Category: python Digital Forensics

Python Digital Forensics – Resources ”; Previous Next The following resources contain additional information on Python Digital Forensics. Please use them to get more in-depth knowledge on this. Useful Video Courses Python Flask and SQLAlchemy ORM 22 Lectures 1.5 hours Jack Chan More Detail Python and Elixir Programming Bundle Course 81 Lectures 9.5 hours Pranjal Srivastava More Detail TKinter Course – Build Python GUI Apps 49 Lectures 4 hours John Elder More Detail A Beginner”s Guide to Python and Data Science 81 Lectures 8.5 hours Datai Team Academy More Detail Deploy Face Recognition Project With Python, Django, And Machine Learning Best Seller 93 Lectures 6.5 hours Srikanth Guskra More Detail Professional Python Web Development with Flask 80 Lectures 12 hours Stone River ELearning More Detail Print Page Previous Next Advertisements ”;

Python Digital Network Forensics-II ”; Previous Next The previous chapter dealt with some of the concepts of network forensics using Python. In this chapter, let us understand network forensics using Python at a deeper level. Web Page Preservation with Beautiful Soup The World Wide Web (WWW) is a unique resource of information. However, its legacy is at high risk due to the loss of content at an alarming rate. A number of cultural heritage and academic institutions, non-profit organizations and private businesses have explored the issues involved and contributed to the development of technical solutions for web archiving. Web page preservation or web archiving is the process of gathering the data from World Wide Web, ensuring that the data is preserved in an archive and making it available for future researchers, historians and the public. Before proceeding further into the web page preservation, let us discuss some important issues related to web page preservation as given below − Change in Web Resources − Web resources keep changing everyday which is a challenge for web page preservation. Large Quantity of Resources − Another issue related to web page preservation is the large quantity of resources which is to be preserved. Integrity − Web pages must be protected from unauthorized amendments, deletion or removal to protect its integrity. Dealing with multimedia data − While preserving web pages we need to deal with multimedia data also, and these might cause issues while doing so. Providing access − Besides preserving, the issue of providing access to web resources and dealing with issues of ownership needs to be solved too. In this chapter, we are going to use Python library named Beautiful Soup for web page preservation. What is Beautiful Soup? Beautiful Soup is a Python library for pulling data out of HTML and XML files. It can be used with urlib because it needs an input (document or url) to create a soup object, as it cannot fetch web page itself. You can learn in detail about this at www.crummy.com/software/BeautifulSoup/bs4/doc/ Note that before using it, we must install a third party library using the following command − pip install bs4 Next, using Anaconda package manager, we can install Beautiful Soup as follows − conda install -c anaconda beautifulsoup4 Python Script for Preserving Web Pages The Python script for preserving web pages by using third party library called Beautiful Soup is discussed here − First, import the required libraries as follows − from __future__ import print_function import argparse from bs4 import BeautifulSoup, SoupStrainer from datetime import datetime import hashlib import logging import os import ssl import sys from urllib.request import urlopen import urllib.error logger = logging.getLogger(__name__) Note that this script will take two positional arguments, one is URL which is to be preserved and other is the desired output directory as shown below − if __name__ == “__main__”: parser = argparse.ArgumentParser(”Web Page preservation”) parser.add_argument(“DOMAIN”, help=”Website Domain”) parser.add_argument(“OUTPUT_DIR”, help=”Preservation Output Directory”) parser.add_argument(“-l”, help=”Log file path”, default=__file__[:-3] + “.log”) args = parser.parse_args() Now, setup the logging for the script by specifying a file and stream handler for being in loop and document the acquisition process as shown − logger.setLevel(logging.DEBUG) msg_fmt = logging.Formatter(“%(asctime)-15s %(funcName)-10s””%(levelname)-8s %(message)s”) strhndl = logging.StreamHandler(sys.stderr) strhndl.setFormatter(fmt=msg_fmt) fhndl = logging.FileHandler(args.l, mode=”a”) fhndl.setFormatter(fmt=msg_fmt) logger.addHandler(strhndl) logger.addHandler(fhndl) logger.info(“Starting BS Preservation”) logger.debug(“Supplied arguments: {}”.format(sys.argv[1:])) logger.debug(“System ” + sys.platform) logger.debug(“Version ” + sys.version) Now, let us do the input validation on the desired output directory as follows − if not os.path.exists(args.OUTPUT_DIR): os.makedirs(args.OUTPUT_DIR) main(args.DOMAIN, args.OUTPUT_DIR) Now, we will define the main() function which will extract the base name of the website by removing the unnecessary elements before the actual name along with additional validation on the input URL as follows − def main(website, output_dir): base_name = website.replace(“https://”, “”).replace(“http://”, “”).replace(“www.”, “”) link_queue = set() if “http://” not in website and “https://” not in website: logger.error(“Exiting preservation – invalid user input: {}”.format(website)) sys.exit(1) logger.info(“Accessing {} webpage”.format(website)) context = ssl._create_unverified_context() Now, we need to open a connection with the URL by using urlopen() method. Let us use try-except block as follows − try: index = urlopen(website, context=context).read().decode(“utf-8”) except urllib.error.HTTPError as e: logger.error(“Exiting preservation – unable to access page: {}”.format(website)) sys.exit(2) logger.debug(“Successfully accessed {}”.format(website)) The next lines of code include three function as explained below − write_output() to write the first web page to the output directory find_links() function to identify the links on this web page recurse_pages() function to iterate through and discover all links on the web page. write_output(website, index, output_dir) link_queue = find_links(base_name, index, link_queue) logger.info(“Found {} initial links on webpage”.format(len(link_queue))) recurse_pages(website, link_queue, context, output_dir) logger.info(“Completed preservation of {}”.format(website)) Now, let us define write_output() method as follows − def write_output(name, data, output_dir, counter=0): name = name.replace(“http://”, “”).replace(“https://”, “”).rstrip(“//”) directory = os.path.join(output_dir, os.path.dirname(name)) if not os.path.exists(directory) and os.path.dirname(name) != “”: os.makedirs(directory) We need to log some details about the web page and then we log the hash of the data by using hash_data() method as follows − logger.debug(“Writing {} to {}”.format(name, output_dir)) logger.debug(“Data Hash: {}”.format(hash_data(data))) path = os.path.join(output_dir, name) path = path + “_” + str(counter) with open(path, “w”) as outfile: outfile.write(data) logger.debug(“Output File Hash: {}”.format(hash_file(path))) Now, define hash_data() method with the help of which we read the UTF-8 encoded data and then generate the SHA-256 hash of it as follows − def hash_data(data): sha256 = hashlib.sha256() sha256.update(data.encode(“utf-8”)) return sha256.hexdigest() def hash_file(file): sha256 = hashlib.sha256() with open(file, “rb”) as in_file: sha256.update(in_file.read()) return sha256.hexdigest() Now, let us create a Beautifulsoup object out of the web page data under find_links() method as follows − def find_links(website, page, queue): for link in BeautifulSoup(page, “html.parser”,parse_only = SoupStrainer(“a”, href = True)): if website in link.get(“href”): if not os.path.basename(link.get(“href”)).startswith(“#”): queue.add(link.get(“href”)) return queue Now, we need to define recurse_pages() method by providing it the inputs of the website URL, current link queue, the unverified SSL context and the output directory as follows − def recurse_pages(website, queue, context, output_dir): processed = [] counter = 0 while True: counter += 1 if len(processed) == len(queue): break for link in queue.copy(): if link in processed: continue processed.append(link) try: page =

