DFIR Python Study Group: Class 3 - practice script

At the end of the video, we went over how we could use the python code we have learned so far in “real life” and how it can be used in forensics. Alexis showed us how we could create a simple script using code we had learned. This script could be used if we have a bunch of phone images, and we quickly wanted to see what the phone model and manufacturer are without opening each one.

 

I do not currently have an Android image on my computer, and I do not feel like downloading one as I am working on other large images. So, I will create my own file to play around with what we went over during the last several minutes of the python study group.

 

What helped me by doing this myself is understanding why Alex used {line[x:]}. It was not clear to me what was going on until I wrote it out and ran it myself. What it is doing is going through that line once it matches the statement we added to our loop and displaying the characters from character 31 to the end of the line.

 

This is the file I created:



This is my code:

 

 


And this is the result:


To get rid of the spaces we see in our result, we can go back to that snippet of code that reads the line from characters 24 and 31 and stop not at the end, but one character before by inserting -1. Doing this, stops before we hit the new line indicator which happens to be the last character in the line “list”.

 

 Now we have no space!

 

Alexis finishes this python study group with another way of writing this code and producing the same information. One that is simpler, where we do not have to count the characters to get our code to print the information we need. To accomplish this, we use split. Because the information we need in our file is preceded by an = sign, we can use this to separate the information we don’t want our script to print and the information we want to print.

We do this by creating a new variable in our if statement called “splits” which splits our line/list at the =. Then we pull out the second object in our list with 1.

 

Result:


We are left with the challenge of taking that information and exporting it to a file. We can accomplish this by:

 

This exports our results into a text file and saves it to the location we are currently located:

 

I am not sure how to accomplish this using code but I believe this will be part of the next class.

LINKS

DFIR Python Study Group: Class 3