by Chet Hosmer
Longs, SC, USA
Book Details

| Item | Value |
|---|---|
| Price | 4.00 |
| Pages | 223 p |
| File Size | 10,867 KB |
| File Type | PDF format |
| ISBN-13 (electronic) | 978-1-4842-4504-0 |
| ISBN-13 (pbk) | 978-1-4842-4503-3 |
| Copyright© | 2019 by Chet Hosmer |
About the Author

Chet Hosmer is the founder of Python Forensics, Inc., a nonprofit organization focused on the collaborative development of open-source investigative technologies using Python and other popular scripting languages. Chet has been researching and developing technology and training surrounding forensics, digital investigation, and steganography for decades. He has made numerous appearances to discuss emerging cyber threats, including National Public Radio’s Kojo Nnamdi Show, ABC’s Primetime Thursday, and ABC News (Australia). He has also been a frequent contributor to technical and news stories relating to cybersecurity and forensics with IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired magazine.

Chet is the author of Defending IoT Infrastructures with the Raspberry Pi (Apress, 2018), Passive Python Network Mapping (Syngress, 2015), Python Forensics (Syngress, 2014), and Integrating Python with Leading Computer Forensics Platforms (Syngress, 2016). He coauthored Data Hiding (Syngress, 2012) with Mike Raggo and Executing Windows Command Line Investigation (Syngress, 2016) with Joshua Bartolomie and Rosanne Pelli.

Chet serves as a visiting professor at Utica College in the Cybersecurity graduate program, where his research and teaching focus on advanced steganography/data hiding methods and the latest active cyber defense methods and techniques. Chet is also an adjunct professor at Champlain College, where his research and teaching focus on applying Python and other scripting languages to solve challenging problems in digital investigation and forensics.

Chet resides in the Grand Strand area of South Carolina with his wife Janet, son Matthew, two Labrador Retrievers (Bailey and Vinny), and feline tenants Lucy, Rosie, and Evander.
About the Technical Reviewer
Gary C. Kessler, PhD, CCE, CISSP, is a Professor of Cybersecurity and Chair of the Security Studies & International Affairs Department at Embry-Riddle Aeronautical University in Daytona Beach, Florida. His academic background is in mathematics and computer science, and his research interests include network protocols, digital forensics, and cybersecurity management and policy, particularly related to maritime and aviation. Gary is also an adjunct professor at Edith Cowan University (Perth, WA) and American Marine University (Sarasota, FL).

Gary started the undergraduate and graduate digital forensics programs at Champlain College (Burlington, VT) and has been affiliated with the National Internet Crimes Against Children (ICAC) program and the Vermont, Northern Florida, and Hawaii Task Forces since 1999. He is also a frequent speaker at national and international conferences, notably the annual National Cyber Crime Conference.

Gary is also a member of the advisory board of the Maritime and Port Security Information Sharing & Analysis Organization (MPS-ISAO), holds a USCG master merchant mariner certificate, and is a Master SCUBA Diver Trainer. More information about Gary can be found at www.garykessler.net.
Introduction
The endeavor to integrate PowerShell and Python came about a couple of years ago. I was providing training for a large utility and began by teaching the members of the secure operations center, or SOC, how to apply Python scripts during investigations and incident response. A few months later, they asked for similar training – this time using PowerShell as the scripting engine for the SOC team. Based on this, I quickly realized that PowerShell was perfect for acquisition of information across the enterprise, and Python was good at performing analysis of data that had been acquired by other tools.

Now, of course, PowerShell advocates will say that PowerShell scripts can be developed to perform detailed analysis. Likewise, Python advocates will say Python scripts can be developed to perform very capable evidence acquisition. I agree with both advocates – but only to a point. The real question is… if we combine the best of both environments, does 1 + 1 = 2 or does 1 + 1 = 11? I believe that the answer falls somewhere in the middle.

Thus, the purpose of the book, along with the research and experimentation that went into it, was to build a model, in fact two models, to integrate and leverage the best capabilities of Python and PowerShell and apply the result to digital investigation. It is important to note that this is a work in progress. I believe that the continued development of advanced PowerShell and Python capabilities that leverage the models provided here has great potential and should be pursued.

Therefore, I encourage you to experiment with the models that I have presented here and use them to develop new solutions that are desperately needed to acquire and analyze evidence collected before, during, and after a cyber incident or a cyber breach, as well as physical or cybercrimes. I also encourage you to share your work and innovations with others in our field to benefit those that fight cybercrime every day.
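The division of labor described in the Introduction (PowerShell acquires, Python analyzes) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the book, and the function names (`acquire_processes`, `parse_processes`, `analyze`), the cmdlet pipeline it runs, and the sample JSON it analyzes are all assumptions chosen for illustration. Python launches a `Get-Process` pipeline in PowerShell, asks PowerShell to serialize the result with `ConvertTo-Json`, and then does the analysis on the Python side: counting processes per name and flagging any process name that is running from more than one image path, a common first look during triage. The acquisition step is only attempted when a PowerShell executable is on PATH, so the analysis can be exercised offline against the constructed sample.

```python
"""Python directs PowerShell: acquire with a cmdlet pipeline, analyze in Python.

Added example for this page, not the book's own code. Function names, the
cmdlet pipeline and the sample data are assumptions made for illustration.
"""
import json
import shutil
import subprocess
from collections import Counter

# Cmdlet pipeline run inside PowerShell. Select-Object limits the properties
# so the JSON stays small; -Compress keeps it on one line for the pipe.
ACQUIRE_CMD = "Get-Process | Select-Object Name,Id,Path | ConvertTo-Json -Compress"

# Constructed sample of what the pipeline above returns (not captured from a
# real host). Note the second "svchost" running outside System32 and a process
# whose Path is null because the caller could not read it.
SAMPLE_JSON = json.dumps([
    {"Name": "svchost", "Id": 812, "Path": "C:\\Windows\\System32\\svchost.exe"},
    {"Name": "svchost", "Id": 1340, "Path": "C:\\Users\\Public\\svchost.exe"},
    {"Name": "explorer", "Id": 2210, "Path": "C:\\Windows\\explorer.exe"},
    {"Name": "powershell", "Id": 3014,
     "Path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Name": "lsass", "Id": 720, "Path": None},
])


def find_powershell():
    """Return 'pwsh' or 'powershell' if one is on PATH, else None."""
    for exe in ("pwsh", "powershell"):
        if shutil.which(exe):
            return exe
    return None


def acquire_processes(exe=None):
    """Run the acquisition pipeline in PowerShell and return its JSON text.

    -NoProfile matters on a host under investigation: profile scripts are
    attacker-writable and would otherwise run inside our acquisition session.
    """
    exe = exe or find_powershell()
    if exe is None:
        raise RuntimeError("no PowerShell executable found on PATH")
    result = subprocess.run(
        [exe, "-NoProfile", "-NonInteractive", "-Command", ACQUIRE_CMD],
        capture_output=True, text=True, check=True)
    return result.stdout


def parse_processes(json_text):
    """Load the JSON. ConvertTo-Json emits a bare object (not a one-element
    array) when the pipeline produced a single item, so normalize to a list."""
    data = json.loads(json_text)
    if isinstance(data, dict):
        data = [data]
    return data


def analyze(processes):
    """Count processes per name and flag names seen at more than one image path."""
    paths_by_name = {}
    for proc in processes:
        name = (proc.get("Name") or "").lower()
        paths_by_name.setdefault(name, set())
        if proc.get("Path"):                      # null Path: access denied or protected process
            paths_by_name[name].add(proc["Path"].lower())
    multi_path = {n: sorted(p) for n, p in paths_by_name.items() if len(p) > 1}
    counts = Counter((proc.get("Name") or "").lower() for proc in processes)
    return {
        "process_count": len(processes),
        "name_counts": dict(counts),
        "multi_path_names": multi_path,
    }


if __name__ == "__main__":
    try:
        raw = acquire_processes()           # live acquisition if PowerShell is present
    except RuntimeError:
        raw = SAMPLE_JSON                   # otherwise fall back to the constructed sample
    print(json.dumps(analyze(parse_processes(raw)), indent=2))
```

Two details carry over to any real use of this model: paths compared case-insensitively because NTFS is, and `Path` treated as optional because `Get-Process` returns null for processes the caller cannot open, which is exactly the set (lsass, protected processes) an investigator will want to handle rather than crash on.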
Table of Contents
About the Author ix
About the Technical Reviewer xi
Acknowledgments xiii
Introduction xv
Chapter 1: An Introduction to PowerShell for Investigators 1
A Little PowerShell History 2
How Is PowerShell Used Today? 3
How Do You Experiment with PowerShell? 3
Navigating PowerShell ISE 3
PowerShell CmdLets 7
What Is a CmdLet? 7
Introduction to Some Key CmdLets 8
Challenge Problems: Investigative CmdLets to Explore 18
Challenge One: Executing a “Find” Based on File Extension 18
Challenge Two: Examining Network Settings 19
Challenge Three: Examining Firewall Settings 20
Challenge Four: Your Chance to Explore 20
Summary 20
Chapter 2: PowerShell Pipelining 23
What Is CmdLet Pipelining? 23
Example 1: Get-Service 23
Example 2: Get-Process 27
Adding a Transcript to Track Your Activities 37
Challenge Problem: CmdLet Experimentation 41
Summary 43
Chapter 3: PowerShell Scripting Targeting Investigation 45
Basic Facts About PowerShell Scripts 46
Example 1: The EventProcessor PowerShell Script 46
EventLog CmdLets 47
Retrieving More Specific Eventlog Information 49
Creating the Script 50
EventProcessor Get-Help Result 62
EventProcessor Script Execution 66
Resulting Directory 67
HTML Output Report 67
Remote Access 68
Example 2: USB Device Usage Discovery 70
Create the Script 72
USBAcquire Script Execution 83
USBAcquire Get-Help Result 84
Challenge Problem: Create File Inventory List with Hashes 85
Summary 86
Chapter 4: Python and Live Investigation/Acquisition 89
What Is “By Example”? 90
Directing PowerShell with Python 91
Launching PowerShell CmdLets from Python 94
Creating a System Files Baseline with PowerShell and Python 97
Overview of Python Execution with PowerShell 117
Challenge Problem: Perform Remote Script Execution 118
Summary 119
Chapter 5: PowerShell/Python Investigation Example 121
Enable PowerShell Remoting 122
Gathering and Analyzing Remote Evidence 126
Invoking Remote Access 130
Building a PowerShell Script for DnsCache Acquisition 131
Python Script and PowerShell CacheAquire Script 136
Overview of Client DNS Cache Acquisition and Search 144
Challenge Problem: Multiple Target Computer DNSCache Acquisition 144
Summary 145
Chapter 6: Launching Python from PowerShell 147
Reversing Roles from PowerShell to Python 147
Examine the PowerShell Script 148
Examine the Corresponding Python Script 149
Executing the Combined PowerShell to Python Scripts 150
Extracting Possible Proper Names from Text Documents 150
Examine the PowerShell Script 151
Examine the Corresponding Python ProperNames Script 153
Executing the Combined PowerShell to Python ProperNames Scripts 162
Extracting EXIF Data from Photographs 164
PowerShell Script 164
pyGeo.py Python Script 166
Executing the Combined PowerShell to Python exifxtract Scripts 177
Summary 178
Chapter 7: Loose Ends and Future Considerations 181
Loose Ends 181
Future Considerations 186
Summary 187
Appendix A: Challenge Problem Solutions 189
Chapter 1: Investigative CmdLets to Explore 190
Challenge One: Executing a “Find” Based on File Extension 190
Challenge Two: Examining Network Settings 192
Challenge Three: Examining Firewall Settings 193
Chapter 2: CmdLet Experimentation 194
Transcript of Commands and Responses 195
Chapter 3: Create File Inventory List with Hashes 203
Sample PowerShell Script Output 206
HTML Screenshots 206
Chapter 4: Perform Remote Script Execution 208
Example A: Acquire Remote Processes from PLUTO 209
Example B: Acquire Remote Services from PLUTO 210
Example C: Acquire Remote IP Configuration from PLUTO 211
Chapter 5: Multiple Target Computer DNSCache Acquisition 212
Index 213
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Development Editor: Laura Berendson
Coordinating Editor: Rita Fernando
Cover designed by eStudioCalamar
Cover image designed by Freepik (www.freepik.com)