October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Using Python to automate forensics

Philip Polstra (Bloomsburg University of Pennsylvania)
1:30pm–5:00pm Monday, 10/31/2016
Tools and processes
Location: Rendezvous Trianon Level: Beginner
Average rating: *****
(5.00, 1 rating)

Prerequisite knowledge

  • Knowledge of basic programming concepts found in C, C++, Java, PERL, PHP, or similar languages
  • Familiarity with Python and Windows filesystems (useful but not required)

Materials or downloads needed in advance

  • Linux laptop with Python 2 and 3 installed. A virtual machine is acceptable for the workshop, but native Linux is preferred.

What you'll learn

  • Understand how Python can be applied to forensics
  • Discover a few things about FAT and NTFS filesystems


Philip Polstra offers an overview of Python basics before walking you through using Python to perform more challenging forensic tasks. You’ll gain a deeper understanding of FAT and NTFS filesystems and see firsthand how to glean pertinent information from a filesystem image in minutes with Python.

Topics include:

  • Interpreting a master boot record
  • Interpreting a volume boot record
  • Mounting a filesystem image on a Linux computer
  • Creating a timeline from filesystem timestamps
  • Locating deleted files and directories
  • Extracting files (including deleted ones) from filesystem images
  • Python variable types
  • Classes in Python
  • Reading files in binary mode
  • Using the struct module
  • Creating CSV files and other structured output
Photo of Philip Polstra

Philip Polstra

Bloomsburg University of Pennsylvania

Philip Polstra (aka Dr. Phil) is an internationally known hardware hacker and forensics specialist. Philip teaches computer security and digital forensics at Bloomsburg University of Pennsylvania, develops new penetration testing and forensics hardware, creates video courses for PentesterAcademy, O’Reilly, PluralSight, and others, and performs penetration tests on a consulting basis. Philip has made repeat performances at top conference around the world, including DEFCON, BlackHat, 44CON, GrrCON, BruCON, BSides, and ForenSecure, to name a few. He is also the author of several books, including Hacking and Penetration Testing with Low Power Devices (Syngress, 2014), Linux Forensics (Pentester Academy, 2015), Windows Forensics (Pentester Academy, 2016), and USB Forensics (Pentester Academy, 2017). When not teaching, pentesting, or speaking at a conference, Philip has been known to fly, teach others to fly, build aircraft, and create electronic devices with his children.

Comments on this page are now closed.


Picture of Philip Polstra
10/27/2016 11:31am EDT

You should be just fine without a gui. Another option that would also work is linux in a virtual machine. The only part of the workshop that specifically needs linux is mounting filesystem images.

Picture of Avi Zajac
10/27/2016 11:05am EDT

Do I need to have a GUI on my linux distro for this class? Unfortunately my main machine went down this last week. I am now using a Chromebook but am having an issue with any linux distro not recognizing the graphics card. If I am unable to troubleshoot prior am I still able to follow the tutorial with just the command line?