Course: Python Forensics
In the course Python Forensics the participants learn to use the Python programming language to investigate data on desktop computers and mobile devices and to analyze message traffic.
Device Data Analysis
The course targets the research and analysis of the data present on devices in file systems, browsers, log files and other data sources.
Python Fundamentals and Libraries
First the fundamentals of the Python programming language are covered: data types, control flow, classes, modules, packages and comprehensions. Various Python libraries that are important in criminal investigations are also discussed, such as the regular expression pattern matching library, the logging library and the date and time library.
File and Database Analysis
Next, extensive attention is paid to accessing the file system and analyzing files. Special topics are the creation of artifact reports and the hashing of data streams.
The analysis of databases such as SQLite, identifying gaps in them and data recovery are also part of the course program. Furthermore, the course discusses how location data can be retrieved from Wi-Fi messages, and the analysis of web server logs is treated.
Audio and Video Analysis
The analysis of audio and video data and the mining of PDF and Office metadata are also part of the course schedule. The registry can also provide important information, and its analysis is discussed.
Mail Box Analysis
Finally, attention is paid to the analysis of PST and OST mailboxes, the reading and analysis of EML files, and the detection and use of key loggers.
Audience Course Python Forensics
The course Python Forensics is designed for developers and analysts who want to learn how to use Python for criminal investigation to support the legal process.
Prerequisites Training Python Forensics
Knowledge of and experience with Python programming are not strictly necessary to participate in this course, but experience in Python programming is beneficial to a good understanding.
Format Training Python Forensics
The theory in the course Python Forensics is discussed on the basis of presentation slides. Illustrative demos clarify the concepts. Theory is alternated with exercises. Course times are from 9:30 to 16:30.
Certificate Python Forensics
After successful completion of the course, participants receive an official Python Forensics certificate.
Modules
Module 1 : Python Essentials
- Python 2 versus Python 3
- Lines and Indentation
- Python Data Types
- Numbers and Strings
- Lists and Tuples
- Sets and Dictionaries
- Python Flow Control
- Comprehensions
- Functions
- Modules and Packages
- Exception Handling
Module 2 : Classes and Objects
- Python Object Orientation
- Creating Classes
- Class Members
- Creating and Using Objects
- Property Syntax
- Static Methods
- Encapsulation
- Inheritance and Polymorphism
- Constructor Chaining
- Overriding Methods
- Abstract Classes
Module 3 : Python Libraries
- Regular Expressions
- Logging
- Log Configuration
- Generators
- Unit Testing
- Dates and Times
- JSON Access
- XML Access
- Numpy Library
- Pandas Library
- Plotting
Module 4 : File Analysis
- File I/O
- Iterating over Files
- Recording File Attributes
- Copying Files
- Attributes and Timestamps
- Hashing Data Streams
- Creating Artifact Reports
- Working with CSVs
- Visualizing Events with Excel
- Parsing PLIST Files
Module 5 : DB and Mobile Data
- Database Access
- Python DB API
- Handling SQLite Databases
- Identifying Gaps in SQLite
- Logging Results
- Putting Wi-Fi on the map
- Recover Messages
- Log-Based Artifact Recipes
- Parsing IIS Web Logs
- Interpreting daily.out Log
Module 6 : Extracting Metadata
- Audio and Video Metadata
- Mining for PDF Metadata
- Review Executable Metadata
- Office Document Metadata
- Metadata Extractor with EnCase
- Networking Analysis
- Compromise Recipes
- Jump start with IEF
- Taking Names Recipes
- Viewing MSG Files
Module 7 : Forensic Artifacts Recipes
- Forensic Evidence Recipes
- Opening Acquisitions
- Gathering Media Information
- Processing Container Files
- Searching for Hashes
- Searching High and Low
- Reading the Registry
- Gathering User Activity
- Parsing Prefetch Files
- Indexing Internet History
- Dissecting the SRUM database
Module 8 : Parsing PST Containers
- Personal Storage Table
- PST and OST Mailboxes
- libpff and pypff
- Reading Emails
- Parsing EML files
- Traversing Folders
- Summarizing Data
- Using HTML Templates
- Heat Map
- Word Statistics
- pffexport and pffinfo
Module 9 : Key Loggers
- Detecting Malicious Processes
- Hardware Keyloggers
- Software Keyloggers
- Monitoring Keyboard Events
- Capturing Screenshots
- Capturing Clipboard
- Monitoring Processes
- Multi Processing
- Keylogger Controllers
- Special Keys
- Non-English Keyboards