#4 Shooting for the stars

The only limitation one has in this world, is one’s self. Yes, we will all have obstacles that slow us down or even people who tell us we can’t do that. We can find work a rounds for these types of things. In the end, the only reason we don’t reach our goal is due to our own limitations we put on ourselves. We end up settling instead of going the distance. We will not settle and will push forward here.

We started with a brief introduction to Python and or Python forensics. We moved to retrieving information from a Windows system by retrieving the hard drive serial numbers. We left off on creating a text file and writing our retrieved hard drive serial numbers to said text file. Let’s continue from here with collecting more information from the Windows system.

In a live system investigation, what other information might we need to retrieve while we are in said system? We know that collecting the complete system and imaging the hard drive(s) back at the lab, would be the ideal answer. We don’t always have the ideal situation, so we have to improvise, overcome, and adapt. We just need to be able to explain and reproduce the actions we took. When you walk in to a crime scene, you make changes just by being in the crime scene. What do you do? You document the steps you took and why you took them. Computer forensics is not much different, you still have a crime scene just not in the realm of say a murder scene.

We know our hard drive serial number(s) but do we know if these drives are physically connected or network connected (aka Network Drives)? There is a way to collect this information and store it for later.

We will need to import a third module for this to work. Remember we originally imported wmi and sys. We now will add to the list win32file. So the top of your code should now look like this:

import wmi

import sys

import win32file

We will move to the code that opens our text file as follows:

sys.stdout = open("HDserial.txt", "w+")

We will change up the hard drive serial number code to the following but you will see the similarities from the original code.

HDs = wmi.WMI()

for hdSerialnum in HDs.Win32_PhysicalMedia():

print(hdSerialnum.Tag.strip("\\.\\PHYSICAL"), hdSerialnum.SerialNumber)

What we are doing above is collecting the same hard drive serial numbers but we have added some code to get rid of things we do not need that is where the .strip comes in to play. The items after that in the code, located in (“”) will be removed and not printed out to file.

Moving forward we need to check to see if these hard drives are network drives or internal/external drives. Before we do that, we need to make sure that the text we export to file is readable so we will put below the code above, the following:

print("")

What this will do is print a blank line between the hard drive serial numbers and the next bit of information we are going to collect. Not only do we want to find out if the hard drives are network drives but we want to get the assigned letters for the drives.

w = wmi.WMI()

for drive in w.Win32_LogicalDisk():

print ("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))

isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE

print("Network Drive: " + str(isNetworkDrive), "\n")

Remember, Python reads the code from the top down and we are now calling on wmi.WMI() as w. In the code for the hard drive serial number we called on wmi.WMI() as HDs. The code was ran and now complete so we want to use the same module for our next line of code. “Drive Letter: “ and others a like will be printed or sent to the text file as text. We will call upon the true or false statement when checking to see if the hard drive is a network drive or a physical hard drive. We have to convert that to a string to get it to print out or not scream ERROR at us when we run the code. So you see at the end of the code "Network Drive: " + str(isNetworkDrive) and we added str to the isNetworkDrive. The same goes for the hard drive size and free space on said drives. Do not forget to close the file you created by adding this code at the end:

sys.stdout.close()

So now when we run the code, we get the following in the text file created:

(u'DRIVE1', u'B9E7B7654321')

(u'DRIVE0', u'0000_0000_0000_0010_0008_0D02_0049_203A.')

(u'Drive Letter: C:', 'HD Size: 1008621056000', 'Free: 848159027200')

('Network Drive: False', '\n')

(u'Drive Letter: D:', 'HD Size: 500088438784', 'Free: 382506237952')

('Network Drive: False', '\n')

We can now see that not only do we have the hard drive serial numbers but a few more items related to each hard drive. We know each assigned drive letter and if it is a network drive or not by a TRUE or FALSE statement in our text file.

At this point your code should look like this:

# What modules will we be calling upon?

# We need to import them to have access to them within the code

import wmi

import sys

import win32file

# lets open our text file in the same location as our python script

sys.stdout = open("HDserial.txt", "w+")

# what are we writing to file?

# the hard drive serial numbers, as called below

HDs = wmi.WMI()

for hdSerialnum in HDs.Win32_PhysicalMedia():

print(hdSerialnum.Tag.strip("\\.\\PHYSICAL"), hdSerialnum.SerialNumber)

#Lets put a line space between the text

print("")

# We are collecting hard drive assigned letter, size, and free space

w = wmi.WMI()

for drive in w.Win32_LogicalDisk():

print ("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))

isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE

print("Network Drive: " + str(isNetworkDrive), "\n")

# lets close our text doc as we are done with it

sys.stdout.close()

We will end it here and hope that it helps someone on their journey to learning Python and or Python forensics. Happy coding and until next time, keep learning! Stay tuned for number five in the series, as we keep building upon our code.

Author - Emory Casey Mullis has been in Law Enforcement for roughly 20 plus years including military and civilian law enforcement. He started learning about computers back when Gateway 266 MHz was the top of the line and cost about $2000.00. Right out the box, I was compelled to take my new found 266 apart. Why I have no idea other than pure curiosity. Once I had the computer out the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and / or the components inside. This was my starting point with computers and I still hear my wife in the back ground “It better work when you put it back together!” That was my humble beginnings as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence and it is a real challenge. I enjoy the challenge and look forward to learning more every day!

#emorycmullis #python #pythonforensics #datarecovery