We want to take this time to recap what we have covered so far in this series on Python and Python forensics. We had a few goals in mind when starting the series. First, we wanted to introduce what Python is and what it can do. For many this may be old news, but some may not have heard the word Python before or known what it can do. Second, we wanted to point readers toward a good resource for learning Python, namely Corey Schafer's tutorials. We did not, and do not, want to reinvent the wheel: if it isn't broke, don't fix it. We use code found across the internet, and if it does not work, we tweak it until it does. We plan to move forward in this series and keep building on the code we have started.
We completed an introduction in “Where Should I Start”, where we listed and linked to the Python interpreter (which is free, by the way) and gave resources, with links, for learning Python. We then moved into extracting information from a live Windows system in “One step at a time”. The next step, in “Onward and Upwards”, was to create a file and write the collected information to it. In “Shooting for the Stars” we looked further into the drives, to see whether each drive letter belonged to a physical drive or a network drive. We ran our code on a system that had both physical and network drives attached. The following is what was returned to our text file:
(u'DRIVE0', u' 769TC0OET')
(u'DRIVE1', u' B9E7B7654321')
(u'DROM0', None)
(u'Drive Letter: A:', 'HD Size: 2722427301888', 'Free: 1136190230528')
Network Drive: True
(u'Drive Letter: B:', 'HD Size: 2722427301888', 'Free: 1136190230528')
Network Drive: True
(u'Drive Letter: C:', 'HD Size: 478421184512', 'Free: 388283899904')
Network Drive: False
(u'Drive Letter: D:', 'HD Size: 500088438784', 'Free: 375198973952')
Network Drive: False
(u'Drive Letter: E:', 'HD Size: None', 'Free: None')
Network Drive: False
(u'Drive Letter: X:', 'HD Size: None', 'Free: None')
Network Drive: True
We can see that our code now tells us which drive letters are assigned, whether each one is a network drive, its size, and its free space. (Size and free space are in bytes, and come back as None where Windows could not report a figure for that letter; the parenthesised lines are simply how Python 2 prints print(a, b), as a tuple.) Last but not least, we ended on “Sucking it all in”, where we continued building on our Python code to extract further information from the live system, for future reference and documentation purposes. What we added to our code collects the information below:
Installed OS: Windows
OS Version: 7
OS Build: 6.1.7601
Current Dir: D:\myPython
Machine Type: AMD64
Processor: Intel64 Family 6 Model 78 Stepping 3, Genuine Intel
RAM Total: 8471973888
Current User Name: cmullis
Computer Name: LR6X01671
We are far from done with this series; we will continue building on this code and collecting further and deeper intel from a live system. We will move on to collecting typed URLs and keywords from Internet Explorer, aka IE (deprecated but still used by some), as well as Google Chrome. In future article(s) we will decrypt the accounts and passwords stored by Google Chrome. So stick with us and we will build together a great tool that just might solve that next crime for you, all with a free tool called Python.
If you have been with us from the start, then your Python code should now look something like this:
# What modules will we be calling upon?
# We need to import them to have access to them within the code
from __future__ import print_function   # lets print(..., file=out) work on Python 2 as well as 3
import os
import platform
import getpass
import socket
import wmi                           # pip install wmi (sits on top of pywin32)
import win32file                     # part of pywin32
from psutil import virtual_memory    # pip install psutil

# Variables
pr = platform.release()        # e.g. '7'
ps = platform.system()         # e.g. 'Windows'
build = platform.version()     # e.g. '6.1.7601'
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
cdir = os.getcwd()

# Lets open our text file in the same location as our python script.
# On a live evidence machine, point this path at your own removable media
# rather than the suspect's drive, so the collection does not write to the evidence.
# Writing through a file handle (instead of replacing sys.stdout) keeps the
# console free for error messages, and the "with" block closes the file for us.
w = wmi.WMI()
with open("HDserial.txt", "w") as out:
    # what are we writing to file?
    # the hard drive serial numbers, as called below
    for hdSerialnum in w.Win32_PhysicalMedia():
        # Tag looks like \\.\PHYSICALDRIVE0 or \\.\CDROM0. Note that
        # Tag.strip("\\.\\PHYSICAL") strips a *set* of characters, not a prefix,
        # which is why CDROM0 showed up as "DROM0" in the earlier output;
        # slicing off the "\\.\" prefix keeps the whole device name.
        tag = hdSerialnum.Tag
        if tag.startswith("\\\\.\\"):
            tag = tag[4:]
        # SerialNumber is None for optical drives and is often padded with spaces
        serial = hdSerialnum.SerialNumber
        print(tag, serial.strip() if serial else None, file=out)
    # Add a line space
    print("", file=out)

    # Lets print out the drive assigned letters, size, free space, and if network or not
    for drive in w.Win32_LogicalDisk():
        # Size and FreeSpace come back as strings (bytes), or None when no medium is present
        print("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size),
              "Free: " + str(drive.FreeSpace), file=out)
        # GetDriveType expects a root path with a trailing backslash, e.g. "C:\".
        # (Win32_LogicalDisk.DriveType == 4 gives the same answer without win32file.)
        isNetworkDrive = win32file.GetDriveType(drive.Caption + "\\") == win32file.DRIVE_REMOTE
        print("Network Drive: " + str(isNetworkDrive), file=out)
    # Add a line space
    print("", file=out)

    # Lets call upon our variables we created above and add some text for readability later
    print("Installed OS: " + ps + '\n' + "OS Version: " + pr + '\n' + "OS Build: " + build + '\n' +
          "Current Dir: " + cdir + '\n' + "Machine Type: " + mType + '\n' + "Processor: " +
          pType + '\n' + "RAM Total: " + str(mem.total) + '\n' + "Current User Name: "
          + username + '\n' + "Computer Name: " + hostname + '\n', file=out)
# leaving the "with" block closes our text doc, as we are done with it
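The collection script above only runs on Windows with the wmi and pywin32 modules installed, which makes its formatting logic awkward to check. As an added example (not code from the article), here is the report-building half split out from the WMI loop so it can run and be tested on any machine. The sample rows are constructed to match the shape of Win32_PhysicalMedia and Win32_LogicalDisk records; on a Windows host you would build the same dictionaries from the wmi results, as the comment under __main__ sketches. It also goes one step beyond the article by mapping every documented Win32_LogicalDisk.DriveType value rather than only network-or-not, and it shows why str.strip() is the wrong tool for removing the \\.\PHYSICAL prefix from a Tag.

```python
"""Added example, not the article's code: the report-formatting half of the
collector, separated from the WMI loop so the logic can run on any machine.
The sample records below are constructed to look like Win32_PhysicalMedia and
Win32_LogicalDisk rows; on Windows you would build the same dicts from
wmi.WMI() results (see the comment under __main__)."""

# Win32_LogicalDisk.DriveType values as documented by Microsoft.
DRIVE_TYPES = {
    0: "Unknown",
    1: "No Root Directory",
    2: "Removable Disk",
    3: "Local Disk",
    4: "Network Drive",
    5: "Compact Disc",
    6: "RAM Disk",
}

DEVICE_PREFIX = "\\\\.\\"                      # the \\.\ that starts every Tag
PHYSICAL_PREFIX = DEVICE_PREFIX + "PHYSICAL"   # \\.\PHYSICALDRIVE0, ...


def short_tag(tag):
    r"""'\\.\PHYSICALDRIVE0' -> 'DRIVE0', '\\.\CDROM0' -> 'CDROM0'.

    str.strip(chars) removes any run of the *characters* in chars from both
    ends, so the article's Tag.strip("\\.\\PHYSICAL") turns '\\.\CDROM0' into
    'DROM0' (the leading C is in the set).  Test for the prefix instead.
    """
    if tag.startswith(PHYSICAL_PREFIX):
        return tag[len(PHYSICAL_PREFIX):]
    if tag.startswith(DEVICE_PREFIX):
        return tag[len(DEVICE_PREFIX):]
    return tag


def clean_serial(serial):
    """SerialNumber is None for optical drives and is usually padded with
    spaces on ATA disks; normalise it for the report."""
    if not serial:
        return None
    return serial.strip()


def gib(value):
    """Size/FreeSpace arrive as decimal strings, or None when Windows has no
    figure for that letter (empty removable slot, unreachable share)."""
    if value is None:
        return "n/a"
    return "%.1f GiB" % (int(value) / float(1024 ** 3))


def physical_media_lines(records):
    """One report line per Win32_PhysicalMedia-shaped dict (keys Tag, SerialNumber)."""
    return ["%s serial: %s" % (short_tag(r["Tag"]), clean_serial(r.get("SerialNumber")))
            for r in records]


def logical_disk_lines(records):
    """Two report lines per Win32_LogicalDisk-shaped dict (keys Caption,
    DriveType, Size, FreeSpace), following the article's layout."""
    lines = []
    for r in records:
        drive_type = r.get("DriveType")
        lines.append("Drive Letter: %s  Type: %s  HD Size: %s  Free: %s" % (
            r["Caption"], DRIVE_TYPES.get(drive_type, "Unknown"),
            gib(r.get("Size")), gib(r.get("FreeSpace"))))
        lines.append("Network Drive: %s" % (drive_type == 4))
    return lines


# Constructed sample rows (not captured from a real host).
SAMPLE_PHYSICAL_MEDIA = [
    {"Tag": "\\\\.\\PHYSICALDRIVE0", "SerialNumber": "      769TC0OET"},
    {"Tag": "\\\\.\\CDROM0", "SerialNumber": None},
]
SAMPLE_LOGICAL_DISKS = [
    {"Caption": "C:", "DriveType": 3, "Size": "478421184512", "FreeSpace": "388283899904"},
    {"Caption": "E:", "DriveType": 2, "Size": None, "FreeSpace": None},
    {"Caption": "X:", "DriveType": 4, "Size": "2722427301888", "FreeSpace": "1136190230528"},
]


def build_report(physical=SAMPLE_PHYSICAL_MEDIA, logical=SAMPLE_LOGICAL_DISKS):
    """Whole report as a list of lines, with a blank line between the sections."""
    return physical_media_lines(physical) + [""] + logical_disk_lines(logical)


if __name__ == "__main__":
    # On Windows, feed real rows in instead of the samples, e.g.
    #   import wmi; w = wmi.WMI()
    #   physical = [{"Tag": m.Tag, "SerialNumber": m.SerialNumber}
    #               for m in w.Win32_PhysicalMedia()]
    #   logical = [{"Caption": d.Caption, "DriveType": d.DriveType,
    #               "Size": d.Size, "FreeSpace": d.FreeSpace}
    #              for d in w.Win32_LogicalDisk()]
    print("\n".join(build_report()))
```

Keeping the formatting in plain functions that take plain dictionaries means the part of the tool most likely to contain a typo can be checked on the examiner's workstation, and the Windows-only collection loop stays a thin wrapper around it.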
We have covered many things so far, and as you can see we will be covering much more in the future. So stick with us, and if you have a better way, please share it so that we all may learn together. Happy coding, and until next time, keep learning!
Author - Emory Casey Mullis has been in law enforcement for roughly 20-plus years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was top of the line and cost about $2,000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and of the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now, with many cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats in order to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!