Important Artifacts In Windows-II ”; Previous Next This chapter talks about some more important artifacts in Windows and their extraction method using Python. User Activities Windows having NTUSER.DAT file for storing various user activities. Every user profile is having hive like NTUSER.DAT, which stores the information and configurations related to that user specifically. Hence, it is highly useful for the purpose of investigation by forensic analysts. The following Python script will parse some of the keys of NTUSER.DAT for exploring the actions of a user on the system. Before proceeding further, for Python script, we need to install third party modules namely Registry, pytsk3, pyewf and Jinja2. We can use pip to install them. We can follow the following steps to extract information from NTUSER.DAT file − First, search for all NTUSER.DAT files in the system. Then parse the WordWheelQuery, TypePath and RunMRU key for each NTUSER.DAT file. At last we will write these artifacts, already processed, to an HTML report by using Jinja2 fmodule. Python Code Let us see how to use Python code for this purpose − First of all, we need to import the following Python modules − from __future__ import print_function from argparse import ArgumentParser import os import StringIO import struct from utility.pytskutil import TSKUtil from Registry import Registry import jinja2 Now, provide argument for command-line handler. Here it will accept three arguments – first is the path to evidence file, second is the type of evidence file and third is the desired output path to the HTML report, as shown below − if __name__ == ”__main__”: parser = argparse.ArgumentParser(”Information from user activities”) parser.add_argument(”EVIDENCE_FILE”,help = “Path to evidence file”) parser.add_argument(”IMAGE_TYPE”,help = “Evidence file format”,choices = (”ewf”, ”raw”)) parser.add_argument(”REPORT”,help = “Path to report file”) args = parser.parse_args() main(args.EVIDENCE_FILE, args.IMAGE_TYPE, args.REPORT) Now, let us define main() function for searching all NTUSER.DAT files, as shown − def main(evidence, image_type, report): tsk_util = TSKUtil(evidence, image_type) tsk_ntuser_hives = tsk_util.recurse_files(”ntuser.dat”,”/Users”, ”equals”) nt_rec = { ”wordwheel”: {”data”: [], ”title”: ”WordWheel Query”}, ”typed_path”: {”data”: [], ”title”: ”Typed Paths”}, ”run_mru”: {”data”: [], ”title”: ”Run MRU”} } Now, we will try to find the key in NTUSER.DAT file and once you find it, define the user processing functions as shown below − for ntuser in tsk_ntuser_hives: uname = ntuser[1].split(“/”) open_ntuser = open_file_as_reg(ntuser[2]) try: explorer_key = open_ntuser.root().find_key(“Software”).find_key(“Microsoft”) .find_key(“Windows”).find_key(“CurrentVersion”).find_key(“Explorer”) except Registry.RegistryKeyNotFoundException: continue nt_rec[”wordwheel”][”data”] += parse_wordwheel(explorer_key, uname) nt_rec[”typed_path”][”data”] += parse_typed_paths(explorer_key, uname) nt_rec[”run_mru”][”data”] += parse_run_mru(explorer_key, uname) nt_rec[”wordwheel”][”headers”] = nt_rec[”wordwheel”][”data”][0].keys() nt_rec[”typed_path”][”headers”] = nt_rec[”typed_path”][”data”][0].keys() nt_rec[”run_mru”][”headers”] = nt_rec[”run_mru”][”data”][0].keys() Now, pass the dictionary object and its path to write_html() method as follows − write_html(report, nt_rec) Now, define a method, that takes pytsk file handle and read it into the Registry class via the StringIO class. def open_file_as_reg(reg_file): file_size = reg_file.info.meta.size file_content = reg_file.read_random(0, file_size) file_like_obj = StringIO.StringIO(file_content) return Registry.Registry(file_like_obj) Now, we will define the function that will parse and handles WordWheelQuery key from NTUSER.DAT file as follows − def parse_wordwheel(explorer_key, username): try: wwq = explorer_key.find_key(“WordWheelQuery”) except Registry.RegistryKeyNotFoundException: return [] mru_list = wwq.value(“MRUListEx”).value() mru_order = [] for i in xrange(0, len(mru_list), 2): order_val = struct.unpack(”h”, mru_list[i:i + 2])[0] if order_val in mru_order and order_val in (0, -1): break else: mru_order.append(order_val) search_list = [] for count, val in enumerate(mru_order): ts = “N/A” if count == 0: ts = wwq.timestamp() search_list.append({ ”timestamp”: ts, ”username”: username, ”order”: count, ”value_name”: str(val), ”search”: wwq.value(str(val)).value().decode(“UTF-16”).strip(“x00”) }) return search_list Now, we will define the function that will parse and handles TypedPaths key from NTUSER.DAT file as follows − def parse_typed_paths(explorer_key, username): try: typed_paths = explorer_key.find_key(“TypedPaths”) except Registry.RegistryKeyNotFoundException: return [] typed_path_details = [] for val in typed_paths.values(): typed_path_details.append({ “username”: username, “value_name”: val.name(), “path”: val.value() }) return typed_path_details Now, we will define the function that will parse and handles RunMRU key from NTUSER.DAT file as follows − def parse_run_mru(explorer_key, username): try: run_mru = explorer_key.find_key(“RunMRU”) except Registry.RegistryKeyNotFoundException: return [] if len(run_mru.values()) == 0: return [] mru_list = run_mru.value(“MRUList”).value() mru_order = [] for i in mru_list: mru_order.append(i) mru_details = [] for count, val in enumerate(mru_order): ts = “N/A” if count == 0: ts = run_mru.timestamp() mru_details.append({ “username”: username, “timestamp”: ts, “order”: count, “value_name”: val, “run_statement”: run_mru.value(val).value() }) return mru_details Now, the following function will handle the creation of HTML report − def write_html(outfile, data_dict): cwd = os.path.dirname(os.path.abspath(__file__)) env = jinja2.Environment(loader=jinja2.FileSystemLoader(cwd)) template = env.get_template(“user_activity.html”) rendering = template.render(nt_data=data_dict) with open(outfile, ”w”) as open_outfile: open_outfile.write(rendering) At last we can write HTML document for report. After running the above script, we will get the information from NTUSER.DAT file in HTML document format. LINK files Shortcuts files are created when a user or the operating system creates shortcut files for the files which are frequently used, double clicked or accessed from system drives such as attached storage. Such kinds of shortcut files are called link files. By accessing these link files, an investigator can find the activity of window such as the