- Learning Python for Forensics
- Preston Miller Chapin Bryce
- 322字
- 2021-07-02 16:41:13
Introducing our script
The setupapi_parser.py script will be developed to parse the setupapi.dev.log file on Windows 7 and higher. Equipped with only modules from the standard library, we will open and read a setupapi.log file, identify and parse relevant USB information, and display it to the user in the console. As mentioned in the introduction, we will use an iterative build process to mimic a natural development cycle. Each iteration will build upon the previous while we explore new features and methods. We will encourage the development of additional iterations with challenges at the end of the chapter.
Overview
Before developing any code, let's identify the requirements and features our script must possess to accomplish the desired task. We will need to execute the following steps:
- Open the log file and read all lines.
- In each line, check for indicators of USB device entry.
- Parse responsive lines for timestamp and device information.
- Output the result to the user.
Now, let's examine the log file of interest to determine repetitive structures we can use as footholds in our script to parse relevant data. In the sample USB entry below, we see the device information on line 1 following the text "Device Install (Hardware initiated) ". This device information contains the vendor ID, device product ID, device revision, and the Unique ID of the device.
Each of these elements is separated by either an & or \ character and may contain some additional inconsequential characters. The installation time is recorded on line 2 following the ">>> Section start " text. For our purposes, we are only interested in these two lines. All other surrounding lines will be ignored.
001 >>> [Setup online Device Install (Hardware initiated) - pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&18d45aa6&0&a9]
002 >>> Section start 2010/11/10 10:21:12.593
003 ump: Creating Install Process: DrvInst.exe 10:21:12.593
004 ndv: Retrieving device info...
005 ndv: Setting device parameters...
006 ndv: Searching Driver Store and Device Path...
007 dvi: {Build Driver List} 10:21:12.640
- 深入理解Django:框架內(nèi)幕與實(shí)現(xiàn)原理
- Flask Web開(kāi)發(fā)入門(mén)、進(jìn)階與實(shí)戰(zhàn)
- Cassandra Data Modeling and Analysis
- HTML5+CSS3網(wǎng)站設(shè)計(jì)基礎(chǔ)教程
- OpenStack Orchestration
- Java網(wǎng)絡(luò)編程核心技術(shù)詳解(視頻微課版)
- Extending Unity with Editor Scripting
- Instant jQuery Boilerplate for Plugins
- The Statistics and Calculus with Python Workshop
- Pandas 1.x Cookbook
- Tkinter GUI Programming by Example
- 區(qū)塊鏈原理與技術(shù)應(yīng)用
- 數(shù)據(jù)結(jié)構(gòu)案例教程:C語(yǔ)言版
- Python程序設(shè)計(jì)教程
- Play Framework Essentials