Python Tutorial w/Forensics Emphasis

In all of these cases, the second value in the bitwise operation is known as the "bit mask".

Introduction to the Language

The Interpreter

Because it is an interpreted language, Python code doesn't need to be compiled. Using the interpreter allows you to test code snippets quickly.

Some useful tools in the interpreter:

• dir() Lists all variables and functions in an object.
• help() Shows the embedded help for any object, function, or variable... as long as it was written.

Variables

In Python:

• Variables are "dynamically typed"
• Everything is an object and has callable functions (use dir to list them)

String formatting information: https://docs.python.org/3/library/string.html#format-string-syntax

Control Flow Tools

Slicing

A technique for selecting subsections of an array-like structure (strings, lists, tuples):

• Indexing with brackets [i]
• Indexing from the end [-1]
• Basic slicing [0:3] or [:3]
• Slice all [:]
• Slicing with skips [0:6:2] or [:6:2]
• Crazy combo [-1:1:-2]

Remember:

[start:stop:skip]

Uses

Python 3

Indentation

Usually the hardest thing for new Python programmers to get used to...

Blocks of code in Python are identified by indentation, not by curly braces.

if True:

print("Python rocks!")

The best practice is to use 4 spaces, not tabs. Either will do, just don't mix them!

Off on a Tangent:

Bitmasking

Bitwise operations can be used in ways you may not be familiar with! You can use OR, AND, and XOR to compose, extract, and toggle specific bit values, respectively.

Introduction to Using Python for Forensics

Bitwise XOR

Bitwise AND

Bitwise OR

Bitwise XOR can be used to toggle specific bit positions:

Bitwise AND can be used to set specific bit positions to 0:

Bitwise OR can be used to set specific bit positions to 1:

Consider starting with a 8-bit long bit string representing 96d and we want to switch all the bit values:

01100000

XOR 11111111

------------------

10011111

An interesting consequence of this is that we can extract the values of bits at certain positions by placing 1's in the bit mask:

11101110

AND 01111000

------------------

01101000

Consider starting with a 8-bit long bit string representing 239d and we want to set the last bit to 0b (make the number 238d):

11101111

AND 11111110

------------------

11101110

So we can use this to combine two bit strings into a single one:

01100000

OR 10000110

----------------

11100110

Consider starting with a 8-bit long bit string representing 96d and we want to set the last bit to 1b (make the number 97d):

01100000

OR 00000001

----------------

01100001

A fast, easy, expressive, and concise way to work with data

Taking Things to the Next Level

Dealing with Data Types

isinstance(X, str)

Is True if X is a string, works with all types and classes, including inherited classes (works like you'd think)

Checking Type

type(a_variable)

Shows the type in the interpreter

Binary:

>>>int('101', 2)

5

>>>"{0:b}".format(13)

'1101'

Files

Hex:

>>> import codecs

>>> codecs.encode(b'hello', 'hex')

b'68656c6c6f'

>>> codecs.decode('776f726c64', 'hex')

'world'

See https://docs.python.org/3/library/codecs.html#standard-encodings

for more encodings

Opening

fin = open(name[, mode])

where

name is the file

mode is 'r', 'w', 'a'

binary with 'rb', 'wb', 'ab'

Data Extraction

with open("spam.txt") as fin:

# Do stuff

pass

Exception handling and closing the file are automatically done with "with"

Structs

Struct objects allow you to "pack" and "unpack" binary data (just like you can with a struct in C) using a format string.

import struct

my_struct = struct.Struct("ii10s")

mydata = my_struct.unpack(byte_data)

Struct objects support many different data types in the format string. For the complete list, see https://docs.python.org/3/library/struct.html#format-strings

Example

Working with Bits

Scenario

A database has a number of fields in the following format:

• 4 byte index (int)
• 25 byte address (str)
• 3 byte zip code (int)
• 21 byte name (str)
• 10 byte phone # (str)
• 1 byte newline (\n)

Quick Side Note:

Options for Parsing Command Line Arguments

Shifting

argparse and optparse: Both are an object-oriented approach to the whole process of specifying and retrieving arguments. This makes them a little complex and hard to remember. Both are part of the Python standard library.

X >> Y

Shift X right by Y bits

X << Y

Shift X left by Y bits

n = 0

with open('file_test2.binary', 'rb') as fin:

bits = 0

while True:

b = fin.read(1)

if not b:

break

n = n | (int.from_bytes(b, "big") << bits)

bits += 8

print(n)

docopt: Follows the POSIX standard for program usage specification, and takes the script's "docstring" as input. Automatically checks that the combination of arguments is correct. Provides a dictionary as output. Has to be installed manually. Used to be my favorite. http://docopt.org

Can you figure out how to do this in only 2 lines of code?

click: Brought to you by the same people that created Flask, the web micro-framework. Uses decorators to route commands to the functions that handle them. Pretty easy to get up and running. Currently my favorite.

https://click.palletsprojects.com/

Have fun getting to know Python!

Any questions?

Feel free to email me at:

mmabey@asu.edu