time and location from where these files have been accessed. Let us discuss the Python script that we can use to get the information from these Windows LINK files. For Python script, install third party modules namely pylnk, pytsk3, pyewf. We can follow the following steps to extract information from lnk files First, search for lnk files within the system. Then, extract the information from that file by iterating through them. Now, at last we need to this information to a CSV report. Python Code Let us see how to use Python code for this purpose − First, import the following Python libraries − from __future__ import print_function from argparse import ArgumentParser import csv import StringIO from utility.pytskutil import TSKUtil import pylnk Now, provide the argument for command-line handler. Here it will accept three arguments – first is the path to evidence file, second is the type of evidence file and third is the desired output path to the CSV report, as shown below − if __name__ == ”__main__”: parser = argparse.ArgumentParser(”Parsing LNK files”) parser.add_argument(”EVIDENCE_FILE”, help = “Path to evidence file”) parser.add_argument(”IMAGE_TYPE”, help = “Evidence file format”,choices = (”ewf”, ”raw”)) parser.add_argument(”CSV_REPORT”, help = “Path to CSV report”) args = parser.parse_args() main(args.EVIDENCE_FILE, args.IMAGE_TYPE, args.CSV_REPORT) Now, interpret

Discuss Python Digital Forensics ”; Previous Next Digital forensics is the branch of forensic science that analyzes, examines, identifies as well as recovers the digital evidences from electronic devices. It is commonly used in criminal law and private investigation. This tutorial will make you comfortable with performing Digital Forensics in Python on Windows operated digital devices. In this tutorial, you will learn various concepts and coding for carrying out digital forensics in Python. Print Page Previous Next Advertisements ”;

Python Digital Forensics – Quick Guide ”; Previous Next Python Digital Forensics – Introduction This chapter will give you an introduction to what digital forensics is all about, and its historical review. You will also understand where you can apply digital forensics in real life and its limitations. What is Digital Forensics? Digital forensics may be defined as the branch of forensic science that analyzes, examines, identifies and recovers the digital evidences residing on electronic devices. It is commonly used for criminal law and private investigations. For example, you can rely on digital forensics extract evidences in case somebody steals some data on an electronic device. Brief Historical Review of Digital Forensics The history of computer crimes and the historical review of digital forensics is explained in this section as given below − 1970s-1980s: First Computer Crime Prior to this decade, no computer crime has been recognized. However, if it is supposed to happen, the then existing laws dealt with them. Later, in 1978 the first computer crime was recognized in Florida Computer Crime Act, which included legislation against unauthorized modification or deletion of data on a computer system. But over the time, due to the advancement of technology, the range of computer crimes being committed also increased. To deal with crimes related to copyright, privacy and child pornography, various other laws were passed. 1980s-1990s: Development Decade This decade was the development decade for digital forensics, all because of the first ever investigation (1986) in which Cliff Stoll tracked the hacker named Markus Hess. During this period, two kind of digital forensics disciplines developed – first was with the help of ad-hoc tools and techniques developed by practitioners who took it as a hobby, while the second being developed by scientific community. In 1992, the term “Computer Forensics”was used in academic literature. 2000s-2010s: Decade of Standardization After the development of digital forensics to a certain level, there was a need of making some specific standards that can be followed while performing investigations. Accordingly, various scientific agencies and bodies have published guidelines for digital forensics. In 2002, Scientific Working Group on Digital Evidence (SWGDE) published a paper named “Best practices for Computer Forensics”. Another feather in the cap was a European led international treaty namely “The Convention on Cybercrime” was signed by 43 nations and ratified by 16 nations. Even after such standards, still there is a need to resolve some issues which has been identified by researchers. Process of Digital Forensics Since first ever computer crime in 1978, there is a huge increment in digital criminal activities. Due to this increment, there is a need for structured manner to deal with them. In 1984, a formalized process has been introduced and after that a great number of new and improved computer forensics investigation processes have been developed. A computer forensics investigation process involves three major phases as explained below − Phase 1: Acquisition or Imaging of Exhibits The first phase of digital forensics involves saving the state of the digital system so that it can be analyzed later. It is very much similar to taking photographs, blood samples etc. from a crime scene. For example, it involves capturing an image of allocated and unallocated areas of a hard disk or RAM. Phase 2: Analysis The input of this phase is the data acquired in the acquisition phase. Here, this data was examined to identify evidences. This phase gives three kinds of evidences as follows − Inculpatory evidences − These evidences support a given history. Exculpatory evidences − These evidences contradict a given history. Evidence of tampering − These evidences show that the system was tempered to avoid identification. It includes examining the files and directory content for recovering the deleted files. Phase 3: Presentation or Reporting As the name suggests, this phase presents the conclusion and corresponding evidences from the investigation. Applications of Digital Forensics Digital forensics deals with gathering, analyzing and preserving the evidences that are contained in any digital device. The use of digital forensics depends on the application. As mentioned earlier, it is used mainly in the following two applications − Criminal Law In criminal law, the evidence is collected to support or oppose a hypothesis in the court. Forensics procedures are very much similar to those used in criminal investigations but with different legal requirements and limitations. Private Investigation Mainly corporate world uses digital forensics for private investigation. It is used when companies are suspicious that employees may be performing an illegal activity on their computers that is against company policy. Digital forensics provides one of the best routes for company or person to take when investigating someone for digital misconduct. Branches of Digital Forensics The digital crime is not restricted to computers alone, however hackers and criminals are using small digital devices such as tablets, smart-phones etc. at a very large scale too. Some of the devices have volatile memory, while others have non-volatile memory. Hence depending upon type of devices, digital forensics has the following branches − Computer Forensics This branch of digital forensics deals with computers, embedded systems and static memories such as USB drives. Wide range of information from logs to actual files on drive can be investigated in computer forensics. Mobile Forensics This deals with investigation of data from mobile devices. This branch is different from computer forensics in the sense that mobile devices have an inbuilt communication system which is useful for providing useful information related to location. Network Forensics This deals with the monitoring and analysis of computer network traffic, both local and WAN(wide area network) for the purposes of information gathering, evidence collection, or intrusion detection. Database Forensics This branch of digital forensics deals with forensics study of databases and their metadata. Skills Required for Digital Forensics Investigation Digital forensics examiners help to track hackers, recover stolen data, follow computer attacks back to their source, and aid in other types of investigations involving computers. Some of the key skills required to become digital forensics

