By Chet Hosmer
Many digital investigators, students, academics, examiners and researchers are frustrated by the current set of forensic tools available. Don’t get me wrong, many of the toolkits are quite capable, but they also can be complex, expensive and come with a steep learning curve. Furthermore, when the need arises to address new issues, handle special cases or to directly impact performance by unleashing multiple processing cores toward a specific problem, your control may be limited. In addition, you may want to develop a deeper understanding of how digital evidence is acquired, examined and analyzed and add some of your own twists to the art of cybercrime investigation.
Enter Python Forensics
The Python programming language is an environment that can be learned and applied by “anyone”. You simply need a computer (PC, Mac, Linux, iOS, Android, Raspberry Pi, even an old MicroVAX lying around, and yes – even a Windows phone). In addition, the open source nature of the language has connected developers and researchers across the globe, spurring them on to build modules and libraries that address many challenges, including but certainly not limited to: space flight, weather prediction, financial modeling, movie production and now digital investigations. Python is used today by prominent organizations like Google, Disney, Dropbox, Industrial Light and Magic, the National Weather Service, NASA, IBM and many others.
The language has built-in capabilities that relate directly to digital investigation. For example, the code below computes the SHA-256 hash of a string in three statements. Hashing is one of the fundamental practices of digital investigation: a digest recorded at acquisition protects the integrity of evidence (re-hash later and compare), and digests are also how examiners search for specific known files. Note that hashes are computed over bytes, so the data is passed as a bytes literal (this form works in both Python 2.7 and Python 3).
>>> import hashlib
>>> sha256 = hashlib.sha256()
>>> sha256.update(b"some data I would like hashed")
>>> print("SHA 256: " + sha256.hexdigest())
SHA 256: 994dcf28257fd644d4393e1fb56e26f3ed66e602b697b7bfaec1fc54bd475e2e
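Hashing a single string is the toy case. In practice an examiner hashes files on disk, often images far larger than memory, and compares the digests against a known-file hash set. The following is an added example written for this page, not code from the book or the original post; the function names, the known-hash set and the sample files are all constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so evidence larger than RAM is handled.

    Reading the whole file with read() would fail on multi-gigabyte images;
    feeding chunks to update() yields the same digest as hashing the bytes at once.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_file_multi(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """One pass over the file, several digests at once.

    Many published known-file hash sets are still keyed on MD5 or SHA-1, while
    SHA-256 is what you record for evidence integrity, so computing all of them
    in a single read avoids re-reading a large image three times.
    """
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_known_files(root, known_hashes, algorithm="sha256"):
    """Walk `root`, hash every regular file and return {path: label} for hits.

    `known_hashes` maps a lowercase hex digest to a label, the shape a
    known-bad or known-good hash list takes once loaded. Symlinks are skipped
    so a link pointing outside the evidence tree is never followed.
    """
    matches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = hash_file(path, algorithm)
            if digest in known_hashes:
                matches[path] = known_hashes[digest]
    return matches


def demo():
    """Constructed sample: three files in a temp dir, one present in a constructed hash set."""
    sample = b"constructed sample content, not a real malware file\n" * 1000
    known = {hashlib.sha256(sample).hexdigest(): "sample-known-bad"}  # constructed hash set
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "evil.bin"), "wb") as f:
            f.write(sample)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        open(os.path.join(root, "empty"), "wb").close()
        # A deliberately tiny chunk size proves chunked hashing matches a one-shot hash.
        chunked = hash_file(os.path.join(root, "evil.bin"), chunk_size=7)
        multi = hash_file_multi(os.path.join(root, "evil.bin"))
        empty = hash_file(os.path.join(root, "empty"))
        matches = match_known_files(root, known)
    return {
        "reference": hashlib.sha256(sample).hexdigest(),
        "chunked": chunked,
        "multi_sha256": multi["sha256"],
        "empty": empty,
        "matches": {os.path.basename(p): label for p, label in matches.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

The `empty` digest is a useful sanity check when setting up any hashing tool: SHA-256 of zero bytes is always e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, so a tool that prints something else for an empty file is reading the wrong thing.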
Or maybe you need to capture network packets to identify possible information leaks. Python's standard library covers a variety of network interface capabilities. For example, the built-in socket module provides the building blocks for creating simple or advanced scripts that interface with the network. The raw socket below receives TCP packets with the IP header included. Two practical caveats: opening a raw socket requires root or administrator privileges, and a 255-byte receive buffer as used here will truncate most packets, so a real capture script should pass a buffer size of 65535.
>>> import socket
>>> mySocket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
>>> recvBuffer, addr = mySocket.recvfrom(255)
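Receiving the bytes is the easy half; to spot an information leak you have to decode the IPv4 and TCP headers and look at the payload. The following is an added example written for this page, not code from the book or the original post. The function names are mine, the packets are constructed in the script so it runs offline without privileges, and `capture_tcp` is the only part that needs root (it is not called by the offline demo).

```python
import socket
import struct

IPPROTO_TCP = 6  # protocol number carried in the IPv4 header for TCP


def parse_ipv4_tcp(packet):
    """Parse an IPv4 header followed by a TCP header from raw packet bytes.

    Returns a dict describing the packet, or None if the bytes are not a
    complete IPv4/TCP packet (too short, wrong IP version, other protocol).
    """
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # IPv4 header length in bytes, options included
    if version != 4 or ihl < 20 or len(packet) < ihl + 20:
        return None
    if proto != IPPROTO_TCP:
        return None
    (sport, dport, seq, ack_num, off_flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHLLHHHH", packet[ihl:ihl + 20])
    data_offset = (off_flags >> 12) * 4  # TCP header length in bytes
    flags = off_flags & 0x01FF
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl,
        "seq": seq, "ack_num": ack_num, "window": window,
        "fin": bool(flags & 0x01), "syn": bool(flags & 0x02),
        "rst": bool(flags & 0x04), "psh": bool(flags & 0x08),
        "ack": bool(flags & 0x10),
        "payload": packet[ihl + data_offset:],
    }


def find_leaks(packets, keywords):
    """Return (packet, keyword) pairs whose TCP payload contains a watched byte string."""
    hits = []
    for pkt in packets:
        if pkt is None:  # unparseable packets are skipped, not fatal
            continue
        for kw in keywords:
            if kw in pkt["payload"]:
                hits.append((pkt, kw))
    return hits


def capture_tcp(count, buffer_size=65535):
    """Receive `count` raw TCP packets and yield the parsed form of each.

    Requires root/administrator. On Linux an AF_INET raw socket delivers the IP
    header with every datagram, which is what parse_ipv4_tcp expects. Not run
    by the offline demo below.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    try:
        for _ in range(count):
            buf, _addr = sock.recvfrom(buffer_size)
            yield parse_ipv4_tcp(buf)
    finally:
        sock.close()


def build_sample_packet(src, dst, sport, dport, payload, flags=0x018):
    """Construct an IPv4+TCP packet for offline testing.

    Constructed input, not a real capture: checksums are left as zero and
    the default flags are PSH+ACK.
    """
    tcp_hdr = struct.pack("!HHLLHHHH", sport, dport, 1, 0,
                          (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    sample = [  # constructed traffic: one request leaks a token in the URL
        build_sample_packet("10.0.0.5", "203.0.113.9", 51234, 80,
                            b"GET /login?token=SECRET123 HTTP/1.1\r\n"),
        build_sample_packet("10.0.0.5", "203.0.113.9", 51235, 80,
                            b"GET / HTTP/1.1\r\n"),
    ]
    parsed = [parse_ipv4_tcp(p) for p in sample]
    for pkt, kw in find_leaks(parsed, [b"token=", b"password="]):
        print("%s:%d -> %s:%d leaked %r" % (pkt["src"], pkt["sport"],
                                            pkt["dst"], pkt["dport"], kw))
```

To run it against live traffic, replace the constructed list with `capture_tcp(100)` and run as root; keyword matching only sees plaintext protocols, which is exactly why it is a leak detector rather than a general monitor.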
Python Forensics: A workbench for inventing and sharing digital forensic technology, my most recent book, dives into these and many other topics to provide you with a deep understanding of the fundamental concepts of applying the Python language to digital investigation challenges. The book also contains fully coded and documented Python applications that can be used out of the box or extended by you.
So what are you waiting for? Start building, learning and experimenting with Python, whether it is your first language or just your newest! And be sure to keep in touch along your journey!
Chet Hosmer is an author, educator and researcher. Chet is a co-founder of WetStone Technologies, Inc., a Visiting Professor at Utica College in the Cybersecurity graduate program, and an Adjunct Professor at Champlain College where he teaches in the Digital Forensics Graduate program. He resides with his two-legged and four-legged family near Myrtle Beach, South Carolina. He is the author of the popular Syngress titles Data Hiding and Python Forensics, with more to come!