PowerShell and Python Together: Targeting Digital Investigations

by Chet Hosmer

Longs, SC, USA


Book Details
Pages: 223
File Size: 10,867 KB
File Type: PDF format
ISBN-13 (electronic)
ISBN-13 (pbk)
Copyright 2019 by Chet Hosmer

About the Author
Chet Hosmer is the founder of Python Forensics, Inc., a nonprofit organization focused on the collaborative development of open-source investigative technologies using Python and other popular scripting languages. Chet has been researching and developing technology and training surrounding forensics, digital investigation, and steganography for decades. He has made numerous appearances to discuss emerging cyber threats, including National Public Radio's Kojo Nnamdi Show, ABC's Primetime Thursday, and ABC News (Australia). He has also been a frequent contributor to technical and news stories relating to cybersecurity and forensics with IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired magazine.

Chet is the author of Defending IoT Infrastructures with the Raspberry Pi (Apress, 2018), Passive Python Network Mapping (Syngress, 2015), Python Forensics (Syngress, 2014), and Integrating Python with Leading Computer Forensics Platforms (Syngress, 2016). He coauthored Data Hiding (Syngress, 2012) with Mike Raggo and Executing Windows Command Line Investigation (Syngress, 2016) with Joshua Bartolomie and Rosanne Pelli.

Chet serves as a visiting professor at Utica College in the Cybersecurity graduate program, where his research and teaching focus on advanced steganography/data hiding methods and the latest active cyber defense methods and techniques. Chet is also an adjunct professor at Champlain College, where his research and teaching focus on applying Python and other scripting languages to solve challenging problems in digital investigation and forensics.

Chet resides in the Grand Strand area of South Carolina with his wife Janet, son Matthew, two Labrador Retrievers (Bailey and Vinny), and feline tenants Lucy, Rosie, and Evander.

About the Technical Reviewer
Gary C. Kessler, PhD, CCE, CISSP, is a Professor of Cybersecurity and Chair of the Security Studies & International Affairs Department at Embry-Riddle Aeronautical University in Daytona Beach, Florida. His academic background is in mathematics and computer science, and his research interests include network protocols, digital forensics, and cybersecurity management and policy, particularly related to maritime and aviation. Gary is also an adjunct professor at Edith Cowan University (Perth, WA) and American Marine University (Sarasota, FL).

Gary started the undergraduate and graduate digital forensics programs at Champlain College (Burlington, VT) and has been affiliated with the National Internet Crimes Against Children (ICAC) program and Vermont, Northern Florida, and Hawaii Task Forces since 1999. He is also a frequent speaker at national and international conferences, notably the annual National Cyber Crime Conference.

Gary is also a member of the advisory board of the Maritime and Port Security Information Sharing & Analysis Organization (MPS-ISAO), holds a USCG master merchant mariner certificate, and is a Master SCUBA Diver Trainer. More information about Gary can be found at www.garykessler.net.

The endeavor to integrate PowerShell and Python came about a couple of years ago. I was providing training for a large utility and began by teaching the members of the secure operations center, or SOC, how to apply Python scripts during investigations and incident response. A few months later, they asked for similar training – this time using PowerShell as the scripting engine for the SOC team. Based on this, I quickly realized that PowerShell was perfect for acquisition of information across the enterprise, and Python was good at performing analysis of data that had been acquired by other tools.

Now, of course, PowerShell advocates will say that PowerShell scripts can be developed to perform detailed analysis. Likewise, Python advocates will say Python scripts can be developed to perform very capable evidence acquisition. I agree with both advocates – but only to a point. The real question is… if we combine the best of both environments, does 1 + 1 = 2 or does 1 + 1 = 11? I believe that the answer falls somewhere in the middle.

Thus, the purpose of the book, along with the research and experimentation that went into it, was to build a model, in fact two models, to integrate and leverage the best capabilities of Python and PowerShell and apply the result to digital investigation. It is important to note that this is a work in progress. I believe that the continued development of advanced PowerShell and Python capabilities that leverage the models provided here has great potential and should be pursued.

