- Learning Python for Forensics
- Preston Miller Chapin Bryce
- 322字
- 2021-07-02 16:41:13
Introducing our script
The setupapi_parser.py script will be developed to parse the setupapi.dev.log file on Windows 7 and higher. Equipped with only modules from the standard library, we will open and read a setupapi.log file, identify and parse relevant USB information, and display it to the user in the console. As mentioned in the introduction, we will use an iterative build process to mimic a natural development cycle. Each iteration will build upon the previous while we explore new features and methods. We will encourage the development of additional iterations with challenges at the end of the chapter.
Overview
Before developing any code, let's identify the requirements and features our script must possess to accomplish the desired task. We will need to execute the following steps:
- Open the log file and read all lines.
- In each line, check for indicators of USB device entry.
- Parse responsive lines for timestamp and device information.
- Output the result to the user.
Now, let's examine the log file of interest to determine repetitive structures we can use as footholds in our script to parse relevant data. In the sample USB entry below, we see the device information on line 1 following the text "Device Install (Hardware initiated) ". This device information contains the vendor ID, device product ID, device revision, and the Unique ID of the device.
Each of these elements is separated by either an & or \ character and may contain some additional inconsequential characters. The installation time is recorded on line 2 following the ">>> Section start " text. For our purposes, we are only interested in these two lines. All other surrounding lines will be ignored.
001 >>> [Setup online Device Install (Hardware initiated) - pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&18d45aa6&0&a9]
002 >>> Section start 2010/11/10 10:21:12.593
003 ump: Creating Install Process: DrvInst.exe 10:21:12.593
004 ndv: Retrieving device info...
005 ndv: Setting device parameters...
006 ndv: Searching Driver Store and Device Path...
007 dvi: {Build Driver List} 10:21:12.640
- Java系統(tǒng)分析與架構(gòu)設(shè)計(jì)
- Learning Real-time Processing with Spark Streaming
- Learning RxJava
- .NET 4.0面向?qū)ο缶幊搪劊夯A(chǔ)篇
- RTC程序設(shè)計(jì):實(shí)時(shí)音視頻權(quán)威指南
- Oracle從入門到精通(第5版)
- Learning OpenStack Networking(Neutron)
- Windows內(nèi)核編程
- Spring技術(shù)內(nèi)幕:深入解析Spring架構(gòu)與設(shè)計(jì)原理(第2版)
- Django實(shí)戰(zhàn):Python Web典型模塊與項(xiàng)目開(kāi)發(fā)
- Python計(jì)算機(jī)視覺(jué)和自然語(yǔ)言處理
- Python函數(shù)式編程(第2版)
- After Effects CC案例設(shè)計(jì)與經(jīng)典插件(視頻教學(xué)版)
- Python計(jì)算機(jī)視覺(jué)與深度學(xué)習(xí)實(shí)戰(zhàn)
- 現(xiàn)代C++語(yǔ)言核心特性解析