PowerShell and Python Together: Targeting Digital Investigations
By Chet Hosmer
About this ebook
You will learn how to join PowerShell's robust set of commands, and its access to the internals of both the MS Windows desktop and enterprise devices, with Python's rich scripting environment, allowing for the rapid development of new tools for investigation, automation, and deep analysis.
PowerShell and Python Together takes a practical approach that provides an entry point and level playing field for a wide range of individuals, small companies, researchers, academics, students, and hobbyists to participate.
What You’ll Learn
- Leverage the internals of PowerShell for: digital investigation, incident response, and forensics
- Leverage Python to exploit already existing PowerShell CmdLets and aliases to build new automation and analysis capabilities
- Create combined PowerShell and Python applications that provide: rapid response capabilities to cybersecurity events, assistance in the precipitous collection of critical evidence (from the desktop and enterprise), and the ability to analyze, reason about, and respond to events and evidence collected across the enterprise
Who This Book Is For
System administrators, IT personnel, incident response teams, forensic investigators, professors teaching in undergraduate and graduate programs in cybersecurity, students in cybersecurity and computer science programs, and software developers and engineers developing new cybersecurity defenses.
Chet Hosmer
Chet Hosmer serves as an Assistant Professor of Practice at the University of Arizona in the Cyber Operations program, where he is teaching and researching the application of Python and Machine Learning to advanced cybersecurity challenges. Chet is also the founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using Python and other popular scripting languages. Chet has made numerous appearances to discuss emerging cyber threats including NPR, ABC News, Forbes, IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired Magazine. He has 7 published books with Elsevier and Apress that focus on data hiding, passive network defense strategies, Python Forensics, PowerShell, and IoT.
Book preview
PowerShell and Python Together - Chet Hosmer
© Chet Hosmer 2019
Chet Hosmer, PowerShell and Python Together, https://doi.org/10.1007/978-1-4842-4504-0_1
1. An Introduction to PowerShell for Investigators
Chet Hosmer, Longs, SC, USA
PowerShell provides a great acquisition engine for obtaining a vast array of information from live systems, servers, peripherals, mobile devices, and data-driven applications like Active Directory.
Because of Microsoft's decision to open PowerShell and provide the ability to acquire information from other non-Microsoft platforms such as Mac and Linux, the breadth of information that can be accessed is virtually limitless (with the proper credentials). Combine that with a plethora of built-in and third-party CmdLets (pronounced "command let") that can be filtered, sorted, and piped together, and you have the ultimate acquisition engine.
By adding a bridge from PowerShell to Python, we can now leverage the rich logical machine learning and deep analysis of the raw information acquired by PowerShell. Figure 1-1 depicts the core components that we will integrate in this book. The result will be a workbench for developing new innovative approaches to live investigations and incident response applications.
Figure 1-1. PowerShell and Python
A Little PowerShell History
PowerShell is a Microsoft framework that includes a command shell and a scripting language. PowerShell has traditionally been used by system administrators, IT teams, incident response groups, and forensic investigators to gain access to operational information regarding the infrastructures they manage. Significant evolution has occurred over the past decade, as depicted in Figure 1-2.
Figure 1-2. PowerShell evolution
How Is PowerShell Used Today?
PowerShell is most typically used to automate administrative tasks and examine the details of running desktops, servers, and mobile devices. It is used to examine both local and remote systems using the Common-Object-Model (COM) and the Windows Management Interface (WMI). Today, it can also be used to examine and manage remote Linux, Mac, and network devices using the Common Information Model (CIM).
How Do You Experiment with PowerShell?
PowerShell is typically already installed on modern Windows desktop and server platforms. If not, you can simply open your favorite browser, search for "Windows Management Framework 5", and then download and install PowerShell. PowerShell and PowerShell ISE (the Integrated Scripting Environment) are free.
I prefer using PowerShell ISE as it provides:
1. An integrated environment that aids in the discovery of, and experimentation with, CmdLets
2. The ability to write, test, and debug scripts
3. Easy access to context-sensitive help
4. Automatic completion of commands, which speeds both development and learning
Navigating PowerShell ISE
Once you have PowerShell ISE installed, you can launch it on a Windows platform by clicking the Start Menu (bottom left corner for Windows 8-10), searching for PowerShell ISE, and clicking the app as shown in Figure 1-3.
Figure 1-3. Launching PowerShell on Windows 10
Note
You can run PowerShell and PowerShell ISE with User privilege; however, to gain access to many of the rich acquisition functions needed, running PowerShell as Administrator is required. A word of caution as well: running as Administrator or User and executing CmdLets can damage your system or delete important files! Proceed with caution!
I typically add this to my Windows Taskbar for easy access, as shown in Figure 1-4. I have added both PowerShell and PowerShell ISE. The icon on the right in the highlighted box is ISE, and the one on the left is PowerShell. By right-clicking the PowerShell ISE icon, then right-clicking again on the Windows PowerShell ISE selection, you can choose to run PowerShell ISE as administrator. By doing so, you will have the ability to execute the widest range of PowerShell CmdLets and scripts.
Figure 1-4. Windows taskbar launching PowerShell ISE as administrator
Once launched, ISE has three main windows, as shown in Figure 1-5. Note that the scripting pane is not displayed by default but can be selected for view from the toolbar. I have annotated the three main sections of the application:
1. Scripting Panel: This panel provides the ability to create PowerShell scripts that incorporate multiple commands using the included PowerShell scripting language. Note that this is not where we typically start when developing PowerShell scripts. Rather, we experiment in the Direct Command Entry Panel first; then, once we have perfected our approach, we create scripts.
2. Direct Command Entry Panel: This panel is used to execute PowerShell CmdLets. The commands entered here are much more powerful than the ancestor Windows Command Line or DOS commands. In addition, the format and structure of these commands is much different and follows some strict rules. I will be explaining the verb–noun format and structure and providing more details and some examples in the next section.
3. Command Help Panel: This panel provides detailed help and information regarding every CmdLet available to us. However, I rarely use this area and instead request direct help using the Get-Help CmdLet to get information regarding CmdLets of interest, to learn how they operate, get examples of their use, and get details of all the options that are available.