Forensic Blogs

An aggregator for digital forensics blogs

December 27, 2015 by ramslack

Year of Python (YOP) – Week Fifty Two

Hello Readers!

Well, I finally made it…the last post of the year.  I have to say I didn’t think I would be able to make my deadline every week, much less through the entire year.  And with the exception of one week (which screwed me up because of a time change), I managed to pull it off.

So here we have the last script of the year.  This again is another simple script I created.  Most of the time (like I’m sure a lot of forensic examiners do), I like to take the memory images I create and run strings against them to pull out all the text in the raw file (I use the Sleuth Kit srch_strings command specifically).  From there I’ll end up running it through grep for possible keywords of interest.

However, there are times when I’m on a Windows box where I can’t do that as easily.  Yes, I could install Unix tools on Windows, but then I wouldn’t be able to write something in Python, would I?

What I do with this script is feed in the memory image string file as the input, and then it prompts me for the search term.  Then it goes through the text file and returns each search hit along with its line number in the file.  I wanted it to include the line number so that if there’s something interesting I want to look at further, I can open the file in a text editor and look at what may be around it.  Of course, sometimes the text file is too big for a standard text editor, but at least I have a starting point.
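The search described above, as an added Python 3 example rather than the YOP script itself: it streams through a strings dump, returns the 1-based line number of every hit, and keeps a few lines of context around each one so the neighbourhood can be checked without opening a file too large for an editor. The sample lines and the function name are constructed for this example.

```python
from collections import deque

# Constructed sample: a few lines as srch_strings would emit them from a memory
# image (not real evidence data).
SAMPLE_STRINGS = r"""MZ
This program cannot be run in DOS mode
Mozilla/5.0 (Windows NT 6.1)
https://example.com/login?user=alice
C:\Users\alice\Documents\report.docx
powershell.exe -File C:\scripts\backup.ps1
GET /index.html HTTP/1.1
"""

def search_strings(lines, term, ignore_case=True, context=2):
    """Stream over `lines` and return the hits for `term`.

    Each hit is a dict with the 1-based line number (what a text editor shows),
    the matching line, and up to `context` lines before and after it, so the
    surroundings are visible without loading a dump too big for an editor."""
    needle = term.lower() if ignore_case else term
    before = deque(maxlen=context)   # rolling window of preceding lines
    hits, pending = [], []           # pending: hits still collecting "after" lines
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        for hit in pending:
            hit["after"].append(line)
        pending = [h for h in pending if len(h["after"]) < context]
        hay = line.lower() if ignore_case else line
        if needle in hay:
            hit = {"line_no": number, "line": line,
                   "before": list(before), "after": []}
            hits.append(hit)
            if context:
                pending.append(hit)
        before.append(line)
    return hits

if __name__ == "__main__":
    import sys
    # usage: search_strings.py <strings output file>; the term is prompted for,
    # as in the post. errors="replace" keeps odd bytes from aborting the read.
    term = input("Search term: ")
    with open(sys.argv[1], errors="replace") as fh:
        for hit in search_strings(fh, term):
            for extra in hit["before"]:
                print("    {}".format(extra))
            print("{}: {}".format(hit["line_no"], hit["line"]))
            for extra in hit["after"]:
                print("    {}".format(extra))
```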

Now where do I go from here?  Well, I’m planning on continuing to write code.  I’m going to take some of the scripts I’ve used over the last year and expand them out.  One of them is a case management system, something I’ve wanted to write for a while.  Now that I’m not on a weekly schedule I can take more time to write code.  I’m also planning on putting together a presentation on my experiences over the last year, which I’ll probably submit to one or two conferences.

I’ll end this last one not by saying until next week, but Keep Coding!

https://github.com/CdtDelta/YOP


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner. Filed under: Digital Forensics. Tagged with: Uncategorized.

December 20, 2015 by ramslack

Year of Python (YOP) – Week Fifty One

Hello reader!

This week we continue working with the Windows DNS script from last week.  The next step in my process was the ability to search the data.  Now in my case, I’m only interested in two fields, the Remote IP field and the Question Name field.

Mind you, this is designed around the script from Week 50, so it makes assumptions about the table name in the database.

All I’m doing this week with the script is loading the database and then asking the user what they want to look for (IP or DNS name).  Depending on their choice, I run a specific function with the appropriate search term and print the rows with the results.

The one caveat with DNS search terms is that the term has to end with a period.  That’s how the names are stored in the database, so if the period isn’t there you won’t get any results.

Of course for anyone who would like to tailor this script to their needs, you can modify the functions to only return the fields from each row that you are actually concerned with.

Until next week!

https://github.com/CdtDelta/YOP


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner. Filed under: Digital Forensics. Tagged with: Uncategorized.

December 13, 2015 by ramslack

Year of Python (YOP) – Week Fifty

Hello Reader!

This week we’re going back and revisiting my Windows DNS script from a couple of weeks ago.  What I had planned to do when I first wrote the script was to add the ability to write it all to a SQLite database.  After that I’m going to make a script that will let me search for data within the database.

So the main difference between this script and the previous version is one section:

import os
import sqlite3

# args (the parsed command-line options) and dns_record_parse() are defined
# earlier in the script; only the new database section is shown here.
if os.path.isfile(args.output_file):
    print("{} exists...".format(args.output_file))
else:
    db_connect = sqlite3.connect(args.output_file)
    dns_db = db_connect.cursor()
    # create table: one text column per field returned by dns_record_parse()
    dns_db.execute("CREATE TABLE dns_record (ID INTEGER PRIMARY KEY AUTOINCREMENT, "
                   "dns_date text, dns_time text, dns_am_pm text, dns_thread text, "
                   "dns_context text, dns_ipi text, dns_udp_tcp text, dns_send_recv text, "
                   "dns_ip text, dns_xid text, dns_query text, dns_opcode text, "
                   "dns_flagsh text, dns_flagsc text, dns_response text, "
                   "dns_ques_t text, dns_ques_n text);")
    with open(args.backup_file, "r") as new_file:
        for line in new_file:
            try:
                dns_record = dns_record_parse(line)
                # NULL lets SQLite assign the autoincrement ID; the remaining 17
                # placeholders are bound to the parsed fields
                dns_db.execute("insert into dns_record values(NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);",
                               (dns_record[0], dns_record[1], dns_record[2], dns_record[3],
                                dns_record[4], dns_record[5], dns_record[6], dns_record[7],
                                dns_record[8], dns_record[9], dns_record[10], dns_record[11],
                                dns_record[12], str(dns_record[13]), dns_record[14],
                                dns_record[15], dns_record[16]))
                db_connect.commit()
            except Exception as e:
                # report the offending line rather than dns_record, which is
                # unset (or stale from the previous line) when the parse failed
                print("{}: {}".format(e, line.rstrip()))
                continue

What we’re doing here is checking whether the SQLite database already exists; if it doesn’t, we create it and set up the table that will store the data.

Once that part is done, we read the DNS log file line by line and insert each parsed record into the database.  If a line can’t be parsed or inserted, we print the error and move on to the next line.
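The table layout from this week and the IP / DNS-name search from Week 51, as one added Python 3 example that is not the YOP script itself: it creates the same dns_record columns in an in-memory SQLite database, loads constructed sample rows, and searches by Remote IP or Question Name with bound parameters, appending the trailing period the Week 51 post warns about when it was left off. Function names and sample values are assumptions made for this example.

```python
import sqlite3

# Column order from the Week 50 CREATE TABLE, minus the autoincrement ID.
COLUMNS = ("dns_date", "dns_time", "dns_am_pm", "dns_thread", "dns_context",
           "dns_ipi", "dns_udp_tcp", "dns_send_recv", "dns_ip", "dns_xid",
           "dns_query", "dns_opcode", "dns_flagsh", "dns_flagsc",
           "dns_response", "dns_ques_t", "dns_ques_n")
# Constructed sample rows in that column order (not real log data).
SAMPLE_RECORDS = [
    ("12/13/2015", "10:15:22", "AM", "0B2C", "PACKET", "00000000001A2B3C", "UDP",
     "Rcv", "192.168.1.10", "0002", "", "Q", "0001", "D", "NOERROR", "A",
     "www.example.com."),
    ("12/13/2015", "10:15:22", "AM", "0B2C", "PACKET", "00000000001A2B3C", "UDP",
     "Snd", "192.168.1.10", "0002", "R", "Q", "8081", "DR", "NOERROR", "A",
     "www.example.com."),
    ("12/13/2015", "10:16:05", "AM", "0B2C", "PACKET", "00000000001A2B3C", "UDP",
     "Rcv", "192.168.1.22", "0003", "", "Q", "0001", "D", "NOERROR", "A",
     "update.example.net."),
]

def create_db(path=":memory:"):
    # Open (or create) the database and make sure the Week 50 table exists.
    conn = sqlite3.connect(path)
    cols = ", ".join(c + " text" for c in COLUMNS)
    conn.execute("CREATE TABLE IF NOT EXISTS dns_record "
                 "(ID INTEGER PRIMARY KEY AUTOINCREMENT, {})".format(cols))
    return conn

def load_records(conn, records):
    # One transaction for the whole file; NULL lets SQLite assign the ID.
    marks = ", ".join("?" * len(COLUMNS))
    conn.executemany("INSERT INTO dns_record VALUES (NULL, {})".format(marks), records)
    conn.commit()

def search_by_ip(conn, ip):
    # Remote IP match; the value is bound as a parameter, never pasted into SQL.
    sql = ("SELECT ID, dns_date, dns_time, dns_am_pm, dns_send_recv, dns_ques_n "
           "FROM dns_record WHERE dns_ip = ?")
    return conn.execute(sql, (ip,)).fetchall()

def search_by_name(conn, name):
    # Names are stored fully qualified with a trailing period (the Week 51
    # caveat), so add it if the examiner left it off; DNS names are
    # case-insensitive, so compare with NOCASE.
    if not name.endswith("."):
        name += "."
    sql = ("SELECT ID, dns_date, dns_time, dns_am_pm, dns_ip, dns_send_recv "
           "FROM dns_record WHERE dns_ques_n = ? COLLATE NOCASE")
    return conn.execute(sql, (name,)).fetchall()
```

Pointing create_db at the file the Week 50 script wrote lets the two search functions run against the real database instead of the in-memory sample.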

Until next week!

https://github.com/CdtDelta/YOP


Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner. Filed under: Digital Forensics. Tagged with: Uncategorized.


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.
