USING PYTHON

We have seen how fsstat and other tools can be used to get metadata from an image file. We will now turn our attention to using Python to extract this information. Some of you might question going to the trouble of creating some Python code when tools already exist for this purpose. This is certainly a fair question.

I do think developing some Python modules is a good idea for a number of reasons. First, I have found that tools such as The Sleuth Kit (TSK) do not appear to be completely up to date. As you will see when running the Python scripts from this section, there are several features in use on the PFE subject filesystem that are not reported by TSK.

Second, it is useful to have some Python code that you understand in your toolbox. This allows you to modify the code as new features are added. It also allows you to integrate filesystem data into other scripts you might use.

Third, walking through these structures in order to develop the Python code helps you to better understand and learn how the extended filesystems work. If you are new to Python, you might also learn something new along the way. We begin our journey by creating code to read the superblock.
