
#5 Sucking it all in


Like a black hole, we want to suck it all in: as much information as we can get. We want to learn until there are no more days to learn. Each day affords us an opportunity to learn something new, and this day is no different from yesterday. Like the black hole that never seems to fill up, we want to be the same way today. The same can be said of a live computer forensics analysis. Every interaction with a running system changes it (processes start and stop, caches turn over, timestamps update), so get what you can the first time, and all you can, in hopes you will not have to go back. Plan for the worst and hope for the best!

 

We will be starting where we left off in “Shooting for the stars”. At this point we have collected hard drive information and written it out to a text file for later reference and/or validation. That information can also be used later to verify whether the hard drive has been changed, if one ends up having to go back for more data. This time we will be creating variables. If you are not familiar with these and have not read the first article in this series, we suggest you check out Corey M Schafer on YouTube. Corey does an awesome job explaining a lot of these things in his “how to” videos.

If you have been with us from the start, then your Python code should now look something like this:

# What modules will we be calling upon?
# We need to import them to have access to them within the code
import wmi
import sys
import win32file

# Let's open our text file in the same location as our Python script
sys.stdout = open("HDserial.txt", "w+")

# What are we writing to file?
# The hard drive serial numbers, as called below
HDs = wmi.WMI()
for hdSerialnum in HDs.Win32_PhysicalMedia():
    # Tag looks like \\.\PHYSICALDRIVE0; replace() removes that exact prefix
    # (strip() removes any character in a set, which only worked by luck here)
    print(hdSerialnum.Tag.replace("\\\\.\\PHYSICAL", ""), hdSerialnum.SerialNumber)

# Let's put a space between the data collected above and the data below
print("")

w = wmi.WMI()
for drive in w.Win32_LogicalDisk():
    # Size and FreeSpace come back as strings (or None for an unmapped share), hence str()
    print("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))
    isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE
    print("Network Drive: " + str(isNetworkDrive), "\n")

# Let's close our text doc as we are done with it
sys.stdout.close()

We put the code in bold lettering and left the comments as standard text. We like and encourage comments in your code, for reference later as you build it. One day you may have to go back and need to know what that code was for; comments make it easier to edit down the road and to understand what you were doing. We would like to point out, as we learn together here, that this code may not be in the most effective form and could be done more simply or more neatly. If so, please feel free to share in a comment below. This will help us all learn.

As we said before, Python reads from the top down. At this point we have our modules imported first. The next step is to create some variables so we can call them later. What is a variable, you ask?

“Python is dynamically typed, which means that you don't have to declare what type each variable is. In Python, variables are a storage placeholder for texts and numbers. It must have a name so that you are able to find it again. The variable is always assigned with the equal sign, followed by the value of the variable.”

Now that you know what a variable is (and have a link to research later), let’s move on with our code, starting with our modules.

# Modules
import wmi
import sys
import win32file
import os
from psutil import virtual_memory
import platform
import getpass
import socket

# Variables

The first variable we will collect is the “Installed Operating System”: what OS is running on the system we are collecting from? We have to give the variable a name. We went with the initials of the call we are making, platform.system, which gives “ps”. Remember K.I.S.S. (Keep It Simple, Stupid). So our first variable will be:

ps = platform.system()

The second variable we will collect is the “Build Version”: is it Windows 7, 8, or 10? Remember, at this point we are writing this code for Windows systems. We will call platform.release, and as you can see, Python code is easy to read. We will not bore you with the rest, as you now see how it works. One more to note: the print statement further down also uses cdir, the current working directory, so we grab that with os.getcwd() as well.

pr = platform.release()
build = platform.version()
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
# current working directory, used by the print statement below
cdir = os.getcwd()

Moving right along, we now put our code together to print the above variables to our text file, along with the hard drive serial numbers and drive types. First we add a comment or two, then print the information to file.

# Print OS and machine information below
# There is most likely a neater way to do this but this is how we got it to work
print("Installed OS: " + ps + '\n' + "OS Version: " + pr + '\n' + "OS Build: " + build + '\n' +
      "Current Dir: " + cdir + '\n' + "Machine Type: " + mType + '\n' + "Processor: " +
      pType + '\n' + "RAM Total: " + str(mem.total) + '\n' + "Current User Name: "
      + username + '\n' + "Computer Name: " + hostname + '\n')

In the code above we want not just to print the data but to make it easy for an end user to read in the text file, so we added labels, the text you see in quotation marks. Look at the first one, “Installed OS: ”. After the colon we put a space, then the closing quote. We want this label joined with the data collected, so we add “+”, followed by our variable ps. Note that ps is not in quotes. If you put the variable name in quotes, Python will print the literal text ps to the file rather than the value the variable holds.

We want the text file to be readable, so each piece of data goes on its own line. This is where the next “+” comes in: we add a new line before the next variable is called by concatenating '\n', the newline character. Single and double quotes are interchangeable for a Python string literal; we used single quotes here only to set the newline apart from the labels, and "\n" would work just as well. The one place the choice matters is inside a single literal: a string written with double quotes cannot contain an unescaped double quote, and vice versa. You should see the pattern in this block of code by now, so we will not go into each piece at this time.
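The print statement above works, but a practitioner will want two things it does not give: the report written through a normal file handle instead of by reassigning sys.stdout (which swallows every later print, including error messages, and leaves the file open if the script crashes), and a hash of what was written so the text file can be verified later, as the second paragraph of this article suggests. The following is an added example, not code from the original post. It keeps the same platform, getpass, socket and os fields but leaves out the wmi, win32file and psutil parts so that it runs on any operating system. The function names, the "<unavailable>" placeholder, the _safe helper and the constructed sample in the usage note are assumptions of this example.

```python
import getpass
import hashlib
import os
import platform
import socket


def _safe(fn):
    """Call fn() and return None if it raises (hypothetical helper).

    On a live box a single failing lookup should not abort the whole
    collection run; the report shows the gap instead.
    """
    try:
        return fn()
    except Exception:
        return None


def collect_system_info():
    """Gather the OS and machine fields from the article into a dict.

    RAM total is left out: it needs psutil. On Linux platform.processor()
    is often an empty string, which format_report() renders as a placeholder.
    """
    return {
        "Installed OS": platform.system(),
        "OS Version": platform.release(),
        "OS Build": platform.version(),
        "Current Dir": os.getcwd(),
        "Machine Type": platform.machine(),
        "Processor": platform.processor(),
        "Current User Name": _safe(getpass.getuser),
        "Computer Name": _safe(socket.gethostname),
    }


def format_report(fields):
    """Render one 'Label: value' line per field, in insertion order.

    Missing or empty values become a visible placeholder (an assumption of
    this example) instead of the TypeError that "label" + None would raise.
    """
    lines = []
    for label, value in fields.items():
        if value is None or value == "":
            value = "<unavailable>"
        lines.append("%s: %s" % (label, value))
    return "\n".join(lines) + "\n"


def write_report(path, fields):
    """Write the report through a context manager (no sys.stdout juggling)
    and return the SHA-256 of the exact bytes written, for later verification."""
    data = format_report(fields).encode("utf-8")
    with open(path, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


def verify_report(path, expected_digest):
    """True if the file on disk still hashes to the digest recorded at write time."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_digest


if __name__ == "__main__":
    digest = write_report("HDserial.txt", collect_system_info())
    print("HDserial.txt written, sha256 = " + digest)
    print("verifies: " + str(verify_report("HDserial.txt", digest)))
```

Record the digest printed at collection time in your notes; if HDserial.txt is ever questioned, verify_report() tells you whether the file is byte-for-byte what the script wrote. Because the digest is computed from the same bytes handed to fh.write(), it covers exactly the report and nothing else.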

At this point your code should look like this:

# What modules will we be calling upon?
# We need to import them to have access to them within the code
import wmi
import sys
import win32file
import os
from psutil import virtual_memory
import platform
import getpass
import socket

# Variables
pr = platform.release()
ps = platform.system()
build = platform.version()
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
cdir = os.getcwd()

# Let's open our text file in the same location as our Python script
sys.stdout = open("HDserial.txt", "w+")

# What are we writing to file?
# The hard drive serial numbers, as called below
HDs = wmi.WMI()
for hdSerialnum in HDs.Win32_PhysicalMedia():
    # Tag looks like \\.\PHYSICALDRIVE0; replace() removes that exact prefix
    # (strip() removes any character in a set, which only worked by luck here)
    print(hdSerialnum.Tag.replace("\\\\.\\PHYSICAL", ""), hdSerialnum.SerialNumber)

# Add a line space
print("")

w = wmi.WMI()
for drive in w.Win32_LogicalDisk():
    # Size and FreeSpace come back as strings (or None for an unmapped share), hence str()
    print("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))
    isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE
    print("Network Drive: " + str(isNetworkDrive))

# Add a line space
print("")

# Print OS and machine information below
print("Installed OS: " + ps + '\n' + "OS Version: " + pr + '\n' + "OS Build: " + build + '\n' +
      "Current Dir: " + cdir + '\n' + "Machine Type: " + mType + '\n' + "Processor: " +
      pType + '\n' + "RAM Total: " + str(mem.total) + '\n' + "Current User Name: "
      + username + '\n' + "Computer Name: " + hostname + '\n')

# Let's close our text doc as we are done with it
sys.stdout.close()

When we run the code on our system, we get the following printed into our text document “HDserial.txt”. The output below came from Python 2, where print with a comma-separated list inside parentheses writes a tuple, hence the parentheses and u'' markers on the drive lines; under Python 3 the same lines come out as plain space-separated text:

(u'DRIVE1', u'B9E7B7654321')
(u'DRIVE0', u'0000_0000_0000_0010_0008_0D02_0049_203A.')

(u'Drive Letter: C:', 'HD Size: 1008621056000', 'Free: 827596435456')
Network Drive: False
(u'Drive Letter: D:', 'HD Size: 500088438784', 'Free: 375200677888')
Network Drive: False

Installed OS: Windows
OS Version: 10
OS Build: 10.0.17134
Current Dir: D:\myPython
Machine Type: AMD64
Processor: Intel64 Family 6 Model 158 Stepping 10, GenuineIntel
RAM Total: 34082058240
Current User Name: Emory Mullis
Computer Name: Casey

We will end it here and hope that it helps someone on their journey to learning Python and/or Python forensics. Happy coding, and until next time, keep learning!

 

Author - Emory Casey Mullis has been in law enforcement for roughly 20 plus years, including military and civilian law enforcement. He started learning about computers back when a Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now with many cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!
