Python Autopsy: Easier Forensics Scripting (not dead snakes)
Richard Cordovano
Have you heard about Autopsy?
• An open source desktop digital forensics tool, built on top of the SleuthKit
© Basis Technology, 2014 2
Step 1: Add a data source
Add a data source for SleuthKit to process in the background
Step 2: Analyze it with ingest modules
Step 3: Review the analysis results
Ingest modules can…
• Access every byte of the data source
– Data source file
– Files in the data source courtesy of SleuthKit and other modules (archive extractors, carvers)
• Read and write the case database
• Use the blackboard to examine results of other modules and post results for other modules to see
• Submit files they discover (i.e., extracted, carved) for analysis
• So how do I write one?
With…Java?
Works for me…does it work for you?
• Are you a professional software developer?
• Do you know Java or have time to learn it?
• Are you prepared to package and distribute your Autopsy plugins as NetBeans modules?
The people want Python!
• Python is already familiar to many working in the digital forensics domain and lots of Python scripts are available for reuse
• Jython could be used as a code bridge between Java and Python to support:
– A simple development environment, all you would need is a text editor
– Faster development: change code and rerun without shutting down Autopsy
– Easier module installation
• You got it!
Getting started: one simple decision
• What kind of ingest module do you want to make?
– Data source level module if you want to analyze the data source file or a subset of files in the data source
– File level module if you want to analyze many or all files in the data source
Finishing up: two things to do
• Write a few lines of script for an ingest module factory to make instances of your module for Autopsy
• Write as much script as you want inside your module to do your custom analysis
Ingest module factory skeleton
Data Source ingest module skeleton
File Ingest Module Skeleton
Let’s make an ingest module!
• We’ll make it simple, let’s find all files with “ebola” in the name and post them to the blackboard
• We only want some of the files, so we want to make a data source ingest module (or do we?)
Ebola Finder module factory
How about this?
Better!
Ebola Finder file module factory
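The Ebola Finder module as the deck ends up writing it, a file-level module rather than a data source module, written out here as an added example (not the slides' own code): the factory is the few lines Autopsy needs, and `process()` is where the analysis goes. API names follow the Autopsy 3.1 Python sample module as best I recall them, so check them against the linked module developer page; the `ImportError` fallback is only there so the name-matching logic can be unit-tested outside Autopsy.

```python
# Added example (not the deck's own code): an Autopsy file-level ingest module in
# Jython that flags every file whose name contains "ebola" and posts it to the
# blackboard.  API names follow the Autopsy 3.1 Python sample module; the
# ImportError fallback only lets the matching logic be unit-tested outside Autopsy.
try:
    from org.sleuthkit.autopsy.ingest import (IngestModuleFactoryAdapter, FileIngestModule,
                                              IngestModule, IngestServices, ModuleDataEvent)
    from org.sleuthkit.datamodel import BlackboardArtifact, BlackboardAttribute
except ImportError:  # plain CPython, not Autopsy's embedded Jython
    IngestModuleFactoryAdapter = FileIngestModule = object

KEYWORD = "ebola"

def is_ebola_file(name):
    # Case-insensitive substring match on the file name: the whole "analysis".
    return KEYWORD in name.lower()

class EbolaFinderModuleFactory(IngestModuleFactoryAdapter):
    # The few lines Autopsy needs to discover the module and create instances.
    moduleName = "Ebola Finder"
    def getModuleDisplayName(self):
        return self.moduleName
    def getModuleDescription(self):
        return "Flags files whose name contains '%s'" % KEYWORD
    def getModuleVersionNumber(self):
        return "1.0"
    def isFileIngestModuleFactory(self):
        return True   # file-level: Autopsy hands us every file, we filter by name
    def createFileIngestModule(self, ingestOptions):
        return EbolaFinderFileIngestModule()

class EbolaFinderFileIngestModule(FileIngestModule):
    # process() is called once per file; put as much analysis here as you like.
    def startUp(self, context):
        pass
    def process(self, file):
        if not is_ebola_file(file.getName()):
            return IngestModule.ProcessResult.OK
        # Post an interesting-file hit so the UI and other modules can see it.
        art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        art.addAttribute(BlackboardAttribute(
            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
            EbolaFinderModuleFactory.moduleName, "Ebola Files"))
        IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(
            EbolaFinderModuleFactory.moduleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None))
        return IngestModule.ProcessResult.OK
    def shutDown(self):
        pass
```

Save the script as a `.py` file in a folder under the Python plugins directory opened from Tools -> Python Plugins; Autopsy loads it at the start of the next ingest, so edits can be re-run without restarting.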
Tools -> Python Plugins
Drop!
Resources: SleuthKit Wiki
• http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html
• http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/platform_page.html
• http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html
• http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_report_page.html
Resources: Sample in source
Getting file bytes
The End (Questions?)