Automating DFIR - How to series on programming libtsk with python Part 4

Automating DFIR - How to series on programming libtsk with python Part 4

Hello Reader,

Make sure you have read the prior post in this series before continuing:

Part 1 - Accessing an image and printing the partition table
Part 2 - Extracting a file from an image
Part 3  - Extracting a file from a live system

Following this post the series continues:

Part 5 - Auto escalating your python script to administrator
Part 6 - Accessing an E01 image and extracting files
Part 7 - Taking in command line options with argparse to specify an image
Part 8 - Hashing a file stored in a forensic image
Part 9 - Recursively hashing all the files in an image
Part 10 - Recursively searching for files and extracting them from an image
Part 11 - Recursively searching for files and extracting them from a live system 
Part 12 - Accessing different file systems
Part 13 - Accessing Volume Shadow Copies  

             In the previous post we modified our DFIR Wizard program to run against a live system. Now this is great, but wait... what do we do if the live system we want to run it against does not have python installed?!

While we could install python and the pytsk library on every system we want to access, that's not the best idea for a couple reasons:
1. Larger impact to forensic evidence
2. Production systems tend to be quite restrictive on new program installs
3. Unintended side effects on shared libraries
4. Internal politics

So what if we could take our python script and turn it into a standalone executable? Well you can! I am going to cover the most widely used and known program to do this, py2exe.

Things you'll need to follow along with this post:

1. Py2Exe, download it from If you are doing this on OSX or Linux you most likely will already have python installed if not look into py2app for OSX and pyInstaller for cross platform support.
2. To have your program run on systems without the required msvcr90.dll you'll also need to grab the redistributable package Microsoft provides, you can download it here

Turning your python program into a windows executable

So let's turn into dfirwizard-v3.exe!

The first thing you'll need to do is install py2exe, when you are done continue on to the next step.
The second thing you'll need to do is create a new python script in the same directory where is called

The contents of will be as follows:
from distutils.core import setup
import py2exe setup(console=[''])
We are dong three things in this script. The first thing are doing is importing a single function from the distutils.core package into our local namespace. This means when we call setup we don't have to say distutils.core.setup, instead we can just write setup. Distutils or distribution utilities is a library made for creating packages of python code for installing, packaging or distributing to other python users. 

The second thing we are doing is importing the py2exe library into our program. The last thing we are doing is calling the setup function and passing in the argument console which contains the name of the python script we want to turn into a windows console executable.There are other options available to make windows gui's and windows services but we can talk about that in another post.

To actually get py2exe going we now need to run the program using the following command:
python py2exe

It will create a directory called dist under the directory you ran the script in and contained in that directory will be 9 files that contain all the python libraries we need to run DFIR Wizard on a system without python installed. You'll notice that in the dist directory there is a file called dfirwizard-v3.exe if everything worked right your directory should look like the following:

Automating DFIR - How to series on programming libtsk with python Part 4

Now if you noticed above under 'Things you'll need' the second point talks about a package from Microsoft that contains the file msvcr90.dll. This C++ dll is needed for our py2exe created executable to run on a system where python is not installed. Many systems have this library installed, my system has 29 occurrences of it, but just in case you should make sure to include it in your dist directory before you start deploying this package out to other systems. You can fix this by copying into your dist directory under the directory 'Microsoft.VC90.CRT'. For more about troubleshooting py2exe and dealing with systems who don't have msvcr90.dll read this:

Once you have the dll in place you can zip up the whole dist directory and push out your executable and libraries wherever it needs to be run. Just remember that at this stage our windows executable has to be run from an administrative command prompt or executed remotely with a run as administrator option. You also might want to consider powershell remoting as it won't expose your credentials to the remote system but that is a post for another day.

Making your program a single file for deployment

As an alternative to py2exe you could also try pyInstaller which allows you to bundle all of the files above into one executable. It has a lot of other features as well but that's the one that may interest you the most when pushing this out for remote execution.

First install pyInstaller with pip:
pip install pyinstaller
Next install pywin32 which is needed for the make one file option

Next run pyinstaller as follows:
\python27\scripts\pyinstaller -F

Where -F is telling pyinstaller to generate just one executable that all the rest of the libraries will be extracted from at run time. Your executable will be located in the dist directory under the directory where is located. When run as administrator your single executable will now unpack itself and run on any system you want. An added value here is that you don't have to worry about including the C++ dlls!

Now this will execute slower at first than the py2exe version above but it will only require one file to be pushed/executed. 

In the next part let's talk about how to get our program to elevate its own privileges if they are available to the logged in user and then move onto accessing E01 images. 

To grab the used in this post get it from the series Github here:

Continue Reading: Automating DFIR - How to series on programming libtsk with python Part 3

Post a Comment