Investigation Using Emails ”; Previous Next The previous chapters discussed about the importance and the process of network forensics and the concepts involved. In this chapter, let us learn about the role of emails in digital forensics and their investigation using Python. Role of Email in Investigation Emails play a very important role in business communications and have emerged as one of the most important applications on internet. They are a convenient mode for sending messages as well as documents, not only from computers but also from other electronic gadgets such as mobile phones and tablets. The negative side of emails is that criminals may leak important information about their company. Hence, the role of emails in digital forensics has been increased in recent years. In digital forensics, emails are considered as crucial evidences and Email Header Analysis has become important to collect evidence during forensic process. An investigator has the following goals while performing email forensics − To identify the main criminal To collect necessary evidences To presenting the findings To build the case Challenges in Email Forensics Email forensics play a very important role in investigation as most of the communication in present era relies on emails. However, an email forensic investigator may face the following challenges during the investigation − Fake Emails The biggest challenge in email forensics is the use of fake e-mails that are created by manipulating and scripting headers etc. In this category criminals also use temporary email which is a service that allows a registered user to receive email at a temporary address that expires after a certain time period. Spoofing Another challenge in email forensics is spoofing in which criminals used to present an email as someone else’s. In this case the machine will receive both fake as well as original IP address. Anonymous Re-emailing Here, the Email server strips identifying information from the email message before forwarding it further. This leads to another big challenge for email investigations. Techniques Used in Email Forensic Investigation Email forensics is the study of source and content of email as evidence to identify the actual sender and recipient of a message along with some other information such as date/time of transmission and intention of sender. It involves investigating metadata, port scanning as well as keyword searching. Some of the common techniques which can be used for email forensic investigation are Header Analysis Server investigation Network Device Investigation Sender Mailer Fingerprints Software Embedded Identifiers In the following sections, we are going to learn how to fetch information using Python for the purpose of email investigation. Extraction of Information from EML files EML files are basically emails in file format which are widely used for storing email messages. They are structured text files that are compatible across multiple email clients such as Microsoft Outlook, Outlook Express, and Windows Live Mail. An EML file stores email headers, body content, attachment data as plain text. It uses base64 to encode binary data and Quoted-Printable (QP) encoding to store content information. The Python script that can be used to extract information from EML file is given below − First, import the following Python libraries as shown below − from __future__ import print_function from argparse import ArgumentParser, FileType from email import message_from_file import os import quopri import base64 In the above libraries, quopri is used to decode the QP encoded values from EML files. Any base64 encoded data can be decoded with the help of base64 library. Next, let us provide argument for command-line handler. Note that here it will accept only one argument which would be the path to EML file as shown below − if __name__ == ”__main__”: parser = ArgumentParser(”Extracting information from EML file”) parser.add_argument(“EML_FILE”,help=”Path to EML File”, type=FileType(”r”)) args = parser.parse_args() main(args.EML_FILE) Now, we need to define main() function in which we will use the method named message_from_file() from email library to read the file like object. Here we will access the headers, body content, attachments and other payload information by using resulting variable named emlfile as shown in the code given below − def main(input_file): emlfile = message_from_file(input_file) for key, value in emlfile._headers: print(“{}: {}”.format(key, value)) print(“nBodyn”) if emlfile.is_multipart(): for part in emlfile.get_payload(): process_payload(part) else: process_payload(emlfile[1]) Now, we need to define process_payload() method in which we will extract message body content by using get_payload() method. We will decode QP encoded data by using quopri.decodestring() function. We will also check the content MIME type so that it can handle the storage of the email properly. Observe the code given below − def process_payload(payload): print(payload.get_content_type() + “n” + “=” * len(payload.get_content_type())) body = quopri.decodestring(payload.get_payload()) if payload.get_charset(): body = body.decode(payload.get_charset()) else: try: body = body.decode() except UnicodeDecodeError: body = body.decode(”cp1252”) if payload.get_content_type() == “text/html”: outfile = os.path.basename(args.EML_FILE.name) + “.html” open(outfile, ”w”).write(body) elif payload.get_content_type().startswith(”application”): outfile = open(payload.get_filename(), ”wb”) body = base64.b64decode(payload.get_payload()) outfile.write(body) outfile.close() print(“Exported: {}n”.format(outfile.name)) else: print(body) After executing the above script, we will get the header information along with various payloads on the console. Analyzing MSG Files using Python Email messages come in many different formats. MSG is one such kind of format used by Microsoft Outlook and Exchange. Files with MSG extension may contain plain ASCII text for the headers and the main message body as well as hyperlinks and attachments. In this section, we will learn how to extract information from MSG file using Outlook API. Note that the following Python script will work only on Windows. For this, we need to install third party Python library named pywin32 as follows − pip install pywin32 Now, import the following libraries using the commands shown − from __future__ import print_function from argparse import ArgumentParser import os import win32com.client import pywintypes Now, let us provide an argument for command-line handler. Here it will accept two arguments one would be the path to MSG file and other would be the desired output folder as follows − if __name__ == ”__main__”: parser = ArgumentParser(‘Extracting information from MSG file’) parser.add_argument(“MSG_FILE”, help=”Path to MSG file”) parser.add_argument(“OUTPUT_DIR”, help=”Path to output

