The field of information security is constantly changing, and keeping up with it is quite fun and interesting. The projects below reflect some of the publications & development projects I have worked on in an effort to share back with the community. Since they are all side projects, they do not get the attention they deserve to be used in production environments or casework. Please treat them as experimental.
An online e-book full of tried and tested snippets useful for handling small yet common tasks encountered in scripting for DFIR. This repository is open source and is continuously growing to include examples for writing CSV reports, parsing Registry hives, analyzing Windows event logs, and more. It is open for the community to contribute new approaches and to leverage the existing snippets in their own custom scripting exercises.
Updated version of the introductory Learning Python for Forensics book, moving scripts to Python 3.7 and introducing the latest libraries. This book features a new chapter focused on leveraging Python and Windows libraries to collect volatile information from a host. This book is available for Paperback & E-Book orders.
This Mastodon/Twitter bot reports on the RDP scanning activity against an RDP honeypot. The daily statistics include GeoIP, user account, and other datapoints that are summarized and publicly shared in pastes. Additionally, the process of setting up your own snitch is documented in a blog series, below.
In this book, Preston Miller and I exhibit many of the Python libraries commonly used in digital forensics through small scripts (or recipes). Across the 60+ recipes, we explore how to process files with embedded metadata, parse common file and registry artifacts, process evidence stored as E01 files, integrate Python with common tools such as Axiom, EnCase, and Cellebrite, and much more. This book is available for Paperback & E-Book orders.
Co-authored a book on the use of Python in Forensics at an introductory level with Preston Miller. This book teaches the art of designing, developing, and deploying innovative forensic solutions through Python. Available as Paperback & E-Book.
Chickadee provides a command line interface for extracting, enriching, and reporting on contextualized GeoIP data. This tool is meant to provide a library for use in other applications, as well as an extensible framework to support other enrichment sources. The Python version is being actively replaced by a similar Rust-based version in order to increase performance and reliability. See chickadee-rs.
Mantech's Triage and Analysis System automates many open source forensic tools to provide insight to points of analysis available within an unknown data set.
Developed a set of 3 notebooks that step through the basics required to build Python tools for forensics. The 3 examples include a basic introduction to Python, creating a simple timeline, and parsing the Registry.