Today, information technology is a part of almost everything that surrounds us. These are the systems that we wear and that support us in building and running cities, companies, our personal online shopping tours, and our friendships. These systems are attractive to useāand abuse. Consequently, all criminal fields such as theft, fraud, blackmailing, and so on expanded to the IT. Nowadays, this is a multi-billion, criminal, global shadow industry.
Can a single person spot traces of criminal or suspicious activity conducted by a multi-billion, criminal, global shadow industry? Well, sometimes you can. To analyze the modern crime, you do not need magnifying glasses and lifting fingerprints off wine bottles. Instead, we will see how to apply your Python skills to get a close look at the most promising spots on a file system and take digital fingerprints from the traces left behind by hackers.
As authors, we believe in the strength of examples over dusty theory. This is why we provide samples for forensic tooling and scripts, which are short enough to be understood by the average Python programmer, yet usable tools and building blocks for real-world IT forensics.
Are you ready to turn suspicion into hard facts?
Chapter 1, Setting Up the Lab and Introduction to Python ctypes, covers how to set up your environment to follow the examples that are provided in this book. We will take a look at the various Python modules that support our forensic analyses. With ctypes, we provide the means to go beyond Python modules and leverage the capabilities of native system libraries.
Chapter 2, Forensic Algorithms, provides you with the digital equivalent of taking fingerprints. Just like in the case of classic fingerprints, we will show you how to compare the digital fingerprints with a huge registry of the known good and bad samples. This will support you in focusing your analysis and providing a proof of forensical soundness.
Chapter 3, Using Python for Windows and Linux Forensics, is the first step on your journey to understanding digital evidence. We will provide examples to detect signs of compromise on Windows and Linux systems. We will conclude the chapter with an example on how to use machine learning algorithms in the forensic analysis.
Chapter 4, Using Python for Network Forensics, is all about capturing and analyzing network traffic. With the provided tools, you can search and analyze the network traffic for signs of exfiltration or signature of malware communication.
Chapter 5, Using Python for Virtualization Forensics, explains how modern virtualization concepts can be used by the attacker and forensic analyst. Consequently, we will show how to find traces of malicious behavior on the hypervisor level and utilize the virtualization layer as a reliable source of forensic data.
Chapter 6, Using Python for Mobile Forensics, will give you an insight on how to retrieve and analyze forensic data from mobile devices. The examples will include analyzing Android devices as well as Apple iOS devices.
Chapter 7, Using Python for Memory Forensics, demonstrates how to retrieve memory snapshots and analyze these RAM images forensically with Linux and Android. With the help of tools such as LiME and Volatility, we will demonstrate how to extract information from the system memory.