Year of Python (YOP) – Week Two

11Jan15

Hello reader!

So far so good. I’ve made it to my second week, and to a second snippet of code.

This week, I’m starting to put together a script I’ve been wanting to create for a few months. I use X-Ways Forensics (http://www.x-ways.net/forensics/) as my primary forensics tool. Along with the NIST hashes that are available for examiners to use, I like to use the hash lists that are available from VXShare. Normally the process I use is to download the file, edit the header of the file (X-Ways hash files have to have “MD5” as the header line of the file), and then import it into X-Ways.

When I’m setting up a new instance of X-Ways, it’s not always practical to copy the hash database from one machine to another (or I might have hashes in one hash database that I don’t want to include in a fresh install). So what I wanted to do was create a script that could download all the hash files, edit the header, and then move them to a location of my choosing so I can import them into X-Ways.

For this week, I’ve put together the code to download all the hash files from the site to a specific location. I’m using the Requests module because I’ve played around with it and it’s a nice alternative to the built-in urllib module that comes with Python.

So the first thing the script does is set some baseline items. I create a config file that we’ll use to track the next MD5 hash file to check for on each run. Then we put together the URL that we’re going to be pulling the data from. One point to note is that the VXShare file names end in a zero-padded 5 digit numeric value, so when we put together the actual file name we want to look for, we need to add the 5 digit padding, which is what this line:

vxshare_file_name = "VirusShare_{:05d}.md5".format(vxshare_no)

takes care of. We also set a flag (file_is_valid) to True so that, as long as there is a valid file on the VXShare site that we can download, we keep increasing the value of vxshare_no.

So then we come to this piece of code:

if vxshare_requests.status_code == 200:
    with open(vxshare_file_name, "wb") as hash_file:  # "wb": write the bytes exactly as received
        print("Downloading {}...\n".format(vxshare_file_name))
        hash_file.write(vxshare_requests.content)
else:
    # Anything other than 200 is taken to mean there are no more files:
    # stop the loop and record the number to resume from on the next run.
    file_is_valid = False
    vxshare_config.write(str(vxshare_no))
vxshare_no += 1

This section handles most of the work. It looks at the return code from each request we make for a hash file. If the file exists (200), we notify the user that we’re downloading the file and then pull it down. If we get anything other than a return code of 200, we assume the file does not exist: we set our file_is_valid variable to False, write the number we’ll need to check for the next time we run the script to the config file, and exit the loop. At that point, we notify the user that all the files have been pulled down, close the config file, and exit.
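Here is the whole loop as an added example (my code, not the post’s or the YOP repository’s), written for Python 3 against the standard library rather than Requests so it runs without extra dependencies. The fetcher is injectable, and demo() at the bottom runs the loop against a constructed fake site instead of the real one. The base URL, the assumption that “#”-prefixed lines in a downloaded list are comments, and the config-file layout (just the next number as text) are my assumptions. It goes beyond the post’s code in two ways a practitioner would want: only a 404 is treated as the end of the sequence (a 503 or 429 is retried, so a server hiccup doesn’t make the script record a wrong next number), and a 200 response is sanity-checked as a list of 32-hex MD5 lines before it is written, because sites sometimes return an HTML error or login page with status 200.

```python
"""Sequential download of VirusShare_<nnnnn>.md5 lists, resuming from a config file.
Added example for this post, not the blog's own code. Assumed: the URL layout in
BASE_URL, '#' lines in a list are comments, the config holds only the next number."""
import os
import re
import tempfile
import time
import urllib.error
import urllib.request

BASE_URL = "https://virusshare.com/hashfiles/"  # assumed; check the site's current layout
MD5_LINE = re.compile(rb"^[0-9a-fA-F]{32}$")


def vxshare_file_name(vxshare_no):
    """The list names end in a zero-padded 5-digit sequence number."""
    return "VirusShare_{:05d}.md5".format(vxshare_no)


def fetch_with_urllib(url):
    """Default fetcher (stdlib, standing in for the post's Requests call).
    Returns (HTTP status, body bytes); an HTTP error becomes (code, b"")."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def looks_like_md5_list(body):
    """True if every non-comment, non-blank line is a 32-hex MD5 (catches a 200
    whose body is really an HTML error or login page)."""
    lines = [ln.strip() for ln in body.splitlines()]
    hashes = [ln for ln in lines if ln and not ln.startswith(b"#")]
    return bool(hashes) and all(MD5_LINE.match(ln) for ln in hashes)


def read_next_no(config_path, default=0):
    """Next sequence number to try, or `default` if there is no config yet."""
    try:
        with open(config_path) as cfg:
            return int(cfg.read().strip() or default)
    except FileNotFoundError:
        return default


def download_hash_files(start_no, dest_dir, config_path,
                        fetch=fetch_with_urllib, max_retries=3, retry_wait=1.0):
    """Pull lists start_no, start_no+1, ... until the first 404, then record the
    number that 404'd in config_path. Returns (paths written, that number)."""
    os.makedirs(dest_dir, exist_ok=True)
    downloaded, vxshare_no, retries = [], start_no, 0
    while True:
        name = vxshare_file_name(vxshare_no)
        status, body = fetch(BASE_URL + name)
        if status == 200:
            if not looks_like_md5_list(body):
                raise RuntimeError("{}: 200 but body is not an MD5 list".format(name))
            path = os.path.join(dest_dir, name)
            with open(path, "wb") as hash_file:  # raw bytes, no newline translation
                hash_file.write(body)
            downloaded.append(path)
            vxshare_no += 1
            retries = 0
        elif status == 404:
            break  # the sequence ends here; this is the number to resume from
        elif retries < max_retries:
            retries += 1  # 5xx, 429 etc. are transient: retry the same number
            time.sleep(retry_wait)
        else:
            raise RuntimeError("giving up on {} after HTTP {}".format(name, status))
    # Only a clean stop updates the resume point, so a failed run can simply be re-run.
    with open(config_path, "w") as cfg:
        cfg.write(str(vxshare_no))
    return downloaded, vxshare_no


def demo():
    """Run the loop against a constructed fake site (no network).
    Returns (basenames written, number recorded in the config, attempts per name)."""
    attempts = {}

    def fake_fetch(url):
        # Constructed responses: 00000 exists, 00001 fails once then succeeds,
        # 00002 is missing, so the config should end up holding 2.
        name = url.rsplit("/", 1)[1]
        attempts[name] = attempts.get(name, 0) + 1
        if name == "VirusShare_00000.md5":
            return 200, b"# constructed sample list\nd41d8cd98f00b204e9800998ecf8427e\n"
        if name == "VirusShare_00001.md5":
            if attempts[name] == 1:
                return 503, b"<html>busy</html>"
            return 200, b"9e107d9d372bb6826bd81d3542a419d6\n"
        return 404, b""

    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "vxshare.cfg")
        files, _ = download_hash_files(0, tmp, cfg, fetch=fake_fetch, retry_wait=0)
        return [os.path.basename(f) for f in files], read_next_no(cfg), attempts
```

On a real run, call download_hash_files(read_next_no("vxshare.cfg"), dest_dir, "vxshare.cfg") and let it use fetch_with_urllib, or pass a Requests-based fetcher that returns (status_code, content). The config is only written when the loop stops on a 404, so a run that gives up after repeated errors leaves the previous resume point intact.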

See you all next week!

https://github.com/CdtDelta/YOP
