本章将解释调查员在Windows上进行取证分析时可以获得的其他工件.
Windows事件日志文件, name -suggests是一些特殊文件,用于存储重要事件,例如用户登录计算机,程序遇到错误,系统更改,RDP访问,应用程序特定事件等.网络调查员总是对事件日志信息感兴趣,因为它提供了关于系统访问的大量有用的历史信息.在下面的Python脚本中,我们将处理旧的和当前的Windows事件日志格式.
对于Python脚本,我们需要安装第三方模块,即 pytsk3,pyewf,unicodecsv ,pyevt和pyevt x.我们可以按照下面给出的步骤从事件日志中提取信息并减去;
首先,搜索所有事件日志匹配输入参数.
然后,执行文件签名验证.
现在,处理使用相应库找到的每个事件日志.
最后,将输出写入电子表格.
让我们看看如何将Python代码用于此目的 :
首先,导入以下Python库 :
from __future__ import print_function import argparse import unicodecsv as csv import os import pytsk3 import pyewf import pyevt import pyevtx import sys from utility.pytskutil import TSKUtil
现在,提供命令行处理程序的参数.请注意,这里它将接受三个参数 - 第一个是证据文件的路径,第二个是证据文件的类型,第三个是要处理的事件日志的名称.
if __name__ == "__main__":
parser = argparse.ArgumentParser('Information from Event Logs')
parser.add_argument("EVIDENCE_FILE", help = "Evidence file path")
parser.add_argument("TYPE", help = "Type of Evidence",choices = ("raw", "ewf"))
parser.add_argument(
"LOG_NAME",help = "Event Log Name (SecEvent.Evt, SysEvent.Evt, ""etc.)")
parser.add_argument(
"-d", help = "Event log directory to scan",default = "/WINDOWS/SYSTEM32/WINEVT")
parser.add_argument(
"-f", help = "Enable fuzzy search for either evt or"" evtx extension", action = "store_true")
args = parser.parse_args()
if os.path.exists(args.EVIDENCE_FILE) and \ os.path.isfile(args.EVIDENCE_FILE):
main(args.EVIDENCE_FILE, args.TYPE, args.LOG_NAME, args.d, args.f)
else:
print("[-] Supplied input file {} does not exist or is not a ""file".format(args.EVIDENCE_FILE))
sys.exit(1)现在,互动使用事件日志通过创建 TSKUtil 对象来查询用户提供的路径的存在.它可以在 main()方法的帮助下完成,如下所示 :
def main(evidence, image_type, log, win_event, fuzzy): tsk_util = TSKUtil(evidence, image_type) event_dir = tsk_util.query_directory(win_event) if event_dir is not None: if fuzzy is True: event_log = tsk_util.recurse_files(log, path=win_event) else: event_log = tsk_util.recurse_files(log, path=win_event, logic="equal") if event_log is not None: event_data = [] for hit in event_log: event_file = hit[2] temp_evt = write_file(event_file)
现在,我们需要执行签名验证,然后定义一个将整个内容写入当前目录的方法 :
def write_file(event_file):
with open(event_file.info.name.name, "w") as outfile:
outfile.write(event_file.read_random(0, event_file.info.meta.size))
return event_file.info.name.name
if pyevt.check_file_signature(temp_evt):
evt_log = pyevt.open(temp_evt)
print("[+] Identified {} records in {}".format(
evt_log.number_of_records, temp_evt))
for i, record in enumerate(evt_log.records):
strings = ""
for s in record.strings:
if s is not None:
strings += s + "\n"
event_data.append([
i, hit[0], record.computer_name,
record.user_security_identifier,
record.creation_time, record.written_time,
record.event_category, record.source_name,
record.event_identifier, record.event_type,
strings, "",
os.path.join(win_event, hit[1].lstrip("//"))
])
elif pyevtx.check_file_signature(temp_evt):
evtx_log = pyevtx.open(temp_evt)
print("[+] Identified {} records in {}".format(
evtx_log.number_of_records, temp_evt))
for i, record in enumerate(evtx_log.records):
strings = ""
for s in record.strings:
if s is not None:
strings += s + "\n"
event_data.append([
i, hit[0], record.computer_name,
record.user_security_identifier, "",
record.written_time, record.event_level,
record.source_name, record.event_identifier,
"", strings, record.xml_string,
os.path.join(win_event, hit[1].lstrip("//"))
])
else:
print("[-] {} not a valid event log. Removing temp" file...".format(temp_evt))
os.remove(temp_evt)
continue
write_output(event_data)
else:
print("[-] {} Event log not found in {} directory".format(log, win_event))
sys.exit(3)
else:
print("[-] Win XP Event Log Directory {} not found".format(win_event))
sys.exit(2)最后,定义一个写输出的方法到电子表格如下 :
def write_output(data):
output_name = "parsed_event_logs.csv"
print("[+] Writing {} to current working directory: {}".format(
output_name, os.getcwd()))
with open(output_name, "wb") as outfile:
writer = csv.writer(outfile)
writer.writerow([
"Index", "File name", "Computer Name", "SID",
"Event Create Date", "Event Written Date",
"Event Category/Level", "Event Source", "Event ID",
"Event Type", "Data", "XML Data", "File Path"
])
writer.writerows(data)成功运行上述脚本后,我们将在电子表格中获取事件信息.