Investigation Of Log Based Artifacts ”; Previous Next Till now, we have seen how to obtain artifacts in Windows using Python. In this chapter, let us learn about investigation of log based artifacts using Python. Introduction Log-based artifacts are the treasure trove of information that can be very useful for a digital forensic expert. Though we have various monitoring software for collecting the information, the main issue for parsing useful information from them is that we need lot of data. Various Log-based Artifacts and Investigating in Python In this section, let us discuss various log based artifacts and their investigation in Python − Timestamps Timestamp conveys the data and time of the activity in the log. It is one of the important elements of any log file. Note that these data and time values can come in various formats. The Python script shown below will take the raw date-time as input and provides a formatted timestamp as its output. For this script, we need to follow the following steps − First, set up the arguments that will take the raw data value along with source of data and the data type. Now, provide a class for providing common interface for data across different date formats. Python Code Let us see how to use Python code for this purpose − First, import the following Python modules − from __future__ import print_function from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter from datetime import datetime as dt from datetime import timedelta Now as usual we need to provide argument for command-line handler. Here it will accept three arguments, first would be the date value to be processed, second would be the source of that date value and third would be its type − if __name__ == ”__main__”: parser = ArgumentParser(”Timestamp Log-based artifact”) parser.add_argument(“date_value”, help=”Raw date value to parse”) parser.add_argument( “source”, help = “Source format of date”,choices = ParseDate.get_supported_formats()) parser.add_argument( “type”, help = “Data type of input value”,choices = (”number”, ”hex”), default = ”int”) args = parser.parse_args() date_parser = ParseDate(args.date_value, args.source, args.type) date_parser.run() print(date_parser.timestamp) Now, we need to define a class which will accept the arguments for date value, date source, and the value type − class ParseDate(object): def __init__(self, date_value, source, data_type): self.date_value = date_value self.source = source self.data_type = data_type self.timestamp = None Now we will define a method that will act like a controller just like the main() method − def run(self): if self.source == ”unix-epoch”: self.parse_unix_epoch() elif self.source == ”unix-epoch-ms”: self.parse_unix_epoch(True) elif self.source == ”windows-filetime”: self.parse_windows_filetime() @classmethod def get_supported_formats(cls): return [”unix-epoch”, ”unix-epoch-ms”, ”windows-filetime”] Now, we need to define two methods which will process Unix epoch time and FILETIME respectively − def parse_unix_epoch(self, milliseconds=False): if self.data_type == ”hex”: conv_value = int(self.date_value) if milliseconds: conv_value = conv_value / 1000.0 elif self.data_type == ”number”: conv_value = float(self.date_value) if milliseconds: conv_value = conv_value / 1000.0 else: print(“Unsupported data type ”{}” provided”.format(self.data_type)) sys.exit(”1”) ts = dt.fromtimestamp(conv_value) self.timestamp = ts.strftime(”%Y-%m-%d %H:%M:%S.%f”) def parse_windows_filetime(self): if self.data_type == ”hex”: microseconds = int(self.date_value, 16) / 10.0 elif self.data_type == ”number”: microseconds = float(self.date_value) / 10 else: print(“Unsupported data type ”{}” provided”.format(self.data_type)) sys.exit(”1”) ts = dt(1601, 1, 1) + timedelta(microseconds=microseconds) self.timestamp = ts.strftime(”%Y-%m-%d %H:%M:%S.%f”) After running the above script, by providing a timestamp we can get the converted value in easy-to-read format. Web Server Logs From the point of view of digital forensic expert, web server logs are another important artifact because they can get useful user statistics along with information about the user and geographical locations. Following is the Python script that will create a spreadsheet, after processing the web server logs, for easy analysis of the information. First of all we need to import the following Python modules − from __future__ import print_function from argparse import ArgumentParser, FileType import re import shlex import logging import sys import csv logger = logging.getLogger(__file__) Now, we need to define the patterns that will be parsed from the logs − iis_log_format = [ (“date”, re.compile(r”d{4}-d{2}-d{2}”)), (“time”, re.compile(r”dd:dd:dd”)), (“s-ip”, re.compile( r”((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(.|$)){4}”)), (“cs-method”, re.compile( r”(GET)|(POST)|(PUT)|(DELETE)|(OPTIONS)|(HEAD)|(CONNECT)”)), (“cs-uri-stem”, re.compile(r”([A-Za-z0-1/.-]*)”)), (“cs-uri-query”, re.compile(r”([A-Za-z0-1/.-]*)”)), (“s-port”, re.compile(r”d*”)), (“cs-username”, re.compile(r”([A-Za-z0-1/.-]*)”)), (“c-ip”, re.compile( r”((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(.|$)){4}”)), (“cs(User-Agent)”, re.compile(r”.*”)), (“sc-status”, re.compile(r”d*”)), (“sc-substatus”, re.compile(r”d*”)), (“sc-win32-status”, re.compile(r”d*”)), (“time-taken”, re.compile(r”d*”))] Now, provide an argument for command-line handler. Here it will accept two arguments, first would be the IIS log to be processed, second would be the desired CSV file path. if __name__ == ”__main__”: parser = ArgumentParser(”Parsing Server Based Logs”) parser.add_argument(”iis_log”, help = “Path to IIS Log”,type = FileType(”r”)) parser.add_argument(”csv_report”, help = “Path to CSV report”) parser.add_argument(”-l”, help = “Path to processing log”,default=__name__ + ”.log”) args = parser.parse_args() logger.setLevel(logging.DEBUG) msg_fmt = logging.Formatter( “%(asctime)-15s %(funcName)-10s “”%(levelname)-8s %(message)s”) strhndl = logging.StreamHandler(sys.stdout) strhndl.setFormatter(fmt = msg_fmt) fhndl = logging.FileHandler(args.log, mode = ”a”) fhndl.setFormatter(fmt = msg_fmt) logger.addHandler(strhndl) logger.addHandler(fhndl) logger.info(“Starting IIS Parsing “) logger.debug(“Supplied arguments: {}”.format(“, “.join(sys.argv[1:]))) logger.debug(“System ” + sys.platform) logger.debug(“Version ” + sys.version) main(args.iis_log, args.csv_report, logger) iologger.info(“IIS Parsing Complete”) Now we need to define main() method that will handle the script for bulk log information − def main(iis_log, report_file, logger): parsed_logs = [] for raw_line in iis_log: line = raw_line.strip() log_entry = {} if line.startswith(“#”) or len(line) == 0: continue if ””” in line: line_iter = shlex.shlex(line_iter) else: line_iter = line.split(” “) for count, split_entry in enumerate(line_iter): col_name, col_pattern = iis_log_format[count] if col_pattern.match(split_entry): log_entry[col_name] = split_entry else: logger.error(“Unknown column pattern discovered. ” “Line preserved in full below”) logger.error(“Unparsed Line: {}”.format(line)) parsed_logs.append(log_entry) logger.info(“Parsed {} lines”.format(len(parsed_logs))) cols = [x[0] for x in iis_log_format] logger.info(“Creating report file: {}”.format(report_file)) write_csv(report_file, cols, parsed_logs) logger.info(“Report created”) Lastly, we need to define a method that will write the output to spreadsheet − def write_csv(outfile, fieldnames, data): with open(outfile, ”w”, newline=””) as open_outfile: csvfile = csv.DictWriter(open_outfile, fieldnames) csvfile.writeheader() csvfile.writerows(data) After running the above script we will get the web server based logs in a spreadsheet. Scanning Important Files using YARA YARA(Yet Another Recursive Algorithm) is a pattern matching utility designed for malware identification and incident response. We will use YARA for scanning the files. In the following Python script, we will use YARA. We can install YARA with the help of following command − pip install YARA We can

