li>
<li>The Python Forensics Handbook</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/index.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="the-python-forensics-handbook">
<h1>The Python Forensics Handbook<a class="headerlink" href="#the-python-forensics-handbook" title="Permalink to this headline"></a></h1>
<div class="section" id="a-guide-for-developing-python-scripts-in-dfir">
<h2>A guide for developing Python scripts in DFIR<a class="headerlink" href="#a-guide-for-developing-python-scripts-in-dfir" title="Permalink to this headline"></a></h2>
<div class="toctree-wrapper compound">
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
</ul>
</div>
</div>
</div>
<div class="section" id="module-sections">
<span id="handbook-sections"></span><h1>Handbook Sections<a class="headerlink" href="#module-sections" title="Permalink to this headline"></a></h1>
<p>This handbook has 7 sections covering common tasks for developing
Python scripts for use in DFIR. Each section contains short,
portable code blocks that can drop into a new script with minimal
tweaking. This way, you can quickly build out your custom script
without needing to re-invent the wheel each time.</p>
<p>This handbook is not intended to be read in order - if anything
this outline is the main launching point to find the correct page
containing the code block you wish to reference.</p>
<p>Please feel free to contribute your own sections with the snippets that have
worked well for you, even if a similar section already exists. This handbook
is hosted on GitHub at <a class="reference external" href="https://github.com/chapinb/python-forensics-handbook">https://github.com/chapinb/python-forensics-handbook</a> and
available to read online at <a class="reference external" href="https://chapinb.com/python-forensics-handbook">https://chapinb.com/python-forensics-handbook</a>.
Please consider submitting a pull request with your additions!</p>
<div class="section" id="section-1-essential-script-elements">
<h2>Section 1 - Essential Script Elements<a class="headerlink" href="#section-1-essential-script-elements" title="Permalink to this headline"></a></h2>
<p>This chapter covers code blocks that are useful across scripts
and are not DFIR specific, but solid practices to integrate into
projects to allow for uniformity.</p>
<ul class="simple">
<li><dl class="simple">
<dt>Argparse</dt><dd><ul>
<li><p>Command line parameter handling</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Logging</dt><dd><ul>
<li><p>Writing status and error messages to the console and
log file</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Open Files</dt><dd><ul>
<li><p>Read text files with varying UTF encodings.</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>CSV Generation</dt><dd><ul>
<li><p>For better or worse, CSV reports are very common in DFIR
and this code block covers several methods for
generating a CSV</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Recursive File Exploration</dt><dd><ul>
<li><p>Quick example of code to explore directories and access
nested files.</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Parallel Processing</dt><dd><ul>
<li><p>Simple implementation of multithreading and multiprocessing</p></li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="section-2-registry-hives-with-yarp">
<h2>Section 2 - Registry Hives with YARP<a class="headerlink" href="#section-2-registry-hives-with-yarp" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><dl class="simple">
<dt>Using yarp to open a single hive</dt><dd><ul>
<li><p>Opening a hive and recovering data available in transaction logs</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Parse registry hive keys and values</dt><dd><ul>
<li><p>Building off our prior code to parse specific artifacts from an
NTUSER.DAT hive, including string and binary values. Uses classes in a
manner that is very flexible and permits extending functionality as
needed with minimal effort.</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Searching for a pattern across hive keys and values.</dt><dd><ul>
<li><p>Looking for a provided pattern across the entire hive.</p></li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="section-3-event-logs">
<h2>Section 3 - Event Logs<a class="headerlink" href="#section-3-event-logs" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><dl class="simple">
<dt>Using python-evtx</dt><dd><ul>
<li><p>Opening evtx files</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Parsing Logins (with types, levels, privs)</dt><dd><ul>
<li><p>Parse out the commonly investigated 4624/4672 events</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Parsing Logouts (durations)</dt><dd><ul>
<li><p>Parse 4624/4634 events to get information on user sessions</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Parsing Powershell decoding</dt><dd><ul>
<li><p>Reassemble PowerShell strings in events and decode commands</p></li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="section-4-text-logs">
<h2>Section 4 - Text logs<a class="headerlink" href="#section-4-text-logs" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><dl class="simple">
<dt>Handling IIS Logs</dt><dd><ul>
<li><p>Parse common fields in IIS logs into a report</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Handling Syslog</dt><dd><ul>
<li><p>Parse common syslog formats into a report</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>Adding in GeoIP</dt><dd><ul>
<li><p>Function to add GeoIP recognition</p></li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="section-5-api-calls-json-data">
<h2>Section 5 - API calls &amp; JSON data<a class="headerlink" href="#section-5-api-calls-json-data" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><p>VirusTotal</p></li>
<li><p>HybridAnalysis</p></li>
<li><p>Manipulating JSON</p></li>
</ul>
</div>
<div class="section" id="section-6-sqlite-macos-mobile-browsers">
<h2>Section 6 - SQLite &amp; macOS/mobile/browsers<a class="headerlink" href="#section-6-sqlite-macos-mobile-browsers" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><dl class="simple">
<dt>macOS Activity</dt><dd><ul>
<li><p>KnowledgeC</p></li>
</ul>
</dd>
</dl>
</li>
<li><p>Andriod SMS</p></li>
<li><p>Google Chome History DB</p></li>
</ul>
</div>
<div class="section" id="section-7-opening-forensic-images">
<h2>Section 7 - Opening forensic images<a class="headerlink" href="#section-7-opening-forensic-images" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><dl class="simple">
<dt>LibEWF</dt><dd><ul>
<li><p>Expose an E01 as a raw image</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt>PyTSK</dt><dd><ul>
<li><p>Read data from a raw image (MBR)</p></li>
<li><p>Read data from a file (hashing)</p></li>
<li><p>Iterate through folders (file listing)</p></li>
<li><p>Perform targetted reads (file sigs)</p></li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
</div>
<div class="section" id="indices-and-tables">
<h1>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this headline"></a></h1>
<ul class="simple">
<li><p><a class="reference internal" href="genindex.html"><span class="std std-ref">Index</span></a></p></li>
<li><p><a class="reference internal" href="py-modindex.html"><span class="std std-ref">Module Index</span></a></p></li>
<li><p><a class="reference internal" href="search.html"><span class="std std-ref">Search Page</span></a></p></li>
</ul>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="section1.html" class="btn btn-neutral float-right" title="Section 1 - Essential Scripts" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2019, Chapin Bryce
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink