Down and Dirty With Python At Enfuse 2016
As it turns out, Python can be an invaluable skill for a forensic investigator to have. As a Computer Science major at Champlain College coming to a digital forensics conference like Enfuse 2016, I had to do my best to find the niche sessions that apply to my practice. I ended up taking just about every programming session I could take. One of the sessions that I was most looking forward to was Down and Dirty With Python. This session was an educational presentation that showed how Python can be used in the digital forensics field.
James Habben, a member of the Verizon RISK Team, presented the session, which received the second-highest session rating at the conference. I found this guy pretty cool, and I really enjoyed what he had to say about scripting and Python. “Scripting and Python allows an investigator to make tools do things they were not meant to do.” This fed into the main theme of the presentation, which was “do what you want.” He was essentially advising investigators that if a tool does not do what you want it to do, write one. What James meant by this was: don’t develop EnCase, write a simple script that gets the single, simple job done.
Habben put real effort into selling scripting to investigators, including a discussion of relevant data formats: CSV, SQLite, text, binary and registry. This did a pretty good job of letting investigators know that scripts can deal with the same things they already work with. Along with the familiar formats, he went over some techniques and libraries that make script writing simpler. Two of the techniques Habben mentioned were string formats/inserts and displaying data values. Some libraries he explained were argparse and E01 file access. I personally enjoyed it most when he was explaining and elaborating on argparse. This is a Python library that makes parsing arguments from the command line super simple. It is definitely a library I will use in all my future Python scripts that require arguments.
The scripts that Habben presented could be very useful to forensic investigators.
He showed off:
- A script that parses a prefetch file and displays all of the important information to the console, which could then be piped into a text file or CSV.
- A script that takes an IEF search SQLite database, parses out the important info, and pipes it into another SQLite database.
- A script that parses important forensic info out of an Apache log file and pipes it into a SQLite database for quick and easy access to the information.
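As an added example in the spirit of the Apache log script above (this is not Habben's code from the session, and the log lines, table schema and column names are constructed for the example), here is a small argparse-driven script that parses Apache combined-format access log lines into a SQLite database and runs a quick triage query:

```python
"""Load Apache combined-format access log lines into SQLite.

Added example, not the script shown at Enfuse. The sample log, the
`requests` table and its column names are assumptions for the example.
"""
import argparse
import re
import sqlite3
import sys
from datetime import datetime

# Combined Log Format:
#   host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2016:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2016:13:55:40 -0700] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.9"
198.51.100.7 - admin [10/May/2016:14:01:02 -0700] "POST /admin/upload.php HTTP/1.1" 200 41 "http://example.test/admin" "Mozilla/5.0"
this line is garbage and should be counted as unparsed
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS requests (
    id INTEGER PRIMARY KEY,
    host TEXT NOT NULL, user TEXT, ts TEXT NOT NULL,
    method TEXT NOT NULL, path TEXT NOT NULL,
    status INTEGER NOT NULL, size INTEGER NOT NULL,
    referer TEXT, agent TEXT
);
CREATE INDEX IF NOT EXISTS idx_requests_host ON requests(host);
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    # Apache writes the timestamp with a numeric UTC offset; keep it as ISO 8601.
    ts = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    dash = lambda v: None if v in (None, "-") else v
    return {
        "host": d["host"],
        "user": dash(d["user"]),
        "ts": ts.isoformat(),
        "method": d["method"],
        "path": d["path"],
        "status": int(d["status"]),
        "size": 0 if d["size"] == "-" else int(d["size"]),
        "referer": dash(d["referer"]),
        "agent": dash(d["agent"]),
    }


def load_log(lines, conn):
    """Insert every parseable line into conn; return (inserted, skipped)."""
    conn.executescript(SCHEMA)
    rows, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue  # blank lines are not worth reporting
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep going: one bad line should not kill the import
            continue
        rows.append(rec)
    conn.executemany(
        "INSERT INTO requests (host, user, ts, method, path, status, size, referer, agent) "
        "VALUES (:host, :user, :ts, :method, :path, :status, :size, :referer, :agent)",
        rows,
    )
    conn.commit()
    return len(rows), skipped


def top_hosts(conn, limit=10):
    """Hosts by request count, a typical first triage query once the data is in SQLite."""
    return conn.execute(
        "SELECT host, COUNT(*) AS n FROM requests GROUP BY host ORDER BY n DESC, host LIMIT ?",
        (limit,),
    ).fetchall()


def run_sample():
    """Load SAMPLE_LOG into an in-memory database; returns (inserted, skipped, top_hosts)."""
    conn = sqlite3.connect(":memory:")
    inserted, skipped = load_log(SAMPLE_LOG.splitlines(), conn)
    return inserted, skipped, top_hosts(conn)


def build_parser():
    p = argparse.ArgumentParser(description="Load an Apache access log into SQLite.")
    p.add_argument("logfile", help="access log to parse, or - for stdin")
    p.add_argument("-o", "--output", default="access.sqlite", help="SQLite database to write")
    return p


def main(argv=None):
    args = build_parser().parse_args(argv)
    conn = sqlite3.connect(args.output)
    try:
        if args.logfile == "-":
            inserted, skipped = load_log(sys.stdin, conn)
        else:
            with open(args.logfile, encoding="utf-8", errors="replace") as fh:
                inserted, skipped = load_log(fh, conn)
        print(f"inserted {inserted} rows, skipped {skipped} unparsed lines -> {args.output}")
        for host, n in top_hosts(conn):
            print(f"{n:6d}  {host}")
    finally:
        conn.close()


if __name__ == "__main__":
    main()
```

Run it as `python apache2sqlite.py access.log -o case.sqlite`; unparseable lines are counted rather than aborting the import, which matters on real logs where a single corrupt line is common, and the resulting database can be queried from any SQLite viewer the rest of the team already uses.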
In general, I enjoyed this presentation. Habben recommended a tool called PyCharm, which I already use, which was pretty cool. I am really excited to see what kind of Python scripts or EnScripts I could write for the LCDI to either expedite our cases or assist in research projects.