The following recipes are covered in this chapter:
- Getting a jump start with IEF
- Coming into contact with IEF
- It's a beautiful soup
- Going hunting for viruses
- Gathering intel
- Totally passive
Technology has come a long way and, with it, the extent to which tools are made widely available has changed too. As a matter of fact, being cognizant of the tools' existence is half the battle due to the sheer volume of tools available on the internet. Some of these tools are publicly available and can be bent toward forensic purposes. In this chapter, we will learn how to interact with websites and identify malware through Python, including an automated review of potentially malicious domains, IP addresses, or files.
We start out by taking a look at how to manipulate Internet Evidence Finder (IEF) results and perform additional processing outside of the context of the application. We also explore using services such as VirusShare, PassiveTotal, and VirusTotal to create HashSets of known malware, query suspicious domain resolutions, and identify known bad domains...
Recipe Difficulty: Easy
Python Version: 3.5
Operating System: Any
This recipe will act as a quick means of dumping all reports from IEF to CSV files and an introduction to interacting with IEF results. IEF stores data in a SQLite database, which we explored rather thoroughly in Chapter 3, A Deep Dive into Mobile Forensic Recipes. As IEF can be configured to scan specific categories of information, it is not as simple as dumping a fixed set of tables from each IEF database. Instead, we must determine this information dynamically and then interact with those tables. This recipe will dynamically identify result tables within the IEF database and dump them to respective CSV files. This process can be performed on any SQLite database to quickly dump its contents to CSV files for review.
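The dynamic table discovery described above, as an added example that is not the book's recipe code: table names are read from `sqlite_master` instead of being hard-coded, every table is written to its own CSV, and the evidence database is opened read-only. The `demo()` helper builds a constructed two-table database so the script runs without a real IEF export.

```python
import csv
import re
import sqlite3
import tempfile
from pathlib import Path

def list_result_tables(conn):
    """Discover tables from sqlite_master at run time; IEF only creates tables
    for the artifact categories that were selected for the scan."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' "
                        "AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [r[0] for r in rows]

def dump_table_to_csv(conn, table, out_dir):
    """Write one table to out_dir/<table>.csv and return its row count."""
    # The identifier comes from sqlite_master, not from user input; quote it anyway.
    cur = conn.execute('SELECT * FROM "{}"'.format(table.replace('"', '""')))
    headers = [col[0] for col in cur.description]
    safe_name = re.sub(r"[^\w.-]+", "_", table)  # keep the CSV file name portable
    with open(Path(out_dir) / f"{safe_name}.csv", "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(headers)
        count = 0
        for row in cur:
            writer.writerow(row)
            count += 1
    return count

def dump_database(db_path, out_dir):
    """Dump every table to CSV; the evidence database is opened read-only."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(f"file:{Path(db_path).resolve().as_posix()}?mode=ro", uri=True)
    try:
        return {t: dump_table_to_csv(conn, t, out_dir) for t in list_result_tables(conn)}
    finally:
        conn.close()

def demo():
    work = Path(tempfile.mkdtemp())  # constructed sample database, not real IEF output
    conn = sqlite3.connect(work / "ief_sample.db")
    conn.execute('CREATE TABLE "Chrome Web History" (url TEXT, title TEXT)')
    conn.executemany('INSERT INTO "Chrome Web History" VALUES (?, ?)',
                     [("http://example.com/", "Example"), ("http://example.org/", "Org")])
    conn.execute('CREATE TABLE "Yahoo Mail" (sender TEXT)')
    conn.execute('INSERT INTO "Yahoo Mail" VALUES (?)', ("user@example.com",))
    conn.commit()
    conn.close()
    return dump_database(work / "ief_sample.db", work / "csv")
```

`demo()` returns a per-table row count, which is a convenient sanity check against the record counts IEF itself reports.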
Recipe Difficulty: Medium
Python Version: 3.5
Operating System: Any
We can take further advantage of the IEF results in the SQLite database by manipulating them and gleaning even more information from artifacts that IEF does not necessarily support. This can be particularly important when new artifacts are discovered and are unsupported. As the internet, and many businesses using the internet, change constantly, it is unrealistic for software to keep up with every new artifact. In this case, we will look at cached Yahoo Mail contacts that get stored on the local system as a byproduct of using Yahoo Mail.
All libraries used in this script are present in Python's standard library...
Recipe Difficulty: Medium
Python Version: 3.5
Operating System: Any
In this recipe, we create a website preservation tool leveraging the Beautiful Soup library. This is a library meant to process markup languages, such as HTML or XML, and can be used to easily process these types of data structures. We will use it to identify and extract all links from a web page in a few lines of code. This script is meant to showcase a very simplistic example of a website preservation script; it is by no means intended to replace existing software out there on the market.
This recipe requires the installation of the third-party library bs4. This module can be installed via the following command. All other libraries...
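The link extraction step of the preservation script, as an added example (not the book's own code): Beautiful Soup finds every `<a href>` tag, relative references are resolved against the page URL, and the result is deduplicated and optionally restricted to the host being preserved. The HTML page is a constructed sample.

```python
from urllib.parse import urljoin, urlparse
from bs4 import BeautifulSoup

# Constructed page standing in for one fetched from the site being preserved.
SAMPLE_HTML = """<html><body>
<a href="/about.html">About</a>
<a href="contact.html">Contact</a>
<a href="https://cdn.example.net/lib.js">external</a>
<a href="#top">anchor only</a>
<a href="mailto:someone@example.com">mail</a>
<a href="/about.html#team">duplicate resource, different fragment</a>
<a>no href at all</a>
</body></html>"""


def extract_links(html, base_url, same_site_only=True):
    """Return absolute http(s) links from <a href> tags, deduplicated and in
    page order. Fragment-only, mailto: and similar links are dropped because a
    preservation crawl cannot fetch them; with same_site_only, links to other
    hosts are dropped as well so the crawl stays within the target site."""
    soup = BeautifulSoup(html, "html.parser")
    base_host = urlparse(base_url).netloc
    seen, links = set(), []
    for tag in soup.find_all("a", href=True):
        href = tag["href"].strip()
        if not href or href.startswith("#"):
            continue
        absolute = urljoin(base_url, href).split("#", 1)[0]  # fragment is not a new resource
        parsed = urlparse(absolute)
        if parsed.scheme not in ("http", "https"):
            continue
        if same_site_only and parsed.netloc != base_host:
            continue
        if absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links
```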
Recipe Difficulty: Medium
Python Version: 3.5
Operating System: Any
VirusShare is the largest privately owned collection of malware samples, with over 29.3 million samples and counting. One of the great benefits of VirusShare, besides the literal cornucopia of malware that is every malware researcher's dream, is the list of malware hashes, which is made freely available. We can use these hashes to create a very comprehensive hash set and leverage that in casework to identify potentially malicious files.
In this recipe, we demonstrate how to automate downloading lists of hashes from VirusShare to create a newline-delimited hash list. This list can be used by forensic tools, such as X-Ways, to create a HashSet. Other forensic tools, EnCase, for example, can use this...
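Building the newline-delimited hash list from downloaded VirusShare files, as an added example rather than the recipe's code. It assumes the lists have already been fetched and that their format is comment lines beginning with `#` followed by one MD5 per line; the two lists below are constructed samples, and the lookup helper shows the hash set being used against a file's bytes.

```python
import hashlib
import re

# Constructed stand-ins for two downloaded VirusShare hash lists. The format
# (lines starting with '#' are comments, then one MD5 per line) is assumed.
SAMPLE_LISTS = [
    "# VirusShare hash list 00000 (constructed sample)\n"
    "d41d8cd98f00b204e9800998ecf8427e\n"
    "0cc175b9c0f1b6a831c399e269772661\n",
    "# VirusShare hash list 00001 (constructed sample)\n"
    "D41D8CD98F00B204E9800998ECF8427E\n"  # duplicate of list 00000, upper case
    "not-a-hash\n"                        # malformed line, must be rejected
    "92eb5ffee6ae2fec3ad71c777531578f\n",
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_list(text):
    """Return (set of normalized MD5s, number of rejected lines) for one list.
    Comments and blank lines are skipped; anything not 32 hex chars is rejected."""
    hashes, rejected = set(), 0
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if MD5_RE.match(line):
            hashes.add(line)
        else:
            rejected += 1
    return hashes, rejected


def build_hash_set(lists):
    """Merge several lists into one deduplicated set, totalling rejections."""
    merged, rejected = set(), 0
    for text in lists:
        found, bad = parse_hash_list(text)
        merged |= found
        rejected += bad
    return merged, rejected


def to_newline_delimited(hashes):
    """Render the set as sorted, newline-delimited text, the form a forensic
    tool imports as a HashSet (write it to a file in real use)."""
    return "\n".join(sorted(hashes)) + "\n"


def is_known_bad(data, hash_set):
    """MD5 the bytes of a file under examination and look it up in the set."""
    return hashlib.md5(data).hexdigest() in hash_set
```

The rejected-line count is worth logging: a sudden jump usually means a download was truncated or returned an error page rather than a hash list.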
Recipe Difficulty: Medium
Python Version: 3.5
Operating System: Any
In this recipe, we use VirusTotal, a free online virus, malware, and URL scanner, to automate the review of potentially malicious websites or files. VirusTotal maintains detailed documentation of their API on their website. We will demonstrate how to perform basic queries against their system using their documented API and store returned results into a CSV file.
To follow this recipe, you need to first create an account with VirusTotal and decide between the free public API or the private API. The public API has request limitations, which the private API does not. For example, with the public API, we are limited to 4 requests...
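A minimal client for the query-and-store workflow, added here as an example and not taken from the book: one function issues a file report request against the documented v2 endpoint (treating the empty HTTP 204 reply as the quota being exhausted), and the rest flattens a report into CSV columns. The two JSON responses are constructed samples in the shape of the v2 `/file/report` reply.

```python
import csv
import io
import json
import urllib.parse
import urllib.request

VT_BASE = "https://www.virustotal.com/vtapi/v2"  # v2 endpoint from the public docs
FIELDS = ["resource", "status", "scan_date", "positives", "total", "detections"]

# Constructed responses in the shape of the v2 /file/report JSON (values made up).
SAMPLE_FOUND = json.dumps({
    "response_code": 1, "resource": "0cc175b9c0f1b6a831c399e269772661",
    "scan_date": "2017-01-01 00:00:00", "positives": 2, "total": 3,
    "scans": {"EngineA": {"detected": True, "result": "Trojan.Sample"},
              "EngineB": {"detected": True, "result": "Malware.Gen"},
              "EngineC": {"detected": False, "result": None}}})
SAMPLE_NOT_FOUND = json.dumps({"response_code": 0,
                               "resource": "d41d8cd98f00b204e9800998ecf8427e"})


def query_file_report(api_key, resource):
    """GET /file/report for one hash or scan id. Returns the JSON text, or None
    when the request quota is exhausted (VT answers HTTP 204 with an empty body)."""
    params = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    with urllib.request.urlopen(f"{VT_BASE}/file/report?{params}", timeout=30) as resp:
        return None if resp.getcode() == 204 else resp.read().decode("utf-8")


def report_to_row(raw_json):
    """Flatten one report into CSV columns. Unknown hashes (response_code 0)
    and still-queued scans (-2) get a status but no detection counts."""
    rep = json.loads(raw_json)
    code = rep.get("response_code")
    status = {1: "found", 0: "not_found", -2: "queued"}.get(code, f"unexpected_{code}")
    detections = ""
    if code == 1:
        detections = "; ".join(f"{eng}:{d.get('result')}"
                               for eng, d in sorted(rep.get("scans", {}).items())
                               if d.get("detected"))
    return {"resource": rep.get("resource", ""), "status": status,
            "scan_date": rep.get("scan_date", ""), "positives": rep.get("positives", ""),
            "total": rep.get("total", ""), "detections": detections}


def rows_to_csv(rows):
    """Render flattened rows as CSV text (write it to a file in real use)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

A caller looping over many hashes should sleep between requests so the public quota is never hit, and should treat a `None` return as "retry later" rather than "not found".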
Recipe Difficulty: Medium
Python Version: 3.5
Operating System: Any
This recipe explores the PassiveTotal API and how to use it to automate the review of domains and IP addresses. This service is particularly useful in viewing historical resolution details for a given domain. For example, you may have a suspected phishing website and, based on historical resolution patterns, can identify how long it has been active and what other domains used to share that IP. This then gives you additional domains to review and search for in your evidence as you identify the different means and methods by which the attackers maintained persistence while compromising multiple users across the environment.
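The pivot reasoning described above, worked through as an added example that is not the recipe's code: from the resolution history of a suspected domain, compute how long it was active, then list the other hostnames that shared each IP during the same window. The records are constructed and their field names (`resolve`, `firstSeen`, `lastSeen`) follow the shape of PassiveTotal's passive DNS results as assumed here.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
SUSPECT = "login-verify.example"

# Constructed passive-DNS records (field names assumed from the PassiveTotal
# v2 passive DNS results; every domain, IP and date below is made up).
DOMAIN_RESOLUTIONS = [  # what the suspected phishing domain resolved to, over time
    {"resolve": "192.0.2.10", "firstSeen": "2017-03-01 08:00:00", "lastSeen": "2017-03-20 17:00:00"},
    {"resolve": "192.0.2.11", "firstSeen": "2017-03-21 09:00:00", "lastSeen": "2017-04-05 12:00:00"},
]
IP_RESOLUTIONS = {  # reverse view: which hostnames pointed at each IP, and when
    "192.0.2.10": [
        {"resolve": "login-verify.example", "firstSeen": "2017-03-01 08:00:00", "lastSeen": "2017-03-20 17:00:00"},
        {"resolve": "secure-update.example", "firstSeen": "2017-03-10 00:00:00", "lastSeen": "2017-03-25 00:00:00"},
        {"resolve": "old-shop.example", "firstSeen": "2015-01-01 00:00:00", "lastSeen": "2015-06-01 00:00:00"},
    ],
    "192.0.2.11": [
        {"resolve": "login-verify.example", "firstSeen": "2017-03-21 09:00:00", "lastSeen": "2017-04-05 12:00:00"},
    ],
}


def parse(ts):
    return datetime.strptime(ts, FMT)


def active_window(resolutions):
    """Earliest firstSeen, latest lastSeen and whole days between them: the
    period during which the domain has been resolving at all."""
    first = min(parse(r["firstSeen"]) for r in resolutions)
    last = max(parse(r["lastSeen"]) for r in resolutions)
    return first, last, (last - first).days


def cohosted_domains(domain, resolutions, ip_index):
    """For each IP the domain used, list other hostnames that resolved to the
    same IP while the domain was on it. Hostnames whose window does not overlap
    (a previous tenant of a shared IP) are excluded to limit false pivots."""
    pivots = {}
    for r in resolutions:
        start, end = parse(r["firstSeen"]), parse(r["lastSeen"])
        pivots[r["resolve"]] = sorted(
            o["resolve"] for o in ip_index.get(r["resolve"], [])
            if o["resolve"] != domain
            and parse(o["firstSeen"]) <= end and parse(o["lastSeen"]) >= start)
    return pivots
```

The names returned by `cohosted_domains` are the candidates to search for in proxy logs, DNS cache and mail artifacts across the environment.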
To...