
python script triage tool help  

Ceci N Pipe
(@ceci)
New Member

I've been tasked with developing a triage script in Python (mostly just because that's what I'm familiar with).

The main purpose is for use on .e01 images from devices with BitLocker partitions. I want the tool to be lightweight, basically be pointed at the target image and tell me what keys are present, so further decryption can be directed. This is fairly straightforward if you can read the raw hex and scan through metadata entries.

The main problem I'm having is reading the hex from the image in the first place due to the compression present in the .e01 format.

Does anyone know how to extract the raw hex data from an .e01 image to present it to a script in a convenient way?

Would it be easier to access the keys in an alternate method altogether?

I'd prefer not to have to mount the image at all and obviously avoid anything that might change any of the data since this is for use in a forensic environment.

 

Any help appreciated, thanks.

 

Topic starter Posted : 12/11/2020 5:19 pm
jaclaz
(@jaclaz)
Community Legend

Libewf has Python bindings, cannot say if they provide what you need.

https://github.com/libyal/libewf/

https://pypi.org/project/libewf-python/

jaclaz

Posted : 13/11/2020 6:33 pm
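An added example, not part of the posts above: one way to read the decompressed media through the libewf Python bindings (`pyewf`) without mounting, and scan each sector for the BitLocker `-FVE-FS-` signature. The function names, the 512-byte sector size and the assumption that the structures are sector-aligned are choices made for this sketch; it only locates the volume header and FVE metadata blocks, which is where parsing of the key entries would then start.

```python
import io
import sys

FVE_SIGNATURE = b"-FVE-FS-"   # BitLocker signature (volume header OEM ID, metadata block start)
SECTOR = 512                  # assumed sector size


def open_e01(first_segment):
    """Open an EWF image read-only via pyewf; returns a file-like handle."""
    import pyewf  # libewf-python; imported lazily so the scanner works without it
    handle = pyewf.handle()
    handle.open(pyewf.glob(first_segment))  # glob() collects .E01, .E02, ...
    return handle


def find_fve_signatures(stream, media_size, chunk_sectors=2048):
    """Return [(byte_offset, kind)] for every sector carrying the signature."""
    hits, offset = [], 0
    while offset < media_size:
        stream.seek(offset)
        chunk = stream.read(min(chunk_sectors * SECTOR, media_size - offset))
        whole = len(chunk) - len(chunk) % SECTOR
        if whole == 0:          # EOF or trailing partial sector
            break
        for pos in range(0, whole, SECTOR):
            if chunk[pos + 3:pos + 11] == FVE_SIGNATURE:
                hits.append((offset + pos, "volume header"))
            elif chunk[pos:pos + 8] == FVE_SIGNATURE:
                hits.append((offset + pos, "FVE metadata block"))
        offset += whole
    return hits


def build_sample_image():
    """Constructed test data: 64 zeroed sectors with three planted signatures."""
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR + 3:8 * SECTOR + 11] = FVE_SIGNATURE        # boot sector OEM ID
    img[20 * SECTOR:20 * SECTOR + 8] = FVE_SIGNATURE           # metadata block
    img[40 * SECTOR + 100:40 * SECTOR + 108] = FVE_SIGNATURE   # unaligned, ignored
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:       # path to the first segment, e.g. image.E01
        src = open_e01(sys.argv[1]); size = src.get_media_size()
    else:                       # no argument: run on the constructed sample
        data = build_sample_image(); src, size = io.BytesIO(data), len(data)
    for off, kind in find_fve_signatures(src, size):
        print(f"{off:#014x}  {kind}")
```

The handle returned by `pyewf` only reads from the segment files, so the evidence is not modified; the scanner itself accepts any object with `seek()` and `read()`.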