Python Forensics Python Modules (1)

Last modified: 2023-12-03 15:34:28.049000             Author: Mango

Python Forensics Python Modules

Introduction

Python Forensics Python Modules is a Python framework for digital forensics. It gives digital forensic investigators a powerful, Python-native way to work with digital evidence.

Features
  • Extract data from multiple data sources
  • Automatically decompress common archive formats
  • Read common file formats (such as PDF, Microsoft Office and multimedia files)
  • Decrypt BitLocker-encrypted volumes
  • Support for SQLite, MySQL and PostgreSQL databases
  • Create timelines that trace operations on files, folders, registry entries and more
  • Access data streams (for example decompressed files) through IO context managers
  • Custom handling of metadata
  • Generate reports (for example in CSV, HTML and Excel format)
Installation

Install with pip:

```shell
pip install pytsk3
pip install dfdatetime
pip install dfwinreg
pip install dfvfs
pip install dftimewolf
pip install pandas
pip install openpyxl
pip install requests
```
Example

The following example shows how to use these modules to extract information from the Windows Registry:

"""Extract information from Windows Registry."""

import datetime

from dfwinreg import definitions as dfwinreg_definitions
from dfwinreg import registry as dfwinreg_registry
from dfwinreg import winregistry

# Path to the Windows Registry file.
windows_path = '/mnt/win7/image/Windows/System32/config/SYSTEM'

# Create a Windows Registry object and parse the file.
registry = winregistry.WinRegistry(
    backend=dfwinreg_registry.WinRegistryFileEntry(
        codepage='cp1252', file_entry_type=dfwinreg_definitions.FILE_ENTRY_TYPE_FILE,
        file_object=None, file_size=None, file_system=None,
        location=None, name='system', offset=None, parent=None))

registry.OpenFile(windows_path)

# Get the key containing information about the current control set.
control_set_key = registry.GetKeyByPath('\\Select').GetSubkeyByName('Current')

# Get the name of the key containing the Windows start-up programs.
value_name = (
    r'Software\Microsoft\Windows\CurrentVersion\Explorer'
    r'\Shell Folders\Startup')

start_up_key = control_set_key.GetSubkeyByPath(value_name)

# Get the current data of the key that contains the start-up programs.
current_control_set_value = (
    control_set_key.GetValueByName('Current').GetDataAsObject())
control_set_number = current_control_set_value.get('data')

values = []
for registry_value in start_up_key.GetValues():
    data = registry_value.GetDataAsObject()
    names = registry_value.name.split('\\')
    names.append(registry_value.data_type_string)
    values.append([
        names[-1], names[-2], '\\'.join(names[:-2]), data.get('data', ''),
        registry_value.offset, registry_value.last_written_time.timestamp()])

# Create a Pandas dataframe of the extracted information.
dataframe = pandas.DataFrame(
    values, columns=['Value name', 'Data type', 'Key path', 'Value data',
                     'Offset', 'Last written time'])

# Set the data type of the timestamps.
dataframe['Last written time'] = pandas.to_datetime(
    dataframe['Last written time'], unit='s')
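The feature list above mentions building timelines and writing CSV reports. The block below is an added example, not code from the original page or from the dfwinreg/dfdatetime projects: it takes the raw 64-bit FILETIME "last written" timestamps that registry keys carry (the representation dfdatetime's Filetime class wraps), converts them with the standard library only, orders them into a timeline and renders that timeline as CSV. The key paths and timestamp values in SAMPLE_KEYS are constructed for the example; the zero and out-of-range entries show how unset or corrupt timestamps are skipped rather than aborting the run.

```python
"""Registry timeline from FILETIME key timestamps (added example)."""

import csv
import datetime
import io

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
_FILETIME_MAX = (1 << 64) - 1

# Constructed sample data: (key path, last written FILETIME). Neither the
# paths nor the timestamps come from a real hive.
SAMPLE_KEYS = [
    ('HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip',
     133460912680000000),                      # 2023-12-03 15:34:28 UTC
    ('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
     133460912681234567),                      # same second, .1234567 later
    ('HKEY_LOCAL_MACHINE\\System\\Select',
     116444736000000000),                      # 1970-01-01 00:00:00 UTC
    ('HKEY_LOCAL_MACHINE\\System\\Setup', 0),  # timestamp never set
    ('HKEY_LOCAL_MACHINE\\System\\Corrupt', _FILETIME_MAX),  # out of range
]


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to a UTC datetime, or None if unusable.

    0 is treated as "not set" and values beyond the 64-bit field or beyond
    Python's datetime range as corrupt. Both occur in carved or damaged hives
    and must not abort the whole timeline.
    """
    if filetime <= 0 or filetime > _FILETIME_MAX:
        return None
    try:
        # Integer division drops the 100-ns digit that datetime cannot hold.
        return _FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)
    except OverflowError:
        return None


def build_timeline(entries):
    """Return (datetime, key path) rows sorted oldest first, skipping bad times."""
    rows = []
    for key_path, filetime in entries:
        when = filetime_to_datetime(filetime)
        if when is not None:
            rows.append((when, key_path))
    rows.sort()
    return rows


def write_timeline_csv(rows):
    """Render timeline rows as CSV text, the report format from the feature list."""
    buffer = io.StringIO()
    writer = csv.writer(buffer)
    writer.writerow(['Last written time (UTC)', 'Key path'])
    for when, key_path in rows:
        writer.writerow([when.strftime('%Y-%m-%d %H:%M:%S.%f'), key_path])
    return buffer.getvalue()


if __name__ == '__main__':
    print(write_timeline_csv(build_timeline(SAMPLE_KEYS)), end='')
```

When working from dfwinreg, the integer passed to filetime_to_datetime is what the hive stores for each key; with dfdatetime installed the same conversion is available through its Filetime class, but doing it by hand makes the epoch offset and the truncation to microseconds visible, which matters when correlating registry times with sources that keep full 100-ns precision.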