Therefore, I encourage you to experiment with the models that I have presented here and use them to develop new solutions that are desperately needed to acquire and analyze evidence collected before, during, and after a cyber incident, a cyber breach, as well as physical or cybercrimes. I also encourage you to share your work and innovations with others in our field to benefit those that fight cybercrime every day.

Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: An Introduction to PowerShell for Investigators
  A Little PowerShell History
  How Is PowerShell Used Today?
  How Do You Experiment with PowerShell?
  Navigating PowerShell ISE
  PowerShell CmdLets
  What Is a CmdLet?
  Introduction to Some Key CmdLets
  Challenge Problems: Investigative CmdLets to Explore
  Challenge One: Executing a “Find” Based on File Extension
  Challenge Two: Examining Network Settings
  Challenge Three: Examining Firewall Settings
  Challenge Four: Your Chance to Explore
  Summary
Chapter 2: PowerShell Pipelining
  What Is CmdLet Pipelining?
  Example 1: Get-Service
  Example 2: Get-Process
  Adding a Transcript to Track Your Activities
  Challenge Problem: CmdLet Experimentation
  Summary
Chapter 3: PowerShell Scripting Targeting Investigation
  Basic Facts About PowerShell Scripts
  Example 1: The EventProcessor PowerShell Script
  EventLog CmdLets
  Retrieving More Specific Eventlog Information
  Creating the Script
  EventProcessor Get-Help Result
  EventProcessor Script Execution
  Resulting Directory
  HTML Output Report
  Remote Access
  Example 2: USB Device Usage Discovery
  Create the Script
  USBAcquire Script Execution
  USBAcquire Get-Help Result
  Challenge Problem: Create File Inventory List with Hashes
  Summary
Chapter 4: Python and Live Investigation/Acquisition
  What Is “By Example”?
  Directing PowerShell with Python
  Launching PowerShell CmdLets from Python
  Creating a System Files Baseline with PowerShell and Python
  Overview of Python Execution with PowerShell
  Challenge Problem: Perform Remote Script Execution
  Summary
Chapter 5: PowerShell/Python Investigation Example
  Enable PowerShell Remoting
  Gathering and Analyzing Remote Evidence
  Invoking Remote Access
  Building a PowerShell Script for DnsCache Acquisition
  Python Script and PowerShell CacheAquire Script
  Overview of Client DNS Cache Acquisition and Search
  Challenge Problem: Multiple Target Computer DNSCache Acquisition
  Summary
Chapter 6: Launching Python from PowerShell
  Reversing Roles from PowerShell to Python
  Examine the PowerShell Script
  Examine the Corresponding Python Script
  Executing the Combined PowerShell to Python Scripts
  Extracting Possible Proper Names from Text Documents
  Examine the PowerShell Script
  Examine the Corresponding Python ProperNames Script
  Executing the Combined PowerShell to Python ProperNames Scripts
  Extracting EXIF Data from Photographs
  PowerShell Script
  pyGeo.py Python Script
  Executing the Combined PowerShell to Python exifxtract Scripts
  Summary
Chapter 7: Loose Ends and Future Considerations
  Loose Ends
  Future Considerations
  Summary
Appendix A: Challenge Problem Solutions
  Chapter 1: Investigative CmdLets to Explore
  Challenge One: Executing a “Find” Based on File Extension
  Challenge Two: Examining Network Settings
  Challenge Three: Examining Firewall Settings
  Chapter 2: CmdLet Experimentation
  Transcript of Commands and Responses
  Chapter 3: Create File Inventory List with Hashes
  Sample PowerShell Script Output
  HTML Screenshots
  Chapter 4: Perform Remote Script Execution
  Example A: Acquire Remote Processes from PLUTO
  Example B: Acquire Remote Services from PLUTO
  Example C: Acquire Remote IP Configuration from PLUTO
  Chapter 5: Multiple Target Computer DNSCache Acquisition
Index


Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Development Editor: Laura Berendson
Coordinating Editor: Rita Fernando
Cover designed by eStudioCalamar
Cover image designed by Freepik (www.freepik.com)