First Book: (Mastering) Python Forensics

Beginning of 2015 PackPub came to Johann and me and ask us if we would like to write a book about Python-based forensic investigations. The idea of writing a book was really interesting for both of us, so we started to work on an agenda and outline. After several discussions with the publisher we created an outline that was acceptable for all of us and less than a year later (since October 2015) the book is available on Amazon and PackPub.

Mastering Python Forensics

What is the book about:

Digital forensic analysis is the process of examining and extracting data digitally and examining it. Python has the combination of power, expressiveness, and ease of use that makes it an essential complementary tool to the traditional, off-the-shelf digital forensic tools. This book will teach you how to perform forensic analysis and investigations by exploring the capabilities of various Python libraries. The book starts by explaining the building blocks of the Python programming language, especially ctypes in-depth, along with how to automate typical tasks in file system analysis, common correlation tasks to discover anomalies, as well as templates for investigations. Next, we’ll show you cryptographic algorithms that can be used during forensic investigations to check for known files or to compare suspicious files with online services such as VirusTotal or Mobile-Sandbox. Moving on, you’ll learn how to sniff on the network, generate and analyze network flows, and perform log correlation with the help of Python scripts and tools. You’ll get to know about the concepts of virtualization and how virtualization influences IT forensics, and you’ll discover how to perform forensic analysis of a jailbroken/rooted mobile device that is based on iOS or Android. Finally, the book teaches you how to analyze volatile memory and search for known malware samples based on YARA rules.

Our thoughts on it:

Writing a book is something totally different to anything else you have ever written before. Johann and me had a lot of experience in writing scientific papers, assessment reports as well as our dissertation, but – to be honest – that didn’t help as much as we thought.

The outcome is a book with about 190 pages full of practical Python code-snippets and explanations for various platforms (like Android and vSphere). We still think, that “Mastering” is a bit too high and something like “Advanced” would fit better – but this wasn’t our decision.

For the next book project we would definitely make things different, but nevertheless, the outcome is nice.


If you are interested in the book and want to get some more insights, Half Full of Security did a very good review of it – Many thanks again!

Where to get it:

We hope that this book will be of value for a larger amount of people in the DFIR community!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.