互联网历史对法医分析师非常有用;因为大多数网络犯罪只发生在互联网上.让我们看看如何从Internet Explorer中提取Internet历史记录,因为我们讨论的是Windows取证,而Windows默认使用Internet Explorer.
在Internet Explorer上,Internet历史记录保存在 index.dat 文件.让我们看一下Python脚本,它将从 index.dat 文件中提取信息.
我们可以按照下面给出的步骤从
首先,搜索 index.dat 系统中的文件.
然后,通过遍历它们从该文件中提取信息.
现在,将所有这些信息写入CSV报告.
让我们看看如何将Python代码用于此目的 :
首先,导入以下Python库 :
from __future__ import print_function import argparse from datetime import datetime, timedelta import os import pytsk3 import pyewf import pymsiecf import sys import unicodecsv as csv from utility.pytskutil import TSKUtil
现在,为命令行处理程序提供参数.请注意,这里它将接受两个参数 - 第一个是证据文件的路径,第二个是证据文件的类型 :
if __name__ == "__main__":
parser = argparse.ArgumentParser('getting information from internet history')
parser.add_argument("EVIDENCE_FILE", help = "Evidence file path")
parser.add_argument("TYPE", help = "Type of Evidence",choices = ("raw", "ewf"))
parser.add_argument("-d", help = "Index.dat directory to scan",default = "/USERS")
args = parser.parse_args()
if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(args.EVIDENCE_FILE):
main(args.EVIDENCE_FILE, args.TYPE, args.d)
else:
print("[-] Supplied input file {} does not exist or is not a ""file".format(args.EVIDENCE_FILE))
sys.exit(1)现在,通过创建的对象来解释证据文件TSKUtil 并迭代粗略的文件系统找到index.dat文件.可以通过定义 main()函数来完成,如下所示 :
def main(evidence, image_type, path):
tsk_util = TSKUtil(evidence, image_type)
index_dir = tsk_util.query_directory(path)
if index_dir is not None:
index_files = tsk_util.recurse_files("index.dat", path = path,logic = "equal")
if index_files is not None:
print("[+] Identified {} potential index.dat files".format(len(index_files)))
index_data = []
for hit in index_files:
index_file = hit[2]
temp_index = write_file(index_file)现在,定义一个函数,借助它我们可以将index.dat文件的信息复制到当前工作目录,稍后可以处理它们由第三方模块 :
def write_file(index_file): with open(index_file.info.name.name, "w") as outfile: outfile.write(index_file.read_random(0, index_file.info.meta.size)) return index_file.info.name.name
现在,使用以下代码在内置函数的帮助下执行签名验证,即 check_file_signature() :
if pymsiecf.check_file_signature(temp_index):
index_dat = pymsiecf.open(temp_index)
print("[+] Identified {} records in {}".format(
index_dat.number_of_items, temp_index))
for i, record in enumerate(index_dat.items):
try:
data = record.data
if data is not None:
data = data.rstrip("\x00")
except AttributeError:
if isinstance(record, pymsiecf.redirected):
index_data.append([
i, temp_index, "", "", "", "", "",record.location, "", "", record.offset,os.path.join(path, hit[1].lstrip("//"))])
elif isinstance(record, pymsiecf.leak):
index_data.append([
i, temp_index, record.filename, "","", "", "", "", "", "", record.offset,os.path.join(path, hit[1].lstrip("//"))])
continue
index_data.append([
i, temp_index, record.filename,
record.type, record.primary_time,
record.secondary_time,
record.last_checked_time, record.location,
record.number_of_hits, data, record.offset,
os.path.join(path, hit[1].lstrip("//"))
])
else:
print("[-] {} not a valid index.dat file. Removing "
"temp file..".format(temp_index))
os.remove("index.dat")
continue
os.remove("index.dat")
write_output(index_data)
else:
print("[-] Index.dat files not found in {} directory".format(path))
sys.exit(3)
else:
print("[-] Directory {} not found".format(win_event))
sys.exit(2)现在,定义一个将输出打印在CSV文件中的方法,如下所示 :
def write_output(data):
output_name = "Internet_Indexdat_Summary_Report.csv"
print("[+] Writing {} with {} parsed index.dat files to current "
"working directory: {}".format(output_name, len(data),os.getcwd()))
with open(output_name, "wb") as outfile:
writer = csv.writer(outfile)
writer.writerow(["Index", "File Name", "Record Name",
"Record Type", "Primary Date", "Secondary Date",
"Last Checked Date", "Location", "No. of Hits",
"Record Data", "Record Offset", "File Path"])
writer.writerows(data)运行上面的脚本后,我们将从CSV文件中的index.dat文件中获取信息.
