Python Digital Forensics Tutorial

Artifact Report

Now that you are comfortable with installation and running Python commands on your local system, let us move into the concepts of forensics in detail. This chapter will explain various concepts involved in dealing with artifacts in Python digital forensics.

Need for Report Creation

The process of digital forensics includes reporting as the third phase. This is one of the most important parts of the digital forensic process. Report creation is necessary for the following reasons −

  1. It is the document in which the digital forensic examiner outlines the investigation process and its findings.

  2. A good digital forensic report can be referenced by another examiner to reach the same result when given the same repositories.

  3. It is a technical and scientific document that contains facts found within the 1s and 0s of digital evidence.

General Guidelines for Report Creation

Reports are written to provide information to the reader and must start from a solid foundation. Investigators can have difficulty presenting their findings efficiently if the report is prepared without some general guidelines or standards. Some general guidelines that must be followed while creating digital forensic reports are given below −

  1. Summary − The report must contain a brief summary of the information so that the reader can ascertain the report’s purpose.

  2. Tools used − We must mention the tools that have been used for carrying out the digital forensics process, including their purpose.

  3. Repository − Suppose we investigated someone’s computer; the summary of evidence and the analysis of relevant material, such as email and internet search history, must then be included in the report so that the case can be clearly presented.

  4. Recommendations for counsel − The report must include recommendations for counsel to continue or cease the investigation based on the findings in the report.

Creating Different Types of Reports

In the above section, we learned about the importance of reports in digital forensics along with the guidelines for creating them. Some of the formats in Python for creating different kinds of reports are discussed below −

CSV Reports

One of the most common output formats for reports is a CSV spreadsheet report. You can create a CSV report of processed data using the Python code shown below −

First, import useful libraries for writing the spreadsheet −

from __future__ import print_function
import csv
import os
import sys

Now, call the following method −

Write_csv(TEST_DATA_LIST, ["Name", "Age", "City", "Job description"], os.getcwd())

We are using the following global variable to represent sample data types −

TEST_DATA_LIST = [["Ram", 32, "Bhopal", "Manager"],
   ["Raman", 42, "Indore", "Engg."],
   ["Mohan", 25, "Chandigarh", "HR"],
   ["Parkash", 45, "Delhi", "IT"]]

Next, let us define the method that performs the actual work. We open the file in “w” mode and set the newline keyword argument to an empty string so that the csv module controls the line endings.

def Write_csv(data, header, output_directory, name=None):
   if name is None:
      name = "report1.csv"
   print("[+] Writing {} to {}".format(name, output_directory))

   # newline="" lets the csv module control line endings (no blank lines on Windows)
   with open(os.path.join(output_directory, name), "w", newline="") as csvfile:
      writer = csv.writer(csvfile)
      writer.writerow(header)
      # writerows() writes one row per record; writerow(data) would dump the whole list into a single row
      writer.writerows(data)

If you run the above script, you will get the following details stored in the report1.csv file.

Name,Age,City,Designation
Ram,32,Bhopal,Manager
Raman,42,Indore,Engg.
Mohan,25,Chandigarh,HR
Parkash,45,Delhi,IT
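As an added example that is not part of the original tutorial, the following is a complete version of the CSV report writer described above: it uses writerows() so each record becomes its own row, checks that every row matches the header, and reads the file back to confirm that a field containing a comma and quotes survives the round trip. The sample rows are constructed here in the tutorial's shape.

```python
import csv
import os
import tempfile

# Constructed sample data in the tutorial's shape. The second "Job description"
# deliberately contains a comma and quotes to show that the csv module quotes
# such fields so they are not split into extra columns when read back.
SAMPLE_HEADER = ["Name", "Age", "City", "Job description"]
SAMPLE_ROWS = [
    ["Ram", 32, "Bhopal", "Manager"],
    ["Raman", 42, "Indore", 'Engg., "Platform" team'],
    ["Mohan", 25, "Chandigarh", "HR"],
    ["Parkash", 45, "Delhi", "IT"],
]


def write_csv_report(rows, header, output_directory, name="report1.csv"):
    """Write the header plus one row per record and return the report path.

    newline="" hands line-ending control to the csv module, so the file does
    not get blank lines between rows on Windows. writerows() (plural) emits one
    row per record; writerow(rows) would dump the whole list into a single row.
    """
    if any(len(row) != len(header) for row in rows):
        raise ValueError("every row must have as many fields as the header")
    path = os.path.join(output_directory, name)
    with open(path, "w", newline="", encoding="utf-8") as csvfile:
        writer = csv.writer(csvfile)
        writer.writerow(header)
        writer.writerows(rows)
    return path


def read_csv_report(path):
    """Read a report back; returns (header, rows) with every field as a string."""
    with open(path, "r", newline="", encoding="utf-8") as csvfile:
        reader = csv.reader(csvfile)
        header = next(reader)
        return header, [row for row in reader]


def roundtrip_demo():
    """Write the sample report to a temporary directory and read it back.

    Returns (header_matches, rows_match, row_count) so the result can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = write_csv_report(SAMPLE_ROWS, SAMPLE_HEADER, tmp)
        header, rows = read_csv_report(path)
    # CSV stores everything as text, so compare against str() of each sample field.
    expected = [[str(field) for field in row] for row in SAMPLE_ROWS]
    return header == SAMPLE_HEADER, rows == expected, len(rows)
```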

Excel Reports

Another common output format for reports is an Excel (.xlsx) spreadsheet report. We can create tables and also plot graphs using Excel. We can create a report of processed data in Excel format using the Python code shown below −

First, import the XlsxWriter module for creating the spreadsheet −

import xlsxwriter

Now, create a workbook object. For this, we need to use the Workbook() constructor.

workbook = xlsxwriter.Workbook('report2.xlsx')

Now, create a new worksheet by using the add_worksheet() method.

worksheet = workbook.add_worksheet()

Next, write the following data into the worksheet −

report2 = (['Ram', 32, 'Bhopal'], ['Mohan', 25, 'Chandigarh'], ['Parkash', 45, 'Delhi'])

row = 0
col = 0

You can iterate over this data and write it as follows −

for name, age, city in report2:
   worksheet.write(row, col, name)
   worksheet.write(row, col + 1, age)
   worksheet.write(row, col + 2, city)
   row += 1

Now, let us close this Excel file by using the close() method.

workbook.close()

The above script will create an Excel file named report2.xlsx having the following data −

Ram       32   Bhopal
Mohan     25   Chandigarh
Parkash   45   Delhi

Investigation Acquisition Media

It is important for an investigator to have detailed investigative notes to accurately recall the findings or put together all the pieces of the investigation. A screenshot is very useful for keeping track of the steps taken in a particular investigation. With the help of the following Python code, we can take a screenshot and save it on the hard disk for future use.

First, install the Python module named pyscreenshot by using the following command −

pip install pyscreenshot

Now, import the necessary modules as shown −

import pyscreenshot as ImageGrab

Use the following line of code to get the screenshot −

image = ImageGrab.grab()

Use the following line of code to save the screenshot to the given location −

image.save('d:/image123.png')

Now, if you want to display the screenshot in a plot window, you can use the following Python code −

import matplotlib.pyplot as plt
import pyscreenshot as ImageGrab
image = ImageGrab.grab()
plt.imshow(image, cmap='gray', interpolation='bilinear')
plt.show()