Python Forensics Tutorial
Python Forensics Useful Resources
Selected Reading
- Implementation of Cloud
- Indicators of Compromise
- Forensics in Linux
- Memory & Forensics
- Multiprocessing Support
- Network Time Protocol
- Mobile Forensics
- Python Imaging Library
- Indexing
- Searching
- Dshell and Scapy
- Python Modules
- Network Forensics
- Virtualization
- Cracking an Encryption
- Hash Function
- Basic Forensic Application
- Overview of Python
- Installation of Python
- Introduction
- Home
Python Forensics Useful Resources
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
Dshell and Scapy
Python Forensics - Dshell and Scapy
DShell
Dshell is a Python-based network forensic analysis toolkit. This toolkit was developed by the US Army Research Laboratory. The release of this open source toolkit was in the year 2014. The major focus of this toolkit is to make forensic investigations with ease.
The toolkit consists of large number of decoders which are psted in the following table.
| Sr.No. | Decoder Name & Description |
|---|---|
| 1 | dns This is used to extract DNS related queries |
| 2 | reservedips Identifies the solutions for DNS problems |
| 3 | large-flows Listing of the netflows |
| 4 | rip-http It is used extract the files from the HTTP traffic |
| 5 | Protocols Used for identification of non-standard protocols |
The US Army Laboratory has maintained the clone repository in GitHub in the following pnk −
The clone consists of a script install-ubuntu.py () used for installation of this toolkit.
Once the installation is successful, it will automatically build the executables and dependencies that will be used later.
The dependencies are as follows −
dependencies = {
"Crypto": "crypto",
"dpkt": "dpkt",
"IPy": "ipy",
"pcap": "pypcap"
}
This toolkit can be used against the pcap (packet capture) files, which is usually recorded during the incidents or during the alert. These pcap files is either created by pbpcap on Linux platform or WinPcap on Windows platform.
Scapy
Scapy is a Python-based tool used to analyze and manipulate the network traffic. Following is the pnk for Scapy toolkit −
This toolkit is used to analyze packet manipulation. It is very capable to decode packets of a wide number of protocols and capture them. Scapy differs from the Dshell toolkit by providing a detailed description to the investigator about network traffic. These descriptions have been recorded in real time.
Scapy has the abipty to plot using third-party tools or OS fingerprinting.
Consider the following example.
import scapy, GeoIP #Imports scapy and GeoIP toolkit
from scapy import *
geoIp = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE) #locates the Geo IP address
def locatePackage(pkg):
src = pkg.getlayer(IP).src #gets source IP address
dst = pkg.getlayer(IP).dst #gets destination IP address
srcCountry = geoIp.country_code_by_addr(src) #gets Country details of source
dstCountry = geoIp.country_code_by_addr(dst) #gets country details of destination
print src+"("+srcCountry+") >> "+dst+"("+dstCountry+")
"
This script gives the detailed description of the country details in the network packet, who are communicating with each other.
The above script will produce the following output.
Advertisements