Forensic Investigations with Python
===

In February 2005, Wichita police forensic investigator Mr. Randy Stone unraveled the  nal clues of a 30-year-old mystery. A couple of days earlier, KSAS Television station had handed the police a 3.5”  floppy disk they had received from the infamous BTK (Bind, Torture, Kill) Killer. Responsible for at least 10 murders from 1974 to 1991, the BTK Killer eluded capture while repeatedly taunting the police and his victims. On February 16th, 2005, the BTK Killer sent the television station a 3.5” disk with communication instructions. Among these instructions, the disk contained a file named Test.A.rtf. (Regan, 2006). While the  file contained instructions from the BTK Killer, it also contained something else: metadata. Embedded in the Microsoft proprietary 
Rich Text Format (RTF), the  file contained the  first name of the BTK Killer and the physical location at which the user had last saved the  file.

This narrowed the investigation to a man named Denis at the local Wichita Christ Lutheran Church. Mr. Stone verified that a man named Denis Rader served as a church officier at the Lutheran Church (Regan, 2006). With this information, police requested a warrant for a DNA sample from the medical records of Denis Rader’s daughter (Shapiro, 2007). The DNA sample confirmed what Mr. Stone already knew—Denis Rader was the BTK Killer. A 31-year investigation that had exhausted 100,000 man hours ended with Mr. Stone’s examination of metadata (Regan, 2006).

RECOVER DELETED ITEMS
---


METADATA
---
Using PyPDF2 to Parse PDF Metadata
---
Let’s use Python to quickly recreate the forensic investigation of a document that proved useful in the arrest of a member of the hacker group Anonymous. 


In [14]:
# Row data information
from PyPDF2 import PdfFileReader
pdf_toread = PdfFileReader(open("../book/ch4.pdf", "rb"))
pdf_info = pdf_toread.getDocumentInfo()
print(str(pdf_info))

{'/Producer': 'Adobe PDF Library 9.9', '/doi': '10.1016/B978-1-59-749957-6.00004-1', '/CreationDate': "D:20121106094325+05'30'", '/ElsevierWebPDFSpecifications': '6.3', '/robots': 'noindex', '/ModDate': "D:20130605170429+05'30'", '/Title': 'Network Traffic Analysis with Python', '/Creator': 'Elsevier', '/Trapped': '/Unknown', '/Subject': 'Violent Python, First Edition (2013) 125-169. doi:10.1016/B978-1-59-749957-6.00004-1', '/Keywords': ''}


Not easy to read the dict-type data, use python to finalize the data:

```
Dict Type:
   data={key1:value1, key2:val2,...}
-> data[key1] = value1
```
Python solution:
```Python
   data = (dict type ...)
   for item in data:
       print('[+] ' + item + ':' + data[item])
                       ꜛ              ꜛ   
                      key           value
 ```      

In [1]:
import PyPDF2

from PyPDF2 import PdfFileReader


def printMeta(fileName):
    pdfFile = PdfFileReader(open(fileName, 'rb'))
    docInfo = pdfFile.getDocumentInfo()
    print('[*] PDF MetaData For: ' + str(fileName))
    for metaItem in docInfo:
        print('[+] ' + metaItem + ':' + docInfo[metaItem])


def pdfRead(fileName):
    """
    Usage:
    printRead(File)
    
    For example,
        pdfRead('../book/ch4.pdf')
    """    
    printMeta(fileName)    

In [19]:
help(pdfRead)

Help on function pdfRead in module __main__:

pdfRead(fileName)
    Usage:
    printRead(File)
    
    For example,
        pdfRead('../book/ch4.pdf')



In [2]:
#pdfRead('SeniorCitizens.pdf')
pdfRead('../book/ch4.pdf')

[*] PDF MetaData For: ../book/ch4.pdf
[+] /ModDate:D:20130605170429+05'30'
[+] /ElsevierWebPDFSpecifications:6.3
[+] /Trapped:/Unknown
[+] /robots:noindex
[+] /Creator:Elsevier
[+] /Subject:Violent Python, First Edition (2013) 125-169. doi:10.1016/B978-1-59-749957-6.00004-1
[+] /Title:Network Traffic Analysis with Python
[+] /Keywords:
[+] /CreationDate:D:20121106094325+05'30'
[+] /doi:10.1016/B978-1-59-749957-6.00004-1
[+] /Producer:Adobe PDF Library 9.9