Python Digital Mobile Device Forensics ”; Previous Next This chapter will explain Python digital forensics on mobile devices and the concepts involved. Introduction Mobile device forensics is that branch of digital forensics which deals with the acquisition and analysis of mobile devices to recover digital evidences of investigative interest. This branch is different from computer forensics because mobile devices have an inbuilt communication system which is useful for providing useful information related to location. Though the use of smartphones is increasing in digital forensics day-by-day, still it is considered to be non-standard due to its heterogeneity. On the other hand, computer hardware, such as hard disk, is considered to be standard and developed as a stable discipline too. In digital forensic industry, there is a lot of debate on the techniques used for non-standards devices, having transient evidences, such as smartphones. Artifacts Extractible from Mobile Devices Modern mobile devices possess lot of digital information in comparison with the older phones having only a call log or SMS messages. Thus, mobile devices can supply investigators with lots of insights about its user. Some artifacts that can be extracted from mobile devices are as mentioned below − Messages − These are the useful artifacts which can reveal the state of mind of the owner and can even give some previous unknown information to the investigator. Location History− The location history data is a useful artifact which can be used by investigators to validate about the particular location of a person. Applications Installed − By accessing the kind of applications installed, investigator get some insight into the habits and thinking of the mobile user. Evidence Sources and Processing in Python Smartphones have SQLite databases and PLIST files as the major sources of evidences. In this section we are going to process the sources of evidences in python. Analyzing PLIST files A PLIST (Property List) is a flexible and convenient format for storing application data especially on iPhone devices. It uses the extension .plist. Such kind of files used to store information about bundles and applications. It can be in two formats: XML and binary. The following Python code will open and read PLIST file. Note that before proceeding into this, we must create our own Info.plist file. First, install a third party library named biplist by the following command − Pip install biplist Now, import some useful libraries to process plist files − import biplist import os import sys Now, use the following command under main method can be used to read plist file into a variable − def main(plist): try: data = biplist.readPlist(plist) except (biplist.InvalidPlistException,biplist.NotBinaryPlistException) as e: print(“[-] Invalid PLIST file – unable to be opened by biplist”) sys.exit(1) Now, we can either read the data on the console or directly print it, from this variable. SQLite Databases SQLite serves as the primary data repository on mobile devices. SQLite an in-process library that implements a self-contained, server-less, zero-configuration, transactional SQL database engine. It is a database, which is zero-configured, you need not configure it in your system, unlike other databases. If you are a novice or unfamiliar with SQLite databases, you can follow the link www.tutorialspoint.com/sqlite/index.htm Additionally, you can follow the link www.tutorialspoint.com/sqlite/sqlite_python.htm in case you want to get into detail of SQLite with Python. During mobile forensics, we can interact with the sms.db file of a mobile device and can extract valuable information from message table. Python has a built in library named sqlite3 for connecting with SQLite database. You can import the same with the following command − import sqlite3 Now, with the help of following command, we can connect with the database, say sms.db in case of mobile devices − Conn = sqlite3.connect(‘sms.db’) C = conn.cursor() Here, C is the cursor object with the help of which we can interact with the database. Now, suppose if we want to execute a particular command, say to get the details from the abc table, it can be done with the help of following command − c.execute(“Select * from abc”) c.close() The result of the above command would be stored in the cursor object. Similarly we can use fetchall() method to dump the result into a variable we can manipulate. We can use the following command to get column names data of message table in sms.db − c.execute(“pragma table_info(message)”) table_data = c.fetchall() columns = [x[1] for x in table_data Observe that here we are using SQLite PRAGMA command which is special command to be used to control various environmental variables and state flags within SQLite environment. In the above command, the fetchall() method returns a tuple of results. Each column’s name is stored in the first index of each tuple. Now, with the help of following command we can query the table for all of its data and store it in the variable named data_msg − c.execute(“Select * from message”) data_msg = c.fetchall() The above command will store the data in the variable and further we can also write the above data in CSV file by using csv.writer() method. iTunes Backups iPhone mobile forensics can be performed on the backups made by iTunes. Forensic examiners rely on analyzing the iPhone logical backups acquired through iTunes. AFC (Apple file connection) protocol is used by iTunes to take the backup. Besides, the backup process does not modify anything on the iPhone except the escrow key records. Now, the question arises that why it is important for a digital forensic expert to understand the techniques on iTunes backups? It is important in case we get access to the suspect’s computer instead of iPhone directly because when a computer is used to sync with iPhone, then most of the information on iPhone is likely to be backed up on the computer. Process of Backup and its Location Whenever an Apple product is backed up to the computer, it is in sync with iTunes and there will be a specific folder with device’s unique ID. In the latest backup format, the files are

