#2 One step at a time...


Many will go through life trying to accomplish things on an individual level. This way of life is OK and can be fruitful for that one person, but one may find it limits his or her true potential. We believe that life is a team effort and that working together and sharing ideas will take us further than one can go alone. No matter where we are going, in the end we have to take that first step to get there. Do not stand back and wait for it to come to you; start walking toward your goal and soon you will find it right in front of you.


With all that being said, we are here to move to step two in the introduction to Python Forensics. We hope you enjoyed or at least read the first, called “Where Should I Start?”. In “Where Should I Start?” we gave some good links on where to start learning Python as well as downloads and modules for Python Forensics.

Let me preface this with “We are not Python gurus or masters!”. What we are good at is the art of Googling. We run into an issue and, more times than not, we find that someone else has had the same issue. When this happens there is most likely already a solution to the question or problem we have run into.

We assume at this point you already understand modules and have them installed and importable, either locally or in Python Portable. We will start with a basic question that would come up in a live forensic analysis of a computer system: what are the serial numbers of the hard drives attached to the suspect machine? We will work this question assuming we are getting the information from a Windows OS machine. Checking which OS is installed and running the right code for it will be covered later in this series.

We completed a quick Google search for “read hard drive serial numbers with python 2.7”. The first link led us to this page: https://mail.python.org/pipermail/python-list/2009-June/539245.html. We were able to test, in Sublime, the first code sample on that page:

import wmi  # third-party module, Windows only (pip install wmi)

# Connect to WMI on the local machine
c = wmi.WMI()

# Each Win32_PhysicalMedia instance is one physical disk; Tag is the device
# path and SerialNumber is the serial reported by the drive (Python 2 print)
for pm in c.Win32_PhysicalMedia():
    print pm.Tag, pm.SerialNumber

What we did is copy and paste the code above into the Sublime text editor and save it as “read HD Serial.py”. Once it was saved, we ran the code and this was returned:

\\.\PHYSICALDRIVE1 B9E7B7654321
\\.\PHYSICALDRIVE0 0000_0000_0000_0010_0008_0D02_0049_203A.
[Finished in 0.2s]

We plugged a 128 GB SanDisk into another USB port and ran the code again to make sure it was returning correctly. What we got back was the following:

\\.\PHYSICALDRIVE2 4C531001520426114423
\\.\PHYSICALDRIVE1 B9E7B7654321
\\.\PHYSICALDRIVE0 0000_0000_0000_0010_0008_0D02_0049_203A.
[Finished in 0.2s]

We have now found Python code and tested it, in less than a minute, to achieve our goal. Please do not fall into the mind-boggling trap we did when it comes to the code. What are we talking about? An Algebra teacher once said “Don’t ask why, just do and it will come out correctly in the end.” One can lose the correct focus by asking why when it comes to the code. For instance, does “c” have to be “c” in the code, and why is it called “c” in the first place? We tell you now that “c” could just as well be “HD” if you like and you will get the same results. Do not lose yourself down the rabbit hole of “why”.

We never just take the code and assume it works. The first thing we should always do is run a test to validate that the code is working as needed. Then and only then can we move forward to the next step, like writing the returned information out to a text file or document. What we want to do is save time in the coding process for us non-coders. Granted, there are great, masterful coders out there who know this stuff like the back of their hand. Yet there are many of us who get the idea but are not so great at the whole coding aspect. So why reinvent the wheel, per se? Let’s work smarter, not harder!
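As an added example (not the post's own code, and not from the mailing-list page it links), here is a Python 3 version of the same Win32_PhysicalMedia query that also takes the next step mentioned above: it cleans up the returned serials and writes them to a text file. It assumes the third-party wmi module is installed on the Windows machine; the sample rows are constructed, not captured from a live system.

```python
import datetime

def query_physical_media():
    """Windows only: the post's WMI query; needs the third-party wmi module."""
    import wmi  # pip install wmi; imported here so the rest runs without it
    return [(pm.Tag, pm.SerialNumber) for pm in wmi.WMI().Win32_PhysicalMedia()]

def normalize_records(rows):
    """Clean raw (tag, serial) pairs; WMI may return None or padded serials."""
    records = []
    for tag, serial in rows:
        clean = (serial or "").strip()
        records.append({"tag": tag, "serial_present": bool(clean),
                        "serial": clean if clean else "<no serial reported>"})
    # Sort by tag so PHYSICALDRIVE0 is listed first whatever order WMI used.
    records.sort(key=lambda r: r["tag"])
    return records

def format_report(records, collected_at):
    """Render the records as tab-separated text under a timestamp header."""
    lines = ["# disk serials collected " + collected_at, "tag\tserial\tserial_present"]
    for r in records:
        flag = "yes" if r["serial_present"] else "no"
        lines.append("%s\t%s\t%s" % (r["tag"], r["serial"], flag))
    return "\n".join(lines) + "\n"

def write_report(records, path):
    """Write the report to a text file and return the text written."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    text = format_report(records, stamp)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text

# Constructed sample rows (not a live query): the post's two internal drives
# plus a hypothetical removable disk for which WMI reports no serial at all.
SAMPLE_ROWS = [
    (r"\\.\PHYSICALDRIVE2", None),
    (r"\\.\PHYSICALDRIVE1", "  B9E7B7654321  "),
    (r"\\.\PHYSICALDRIVE0", "0000_0000_0000_0010_0008_0D02_0049_203A"),
]

if __name__ == "__main__":
    try:
        rows = query_physical_media()
    except ImportError:  # not on Windows or wmi missing: fall back to the sample
        rows = SAMPLE_ROWS
    print(write_report(normalize_records(rows), "hd_serials.txt"), end="")
```

Recording whether a serial was present at all, rather than silently writing an empty field, is what makes the text file useful later when you need to explain a drive that reported nothing.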

This was number two in a series we are doing on Python forensics. So keep a check for number three, coming soon. Until next time, have a great day and happy coding! Thanks for stopping by and checking us out.


Author - Emory Casey Mullis has been in Law Enforcement for roughly 20 plus years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people: this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now, with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!
