- Learning by doing
- Trainers with practical experience
- Classroom training
- Detailed course material
- Clear content description
- Tailor-made content possible
- Training guaranteed to proceed
- Small groups
In the course Python Forensics the participants learn to use the Python programming language to investigate data on desktop computers and mobile devices and to analyse message traffic in support of investigations.
The course focuses on the examination and analysis of the data present on devices in file systems, browsers, log files and other data sources.
The course starts with the fundamentals of the Python programming language: data types, control flow, classes, modules, packages and comprehensions. Python libraries that matter in criminal investigations are also covered, such as the regular expression library for pattern matching, the logging library and the date and time library.
Subsequently extensive attention is paid to accessing the file system and analysing files. Special topics are the creation of artifact reports and the hashing of data streams.
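The following script is an added example written for this page; it is not course material. It shows what the file-analysis topics above amount to in practice: walking a directory, recording attributes and MAC timestamps, hashing each file's content in chunks (so a large image never has to fit in memory) and writing the result as a CSV artifact report. The directory tree it examines is constructed in a temporary folder, so it runs offline; the field names of the report are this example's own choice.

```python
"""Added example (not course material): walk a directory, record file attributes and
timestamps, hash each file's content in chunks and write a CSV artifact report.
The directory tree is constructed in a temporary folder so the script runs offline."""
import csv
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024  # chunked reads: a multi-GB file never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash an open binary stream in one pass, feeding every requested digest per chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper: hash an in-memory byte string through the same stream path."""
    return hash_stream(io.BytesIO(data), algorithms)


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_artifacts(root):
    """One record per regular file under root: relative path, size, mode, MAC times, hashes."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are not hashed here
            # stat BEFORE reading: our own read may update atime unless the
            # evidence is mounted read-only or noatime, so record the prior value.
            st = os.stat(path)
            with open(path, "rb") as fh:
                digests = hash_stream(fh)
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
                "mtime_utc": _utc(st.st_mtime),
                "atime_utc": _utc(st.st_atime),
                "ctime_utc": _utc(st.st_ctime),  # on Linux: inode change time, not creation time
                **digests,
            })
    return records


REPORT_FIELDS = ["path", "size", "mode", "mtime_utc", "atime_utc", "ctime_utc", "md5", "sha256"]


def write_report(records, out_path):
    """Write the artifact report as CSV so it can be reviewed or loaded into a spreadsheet."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=REPORT_FIELDS)
        writer.writeheader()
        writer.writerows(records)


def demo():
    """Build a small constructed tree, collect its artifacts and return (records, csv_text)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        with open(os.path.join(root, "Documents", "notes.txt"), "wb") as fh:
            fh.write(b"meeting at 10\n")
        with open(os.path.join(root, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        records = collect_artifacts(root)  # collected before the report file exists
        report = os.path.join(root, "artifacts.csv")
        write_report(records, report)
        with open(report, newline="") as fh:
            return records, fh.read()


if __name__ == "__main__":
    _, csv_text = demo()
    print(csv_text)
```

Two hashes are computed in the same pass because case files routinely ask for both MD5 (to match older hash sets) and SHA-256; running them per chunk costs one read of the evidence instead of two.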
The analysis of databases such as SQLite, identifying gaps in them (a sign of deleted records) and data recovery are also part of the course program. Furthermore it is discussed how location data can be derived from captured Wi-Fi traffic, and the analysis of web server logs is treated.
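What "identifying gaps in SQLite" means in practice, as an added example written for this page (not course material): rows that were deleted leave holes in the rowid sequence, and for AUTOINCREMENT tables the sqlite_sequence table still records the highest id ever issued, so rows deleted from the end of the table can be counted as well. The messages table is constructed in memory so the script runs offline.

```python
"""Added example (not course material): use rowid gaps and sqlite_sequence to
estimate which rows were deleted from a SQLite table. The messages table is
constructed in memory so the script runs offline."""
import sqlite3


def _table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def rowid_gaps(conn, table):
    """Return (missing_rowids, highest_present_rowid) for table.

    SQLite hands out rowids sequentially (max(rowid)+1, or higher with AUTOINCREMENT),
    so a hole inside the present range almost always marks a deleted row. The record's
    bytes may survive on a freelist page until overwritten; that is what carving recovers."""
    if not _table_exists(conn, table):
        raise ValueError(f"no such table: {table}")
    # Table names cannot be bound parameters; the name was just checked against
    # sqlite_master, and double-quoting keeps odd names from breaking the statement.
    quoted = '"' + table.replace('"', '""') + '"'
    present = [r[0] for r in conn.execute(f"SELECT rowid FROM {quoted} ORDER BY rowid")]
    if not present:
        return [], 0
    expected = range(present[0], present[-1] + 1)
    return sorted(set(expected) - set(present)), present[-1]


def highest_assigned_rowid(conn, table):
    """For AUTOINCREMENT tables, sqlite_sequence remembers the largest rowid ever
    issued, so rows deleted from the end of the table (no gap) are still detectable.
    Returns None when the table does not use AUTOINCREMENT."""
    if not _table_exists(conn, "sqlite_sequence"):
        return None
    row = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    return row[0] if row else None


def deleted_row_estimate(conn, table):
    """Combine both signals into one dict a report can consume."""
    gaps, highest_present = rowid_gaps(conn, table)
    highest_ever = highest_assigned_rowid(conn, table)
    trailing = []
    if highest_ever is not None and highest_ever > highest_present:
        trailing = list(range(highest_present + 1, highest_ever + 1))
    return {"gaps": gaps, "trailing": trailing, "estimated_deleted": len(gaps) + len(trailing)}


def demo():
    """Constructed stand-in for a chat app's messages database: ten messages, four deleted."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, sender TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [(f"user{i}", f"message {i}") for i in range(1, 11)],
    )
    conn.execute("DELETE FROM messages WHERE id IN (3, 4, 7, 10)")
    conn.commit()
    return deleted_row_estimate(conn, "messages")


if __name__ == "__main__":
    print(demo())
```

The gap count is a lead, not proof: an application that supplies its own INTEGER PRIMARY KEY values, a WITHOUT ROWID table, or a VACUUM on a table without an explicit INTEGER PRIMARY KEY (which may renumber rowids) all break the assumption. Work on a copy of the database file, never on the original evidence, and treat the freelist and any -wal/-journal files as the place where the deleted content itself may still be recoverable.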
The analysis of audio and video metadata and the mining of PDF and Office document metadata are also part of the course schedule. The Windows registry can also provide important information, and its analysis is discussed.
Finally attention is paid to the analysis of PST and OST mailboxes, the reading and analysis of EML files, and the detection and use of key loggers.
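As an added example for the EML part of that topic (written for this page, not course material), the script below parses a message with the standard library's email package: it extracts the sender, subject, date and Message-ID, walks the Received hop chain and pulls the IP literal each hop claims, and hashes every attachment. The sample message, its addresses and IPs are all constructed.

```python
"""Added example (not course material): parse an EML file with the standard
library, extract sender, subject, date, the Received hop chain with the IP each
hop claims, and hash any attachments. The message below is constructed."""
import hashlib
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (RFC 5322 headers, multipart body, one base64 attachment).
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.5])
 by mx.example.org with ESMTP id abc123;
 Tue, 05 Mar 2024 09:15:02 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
 by mail.example.net with ESMTPSA;
 Tue, 05 Mar 2024 09:14:58 +0000
From: "Alice" <alice@example.net>
To: bob@example.org
Subject: Invoice attached
Date: Tue, 05 Mar 2024 09:14:50 +0000
Message-ID: <20240305091450.1234@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.

--XYZ
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header_value):
    """Collapse header folding and pull the first bracketed IPv4 literal (the 'from' host)."""
    raw = " ".join(str(header_value).split())
    m = IPV4.search(raw)
    return {"raw": raw, "ip": m.group(1) if m else None}


def parse_eml(data):
    """Return a flat summary dict of one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(data)
    sender = msg["From"].addresses[0] if msg["From"] else None
    # Each MTA prepends its own Received header: index 0 is the hop closest to the
    # recipient, the last entry is the earliest hop that was recorded.
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # decodes base64/quoted-printable
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from_name": sender.display_name if sender else None,
        "from_addr": sender.addr_spec if sender else None,
        "to": str(msg["To"]) if msg["To"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "date": msg["Date"].datetime if msg["Date"] else None,
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "hops": hops,
        "body": body.get_content() if body else None,
        "attachments": attachments,
    }


if __name__ == "__main__":
    summary = parse_eml(SAMPLE_EML)
    for hop in summary["hops"]:
        print(hop["ip"], hop["raw"])
    print(summary["attachments"])
```

Only the Received headers added by mail servers you control (the top entries) can be trusted; everything below them, including the From line and the earlier hops, was under the sender's control and can be forged. Hashing attachments at parse time gives you a value to compare against malware hash sets before the file is ever opened.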
The course Python Forensics is designed for developers and analysts who want to learn how to use Python in criminal investigations in support of the legal process.
Prior knowledge of Python programming is not strictly required to participate in this course, but experience with Python is helpful for a good understanding.
The theory in the course Python Forensics is presented on the basis of slides. Illustrative demos clarify the concepts. Theory alternates with exercises. Course hours are from 9:30 to 16:30.
After successful completion of the course the participants receive an official Python Forensics certificate.
Module 1 : Python Essentials
- Python 2 versus Python 3
- Lines and Indentation
- Python Data Types
- Numbers and Strings
- Lists and Tuples
- Sets and Dictionaries
- Python Flow Control
- Comprehensions
- Functions
- Modules and Packages
- Exception Handling

Module 2 : Classes and Objects
- Python Object Orientation
- Creating Classes
- Class Members
- Creating and Using Objects
- Property Syntax
- Static Methods
- Encapsulation
- Inheritance and Polymorphism
- Constructor Chaining
- Overriding Methods
- Abstract Classes

Module 3 : Python Libraries
- Regular Expressions
- Logging
- Log Configuration
- Generators
- Unit Testing
- Dates and Times
- JSON Access
- XML Access
- Numpy Library
- Pandas Library
- Plotting

Module 4 : File Analysis
- File I/O
- Iterating over Files
- Recording File Attributes
- Copying Files
- Attributes and Timestamps
- Hashing Data Streams
- Creating Artifact Reports
- Working with CSVs
- Visualizing Events with Excel
- Parsing PLIST Files

Module 5 : DB and Mobile Data
- Database Access
- Python DB API
- Handling SQLite Databases
- Identifying Gaps in SQLite
- Logging Results
- Putting Wi-Fi on the Map
- Recovering Messages
- Log-Based Artifact Recipes
- Parsing IIS Web Logs
- Interpreting the daily.out Log

Module 6 : Extracting Metadata
- Audio and Video Metadata
- Mining for PDF Metadata
- Reviewing Executable Metadata
- Office Document Metadata
- Metadata Extractor with EnCase
- Networking Analysis
- Compromise Recipes
- Jump Start with IEF
- Taking Names Recipes
- Viewing MSG Files

Module 7 : Forensic Artifacts Recipes
- Forensic Evidence Recipes
- Opening Acquisitions
- Gathering Media Information
- Processing Container Files
- Searching for Hashes
- Searching High and Low
- Reading the Registry
- Gathering User Activity
- Parsing Prefetch Files
- Indexing Internet History
- Dissecting the SRUM Database

Module 8 : Parsing PST Containers
- Personal Storage Table
- PST and OST Mailboxes
- libpff and pypff
- Reading Emails
- Parsing EML Files
- Traversing Folders
- Summarizing Data
- Using HTML Templates
- Heat Map
- Word Statistics
- pffexport and pffinfo

Module 9 : Key Loggers
- Detecting Malicious Processes
- Hardware Keyloggers
- Software Keyloggers
- Monitoring Keyboard Events
- Capturing Screenshots
- Capturing Clipboard
- Monitoring Processes
- Multi Processing
- Keylogger Controllers
- Special Keys
- Non-English Keyboards