
Python Programming For Digital Forensics And Security Analysis




One of the many uses of the versatile Python programming language is digital forensics and security analysis. This article covers socket programming, port scanning, geolocation of IP addresses, and extracting data from sites such as Twitter.
Python is one of the most powerful programming languages used in key areas such as cloud computing, big data analysis, network forensics, mobile app development and web development. Python has been in use for over 20 years.
Python supports multiple programming paradigms, including imperative, functional, procedural and object-oriented programming. Nowadays, Python is widely used for a variety of high performance computing applications by a number of corporate giants including Microsoft, Google, Red Hat, IBM, Amazon and many others. Python is free and open source, and implementations and interfaces exist for many other languages and platforms.

Table 1 lists the different Python implementations, and the platforms and programming models each of them supports.




Table 1


Figure 2 illustrates how Python code is executed on a Windows system with Python 2.7 installed on drive E:. Python can also be used from any IDE for writing, debugging and executing code.




Given below is a list of Python IDEs that provide a graphical user interface for easier programming:




Digital forensics experts rely on a variety of tools and operating systems when investigating digital crimes. Python is a popular programming language for digital investigations. Many forensic tools are used with Kali Linux, Metasploit and Parrot Security OS. These tools come as pre-installed applications that users deploy without knowing their internal architecture or the algorithms they implement. Python is a widely used programming language for cybersecurity, penetration testing and digital forensic applications. Using basic Python programming, any of the following can be done without any third-party tools:

Web server fingerprinting
Attack Modeling
Port scanning
Website cloning
Load generation and site testing
Building Intrusion Detection and Prevention Systems
Scanning for a wireless network
Network traffic transmission
Accessing mail servers



Socket programming

Socket programming is built into Python, as it is in Java. To use it, the socket package is first imported and then its methods can be called. The Python installation also comes with the built-in IDLE GUI.




Network port scanning

Generally, the nmap tool is used for network port scanning, but using Python socket programming it can be implemented without any third-party tool. Kali Linux ships many tools for network-related digital forensics, but many of them can be reimplemented in Python with just a few lines of code.

The code for port scanning of any IP address can be downloaded from here. The code checks which of the ports in the PortList [20, 22, 23, 80, 135, 445, 912] are open. Each port in the list corresponds to a particular network service.
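The following is an added example (not the article's downloadable code) of the socket-based TCP connect scan the two sections above describe, using the article's port list. It adds what the text leaves out: a per-port timeout so a filtered port does not hang the scan, a thread pool so the ports are probed concurrently, and a self-check that opens a listener on a loopback port and confirms the scanner reports it open and a released port closed. The service names come from the local services database via socket.getservbyport, which is a standard-library call; the function and variable names are this example's own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Port list as given in the article; each maps to a well-known service.
PORT_LIST = [20, 22, 23, 80, 135, 445, 912]


def check_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout.

    connect_ex returns 0 on success and an errno otherwise, so a refused
    connection (closed port) and a timeout (filtered port) both count as closed
    without raising an exception.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_ports(host, ports=PORT_LIST, timeout=1.0, workers=8):
    """Probe every port concurrently; return a dict {port: is_open}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, check_port(host, p, timeout)), ports))


def service_name(port):
    """Name of the service registered for a TCP port, or 'unknown'."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def report(host, results):
    """Format scan results as one line per port, sorted by port number."""
    return [
        f"{host}:{port} ({service_name(port)}) {'open' if results[port] else 'closed'}"
        for port in sorted(results)
    ]


def demo_local_scan():
    """Self-contained check of the scanner against this machine's loopback.

    Opens a listener on an ephemeral port, takes a second ephemeral port and
    releases it so it is known to be closed, scans both, and reports whether
    the scanner classified each one correctly.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more

    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()

    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "open_detected": results[open_port],
        "closed_detected": not results[closed_port],
    }


if __name__ == "__main__":
    # Scan the local host for the article's port list, then run the self-check.
    for line in report("127.0.0.1", scan_ports("127.0.0.1")):
        print(line)
    print(demo_local_scan())
```

Run it only against hosts you administer or are authorised to test; a connect scan completes the TCP handshake, so it appears in the target's connection logs and in any IDS watching for many short connections from one source, which is also how defenders spot it.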

Geolocation extraction

The real-time location of an IP address can be extracted using Python and Google APIs with the pygeoip module. First of all, download the GeoIP database from the URL.

Once the database file is loaded, any IP address can be looked up for its country and location.

>>> import pygeoip
>>> myGeoIP = pygeoip.GeoIP('GeoIPDataSet.dat')
>>> myGeoIP.country_name_by_addr('<IP Address>')
'United States'

To look up the country, use the following commands:

>>> myGeoIP = pygeoip.GeoIP('GeoIPDataSet.dat')
>>> myGeoIP.country_code_by_name('google.com')
'US'
>>> myGeoIP.country_code_by_addr('<IP Address>')
'US'
>>> myGeoIP.country_name_by_addr('<IP Address>')
'United States'

To look up the city, use the following commands:

>>> myGeoIP = pygeoip.GeoIP('GeoIPCity.dat')
>>> myGeoIP.record_by_addr('<IP Address>')
{
    'city': u'Mountain View',
    'region_code': u'CA',
    'area_code': 550,
    'time_zone': 'America/Los_Angeles',
    'dma_code': 807,
    'metro_code': 'San Francisco, CA',
    'country_code3': 'USA',
    'latitude': 38.888222,
    'postal_code': u'94043',
    'longitude': -123.37383,
    'country_code': 'US',
    'country_name': 'United States',
    'continent': 'NA'
}
>>> myGeoIP.time_zone_by_addr('<IP Address>')
'America/Los_Angeles'
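The interpreter session above hides what a GeoIP lookup actually is: a longest-prefix match of the address against a table of network blocks. The example below, added here and not part of the article or of pygeoip, shows that mechanism with a small constructed table standing in for the .dat file (documentation prefixes from RFC 5737 and RFC 3849 mapped to made-up locations), returns a record shaped like pygeoip's record_by_addr, and adds the check a forensic analyst needs before geolocating addresses pulled from logs: private, loopback, link-local and multicast addresses are rejected up front, because a database will never have a meaningful answer for them. The table, the function names and the locations are all this example's assumptions.

```python
import ipaddress

# Constructed sample table standing in for the GeoIP database:
# (network, country_code, country_name, city). Documentation-only prefixes
# with invented locations; the /25 overlaps the /24 to show longest-prefix match.
SAMPLE_TABLE = [
    ("192.0.2.0/24", "US", "United States", "Mountain View"),
    ("192.0.2.128/25", "US", "United States", "San Jose"),
    ("198.51.100.0/24", "GB", "United Kingdom", "London"),
    ("203.0.113.0/24", "IN", "India", "Delhi"),
    ("2001:db8::/32", "DE", "Germany", "Berlin"),
]

# Address blocks that never carry a useful geolocation: RFC 1918 private
# space, loopback, link-local, multicast and their IPv6 counterparts.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def build_table(rows):
    """Parse the textual prefixes once so lookups compare network objects."""
    return [(ipaddress.ip_network(net), cc, name, city) for net, cc, name, city in rows]


def is_non_routable(ip):
    """True for addresses in the internal/reserved blocks listed above."""
    return any(ip.version == net.version and ip in net for net in NON_ROUTABLE)


def lookup(addr, table):
    """Longest-prefix match of addr against table.

    Returns a dict modelled on pygeoip.record_by_addr, or None when the
    address is malformed, not globally routable, or not covered by the table.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if is_non_routable(ip):
        return None

    best = None
    for net, cc, name, city in table:
        if ip.version == net.version and ip in net:
            # A more specific (longer) prefix overrides a broader one.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc, name, city)
    if best is None:
        return None

    net, cc, name, city = best
    return {"country_code": cc, "country_name": name, "city": city, "network": str(net)}


def country_code_by_addr(addr, table):
    """Two-letter country code for addr, or None (mirrors the pygeoip call)."""
    rec = lookup(addr, table)
    return rec["country_code"] if rec else None


if __name__ == "__main__":
    table = build_table(SAMPLE_TABLE)
    for sample in ("192.0.2.5", "192.0.2.200", "203.0.113.9", "2001:db8::1", "10.1.2.3", "1.2.3.4"):
        print(sample, "->", lookup(sample, table))
```

A real city database is simply a much larger table of the same shape, which is why record_by_addr can return a partial record (country but no city) or None: the address is either unlisted or falls in a block the database does not describe, and code that consumes the result should treat a missing key as normal rather than as an error.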

Real-time extraction from social media

Live, real-time data from social media platforms can be downloaded using Python scripts. Python has many modules and extensions for interfacing with WhatsApp, Twitter, Facebook, LinkedIn and many other platforms.






Python package index (PyPI)

PyPI (https://pypi.python.org) is the software repository of an enormous number of Python packages, including those for interfacing with other platforms. PyPI is freely available to Python developers without any licensing or subscription.

You can download the Python code for the three actions given below from https://www.opensourceforu.com/article_source_code/sept16/digital_forensic.zip
1. Fetching the list of followers of any Twitter user
2. Fetching the Twitter timeline of any user name

Real-time extraction of live tweets from Twitter

By running the Python code downloaded from the above link, the live, real-time discussion on any topic or keyword can be fetched. In this case, the real-time discussion on the word 'India' is fetched along with details of the users involved in the transmission and distribution of the tweets. The user data includes the user name, device, tweet, followers' list, timestamp of the tweet, platform used, etc.
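The downloaded script needs Twitter credentials and a live connection, so it cannot be shown running here. What can be shown is the other half of the job: turning the stream into the user records the paragraph lists. The example below is added here, is not the article's code, and works on a constructed sample of messages in the JSON layout of the Twitter v1.1 streaming API (only the fields used are included; the tweets and users are invented). It extracts user name, followers, platform (stripped from the HTML anchor Twitter puts in the source field), tweet text and a timestamp normalised to UTC, filters by keyword, and skips the things a real stream interleaves with tweets: blank keep-alive lines and non-tweet notices such as rate-limit messages.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample stream (not real tweets): three tweet objects, a blank
# keep-alive line and a rate-limit notice, as a streaming client would see them.
SAMPLE_STREAM = [
    r'{"id_str": "1001", "created_at": "Wed Sep 14 10:15:02 +0000 2016", '
    r'"text": "Monsoon update from India", '
    r'"source": "<a href=\"http://twitter.com/download/android\" rel=\"nofollow\">Twitter for Android</a>", '
    r'"user": {"screen_name": "example_user1", "name": "Example One", "followers_count": 120}}',
    "",  # keep-alive newline sent by the streaming endpoint
    r'{"limit": {"track": 5}}',  # rate-limit notice, not a tweet
    r'{"id_str": "1002", "created_at": "Thu Sep 15 08:00:00 +0530 2016", '
    r'"text": "Cricket scores, INDIA vs NZ", '
    r'"source": "web", '
    r'"user": {"screen_name": "example_user2", "name": "Example Two", "followers_count": 5}}',
    r'{"id_str": "1003", "created_at": "Thu Sep 15 09:00:00 +0000 2016", '
    r'"text": "Nothing to do with the keyword", '
    r'"source": "<a href=\"http://twitter.com\" rel=\"nofollow\">Twitter Web Client</a>", '
    r'"user": {"screen_name": "example_user3", "name": "Example Three", "followers_count": 9}}',
]

# The "source" field is an HTML anchor whose text names the client application.
SOURCE_RE = re.compile(r"<a [^>]*>(.*?)</a>")
# Twitter's created_at layout, e.g. "Wed Sep 14 10:15:02 +0000 2016".
TWITTER_TIME = "%a %b %d %H:%M:%S %z %Y"


def parse_tweet(line):
    """Turn one JSON tweet object into a flat evidence record.

    Raises KeyError for messages that are not tweets and ValueError for
    malformed JSON or timestamps, so the caller can decide what to skip.
    """
    tweet = json.loads(line)
    source = tweet.get("source", "")
    match = SOURCE_RE.search(source)
    platform = match.group(1) if match else source
    # Normalise the (possibly offset) timestamp to UTC for a consistent timeline.
    stamp = datetime.strptime(tweet["created_at"], TWITTER_TIME).astimezone(timezone.utc)
    return {
        "tweet_id": tweet["id_str"],
        "user": tweet["user"]["screen_name"],
        "followers": int(tweet["user"].get("followers_count", 0)),
        "platform": platform,
        "timestamp": stamp.isoformat(),
        "text": tweet["text"],
    }


def extract_records(lines, keyword=None):
    """Parse a stream of lines; keep tweets whose text contains keyword (case-insensitive)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # keep-alive newline
        try:
            record = parse_tweet(line)
        except (ValueError, KeyError):
            continue  # malformed line or non-tweet notice (limit, delete, ...)
        if keyword is None or keyword.lower() in record["text"].lower():
            records.append(record)
    return records


if __name__ == "__main__":
    for rec in extract_records(SAMPLE_STREAM, "India"):
        print(rec["timestamp"], rec["user"], rec["followers"], rec["platform"], rec["text"])
```

Keeping the raw JSON line alongside each derived record is worth doing in a real collection, since the flattened fields are an interpretation and the original message is the evidence.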


