When a process is repeatable and labor intensive, it is a good candidate for scripting. There will be times when the tools you are using do not parse an application's data at all, and when that happens, supporting your analysis with scripts is very valuable and saves time.
Download and install Python on your processing machine. With the default Windows installer for Python 2.7, the Python directory (Python27) is created in the root of the C:\ drive. For the steps below, copy both the script (*.py) and the file being parsed into that directory; the script can then be run directly from the command line without typing full paths.
Navigate to the Python27 directory. From the C:\> prompt, TYPE:
cd Python27
Run the script by:
1) Executing Python
2) Telling it which script to use (located in the same Python27 directory)
3) Telling it which file to parse (also copied to the Python27 directory)
4) And telling it where to output the results
TYPE: python.exe fb-msg-blob-dumper.py testmsgr output.html
Where:
1) python.exe is the Python interpreter
2) fb-msg-blob-dumper.py is the script
3) testmsgr is the input file being parsed
4) output.html is the output file that will contain the results
The script walks through each message, looks for the relevant data, and writes what it finds to an HTML file.
Python output can be customized based on the user’s needs. This sample Python script was shared by fellow SANS FOR585 student Adrian Leong, who shares his findings on his forensics blog, https://for585.com/cheekymonkeyblog.
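The following is an added example, not Adrian Leong's fb-msg-blob-dumper.py and not part of the original course text. It shows the same command-line shape (interpreter, script, input file, output HTML) in a generic form: it carves printable strings from any binary blob, flags 13-digit values that look like Unix millisecond timestamps, and writes an HTML report. The blob format, the `MIN_LEN` threshold and the `SAMPLE_BLOB` input are all constructed for illustration. It is written for Python 3, so run it from a Python 3 installation rather than the Python27 directory.

```python
#!/usr/bin/env python3
"""Minimal blob-to-HTML dumper (added example; hypothetical record format).

Usage: python blob-dumper.py <input-file> <output.html>
"""
import html
import re
import sys
from datetime import datetime, timezone

# Printable ASCII runs of at least MIN_LEN bytes are treated as candidate text.
# The threshold is an assumption; tune it for the data you are examining.
MIN_LEN = 4
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# A 13-digit integer that begins with 13..17 is a plausible Unix millisecond
# timestamp (roughly 2011 through 2024). Heuristic only; confirm against
# other artifacts before relying on it.
MS_TS_RE = re.compile(r"(?<!\d)(1[3-7]\d{11})(?!\d)")


def carve_strings(blob):
    """Return (offset, text) for each printable ASCII run in the blob."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RE.finditer(blob)]


def annotate_timestamps(text):
    """Return UTC strings for any millisecond timestamps found in text."""
    out = []
    for m in MS_TS_RE.finditer(text):
        seconds = int(m.group(1)) / 1000.0
        stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
        out.append(stamp.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return out


def render_html(records):
    """Build the HTML report.

    Every carved value is HTML-escaped. Message content is attacker-controlled
    data; without escaping, a message containing markup or script would render
    (and could execute) in the examiner's browser when the report is opened.
    """
    rows = []
    for offset, text in records:
        times = ", ".join(annotate_timestamps(text))
        rows.append("<tr><td>0x%08x</td><td>%s</td><td>%s</td></tr>"
                    % (offset, html.escape(text), html.escape(times)))
    return ('<html><head><meta charset="utf-8"><title>Blob dump</title></head>'
            '<body><table border="1">'
            "<tr><th>Offset</th><th>Text</th><th>Timestamps</th></tr>"
            + "".join(rows) + "</table></body></html>")


def dump_blob_to_html(in_path, out_path):
    """Parse in_path, write the report to out_path, return the record count."""
    with open(in_path, "rb") as f:
        records = carve_strings(f.read())
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(render_html(records))
    return len(records)


# Constructed sample blob standing in for a real message store: two text
# fragments, a millisecond timestamp, and a deliberately hostile value.
SAMPLE_BLOB = (b"\x00\x01\x02hello from alice\x00\x00"
               b"\x03\x04ts=1451606400000\x00"
               b"<script>alert(1)</script>\xff\xfe\x00")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: python blob-dumper.py <input-file> <output.html>")
    count = dump_blob_to_html(sys.argv[1], sys.argv[2])
    print("wrote %d records to %s" % (count, sys.argv[2]))
```

Invoke it exactly as in the steps above (`python.exe blob-dumper.py testmsgr output.html`) with the input file in the same directory. The escaping in `render_html` is the one part worth carrying into any script of your own: an HTML report built from unescaped message content is a cross-site scripting vector against the examiner's workstation.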