Parsing Firefox Sqlite3 Databases
---
Firefox stores these databases in a default directory located at 

- Windows: `C:\Documents and Settings\<USER>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\`
- MacOS: `/Users/<USER>/Library/Application Support/Firefox/Profiles/<profile>/`
```
addons.sqlite		formhistory.sqlite	signons.sqlite
content-prefs.sqlite	healthreport.sqlite	webappsstore.sqlite
cookies.sqlite		permissions.sqlite
extensions.sqlite	places.sqlite
```

Parsing Firefox Sqlite3 Databases
---
Firefox stores these databases in a default directory located at 

- Windows: `C:\Documents and Settings\<USER>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\`
- MacOS: `/Users/<USER>/Library/Application Support/Firefox/Profiles/<profile>/`
```
addons.sqlite		formhistory.sqlite	signons.sqlite
content-prefs.sqlite	healthreport.sqlite	webappsstore.sqlite
cookies.sqlite		permissions.sqlite
extensions.sqlite	places.sqlite
```

Consider, for example, when a user logs onto a web-based email: if the browser could not maintain cookies, the user would have to log on in order to read every individual email. Firefox stores these cookies in a database named <font color="green">cookies.sqlite</font>. If an investigator can extract cookies and reuse them, it provides the opportunity to log on to resources that require authentication.
```

                                No
    |----------|   cookies? |-------->   log on to read mail
    | web-basd |  ----------|
    |  Email   |            |-------->   get data in cookies.sqlite to login automatically
    |----------|               Yes
    
    
    
```



Let’s write a quick Python script to extract cookies from a user under investigation. We connect to the database and execute our SELECT statement. In the database, the moz_cookies maintains the data regarding cookies. From the moz_cookies table in the cookies.sqlite database, we will query the column values for host, name, and cookie value, and print them to the screen.

Though the sqlite is created as binany, part of <font color="green">downloads.sqlite</font> should give the details of table what it owns:
```
...
CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)
...
```
i.e. the details of created table and its columns are listed as follows:
```
  Table
      moz_downloads
  Columns: type/value
      id: INTEGER (PRIMARY KEY),
      name: TEXT,
      source: TEXT,
      target: TEXT,
      tempPath: TEXT, 
      startTime: INTEGER, 
      endTime: INTEGER, 
      state: INTEGER, 
      referrer: TEXT,
      entityID TEXT,
      currBytes INTEGER NOT NULL DEFAULT 0, 
      maxBytes INTEGER NOT NULL DEFAULT -1, 
      mimeType TEXT, 
      preferredApplication TEXT, 
      preferredAction INTEGER NOT NULL DEFAULT 0, 
      autoResume INTEGER NOT NULL DEFAULT 0
```      

Investingate the Sqlite Data
---
- use `Sqlite` library:
```
shell> sqlite3 cookies.sqlite
SQLite version 3.13.0 2016-05-18 10:57:30
Enter ".help" for usage hints.
sqlite> select * from moz_cookies;
1|google.com||__utma|29003808.1143615086.1386662234.1386662234.1386662234.1|.mail.google.com|/intl/|1449734236|1386662236729073|1386662233628573|0|0|0|0
2|google.com||__utmb|29003808.2.9.1386662236726|.mail.google.com|/intl/|1386664036|1386662236729451|1386662233628903|0|0|0|0
...
```
- by Pyhon's sqlite3 library as follows:

In [1]:
import sqlite3

def printDownloads(downloadDB):
    conn = sqlite3.connect(downloadDB)
    c = conn.cursor()
    c.execute('SELECT name, source, datetime(endTime/1000000,\
    \'unixepoch\') FROM moz_downloads;'
              )
    print('\n[*] --- Files Downloaded --- ')
    for row in c:
        print('[+] File: ' + str(row[0]) + ' from source: ' \
            + str(row[1]) + ' at: ' + str(row[2]))

def printCookies(cookiesDB):
    try:
        conn = sqlite3.connect(cookiesDB)
        c = conn.cursor()
        c.execute('SELECT host, name, value FROM moz_cookies')

        print('\n[*] -- Found Cookies --')
        for row in c:
            host = str(row[0])
            name = str(row[1])
            value = str(row[2])
            print('[+] Host: ' + host + ', Cookie: ' + name \
                + ', Value: ' + value)
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your cookies database.')
            print('[*] Upgrade your Python-Sqlite3 Library')

