Review Of Mastering Python Forensics

On October 30th, Dr. Michael Spreitzenbarth and Dr. Johann Uhrmann released Mastering Python Forensics.
Here are a few of my thoughts on it...

Chapter 1: Setting Up the Lab and Introduction to Python ctypes

I enjoyed learning about Python virtualenv. For those that don’t know, Virtual Environment is a tool to keep the dependencies required by different projects in separate places by creating virtual Python environments for them. This helps when packaging tools for distribution. This book does a excellent job of explaining the basics and incorporates virtualenv throughout all of examples in the text. Here is a great rundown I discovered this nice write up.
The Introduction to Python ctypes was worth reading 3 or 4 times. I have been using ctypes and structs in Python for a while but this chapter helped organize and clarify the "copy and paste" knowledge I was working with. I expect to use the portion about interacting with DLLs as a reference numerous times in the pursuit of reverse engineering malware.

For me, this first chapter alone was worth the cost of the book. I think I can leverage the principles covered in this chapter to do some interesting stuff.

Chapter 2 , Forensic Algorithms

While chapter is surely a necessary topic for beginners, it was not particularly revolutionary for me. They did a great job of covering the subject though. I did like the addition of a Python client for nsrlsvr to compare files hashes against list of known files provided by the good people at NIST. That might come in handy.

Chapter 3 , Using Python for Windows and Linux Forensics

This is a deep subject to cover in one chapter. This chapter highlights one of the things I like the most about this book: it leans on assumed knowledge by quickly covering the foundations and moves on to advanced topics. This is not a "basics of forensics" or "Python for Dummies" style of book but it covers enough to still be inclusive for the ambitious novice. This chapter:

  • does a great job explaining how to use Willi Ballenthin's Python-EVTX to parse the Windows Registry and search for Indicators of Compromise.
  • does feature a small blurb about plaso and log2timeline tools. For what it is worth, I would have liked to see more from this project but, again, they had a lot of ground to cover so I understand the brevity.
  • covers the Windows Registry structure, and highlights of what to look for in the registry. This chapter fails to mention Mr. Ballenthin's Python-Registry module and the resulting Python Registry Parser from Patrick Olsen both I think are missed opportunities. It does cover Andrew Davis' ShimCacheParser which uses an old version of Ballenthin's Registry module. The surface was scratched but in my opinion, they could have dug a little deeper.
  • nails Linux Forensics 101 with Python perfectly. I have nothing but praise for this section of the book. It is rich with practical examples and insightful explanations.
  • does a good job of using matplotlib to visualize data with histograms. The method demonstrated could be leveraged to display all kinds of data.

Chapter 4 , Using Python for Network Forensics

This chapter is short and doesn't cover as much ground as I would have hoped. This chapter:

  • Introduces Dshell to dissect packet captures. I learned a lot from this section and see a lot of practical applications for the examples provided. Dshell makes carving files out pcaps easy peasy.
  • Offers an example of using Scapy for during a forensic investigation. The script they provide records the statistics about the geolocation of the IP address source and the destination of an ongoing network connection. While this seems cool, this falls more into the realm of Incident Response than Forensics.
  • Explains how to use Scapy to create a simple port scanner. Building a port scanner for a Forensic investigation feels like a stretch to me. Again, I feel like this is more suited for IR or Penetration Testing. Neat though.
  • I would have loved to see more deep packet analysis or visualization of traffic patterns. Perhaps decrypting CryptoWall's RC4 C&C traffic in Python? Just a thought.
  • For the next edition, newer projects like Omri Herscovici's CapTipper would make a fine addition.

Chapter 5 , Using Python for Virtualization Forensics

Chapter 5 is well executed and covered topic thoroughly. This is another chapter that made me glad I bought the book though I will be the first to admit that I didn't lob any of the example scripts at an actual VMware vSphere environment. I enjoyed this portion of the book because it describes an area of digital forensics that is outside of my usual wheelhouse. This chapter describes how to use pyVmomi, VMware's Python SDK for the vSphere API, to analyze ESX, ESXi, or vCenter systems for the creation of rogue virtual machines, the creation of rogue virtual network devices on existing virtual machines, and enumerating virtual machines' direct hardware access. Pretty cool stuff. Since I am more of a VMware Workstation/Fusion type of guy , I have done similar things from using the vmrun command line interface.

Chapter 6 , Using Python for Mobile Forensics

I am not a seasoned mobile forensics analyst but I struggle with the mechanics of rooting an android phone in the pursuit of a forensic investigation.I say all that to say this, to me it seems like the introduction of an exploit to jailbreak or root your mobile device would not only be a tough sell in court but would trample all over filesystem metadata during the rooting process. I have some experience using Cellebrite's equipment to perform logical extractions of Blackberries and Android devices which doesn't dig deep but also doesn't compromise the device either.

For the record, I am familiar with rooting. I rooted all four of my Motorola Droids (Droid 1-4)(I was a sucker for the sliding keyboard. Don't judge me) and my Motorola Xoom (Motorola had me in their clutches for a while). Like many earlier android rooters, I pretty much only rooted my phone to install hacking tools and use the phone as a Wifi hotspot. Once the mobile hotspot became a mainstream feature and rooting because an enormous pain in the ass, I stopped scouring the android forums for hours trying to find shady recovery images and poorly written instructions for my exact model of phone. All things being considered, it was a good turning point in my life. I digress...

This chapter assumes you have rooted/jailbroken your device so, tabling all of my silly apprehensions about compromising the device, I found this to be another very interesting chapter. It covers using Python to grab the hash of the screen pin and cracking the hash with hashcat to unlock the screen. I could see this being very handy. Overall, I see enormous practicality in the examples provided in this chapter. I was previously unaware of the ADEL project and I haven't evaluated it but upfront it says it works on Android 4.X. I wonder if the development of this tool and tools like are keeping up with the versions of Android. As of October 5th, we are up to Android 6.0 Marshmallow. The project looks awesome for the record and this book does a great job of explaining the applications.

Chapter 7 , Using Python for Memory Forensics

This is not the Art of Memory Forensics and it doesn't try to be. I like that. The subject of analyzing Windows memory images with Volatility is covered, in depth, all over the place so I appreciate that this book doesn't attempt to cover it. Smart move. Instead it offers examples of how to analyze volatile memory from Android and Linux devices. By targeting this subset of Volatility's functionality, I think it adds a lot of value to this text. This chapter was another that broadened my horizons and made me glad I purchased.

Conclusion

If you are someone that would read this blog, you should buy this book.  This book is easy to digest and a wonderful starting point for DFIR professionals that are interested in leveraging Python to accomplish their work. "Forensics with Python" is a broad and ambitious topic to cover in 192 pages with diagrams and source code. Spreitzenbarth and Uhrmann did an impressive job of tackling the variety of subjects in an appropriate level of detail to make this book useful for forensic analysts of any experience level. Well done.