Important Artifacts In Windows-I ”; Previous Next This chapter will explain various concepts involved in Microsoft Windows forensics and the important artifacts that an investigator can obtain from the investigation process. Introduction Artifacts are the objects or areas within a computer system that have important information related to the activities performed by the computer user. The type and location of this information depends upon the operating system. During forensic analysis, these artifacts play a very important role in approving or disapproving the investigator’s observation. Importance of Windows Artifacts for Forensics Windows artifacts assume significance due to the following reasons − Around 90% of the traffic in world comes from the computers using Windows as their operating system. That is why for digital forensics examiners Windows artifacts are very essentials. The Windows operating system stores different types of evidences related to the user activity on computer system. This is another reason which shows the importance of Windows artifacts for digital forensics. Many times the investigator revolves the investigation around old and traditional areas like user crated data. Windows artifacts can lead the investigation towards non-traditional areas like system created data or the artifacts. Great abundance of artifacts is provided by Windows which are helpful for investigators as well as for companies and individuals performing informal investigations. Increase in cyber-crime in recent years is another reason that Windows artifacts are important. Windows Artifacts and their Python Scripts In this section, we are going to discuss about some Windows artifacts and Python scripts to fetch information from them. Recycle Bin It is one of the important Windows artifacts for forensic investigation. Windows recycle bin contains the files that have been deleted by the user, but not physically removed by the system yet. Even if the user completely removes the file from system, it serves as an important source of investigation. This is because the examiner can extract valuable information, like original file path as well as time that it was sent to Recycle Bin, from the deleted files. Note that the storage of Recycle Bin evidence depends upon the version of Windows. In the following Python script, we are going to deal with Windows 7 where it creates two files: $R file that contains the actual content of the recycled file and $I file that contains original file name, path, file size when file was deleted. For Python script we need to install third party modules namely pytsk3, pyewf and unicodecsv. We can use pip to install them. We can follow the following steps to extract information from Recycle Bin − First, we need to use recursive method to scan through the $Recycle.bin folder and select all the files starting with $I. Next, we will read the contents of the files and parse the available metadata structures. Now, we will search for the associated $R file. At last, we will write the results into CSV file for review. Let us see how to use Python code for this purpose − First, we need to import the following Python libraries − from __future__ import print_function from argparse import ArgumentParser import datetime import os import struct from utility.pytskutil import TSKUtil import unicodecsv as csv Next, we need to provide argument for command-line handler. Note that here it will accept three arguments – first is the path to evidence file, second is the type of evidence file and third is the desired output path to the CSV report, as shown below − if __name__ == ”__main__”: parser = argparse.ArgumentParser(”Recycle Bin evidences”) parser.add_argument(”EVIDENCE_FILE”, help = “Path to evidence file”) parser.add_argument(”IMAGE_TYPE”, help = “Evidence file format”, choices = (”ewf”, ”raw”)) parser.add_argument(”CSV_REPORT”, help = “Path to CSV report”) args = parser.parse_args() main(args.EVIDENCE_FILE, args.IMAGE_TYPE, args.CSV_REPORT) Now, define the main() function that will handle all the processing. It will search for $I file as follows − def main(evidence, image_type, report_file): tsk_util = TSKUtil(evidence, image_type) dollar_i_files = tsk_util.recurse_files(“$I”, path = ”/$Recycle.bin”,logic = “startswith”) if dollar_i_files is not None: processed_files = process_dollar_i(tsk_util, dollar_i_files) write_csv(report_file,[”file_path”, ”file_size”, ”deleted_time”,”dollar_i_file”, ”dollar_r_file”, ”is_directory”],processed_files) else: print(“No $I files found”) Now, if we found $I file, then it must be sent to process_dollar_i() function which will accept the tsk_util object as well as the list of $I files, as shown below − def process_dollar_i(tsk_util, dollar_i_files): processed_files = [] for dollar_i in dollar_i_files: file_attribs = read_dollar_i(dollar_i[2]) if file_attribs is None: continue file_attribs[”dollar_i_file”] = os.path.join(”/$Recycle.bin”, dollar_i[1][1:]) Now, search for $R files as follows − recycle_file_path = os.path.join(”/$Recycle.bin”,dollar_i[1].rsplit(“/”, 1)[0][1:]) dollar_r_files = tsk_util.recurse_files( “$R” + dollar_i[0][2:],path = recycle_file_path, logic = “startswith”) if dollar_r_files is None: dollar_r_dir = os.path.join(recycle_file_path,”$R” + dollar_i[0][2:]) dollar_r_dirs = tsk_util.query_directory(dollar_r_dir) if dollar_r_dirs is None: file_attribs[”dollar_r_file”] = “Not Found” file_attribs[”is_directory”] = ”Unknown” else: file_attribs[”dollar_r_file”] = dollar_r_dir file_attribs[”is_directory”] = True else: dollar_r = [os.path.join(recycle_file_path, r[1][1:])for r in dollar_r_files] file_attribs[”dollar_r_file”] = “;”.join(dollar_r) file_attribs[”is_directory”] = False processed_files.append(file_attribs) return processed_files Now, define read_dollar_i() method to read the $I files, in other words, parse the metadata. We will use read_random() method to read the signature’s first eight bytes. This will return none if signature does not match. After that, we will have to read and unpack the values from $I file if that is a valid file. def read_dollar_i(file_obj): if file_obj.read_random(0, 8) != ”x01x00x00x00x00x00x00x00”: return None raw_file_size = struct.unpack(”<q”, file_obj.read_random(8, 8)) raw_deleted_time = struct.unpack(”<q”, file_obj.read_random(16, 8)) raw_file_path = file_obj.read_random(24, 520) Now, after extracting these files we need to interpret the integers into human-readable values by using sizeof_fmt() function as shown below − file_size = sizeof_fmt(raw_file_size[0]) deleted_time = parse_windows_filetime(raw_deleted_time[0]) file_path = raw_file_path.decode(“utf16”).strip(“x00″) return {”file_size”: file_size, ”file_path”: file_path,”deleted_time”: deleted_time} Now, we need to define sizeof_fmt() function as follows − def sizeof_fmt(num, suffix = ”B”): for unit in [””, ”Ki”, ”Mi”, ”Gi”, ”Ti”, ”Pi”, ”Ei”, ”Zi”]: if abs(num) < 1024.0: return “%3.1f%s%s” % (num, unit, suffix) num /= 1024.0 return “%.1f%s%s” % (num, ”Yi”, suffix) Now, define a function for interpreted integers into formatted date and time as follows − def parse_windows_filetime(date_value): microseconds = float(date_value) / 10 ts = datetime.datetime(1601, 1, 1) + datetime.timedelta( microseconds = microseconds) return ts.strftime(”%Y-%m-%d %H:%M:%S.%f”) Now, we will define write_csv() method

