Python Forensics


What makes an excellent digital forensics investigator is the knowledge and skill to automate the stages of a forensic investigation using the Python programming language. Many laboratories rely on Python to build basic models for predictions and to run experiments, and it is also used to control critical operational systems. Python has built-in capabilities that support digital investigations and help protect the integrity of evidence during an investigation. This training gives students the stepping stones to take their forensics skills to the next level by combining them with powerful Python scripting.

Duration: 40 Hours

Target Audience

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • IT security personnel
  • Junior-Cyber forensics analysts

Prerequisites

  • ThinkCyber Level-1 Courses

Objectives

  • Learning to work with different modules to accomplish tasks
  • Analyzing artifacts left on a compromised system using Python
  • Performing network traffic monitoring and analyzing logs


Module 1: Introduction To Python

During this module, students will be introduced to the world of Python. Students will learn to install Python and its additional modules, write basic scripts, create socket clients and servers, and work with files.

  • Introduction to Python Scripting
    o Installing Python
    o Python Basics
  • Variables and Booleans
  • Dictionaries and Tuples
  • Conditional Statements
  • While and For Loops
  • Scoping and Subroutines
  • Exceptions, Testing, Comprehensions
  • File I/O
  • OS and Networks
    o Using PIP to Install Additional Modules
    o The OS Module
      ▪ os.stat()
      ▪ os.walk()
      ▪ os.environ
    o Sockets
      ▪ Simple HTTP Request
      ▪ Network Client and Server

Module 2: Basic Python Network Forensics

This module covers network forensics; students will learn to install and work with a variety of network frameworks and tools, and to capture, analyze, recover, and visualize network traffic from traces.

  • Pandas and Scapy
    o Introduction to Scapy
    o Crafting Raw Packets with Scapy
      ▪ Sending DNS Requests
      ▪ Replacing the Default ICMP Payload
      ▪ ARP Packets
    o Communicating with SSL
    o Introduction to Numpy
      ▪ NumPy Basics
      ▪ Universal Functions
      ▪ Boolean Indexing
    o Pandas Basics
      ▪ Vector Operations
      ▪ String Operations
    o Pandas DataFrame Basics
  • Analyzing Network Traces
    o DSHELL Framework
    o Network Traces Statistics
    o Visualizing Network Traces
    o Converting Pcap to Pandas DataFrame
    o Basic Payload Investigation

Module 3: Python OS Forensics

Python OS forensics is a core component of Python forensics; this module covers forensics on both of today's primary operating systems, as well as image manipulation and metadata analysis.

  • Python Forensics in Windows
    o Basic File Metadata
    o Data Representation
    o Carving Data and Metadata
    o Analyzing Windows Artifacts
    o Windows Event Logs Handling
  • Python Forensics in Linux
    o The Linux Filesystem
      ▪ Understanding inodes
      ▪ File Capabilities
      ▪ Basic File Metadata
    o Analyzing Users' Command Histories
    o Capturing Images
    o Extracting Objects from Images
    o Memory Capture and Analysis

Module 4: Advanced Forensics

During this module, students will learn to work with advanced networking techniques.

  • Advanced Forensics
    o Advanced Networking
      ▪ Replaying Network Traces
      ▪ Performing Basic Attacks
    o Working with Data
    o Twisted Python
      ▪ Twisted Reactor
      ▪ Twisted Deferreds
      ▪ Twisted Transport
    o Footprinting Applications