Python Forensics – An Overview of Python


Python code looks much like code written in traditional programming languages such as C or Pascal. Python's syntax is said to borrow heavily from C, and many Python keywords resemble their C counterparts.

Python includes conditional and loop statements, which can be used to accurately extract data for forensics. For flow control, it provides if/else, while, and a high-level for statement that can loop over any “iterable” object.

a, b = 3, 7          # sample values
if a < b:
    largest = b      # named "largest" so the built-in max() is not shadowed
else:
    largest = a

The main way Python differs from other programming languages is its use of dynamic typing. It uses variable names to refer to objects. These variables do not need to be declared.

Data Types

Python includes a set of built-in data types, such as strings, Booleans, and numbers. There are also some immutable types, meaning values that cannot be changed during execution.

Python also has compound built-in data types: tuples, which are immutable arrays; lists; and dictionaries, which are hash tables. All of these are used in digital forensics to store values while collecting evidence.

Third-Party Modules and Packages

Python organizes programs into modules (related code grouped in a single source file) and packages (groups of modules). Modules and packages obtained from outside the standard library are known as third-party modules.

Python includes an extensive standard library, which is one of the main reasons for its popularity in computational forensics.

The Lifecycle of Python Code

  • Initially, when you execute Python code, the interpreter checks the code for syntax errors. If the interpreter finds any syntax errors, they are immediately displayed as error messages.
  • If there are no syntax errors, the code is compiled into bytecode and sent to the PVM (Python Virtual Machine).

  • The PVM checks the bytecode for any runtime or logic errors. If the PVM finds any runtime errors, they are immediately reported as error messages.

  • If the bytecode is error-free, the code is processed and you get its output.
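The stages listed above can be observed from within Python itself. The following is an added example, not code from the original page; the function name `run_lifecycle` and the three source strings are constructed for illustration.

```python
import dis

# Constructed sample programs: one valid, one with a syntax error
# (missing colon on line 2), one that fails only at run time.
GOOD = "a, b = 3, 7\nif a < b:\n    result = b\nelse:\n    result = a\n"
BAD_SYNTAX = "a, b = 3, 7\nif a < b\n    result = b\n"
BAD_RUNTIME = "a, b = 3, 0\nresult = a / b\n"


def run_lifecycle(source, name="<sample>"):
    """Walk one source string through the lifecycle stages.

    Returns (stage, detail, opnames), where stage is 'syntax_error',
    'runtime_error' or 'ok', and opnames lists the bytecode instructions.
    """
    # Stage 1: syntax check and compilation to bytecode. If this fails,
    # not a single statement of the program has been executed.
    try:
        code = compile(source, name, "exec")
    except SyntaxError as exc:
        return ("syntax_error", f"line {exc.lineno}: {exc.msg}", [])

    # Stage 2: the bytecode that is handed to the PVM. Listing it is a
    # static operation; nothing runs here.
    opnames = [ins.opname for ins in dis.get_instructions(code)]

    # Stage 3: the PVM executes the bytecode. Runtime errors surface only
    # now. Only the constructed samples above are meant to be executed.
    namespace = {}
    try:
        exec(code, namespace)
    except Exception as exc:
        return ("runtime_error", f"{type(exc).__name__}: {exc}", opnames)
    return ("ok", namespace.get("result"), opnames)


if __name__ == "__main__":
    for label, src in [("good", GOOD), ("bad syntax", BAD_SYNTAX),
                       ("bad runtime", BAD_RUNTIME)]:
        stage, detail, opnames = run_lifecycle(src)
        print(f"{label}: {stage} ({detail}); {len(opnames)} instructions")
```

The syntax-error sample yields no bytecode at all, while the runtime-error sample compiles cleanly and fails only when executed, which is the distinction the list above draws between the two kinds of error.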

The following diagram graphically shows how Python code is first interpreted to produce bytecode, and then how the bytecode is processed by the PVM to produce the output.
