Python Forensics
BT215
Description
What makes an excellent digital forensics investigator is the knowledge and skill to automate the stages of a forensic investigation using the power of the Python programming language. Many laboratories rely on Python to build basic predictive models and to run experiments. It also helps to control critical operational systems. Python has built-in capabilities to support a digital investigation and to protect the integrity of evidence throughout it.
This training provides the participant with stepping stones for taking forensics skills to the next level by combining them with powerful Python scripting.
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-work at home between lessons
- Repetition of materials, self-learning, performing tasks, etc…
In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
- A personal computer suitable for running virtual machines, with an Internet connection
- Completing the scenarios in the Cyberium Arena
Target audience
- Law enforcement officers & intelligence corps
- Incident responders
- Computer investigators
- IT/network administrators
- IT security personnel
- Junior-Cyber forensics analysts
Objectives
- Learning to work with different modules to accomplish tasks
- Analyzing artifacts left on a compromised system using Python
- Performing network traffic monitoring and analyzing logs
Prerequisites
Syllabus
Description
During this module, participants will be introduced to the world of Python. They will learn to install Python and its additional modules, write basic scripts, create socket clients and servers, and work with files.
Technical content
- Introduction to Python Scripting
o Installing Python
o Python Basics
▪ Variables and Booleans
▪ Dictionaries and Tuples
▪ Conditional Statements
▪ While and For Loops
▪ Scoping and Subroutines
▪ Exceptions, Testing, Comprehensions
▪ Files I/O - OS and Networks
o Using PIP to Install Additional Modules
o The OS Module
▪ os.stat()
▪ os.walk()
▪ os.environ
o Sockets
▪ Simple HTTP Request
▪ Network Client and Server
Description
This module covers network forensics; participants will learn to install and work with a variety of network frameworks and tools, as well as to capture, analyze, recover, and visualize network traces.
Technical content
- Pandas and Scapy
o Introduction to Scapy
o Crafting Raw Packets with Scapy
▪ Sending DNS Requests
▪ Replacing the Default ICMP Payload
▪ ARP Packets
o Communicating with SSL
o Introduction to Numpy
▪ Numpy Basics
▪ Universal Functions
▪ Boolean Indexing
o Pandas Basics
▪ Vector Operations
▪ String Operations
o Pandas DataFrame Basics - Analyzing Network Traces
o DSHELL Framework
o Network Traces Statistics
o Visualizing Network Traces
o Converting Pcap to Pandas DataFrame
o Basic Payload Investigation
Description
Operating system forensics is a core part of Python forensics; this module covers forensics on both of today's primary operating systems, working with disk images, and metadata analysis.
Technical content
- Python Forensics in Windows
o Basic File Metadata
o Data Representation
o Carving Data and Metadata
o Analyzing Windows Artifacts
o Windows Event Logs Handling
- Python Forensics in Linux
o The Linux Filesystem
▪ Understanding inode
▪ File Capabilities
▪ Basic File Metadata
o Analyzing Users' Command Histories
o Capturing Images
o Extracting Objects from Images
o Memory Capture and Analysis
Description
During this module, participants will learn to work with advanced networking.
Technical content
- Advanced Forensics
o Advanced Networking
▪ Replaying Network Traces
▪ Performing Basic Attacks
o Working with Data
o Twisted Python
▪ Twisted Reactor
▪ Twisted Deferreds
▪ Twisted Transport
o Footprinting Applications
Labs
- Lab 1 Basic Python Scripting
- Lab 2 Building Remote Connection
- Lab 3 Pandas Basics
- Lab 4 Analyzing Network with Python
- Lab 5 Registry
- Lab 6 Memory
- Lab 7 Linux Forensics
- Lab 8 Building a Framework
Real case studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
- In-person classroom with proctored labs and scenarios executed in our Cyberium Arena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available to the participant electronically.
Course Group: Defense
Hands-on / Theory Mix
This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.
Required Equipment
Network connection
As this course makes extensive use of a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As this is a very practical course, participants need a laptop with the following capabilities in order to make the most of it:
- Audio and Video
- 8 GB RAM
- 200 GB Disk Space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with microphone