Monday, October 24, 2005

Perl for Forensics

Perl is freely available, and Perl scripts are essentially open source. Perl is used by forensics products such as The Sleuthkit and ProDiscover, and by the Metasploit framework. Perl is great for automating repetitive tasks and parsing files...and it's free. Perl runs on Windows, most Unices, the Mac, and a plethora of other platforms.

O'Reilly has a ton of books on Perl...from how to program to how to use Perl for a variety of tasks.

So my question is, how useful would a book on using Perl for forensics be to you? Say, a reference tome that discusses:
  • Collecting live/volatile data using Perl
  • Correlating data from multiple sources using Perl
  • Analyzing data, or presenting data for analysis
  • Analyzing file formats (retrieving metadata, etc.)

Obviously, a book like this should include copies of all code used or mentioned in the book. As ProDiscover uses Perl as its scripting language, a book such as this should also include a variety of "ProScripts". The book should also include not only the files analyzed in the book, but additional example files that the reader can explore and practice on...perhaps even an image of a drive to examine.

Is this a book you'd be interested in? If so, what would you like to see? What topics do you think should be covered? How would you envision such a book, particularly as something that you'd pick up off of a shelf at a bookstore and decide to purchase? What do you see as the market for such a book?

3 comments:

DJ said...

Definitely would be interested! I'd like to see a book about using Perl to fire off dd (or dcfldd, I think it is) / md5sum scripts for imaging and/or detection of ATA parameters to squeeze out the fastest performance possible.

Also would like to have a collection of scripts that automatically grab data, if possible, from an image and put it into a single report. Things like event logs, deleted files, registry, etc.

Keydet89 said...

I'd like to see a book about using Perl to fire off dd...

Something this narrow in scope wouldn't require a book...and a book on that subject wouldn't be something publishers would be interested in.

Also would like to have a collection of scripts that automatically grab data, if possible, from an image and put it into a single report. Things like event logs, deleted files, registry, etc.

I've been collecting scripts and bits of code as I've worked with ProDiscover.

The most important question is...what would you want to see? I can't believe that you'd want all of the Event Logs and the entire Registry simply dumped into a report. Can you be more specific about the types of things you'd like to see?

Mark McKinnon said...

Along with the ProDiscover stuff, it would be interesting to see how a database could be generated (i.e., SQLite) that could augment the current open source tools to store information like event logs, mactimes, etc. You could then use Perl to parse this database and report off of it. Writing reports in XML and Excel formats, etc.
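The database idea in the comment above, as an added example that is not part of the original post or any commenter's code: a Perl script that loads Sleuthkit body-file (mactime) records into a SQLite table with DBI/DBD::SQLite and then reports every file modified or created inside a window of interest. The body-file lines, the column layout (TSK 3.x style, assumed here), the timestamps and the window are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example: body-file records -> SQLite -> timeline report.
use strict;
use warnings;
use DBI;
use POSIX qw(strftime);

# Constructed sample body-file lines (TSK 3.x layout assumed):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
my @body = (
  '0|C:/Windows/System32/config/SAM|1001|r/rrwxrwxrwx|0|0|262144|1130100000|1130100000|1130100000|1100000000',
  '0|C:/Windows/System32/sample.exe|1002|r/rrwxrwxrwx|0|0|40960|1130100600|1130100500|1130100500|1130100500',
  '0|C:/Windows/Prefetch/SAMPLE.EXE-1A2B3C4D.pf|1003|r/rrwxrwxrwx|0|0|8192|1130100610|1130100610|1130100610|1130100610',
);

# timeline.db is a hypothetical output file name
my $dbh = DBI->connect('dbi:SQLite:dbname=timeline.db', '', '',
                       { RaiseError => 1, AutoCommit => 0 });
$dbh->do('DROP TABLE IF EXISTS mactimes');
$dbh->do(<<'SQL');
CREATE TABLE mactimes (
  name TEXT, inode INTEGER, size INTEGER,
  atime INTEGER, mtime INTEGER, ctime INTEGER, crtime INTEGER
)
SQL

# Load only the fields the report needs; skip malformed lines
my $ins = $dbh->prepare('INSERT INTO mactimes VALUES (?,?,?,?,?,?,?)');
for my $line (@body) {
    my @f = split /\|/, $line;
    next unless @f == 11;
    $ins->execute(@f[1, 2, 6, 7, 8, 9, 10]);
}
$dbh->commit;

# Report: files modified or created inside the window (constructed epoch values)
my ($start, $end) = (1130100400, 1130100700);
my $sth = $dbh->prepare(<<'SQL');
SELECT name, mtime, crtime FROM mactimes
WHERE (mtime BETWEEN ? AND ?) OR (crtime BETWEEN ? AND ?)
ORDER BY mtime
SQL
$sth->execute($start, $end, $start, $end);
while (my ($name, $m, $cr) = $sth->fetchrow_array) {
    printf "%-45s m=%s cr=%s\n", $name,
        strftime('%Y-%m-%d %H:%M:%S', gmtime $m),
        strftime('%Y-%m-%d %H:%M:%S', gmtime $cr);
}
$dbh->disconnect;
```

Once the records are in SQLite, the same table can feed an XML or spreadsheet writer instead of printf, which is the reporting step the comment describes.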