卷影副本是Windows中包含的用于手动或自动获取计算机文件备份副本或快照的技术.它也称为卷快照服务或卷影服务(VSS).
借助这些VSS文件法医专家可以获得一些关于系统如何随时间变化以及计算机上存在哪些文件的历史信息.卷影复制技术要求文件系统为NTFS以创建和存储卷影副本.
在本节中,我们将看到一个Python脚本,它有助于访问取证图像中存在的任何卷影副本.
对于Python脚本,我们需要安装第三方模块即 pytsk3,pyewf,unicodecsv,p yvshadow 和 vss .我们可以按照下面给出的步骤从VSS文件中提取信息
首先,访问原始图像的卷并识别所有NTFS分区.
然后,通过遍历它们从该卷影副本中提取信息.
现在,我们需要在快照中创建数据的文件列表.
让我们看看如何将Python代码用于此目的 :
首先,导入以下Python库 :
from __future__ import print_function import argparse from datetime import datetime, timedelta import os import pytsk3 import pyewf import pyvshadow import sys import unicodecsv as csv from utility import vss from utility.pytskutil import TSKUtil
现在,提供争论用于命令行处理程序.这里它将接受两个参数 - 第一个是证据文件的路径,第二个是输出文件.
if __name__ == "__main__":
parser = argparse.ArgumentParser('Parsing Shadow Copies')
parser.add_argument("EVIDENCE_FILE", help = "Evidence file path")
parser.add_argument("OUTPUT_CSV", help = "Output CSV with VSS file listing")
args = parser.parse_args()现在,验证输入文件路径的存在并分离输出文件中的目录.
directory = os.path.dirname(args.OUTPUT_CSV)
if not os.path.exists(directory) and directory != "":
os.makedirs(directory)
if os.path.exists(args.EVIDENCE_FILE) and \ os.path.isfile(args.EVIDENCE_FILE):
main(args.EVIDENCE_FILE, args.OUTPUT_CSV)
else:
print("[-] Supplied input file {} does not exist or is not a "
"file".format(args.EVIDENCE_FILE))
sys.exit(1)现在,通过创建与证据文件的卷进行交互TSKUtil 对象.它可以在 main()方法的帮助下完成,如下所示 :
def main(evidence, output):
tsk_util = TSKUtil(evidence, "raw")
img_vol = tsk_util.return_vol()
if img_vol is not None:
for part in img_vol:
if tsk_util.detect_ntfs(img_vol, part):
print("Exploring NTFS Partition for VSS")
explore_vss(evidence, part.start * img_vol.info.block_size,output)
else:
print("[-] Must be a physical preservation to be compatible ""with this script")
sys.exit(2)现在,定义一个探索解析后的卷影文件的方法,如下所示;
def explore_vss(evidence, part_offset, output):
vss_volume = pyvshadow.volume()
vss_handle = vss.VShadowVolume(evidence, part_offset)
vss_count = vss.GetVssStoreCount(evidence, part_offset)
if vss_count > 0:
vss_volume.open_file_object(vss_handle)
vss_data = []
for x in range(vss_count):
print("Gathering data for VSC {} of {}".format(x, vss_count))
vss_store = vss_volume.get_store(x)
image = vss.VShadowImgInfo(vss_store)
vss_data.append(pytskutil.openVSSFS(image, x))
write_csv(vss_data, output)最后,定义在电子表格中写入结果的方法跟随 :
def write_csv(data, output):
if data == []:
print("[-] No output results to write")
sys.exit(3)
print("[+] Writing output to {}".format(output))
if os.path.exists(output):
append = True
with open(output, "ab") as csvfile:
csv_writer = csv.writer(csvfile)
headers = ["VSS", "File", "File Ext", "File Type", "Create Date",
"Modify Date", "Change Date", "Size", "File Path"]
if not append:
csv_writer.writerow(headers)
for result_list in data:
csv_writer.writerows(result_list)成功运行此Python脚本后,我们会将驻留在VSS中的信息放入电子表格中.
