
Make Python Your “First” Language – when investigating cybercrime!

Many digital investigators, students, academics, examiners and researchers would like to extend and enhance current proprietary forensic platforms. When the need arises to address new issues, handle special cases or to directly impact performance by unleashing multiple processing cores toward a specific problem, your control may be limited. In addition, you may want to develop a deeper understanding of how digital evidence is acquired, examined and analyzed and add some of your own twists to the art of cybercrime investigation.

Enter Python Forensics

The Python programming language is an environment that can be learned and applied by “anyone”. You simply need a computer (PC, Mac, Linux, iOS, Android, Raspberry Pi, even an old MicroVAX lying around, and yes – even a Windows phone).

In addition, the open source nature has connected developers and researchers across the globe spurring them on to innovate modules and libraries to address many challenges including but certainly not limited to: space flight, weather prediction, financial modeling, movie production and now digital investigations. Python is used today by prominent organizations like Google, Disney, Dropbox, Industrial Light and Magic, the National Weather Service, NASA, IBM and many others.

The language has built-in capabilities that directly relate to digital investigation. For example, the code below will compute a SHA 256 hash of a string – in three lines of code no less! Hashing is one of the fundamental practices performed in digital investigation, used both to protect the integrity of evidence and to search for specific known files.

Python Hashing Code

>>> import hashlib
>>> sha256 = hashlib.sha256()
>>> sha256.update(b"some data I would like hashed")   # hash objects consume bytes, hence the b"..." literal (Python 3)
>>> print("SHA 256: " + sha256.hexdigest())

Output

SHA 256: 994dcf28257fd644d4393e1fb56e26f3ed66e602b697b7bfaec1fc54bd475e2e
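As an added example (not code from the original post or from the author's books), here is the same practice carried a step further in Python 3: files are hashed in fixed-size chunks so that large evidence files never have to fit in memory, a whole directory tree is hashed at once, and the digests are checked against a known-hash set. The file names and the known-hash entry are constructed sample data; the SHA-256 of "abc" is a standard test vector standing in for an entry from a real hash database.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so multi-GB images are hashed without loading them whole


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, fed to the hash object in fixed-size chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Walk a directory and return {relative_path: hexdigest} for every regular file."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hash_file(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def find_known_files(hashes, known_hashes):
    """Return the paths whose digest appears in a known-hash set (contraband, malware, or notable files)."""
    return sorted(path for path, digest in hashes.items() if digest in known_hashes)


def demo():
    # Constructed sample evidence tree: two files, one of which is on the "known" list.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"abc")
        (Path(tmp) / "empty.bin").write_bytes(b"")
        hashes = hash_tree(tmp)
        # SHA-256 of "abc" (standard test vector), used here as a stand-in known-hash database entry.
        known = {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
        return hashes, find_known_files(hashes, known)


if __name__ == "__main__":
    hashes, matches = demo()
    for path, digest in hashes.items():
        print(f"{digest}  {path}")
    print("known files:", matches)
```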

Or maybe you need to capture network packets to identify possible information leaks.

How about some packet sniffing?

Python provides standard libraries for a variety of network interface capabilities. For example, the built-in socket library provides the necessary building blocks for creating simple or advanced scripts that interface with the network.

>>> import socket
>>> mySocket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)   # raw sockets require root/administrator privileges
>>> recvBuffer, addr = mySocket.recvfrom(255)   # blocks until a TCP packet arrives; recvBuffer holds up to 255 raw bytes of it
If you would like to dive in deeper, Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology and my most recent book, Passive Python Network Mapping, provide detailed open source Python examples on these and many other topics.

So what are you waiting for? Start building, learning and experimenting with your new first language “Python”! And be sure to keep in touch along your journey!!


Greg Kipper

Chet Hosmer

Chet Hosmer is an author, educator and researcher and the founder of Python Forensics, Inc., a non-profit research institute devoted to developing open source Python solutions for investigators.

Chet is also the co-founder of WetStone Technologies, Inc., a Visiting Professor at Utica College in the Cybersecurity graduate program, and an Adjunct Professor at Champlain College, where he teaches in the Digital Forensics graduate program. He is the author of the popular Syngress titles Python Forensics and Passive Python Network Mapping, and co-author with Mike Raggo of the book Data Hiding. Chet resides with his two-legged and four-legged family near Myrtle Beach, South Carolina.