Magnet User Summit 2019 – April 2, 2019
Leveraging PowerShell and Python for Incident Response and Live Forensic Applications
Chet Hosmer, Author, Python Forensics
This lecture/demonstration brings together the Python programming language and Microsoft's PowerShell to address digital investigations at a new level. PowerShell provides digital investigators with a rich set of cmdlets and deep access to the internals of the Windows Desktop, Cloud Services and now Linux and Mac. The Python development environment provides a rich scripting environment allowing for the rapid development of new tools, deep analysis, automation and correlation of evidence. Integrating the best of both technologies facilitates the creation of next-generation solutions for incident response, live forensic investigation, and e-Discovery. During this session, participants will: learn the fundamentals of both PowerShell and Python, experience the value of integrating PowerShell and Python, and learn how to apply these open source integrations to current challenges.
Paraben Forensic Innovation Conference
PFIC 2018, Sept 5-6, Park City Utah
Another fantastic year with the team at Paraben. In beautiful Park City, Utah with the latest cutting edge sessions covering digital investigations and incident response.
My training session this year focused on the use of Python for digital investigations.
High Tech Crimes International 2018, Washington D.C. August 19-22
The phenomenon of fake photos, audio and video has gone viral. Just one example, according to the Washington Post (2017):
“following an attack on the London Bridge that killed eight people, fake photos started popping up of individuals falsely labeled as missing. Internet trolls widely shared a grainy picture of a man driving a silver car and said it was a picture of the suspect. (It turned out to be an old photo of a controversial but unrelated American comedian.)”
This activity has become commonplace on the Internet and social media, and the results in many cases end up on the nightly news as FACTS. Not only is this practice extremely dangerous and unethical, it is simply fraud.
Our ability to separate legitimate digital photos from fake ones created with sophisticated artificial intelligence methods is vital. Once we can, we can prosecute those who conduct this activity for economic, political or even more nefarious motives.
During this training session, methods for creating fake photos and for detecting them were presented.
William Wan (2017, July 17). “Many people can’t tell when photos are fake. Can you?” The Washington Post. Retrieved from
Digital Forensic Research Workshop 2018, Providence, RI
Another great DFRWS event.
This year, I demonstrated the use of a Raspberry Pi coupled with a dedicated Python script to monitor, detect, respond and record evidence of aberrant behavior within targeted network environments (such as IoT and ICS).
The demonstration illustrated how a simple $35 Raspberry Pi can deliver vital information and evidence, and help investigators reason about an attacker's methods and motives.
August 11, 2018, DEFCON Skytalks and Wall of Sheep
Chet Hosmer and Mike Raggo, Exploiting IoT Communications, A Cover within a Cover
IoT offers new protocols and frequencies over which communication travels. Due to a lack of familiarity within most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels.
This introduces a plethora of covert channels by which data could be exfiltrated, or malware infiltrated into the network.
In this session, we explore this new frontier by focusing on new methods of IoT protocol exploitation, revealing research conducted over the last 2 years. Detailed examples will be provided, as well as a demo of a Python tool for exploiting unused portions of protocol fields.
From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices, gathered from our lab and real-world testing.
April 11, 2018 Cybersecurity Innovation Forum at George Mason University
Using a Raspberry Pi as a Passive Network Sensor
Another great evening with the Innovation Forum at GMU, presenting the Raspberry Pi Sensor project to a packed house.
Great working with J.P. Auffret and the whole GMU Team.
HTCIA Conference 2017
Python Forensics is proud to once again sponsor the HTCIA International Conference,
Oct 1-5 in Anaheim, California.
We will be exhibiting, speaking and training at this year's event. Please stop by our booth and/or attend one of our Labs or Lectures.
Leveraging PowerShell with Cool Python Scripts
Rancho Las Palmas
Monday 10:45 AM – 2:15 PM and
Tuesday 2:30 PM – 5:00 PM
This hands-on lab brings together the Python programming language and Microsoft's PowerShell to address digital investigations at a whole new level. PowerShell provides digital investigators with a rich set of cmdlets and deep access to the internals of both the Windows Desktop and Enterprise. The Python development environment provides a rich scripting environment allowing for the rapid development of new tools for investigation, automation and deep analysis. Integrating the best of both technologies facilitates the creation of next-generation solutions for incident response, live forensic investigation and e-Discovery. During this hands-on lab session, participants will:
– Learn the fundamentals of both PowerShell and Python.
– Use existing PowerShell and Python scripts to extract and examine evidence.
– Apply PowerShell and Python to specific Forensics and Incident Response challenges.
– Use Python to leverage existing PowerShell cmdlets to perform advanced evidence acquisition.
Speaker: Chet Hosmer
Python Passive IoT Investigations using a Raspberry Pi
Grand Ballroom A
Tuesday 9:00 AM – 10:00 AM
This lecture demonstrates the use of a Raspberry Pi coupled with a dedicated Python script to monitor, detect, respond and record evidence of aberrant behavior originating from or directed to Internet of Things (IoT) devices. The proliferation of IoT devices in business, home, industrial applications, mobile devices, transportation systems, health-care, surveillance systems and government applications has been explosive. “McKinsey estimates the total IoT market size in 2015 was up to $900M, growing to $3.7B in 2020” (McKinsey 2016). The impact on digital investigations of the rapid proliferation of IoT is significant. IoT devices, their networks and related cloud-based systems have the potential of holding key information related to traditional criminal activity, as well as detailed evidence associated with Internet-based attacks, including vital data regarding those responsible. During this lecture and live demonstration, attack methods and exfiltration examples will be covered in detail. In addition, a Raspberry Pi will be used to monitor, detect, react and record evidence of live attempted attacks and exfiltration exploits against the IoT devices being monitored. A detailed walk-through of the Python script used to perform the monitoring, detection, reaction and evidence capture methods will also be provided.
Speaker: Chet Hosmer