Python Programming For Digital Forensics And Security Analysis

0
34152

One of the many uses of the versatile Python programming language is in digital forensics and security analysis. This article covers various aspects like socket programming, port scanning, geo-location and extraction of data from websites like Twitter.

Python is one of the powerful programming languages used in key domains like cloud computing, Big Data analytics, network forensics, mobile app development, Web development and many others.  Python has been in use for more than two decades.

Python code follows and provides support for multiple programming paradigms including imperative, functional, procedural and object oriented. Nowadays, Python is widely used for a variety of high performance computing applications by a number of corporate giants including Microsoft, Google, Red Hat, IBM, Amazon and many others. Python is free and open source, and delivers the implementations and interfaces for many other languages and platforms.

Table 1 displays a list of Python implementations, including the support for different platforms and programming models.

Installing Python

Python is available in two versions — Python 3.5 and Python 2.7 (https://www.python.org). Either of these can be downloaded, depending upon your requirements and type of application.

Python programming works with the IDE platform on which coding can be done. The command shell interface or IDE supports a Python program that is saved with a .py extension and executed at the command shell interface with the following commands:

$ python <filename.py> (For Linux)
DriveLetter:\(Path-To-Python)>python <filename.py> (For Windows)
Figure 1 Python download page from the official portal
Figure 1: Python download page from the official portal
Table 1
Table 1

Figure 2 depicts the execution of Python code on a system in which Python 2.7 is installed in Drive E: of the Windows OS.

IDE based programming with Python can include any IDE to write, debug and execute the code.

Given below is a list of Python IDEs where a graphical user interface is provided for easy programming:
Screenshot from 2016-09-06 14-21-48Digital forensics using Python programming

Whenever the topics of digital forensics, cyber security and penetration testing are discussed, professionals generally depend on a number of third party tools and operating systems. Kali Linux, MetaSploit, Parrot Security OS and many other tools are used for digital forensics. These tools come with in-built applications which the users deploy without real knowledge of the internal architecture and algorithmic approach of implementation.

Python is a widely used programming language for cyber security, penetration testing and digital forensic applications. Using the base programming of Python, any of the following can be performed without using any other third party tool:

  • Web server fingerprinting
  • Simulation of attacks
  • Port scanning
  • Website cloning
  • Load generation and testing of a website
  • Creating intrusion detection and prevention systems
  • Wireless network scanning
  • Transmission of traffic in the network
  • Accessing mail servers…

…and many other implementations related to digital fingerprinting and security applications

Figure 2 Executing Python code at the Windows command shell interface
Figure 2: Executing Python code at the Windows command shell interface
Figure 3 Python IDLE environment 
Figure 3: Python IDLE environment

Socket programming

Socket programming is in-built with Python, similar to Java. To work with socket programming, the package socket is first imported and then the related methods can be called. Python installation comes with the in-built IDLE GUI.

Figure 4 Fetching an IP address of a website from a URL 
Figure 4: Fetching an IP address of a website from a URL
Figure 5 Fetching IP addresses associated with the local system 
Figure 5: Fetching IP addresses associated with the local system

Network port scanning

Generally, the nmap tool is used for the implementation of network port scanning, but using Python socket programming, it can be implemented without any third party tool. In Kali Linux, there are many tools available for digital forensics related to networks, but many of these implementations can be done using Python programming with just a few lines of instruction.

The code for port scanning of any IP address can be downloaded from here. The code checks which particular ports are open from the PortList [20, 22, 23, 80, 135, 445, 912]. Each value in the PortList specifies a particular service associated with the network.

Geolocation extraction

The real-time location of an IP address can be extracted using Python and Google APIs with the use of the pygeoip module. First of all, import the GeoIP database from the URL.

Once the database is loaded and mapped with the Python installation, any IP address can be scanned with global visibility and location.

>>> import pygeoip
>>> myGeoIP = pygeoip.GeoIP(‘GeoIPDataSet.dat’)
>>> myGeoIP.country_name_by_addr(‘<IP Address>’)
 ‘United States‘

To look up the country, use the following commands:

>>> myGeoIP = pygeoip.GeoIP(‘GeoIPDataSet.dat’)
>>> myGeoIP.country_code_by_name(‘google.com’)
‘US’
>>> myGeoIP.country_code_by_addr(‘<IP Address>’)
‘US’
>>> myGeoIP.country_name_by_addr(‘<IP Address>’)
‘United States’

To look up the city, use the following commands:

>>> myGeoIP = pygeoip.GeoIP(‘GeoIPCity.dat’)
>>> myGeoIP.record_by_addr(‘<IP Address>’)
{
    ‘city’: u’Mountain View’,
    ‘region_code’: u’CA’,
    ‘area_code’: 550,
    ‘time_zone’: ‘America/Los_Angeles’,
    ‘dma_code’: 807,
    ‘metro_code’: ‘San Francisco, CA’,
    ‘country_code3’: ‘USA’,
    ‘latitude’: 38.888222,
    ‘postal_code’: u’94043’,
    ‘longitude’: -123.37383,
    ‘country_code’: ‘US’,
    ‘country_name’: ‘United States’,
    ‘continent’: ‘NA’
}
>>> myGeoIP.time_zone_by_addr(‘<IP Address>’)
‘America/Los_Angeles’

Real-time extraction from social media

The live and real-time data from social media platforms can be downloaded using Python scripts. In Python, there are many modules and extensions with which the interfacing with WhatsApp, Twitter, Facebook, LinkedIn and many other platforms can be done.

Figure 6 Downloadable databases for GeoIP mapping 
Figure 6: Downloadable databases for GeoIP mapping
Figure 7 Download links for GeoIP databases with IPv6 compatibility
Figure 7: Download links for GeoIP databases with IPv6 compatibility

Python package index (PyPI)

PyPI (https://pypi.python.org) is the software repository of enormous Python packages for interfacing with other platforms. PyPI is freely available for Python developers without any licensing or subscriptions.

You can download the Python codes for the three actions given below from https://www.opensourceforu.com/article_source_code/sept16/digital_forensic.zip
1. Fetching the list of followers from Twitter about any user
2. Fetching the Twitter timeline for any user name

Real-time extraction of live tweets from Twitter

With the execution of the Python code downloaded from the above link, the live real-time discussion on any topic or keyword can be fetched. With this execution, the real-time discussion on the word ‘India’ will be fetched along with the details on the users involved in the transmission and distribution of tweets. The user data will include the user name, device, tweet, followers’ list, timestamp of the tweet, platform used, etc.

LEAVE A REPLY

Please enter your comment!
Please enter your name here