Mastering Python forensics : master the art of digital forensics and analysis with Python / Michael Spreitzenbarth and Johann Uhrmann
Series: Community experience distilled
Publication details: Packt Publishing, Birmingham, UK, 2015.
Description: viii, 169 pages : illustrations ; 24 cm
ISBN: 9781783988044
DDC classification (edition 23): 005.8 Sp78M
Item type | Current library | Call number | Status | Date due | Barcode |
---|---|---|---|---|---|
Books | Library and Documentation Division PGRRL | 005.8 Sp78M | Available | | 111896 |
Contents:
- Preface
- Chapter 1: Setting Up the Lab and Introduction to Python ctypes: Setting up the Lab; Ubuntu; Python virtual environment (virtualenv); Introduction to Python ctypes; Working with Dynamic Link Libraries; C data types; Defining Unions and Structures; Summary
- Chapter 2: Forensic Algorithms: Algorithms; MD5; SHA256; SSDEEP; Supporting the chain of custody; Creating hash sums of full disk images; Creating hash sums of directory trees; Real-world scenarios; Mobile Malware; NSRLquery; Downloading and installing nsrlsvr; Writing a client for nsrlsvr in Python; Summary
- Chapter 3: Using Python for Windows and Linux Forensics: Analyzing the Windows Event Log; The Windows Event Log; Interesting Events; Parsing the Event Log for IOC; The python-evtx parser; The plaso and log2timeline tools; Analyzing the Windows Registry; Windows Registry Structure; Parsing the Registry for IOC; Connected USB Devices; User histories; Startup programs; System Information; Shim Cache Parser; Implementing Linux specific checks; Checking the integrity of local user credentials; Analyzing file meta information; Understanding inode; Reading basic file metadata with Python; Evaluating POSIX ACLs with Python; Reading file capabilities with Python; Clustering file information; Creating histograms; Advanced histogram techniques; Summary
- Chapter 4: Using Python for Network Forensics: Using Dshell during an investigation; Using Scapy during an investigation; Summary
- Chapter 5: Using Python for Virtualization Forensics: Considering virtualization as a new attack surface; Virtualization as an additional layer of abstraction; Creation of rogue machines; Cloning of systems; Searching for misuse of virtual resources; Detecting rogue network interfaces; Detecting direct hardware access; Using virtualization as a source of evidence; Creating forensic copies of RAM content; Using snapshots as disk images; Capturing network traffic; Summary
- Chapter 6: Using Python for Mobile Forensics: The investigative model for smartphones; Android; Manual Examination; Automated Examination with the help of ADEL; Idea behind the system; Implementation and system workflow; Working with ADEL; Movement profiles; Apple iOS; Getting the Keychain from a jailbroken iDevice; Manual Examination with libimobiledevice; Summary
- Chapter 7: Using Python for Memory Forensics: Understanding Volatility basics; Using Volatility on Android; LiME and the recovery image; Volatility for Android; Reconstructing data for Android; Call history; Keyboard cache; Using Volatility on Linux; Memory acquisition; Volatility for Linux; Reconstructing data for Linux; Analyzing processes and modules; Analyzing networking information; Malware hunting with the help of YARA; Summary
- Where to go from here
- Index