In [2]:
printDownloads('firefox_profile/downloads.sqlite')


[*] --- Files Downloaded --- 
[+] File: python-nmap-0.1.4.tar.gz from source: http://xael.org/norman/python/python-nmap/python-nmap-0.1.4.tar.gz at: 2012-06-20 02:53:09


In [3]:
printCookies('Cookies.sqlite')


[*] -- Found Cookies --
[+] Host: .mail.google.com, Cookie: __utma, Value: 29003808.1143615086.1386662234.1386662234.1386662234.1
[+] Host: .mail.google.com, Cookie: __utmb, Value: 29003808.2.9.1386662236726
[+] Host: .mail.google.com, Cookie: __utmz, Value: 29003808.1386662234.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=icho%20taiwan
[+] Host: accounts.youtube.com, Cookie: CheckConnectionTempCookie395, Value: 343246
[+] Host: accounts.google.com, Cookie: ACCOUNT_CHOOSER, Value: AFx_qI5yF-W47GJx05la4a6iPw6WUzFsh9aD8EYkdDWLs22T-iuGw90BK3i24K3rJtP-Jd-xJ-B2k9inNdHB1_SAkd7LdeD8mc2kRK_lWFFWn08C05TXpFpRhjJzSx0ba-xUQody29Eq
[+] Host: sagecell.sagemath.org, Cookie: accepted_tos, Value: true
[+] Host: .myweb.hinet.net, Cookie: MyWeb_HostID_L1, Value: twoyears44.myweb.hinet.net
[+] Host: apis.google.com, Cookie: BEAT, Value: APfa0bqy_ARx8giFGyUS4LB7RwA_GCyvLmpBx_xJtuddXj5UjTDTbiH-FIr6D1EiYHDVvqp-gC7x
[+] Host: .apple.com, Cookie: ds01_a, Value: d2700059be72ba2434f40f39e3233dc741e53

An investigator may also wish to enumerate the browser history. Firefox stores this data in a database named places.sqlite. Here, the moz_places table gives us valuable columns that include information about when (date) and where (address) a user visited a site. While our script for printHistory() only takes into account the moz_places table, the ForensicWiki Web site recommends using data from both the moz_places table and the moz_historyvisits table as well to get a live browser history (Forensics Wiki, 2011).

In [1]:
def printHistory(placesDB):
    try:
        conn = sqlite3.connect(placesDB)
        c = conn.cursor()
        c.execute("select url, datetime(visit_date/1000000, \
          'unixepoch') from moz_places, moz_historyvisits \
          where visit_count > 0 and moz_places.id==\
          moz_historyvisits.place_id;")

        print('\n[*] -- Found History --')
        for row in c:
            url = str(row[0])
            date = str(row[1])
            print('[+] ' + date + ' - Visited: ' + url)
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your places database.')
            print('[*] Upgrade your Python-Sqlite3 Library')
            exit(0)

In [2]:
printHistory('history.sqlite')

In [7]:
import re
def printGoogle(placesDB):
    conn = sqlite3.connect(placesDB)
    c = conn.cursor()
    c.execute("select url, datetime(visit_date/1000000, \
      'unixepoch') from moz_places, moz_historyvisits \
      where visit_count > 0 and moz_places.id==\
      moz_historyvisits.place_id;")

    print('\n[*] -- Found Google --')
    for row in c:
        url = str(row[0])
        date = str(row[1])
        if 'google' in url.lower():
            r = re.findall(r'q=.*\&', url)
            if r:
                search=r[0].split('&')[0]
                search=search.replace('q=', '').replace('+', ' ')
                print('[+] '+date+' - Searched For: ' + search)


Let’s use the last example and our knowledge of regular expressions to expand the previous function. While browser history is in nitely valuable, it would be useful to look deeper into some of the speci c URLs visited. Google search queries contain the search terms right inside of the URL, for example. In the wireless section, we will expand on this in great depth. However, right now, let’s just extract the search terms right out of the URL. If we spot a URL in our history that contains Google, we will search it for the characters `q=` followed by an `&`. This speci c sequence of characters indicates a Google search. If we do  nd this term, we will clean up the output by replacing some of the characters used in URLs to pad whitespace with actual whitespace. Finally, we will print out the corrected output to the screen. Now we have a function that can search the places.sqlite  le for and print out Google search queries.

