Chapter 3. Using Python for Windows and Linux Forensics
In this chapter, we will focus on the parts of the forensic investigation that are specific to the operating systems. We chose the most widely used operating systems on the desktop and server systems—Microsoft Windows and Linux.
For both operating systems, we selected examples of interesting evidence and how to automate its analysis using Python. Consequently, in this chapter, you will learn the following:
- Analyzing the foundations of the Windows event log, selecting interesting parts, and automatically parsing them
- Organizing the Windows Registry and efficiently searching for Indicators of Compromise (IOC)
- Searching Linux local account information for IOC
- Understanding, using, and parsing Linux file metadata, with POSIX ACLs and file-based capabilities as the most prominent extensions to the standard metadata