We as humans are all wired slightly differently. We have many outside influences that guide us in a direction to reach a similar goal. Our organization skills start at birth with our parents. The guidance our parents give us is a foundation for the start of our lives. We all at some point start accepting other guidance, such as our choice in friends as kids. Either way, we all organize life and things in our own way. We will move into organizing the data and files we collect. Remember, the best way to eat the whole pie is one bite at a time.
In our last article we collected data, created a file to dump it in, and a folder to place collected data and files. The issue we face is: how do we keep from overwriting each file and/or folder every time the script runs? The way we overcome this issue is by using the computer name as well as the date and time stamp from the computer itself.
We know from the previous articles that we first have to import modules, before we can access the information we are asking for. If we want to access date and time stamps, we will need to import another module.
Let’s add the module “datetime” and add to our list as follows:
import os
import wmi
import datetime  # <--- new module for date and time stamps
import sys
import platform
import getpass
import socket
from psutil import virtual_memory
import win32file
When we left off in the last article, our code would collect the data requested, create a file to dump collected data into, and a folder named based on the computer name. The first issue we need to fix is getting our file into the folder or directory we create. Where do we add the code that will achieve this goal for us?
Start at the top of the code where we left off, like so…
# What modules will we be calling upon?
# We need to import them to have access to them within the code
import os
import wmi
import datetime  # <---- New code added from above
import sys
import platform
import getpass
import socket
from psutil import virtual_memory
import win32file

# Variables
pr = platform.release()
ps = platform.system()
build = platform.version()
mem = virtual_memory()
username = getpass.getuser()
hostname = socket.gethostname()
mType = platform.machine()
pType = platform.processor()
cdir = os.getcwd()  # <-- We need to establish a variable for our current working directory
currentDT = datetime.datetime.now()  # <-- We need to set a variable for date time so we can access it later

# Function created at top as Python reads top down
def createFolder(directory):
    try:
        # If the directory is not here
        if not os.path.exists(directory):
            # Make the directory
            os.makedirs(directory)
    # Unless there is an error creating the directory
    except OSError:
        # Print to screen the following plus the directory name
        print('Error: Creating directory. ' + directory)

# Now we call our function from above, passing the host or computer name
createFolder(hostname)

# We created the directory to dump our files in, now we change to that location and set
# that as the current working directory
os.chdir(hostname)  # <-- we are changing the directory to the new one created using the host or computer name
cdir = os.getcwd()  # <-- we set the variable to the new directory so we can call it later
We are now working in the new directory, so when we execute the next bit of code, it will be created in the working directory. The next issue is, what if we need to run the code more than once on the same computer? This is where our date and time module will come into play. We will attach the date and time to the file name with the next bit of code.
Now that we have changed directories, this file will be created in the current working directory, but we need to make a few changes to the code below to make it work better for us. If you are following along in the series, you can find the previous code here:
sys.stdout = open("HDserial.txt", "w+")
The line above assigns “sys.stdout” to a file we open for writing, so everything the script prints from that point on is written to the file instead of the screen. What good is collecting data if we have nowhere to store it for later? Our new “sys.stdout” line will look like so…
sys.stdout = open("%s %s" % (hostname, (currentDT.strftime("%m%d%Y %H%M%S"))) + ".txt", "w+")
The “%s” is a string formatting placeholder, replaced in order by the values in the tuple that follows the “%”; you can read more about its use at these two links here:
“currentDT” is our variable we set at the top of our code in the list of variables. So what is “.strftime”?
“The method strftime() converts a tuple or struct_time representing a time as returned by gmtime() or localtime() to a string as specified by the format argument.
If t is not provided, the current time as returned by localtime() is used. format must be a string. An exception ValueError is raised if any field in t is outside of the allowed range.”
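The folder-plus-timestamped-file scheme described above, written as an added example that is not part of the original script. It keeps the article's “hostname timestamp.txt” naming and makes the directory idempotently, but writes through a file handle instead of swapping out sys.stdout, so the caller's working directory and console output are left untouched. The sortable format option and the sample data are assumptions of this example.

```python
import datetime
import os
import socket


def output_filename(hostname, when, fmt="%m%d%Y %H%M%S"):
    """Build '<hostname> <timestamp>.txt', the naming scheme used in the article.

    fmt defaults to the article's format. Passing "%Y%m%d_%H%M%S" instead
    (an assumption of this example, not part of the original script) gives
    names that sort chronologically in a directory listing.
    """
    return "%s %s.txt" % (hostname, when.strftime(fmt))


def write_report(base_dir, hostname, when, lines):
    """Create base_dir/<hostname>/ if needed and write lines to a timestamped file.

    Returns the full path of the file written. A second run on the same
    machine lands in the same folder under a different file name, so earlier
    collections are never overwritten.
    """
    folder = os.path.join(base_dir, hostname)
    os.makedirs(folder, exist_ok=True)  # no error if a previous run created it
    path = os.path.join(folder, output_filename(hostname, when))
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample lines standing in for the values the article's script collects.
    sample = ["user: labuser", "os: Windows", "hostname: %s" % socket.gethostname()]
    print(write_report(os.getcwd(), socket.gethostname(), datetime.datetime.now(), sample))
```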
Author - Emory Casey Mullis has been in Law Enforcement for roughly 20 plus years including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and/or the components inside. This was my starting point with computers and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!