In [8]:
printGoogle('places.sqlite')


[*] -- Found Google --
[+] 2013-12-10 07:54:47 - Searched For: icho taiwan
[+] 2013-12-10 07:54:47 - Searched For: icho taiwan
[+] 2013-12-10 07:54:58 - Searched For: icho taiwan
[+] 2013-12-10 07:55:05 - Searched For: 
[+] 2014-01-10 00:51:53 - Searched For: Write To Learn
[+] 2014-01-10 00:51:53 - Searched For: Write To Learn
[+] 2014-01-10 00:52:10 - Searched For: 
[+] 2014-05-21 08:07:47 - Searched For: RTC
[+] 2014-05-21 08:07:47 - Searched For: RTC
[+] 2014-05-21 08:07:54 - Searched For: web RTC
[+] 2014-05-21 08:07:54 - Searched For: web RTC
[+] 2014-05-21 08:08:04 - Searched For: 
[+] 2014-05-21 08:08:46 - Searched For: web RTC Android
[+] 2014-05-21 08:08:46 - Searched For: web RTC Android
[+] 2014-05-21 08:08:53 - Searched For: 
[+] 2014-05-21 08:09:32 - Searched For: 
[+] 2014-07-03 23:22:36 - Searched For: where is jdk in Mac
[+] 2014-07-03 23:22:36 - Searched For: where is jdk in Mac
[+] 2014-07-03 23:22:40 - Searched For: 
[+] 2014-07-03 23:25:04 - Searched For: jdk
[+] 

INVESTIGATING ITUNES MOBILE BACKUPS 
---
In April 2011, security researcher and former Apple employee Pete Warden disclosed a privacy issue with the popular Apple iPhone/Ipad iOS operating system (Warden, 2011). After a significant investigation, Mr. Warden revealed proof that the Apple iOS operating system actually tracked and recorded the GPS coordinates of the device and stored them in a database on the phone called `consolidated.db` (Warden, 2011). Inside this database, a table named Cell-Location contained the GPS points the phone had collected. The device determined the location information by triangulating off the nearest cell-phone towers in order to provide the best service for the device user. However, as Mr. Warden suggested, this same data could be used maliciously to track the entire movements an iPhone/iPad user. Furthermore, the process used to backup and store a copy of the mobile device to a computer also recorded this information. While the location-recording information has been removed from the Apple iOS operating system functionality, the process Mr. Warden used to discover the data remains. In this section, we will repeat this process to extract information from iOS mobile device backups. Specifically, we will extract all the text messages out of an iOS backup using a Python script.

```
~/Library/Application Support/MobileSync/Backup
```

In [9]:
import os

def isMessageTable(iphoneDB):
    try:
        conn = sqlite3.connect(iphoneDB)
        c = conn.cursor()
        c.execute('SELECT tbl_name FROM sqlite_master \
          WHERE type==\"table\";')
        for row in c:
            if 'message' in str(row):
                return True
    except:
        return False


def printMessage(msgDB):
    try:
        conn = sqlite3.connect(msgDB)
        c = conn.cursor()
        c.execute('select datetime(date,\'unixepoch\'),\
          address, text from message WHERE address>0;')
        for row in c:
            date = str(row[0])
            addr = str(row[1])
            text = row[2]
            print('\n[+] Date: '+date+', Addr: '+addr \
                + ' Message: ' + text)
    except:
        pass

def iphoneMessage(pathName):
    dirList = os.listdir(pathName)
    for fileName in dirList:
        iphoneDB = os.path.join(pathName, fileName)
        if isMessageTable(iphoneDB):
            try:
                print('\n[*] --- Found Messages ---')
                printMessage(iphoneDB)
            except:
                pass
    
    

Try
```
iphoneMessage('where-the backup-dircetory')
```