Important Artifacts In Windows-III ”; Previous Next This chapter will explain about further artifacts that an investigator can obtain during forensic analysis on Windows. Event Logs Windows event log files, as name –suggests, are special files that stores significant events like when user logs on the computer, when program encounter an error, about system changes, RDP access, application specific events etc. Cyber investigators are always interested in event log information because it provides lots of useful historical information about the access of system. In the following Python script we are going to process both legacy and current Windows event log formats. For Python script, we need to install third party modules namely pytsk3, pyewf, unicodecsv, pyevt and pyevtx. We can follow the steps given below to extract information from event logs − First, search for all the event logs that match the input argument. Then, perform file signature verification. Now, process each event log found with the appropriate library. Lastly, write the output to spreadsheet. Python Code Let us see how to use Python code for this purpose − First, import the following Python libraries − from __future__ import print_function import argparse import unicodecsv as csv import os import pytsk3 import pyewf import pyevt import pyevtx import sys from utility.pytskutil import TSKUtil Now, provide the arguments for command-line handler. Note that here it will accept three arguments – first is the path to evidence file, second is the type of evidence file and third is the name of the event log to process. if __name__ == “__main__”: parser = argparse.ArgumentParser(”Information from Event Logs”) parser.add_argument(“EVIDENCE_FILE”, help = “Evidence file path”) parser.add_argument(“TYPE”, help = “Type of Evidence”,choices = (“raw”, “ewf”)) parser.add_argument( “LOG_NAME”,help = “Event Log Name (SecEvent.Evt, SysEvent.Evt, “”etc.)”) parser.add_argument( “-d”, help = “Event log directory to scan”,default = “/WINDOWS/SYSTEM32/WINEVT”) parser.add_argument( “-f”, help = “Enable fuzzy search for either evt or”” evtx extension”, action = “store_true”) args = parser.parse_args() if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(args.EVIDENCE_FILE): main(args.EVIDENCE_FILE, args.TYPE, args.LOG_NAME, args.d, args.f) else: print(“[-] Supplied input file {} does not exist or is not a “”file”.format(args.EVIDENCE_FILE)) sys.exit(1) Now, interact with event logs to query the existence of the user supplied path by creating our TSKUtil object. It can be done with the help of main() method as follows − def main(evidence, image_type, log, win_event, fuzzy): tsk_util = TSKUtil(evidence, image_type) event_dir = tsk_util.query_directory(win_event) if event_dir is not None: if fuzzy is True: event_log = tsk_util.recurse_files(log, path=win_event) else: event_log = tsk_util.recurse_files(log, path=win_event, logic=”equal”) if event_log is not None: event_data = [] for hit in event_log: event_file = hit[2] temp_evt = write_file(event_file) Now, we need to perform signature verification followed by defining a method that will write the entire content to the current directory − def write_file(event_file): with open(event_file.info.name.name, “w”) as outfile: outfile.write(event_file.read_random(0, event_file.info.meta.size)) return event_file.info.name.name if pyevt.check_file_signature(temp_evt): evt_log = pyevt.open(temp_evt) print(“[+] Identified {} records in {}”.format( evt_log.number_of_records, temp_evt)) for i, record in enumerate(evt_log.records): strings = “” for s in record.strings: if s is not None: strings += s + “n” event_data.append([ i, hit[0], record.computer_name, record.user_security_identifier, record.creation_time, record.written_time, record.event_category, record.source_name, record.event_identifier, record.event_type, strings, “”, os.path.join(win_event, hit[1].lstrip(“//”)) ]) elif pyevtx.check_file_signature(temp_evt): evtx_log = pyevtx.open(temp_evt) print(“[+] Identified {} records in {}”.format( evtx_log.number_of_records, temp_evt)) for i, record in enumerate(evtx_log.records): strings = “” for s in record.strings: if s is not None: strings += s + “n” event_data.append([ i, hit[0], record.computer_name, record.user_security_identifier, “”, record.written_time, record.event_level, record.source_name, record.event_identifier, “”, strings, record.xml_string, os.path.join(win_event, hit[1].lstrip(“//”)) ]) else: print(“[-] {} not a valid event log. Removing temp” file…”.format(temp_evt)) os.remove(temp_evt) continue write_output(event_data) else: print(“[-] {} Event log not found in {} directory”.format(log, win_event)) sys.exit(3) else: print(“[-] Win XP Event Log Directory {} not found”.format(win_event)) sys.exit(2 Lastly, define a method for writing the output to spreadsheet as follows − def write_output(data): output_name = “parsed_event_logs.csv” print(“[+] Writing {} to current working directory: {}”.format( output_name, os.getcwd())) with open(output_name, “wb”) as outfile: writer = csv.writer(outfile) writer.writerow([ “Index”, “File name”, “Computer Name”, “SID”, “Event Create Date”, “Event Written Date”, “Event Category/Level”, “Event Source”, “Event ID”, “Event Type”, “Data”, “XML Data”, “File Path” ]) writer.writerows(data) Once you successfully run the above script, we will get the information of events log in spreadsheet. Internet History Internet history is very much useful for forensic analysts; as most cyber-crimes happen over the internet only. Let us see how to extract internet history from the Internet Explorer, as we discussing about Windows forensics, and Internet Explorer comes by default with Windows. On Internet Explorer, the internet history is saved in index.dat file. Let us look into a Python script, which will extract the information from index.dat file. We can follow the steps given below to extract information from index.dat files − First, search for index.dat files within the system. Then, extract the information from that file by iterating through them. Now, write all this information to a CSV report. Python Code Let us see how to use Python code for this purpose − First, import the following Python libraries − from __future__ import print_function import argparse from datetime import datetime, timedelta import os import pytsk3 import pyewf import pymsiecf import sys import unicodecsv as csv from utility.pytskutil import TSKUtil Now, provide arguments for command-line handler. Note that here it will accept two arguments – first would be the path to evidence file and second would be the type of evidence file − if __name__ == “__main__”: parser = argparse.ArgumentParser(”getting information from internet history”) parser.add_argument(“EVIDENCE_FILE”, help = “Evidence file path”) parser.add_argument(“TYPE”, help = “Type of Evidence”,choices = (“raw”, “ewf”)) parser.add_argument(“-d”, help = “Index.dat directory to scan”,default = “/USERS”) args = parser.parse_args() if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(args.EVIDENCE_FILE): main(args.EVIDENCE_FILE, args.TYPE, args.d) else: print(“[-] Supplied input file {} does not exist or is not a “”file”.format(args.EVIDENCE_FILE)) sys.exit(1) Now, interpret the evidence file by creating an object of TSKUtil and iterate through the file system to find index.dat files. It can be done by defining the main() function as follows − def main(evidence, image_type, path): tsk_util = TSKUtil(evidence, image_type) index_dir = tsk_util.query_directory(path) if index_dir is not None: index_files = tsk_util.recurse_files(“index.dat”, path = path,logic = “equal”) if index_files is not None: print(“[+]