#7 Moving along...


We have a couple of sayings that we love here. The first is “Life is but a journey, so let’s make it a good one!” The second is “There is no such thing as a problem, only solutions!” We get one life, so why not make it a good one? Many see the problem but can’t see past it to get to the solution. Did you do something today that made this day worth living, for yourself or someone else? Did you solve a problem that needed solving, for yourself or someone else? If not, then why not? We all have it in us to do these things, if we choose to do so. Moving along…

 

We have a few problems with our code so far. The first is: what if we need to run this code from a USB drive on multiple computers at a scene? The way it is right now, we would just overwrite the file each time we ran it. So, what could be a solution for this problem? What if we create a directory (also called a folder) on the root of our USB drive? That sounds like a solution, but how will we know which directory belongs to which computer? What if we create the directory with the assigned computer name of the system that the code is being run on? That sounds plausible, so let’s take a look at what we will need to do to make it happen.

We introduced variables in “Sucking it all in”, and this time we will be introducing “functions” into our code. What is a function, you may ask? Well, let’s see:

“A function is a block of organized, reusable code that is used to perform a single, related action. Functions provide better modularity for your application and a high degree of code reuse. As you already know, Python gives you many built-in functions like print(), etc., but you can also create your own functions.”

Let’s take a quick look at our code so far, with comments in it (comments start with # in Python):

# What modules will we be calling upon?
# We need to import them to have access to them within the code
import wmi
import sys
import win32file
import os
from psutil import virtual_memory
import platform
import getpass
import socket

# Variables
pr = platform.release()
ps = platform.system()
build = platform.version()
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
cdir = os.getcwd()

# Let's open our text file in the same location as our Python script
sys.stdout = open("HDserial.txt", "w+")

# What are we writing to file?
# The hard drive serial numbers, as called below
HDs = wmi.WMI()
for hdSerialnum in HDs.Win32_PhysicalMedia():
    # strip() removes that set of characters from both ends of the Tag,
    # so a Tag such as \\.\PHYSICALDRIVE0 is printed as DRIVE0
    print(hdSerialnum.Tag.strip("\\.\\PHYSICAL"), hdSerialnum.SerialNumber)

# Add a line space for readability
print("")

# Let's print out the drive assigned letters, size, free space, and if network or not
w = wmi.WMI()
for drive in w.Win32_LogicalDisk():
    print("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))
    isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE
    print("Network Drive: " + str(isNetworkDrive))

# Add a line space for readability
print("")

# Let's call upon the variables we created above and add some text for readability later
print("Installed OS: " + ps + '\n' + "OS Version: " + pr + '\n' + "OS Build: " + build + '\n' +
      "Current Dir: " + cdir + '\n' + "Machine Type: " + mType + '\n' + "Processor: " +
      pType + '\n' + "RAM Total: " + str(mem.total) + '\n' + "Current User Name: "
      + username + '\n' + "Computer Name: " + hostname + '\n')

# Let's close our text doc as we are done with it for now
sys.stdout.close()

We can now see what each piece of code is for and what it is doing. It is good practice to add comments to your code so that others who may be helping on the project will know what you were doing. It is not just good for others but for yourself as well. What happens when you put the project on the back burner and go back to it a month or a few later? Comments will save you time trying to figure out what you were doing or where you left off. Comments do not hurt anything, unless you do not use them.

We now will create our first function to create our directory, like so:

# Function created at top as Python reads top down
def createFolder(directory):
    try:
        # If the directory is not here
        if not os.path.exists(directory):
            # Make the directory
            os.makedirs(directory)
    # Unless there is an error creating the directory
    except OSError:
        # Print to screen the following plus the directory name
        print('Error: Creating directory. ' + directory)

# Now we call our function from above, passing the hostname as the directory name
createFolder(hostname)

We will need to place this code below the variables in our code. As you may have guessed, we are calling the function with a variable called “hostname”, but we do not have it yet. So, make sure to put the following under the variables:

hostname = socket.gethostname()
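The same idea, written as an added example rather than the series' own code, in a form that runs on any operating system and can be pointed at any base folder (a USB root, or a temporary directory in a test). It assumes two things the article's listing does not have: a base path passed in as a parameter instead of relying on the current directory, and os.makedirs(exist_ok=True) so that running the script twice on the same computer is not an error. It also goes one step beyond the article by writing the report into the computer's own folder, and it reduces the hostname to a safe single path component first, so that an odd hostname cannot name a folder outside the base directory. The sample hostnames and report lines are constructed here, not collected from WMI.

```python
import os
import re
import socket

# Characters allowed in a folder name derived from a hostname; anything else
# is replaced so the name stays a single path component (no slashes, no drive letters).
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_dir_name(hostname):
    """Reduce a hostname to a name that is safe to use as one folder name."""
    name = _UNSAFE.sub("_", hostname.strip())
    # A name made only of dots ("." or "..") would refer to the current or
    # parent folder instead of naming a new one.
    if not name or set(name) <= {"."}:
        name = "unknown-host"
    return name


def create_folder(base, hostname):
    """Create <base>/<hostname> if needed and return its path, or None on failure.

    Unlike the article's createFolder, this uses only its parameters, so it can
    be called for any base path and is easy to test.
    """
    target = os.path.join(base, safe_dir_name(hostname))
    try:
        os.makedirs(target, exist_ok=True)  # second run for the same host is fine
    except OSError as err:
        print("Error: Creating directory. " + target + " (" + str(err) + ")")
        return None
    return target


def write_report(base, hostname, lines, filename="HDserial.txt"):
    """Write the report lines into the host's own folder and return the file path.

    Opening the file explicitly, instead of reassigning sys.stdout as the
    article's listing does, keeps the console free for error messages.
    """
    folder = create_folder(base, hostname)
    if folder is None:
        return None
    path = os.path.join(folder, filename)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample run: two made-up computer names plus this machine's
    # name stand in for three computers examined from one USB drive.
    import tempfile
    usb_root = tempfile.mkdtemp(prefix="usb_")  # stands in for the USB root
    for host in ("FORENSIC-PC01", "FORENSIC-PC02", socket.gethostname()):
        report = ["Computer Name: " + host, "DRIVE0 SAMPLE-SERIAL (constructed)"]
        print("wrote", write_report(usb_root, host, report))
```

Each computer gets its own folder under the base path, so the report for the second machine never overwrites the report for the first, and the folder name still identifies the computer it came from.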

Your code should look like this at this point in time:

# What modules will we be calling upon?
# We need to import them to have access to them within the code
import os
import wmi
import sys
import platform
import getpass
import socket
from psutil import virtual_memory
import win32file

# Variables
pr = platform.release()
ps = platform.system()
build = platform.version()
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
cdir = os.getcwd()

# Function created at top as Python reads top down
def createFolder(directory):
    try:
        # If the directory is not here
        if not os.path.exists(directory):
            # Make the directory
            os.makedirs(directory)
    # Unless there is an error creating the directory
    except OSError:
        # Print to screen the following plus the directory name
        print('Error: Creating directory. ' + directory)

# Now we call our function from above, passing the hostname as the directory name
createFolder(hostname)

# Let's open our text file in the same location as our Python script
sys.stdout = open("HDserial.txt", "w+")

# What are we writing to file?
# The hard drive serial numbers, as called below
HDs = wmi.WMI()
for hdSerialnum in HDs.Win32_PhysicalMedia():
    # strip() removes that set of characters from both ends of the Tag,
    # so a Tag such as \\.\PHYSICALDRIVE0 is printed as DRIVE0
    print(hdSerialnum.Tag.strip("\\.\\PHYSICAL"), hdSerialnum.SerialNumber)

# Add a line space for readability
print("")

# Let's print out the drive assigned letters, size, free space, and if network or not
w = wmi.WMI()
for drive in w.Win32_LogicalDisk():
    print("Drive Letter: " + drive.Caption, "HD Size: " + str(drive.Size), "Free: " + str(drive.FreeSpace))
    isNetworkDrive = win32file.GetDriveType(drive.Caption) == win32file.DRIVE_REMOTE
    print("Network Drive: " + str(isNetworkDrive))

# Add a line space for readability
print("")

# Let's call upon the variables we created above and add some text for readability later
print("Installed OS: " + ps + '\n' + "OS Version: " + pr + '\n' + "OS Build: " + build + '\n' +
      "Current Dir: " + cdir + '\n' + "Machine Type: " + mType + '\n' + "Processor: " +
      pType + '\n' + "RAM Total: " + str(mem.total) + '\n' + "Current User Name: "
      + username + '\n' + "Computer Name: " + hostname + '\n')

# Let's close our text doc as we are done with it for now
sys.stdout.close()

If we run our code at this point, we will see that everything works as it should, as in the screenshot below:

As we can see, our text file was created as coded and our directory/folder was created as coded. We now have to work on the code to move our text file into our directory/folder. We will work on this in the next article, as well as giving our text file a unique name so we don’t overwrite it each time we run the code.

Thanks for stopping by and checking us out, and as always, we hope this helps someone on their journey learning Python forensics. Please keep checking back, as we will keep this series going until we have a great tool for live capture.

 

Author - Emory Casey Mullis has been in Law Enforcement for roughly 20 plus years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” Those were my humble beginnings as a Cyber Investigator. Now, with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!
