digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-04-10 12:13:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

add AI4Forensics dataset

Browse Source
This commit is contained in:
Frank Xu
2023-10-11 20:01:20 -04:00
parent f23ec4fa5e
commit 580bb6cd0d
12 changed files with 1560 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

344
NIST_Data_Leakage_Case/py_version/pycode/webhistory_python/list_search_keywords_IE11.ipynb
View File

@@ -2,19 +2,19 @@
"cells": [
{
"cell_type": "code",
"execution_count": 7,
"execution_count": 241,
"source": [
"import pandas as pd\r\n",
"\r\n",
"# Set Pandas display options\r\n",
"pd.set_option('display.max_colwidth', 150) # Disable column width truncation\r\n",
"pd.set_option('display.max_rows', 50) # Display the number of rows\r\n",
"pd.set_option('display.max_rows', 20) # Display the number of rows\r\n",
"\r\n",
"# Read the CSV file into a DataFrame\r\n",
"df = pd.read_csv('IE11_container_6_9.csv', delimiter='\\t')\r\n",
"\r\n",
"# Specify the columns you want to display\r\n",
"selected_columns = [ 'Url']\r\n",
"selected_columns = [ 'Url', 'AccessedTime', 'AccessCount']\r\n",
"\r\n",
"# Create a new DataFrame containing only the selected columns\r\n",
"df[selected_columns]"
@@ -24,20 +24,33 @@
"output_type": "execute_result",
"data": {
"text/plain": [
" Url\n",
"0 Visited: informant@http://www.facebook.com/v2.0/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_ar...\n",
"1 Visited: informant@http://www.facebook.com/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter...\n",
"2 NaN\n",
"3 NaN\n",
"4 NaN\n",
".. ...\n",
"184 Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/redir.html\n",
"185 Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/iframe.html\n",
"186 Visited: informant@javascript:void(0)\n",
"187 Visited: informant@http://www.wired.com/2015/03/stealing-data-computers-using-heat/\n",
"188 Visited: informant@http://www.wired.com/?p=1756538\n",
" Url \\\n",
"0 Visited: informant@http://www.facebook.com/v2.0/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_ar... \n",
"1 Visited: informant@http://www.facebook.com/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter... \n",
"2 NaN \n",
"3 NaN \n",
"4 NaN \n",
".. ... \n",
"184 Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/redir.html \n",
"185 Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/iframe.html \n",
"186 Visited: informant@javascript:void(0) \n",
"187 Visited: informant@http://www.wired.com/2015/03/stealing-data-computers-using-heat/ \n",
"188 Visited: informant@http://www.wired.com/?p=1756538 \n",
"\n",
"[189 rows x 1 columns]"
" AccessedTime AccessCount \n",
"0 Mar 25, 2015 14:48:22.828705500 1 \n",
"1 Mar 23, 2015 20:44:27.994912000 1 \n",
"2 Mar 23, 2015 18:11:13.018592600 1 \n",
"3 Mar 23, 2015 18:11:13.003592400 1 \n",
"4 Mar 23, 2015 18:11:12.988592200 1 \n",
".. ... ... \n",
"184 Mar 25, 2015 14:47:05.361805500 1 \n",
"185 Mar 25, 2015 14:47:05.649305500 1 \n",
"186 Mar 23, 2015 20:44:28.188916000 1 \n",
"187 Mar 23, 2015 20:56:32.855777200 1 \n",
"188 Mar 23, 2015 20:45:22.234227600 1 \n",
"\n",
"[189 rows x 3 columns]"
],
"text/html": [
"<div>\n",
@@ -59,61 +72,356 @@
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Url</th>\n",
" <th>AccessedTime</th>\n",
" <th>AccessCount</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>Visited: informant@http://www.facebook.com/v2.0/plugins/like.php?action=like&amp;app_id=&amp;channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_ar...</td>\n",
" <td>Mar 25, 2015 14:48:22.828705500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>Visited: informant@http://www.facebook.com/plugins/like.php?action=like&amp;app_id=&amp;channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter...</td>\n",
" <td>Mar 23, 2015 20:44:27.994912000</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>NaN</td>\n",
" <td>Mar 23, 2015 18:11:13.018592600</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>NaN</td>\n",
" <td>Mar 23, 2015 18:11:13.003592400</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>NaN</td>\n",
" <td>Mar 23, 2015 18:11:12.988592200</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>...</th>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>184</th>\n",
" <td>Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/redir.html</td>\n",
" <td>Mar 25, 2015 14:47:05.361805500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>185</th>\n",
" <td>Visited: informant@http://p4-bx45atk7zyxog-7xw6fdnac2wemijo-if-v6exp3-v4.metric.gstatic.com/v6exp3/iframe.html</td>\n",
" <td>Mar 25, 2015 14:47:05.649305500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>186</th>\n",
" <td>Visited: informant@javascript:void(0)</td>\n",
" <td>Mar 23, 2015 20:44:28.188916000</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>187</th>\n",
" <td>Visited: informant@http://www.wired.com/2015/03/stealing-data-computers-using-heat/</td>\n",
" <td>Mar 23, 2015 20:56:32.855777200</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>188</th>\n",
" <td>Visited: informant@http://www.wired.com/?p=1756538</td>\n",
" <td>Mar 23, 2015 20:45:22.234227600</td>\n",
" <td>1</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"<p>189 rows × 1 columns</p>\n",
"<p>189 rows × 3 columns</p>\n",
"</div>"
]
},
"metadata": {},
"execution_count": 7
"execution_count": 241
}
],
"metadata": {}
},
{
"cell_type": "code",
"execution_count": 242,
"source": [
"import re\r\n",
"\r\n",
"# Define the pattern you want to search for\r\n",
"pattern = r\"bing\\.com\\/search\\?q=(.*?)\\&\" \r\n",
"\r\n",
"# Iterate through the 'url' column\r\n",
"for url in df[selected_columns]['Url']:\r\n",
" # Use the re.search() function to find the pattern in the text\r\n",
" match = re.search(pattern, str(url)) \r\n",
"\r\n",
" # Check if a match is found\r\n",
" if match:\r\n",
" matched_substring = match.group() # Get the matched substring\r\n",
" print(matched_substring)"
],
"outputs": [
{
"output_type": "stream",
"name": "stdout",
"text": [
"bing.com/search?q=DLP%20DRM&\n",
"bing.com/search?q=what%20is%20windows%20system%20artifacts&\n",
"bing.com/search?q=Top+Stories&\n",
"bing.com/search?q=external%20device%20and%20forensics&\n",
"bing.com/search?q=external%20device%20and%20forensics&\n",
"bing.com/search?q=Forensic+Email+Investigation&\n",
"bing.com/search?q=cd%20burning%20method&\n",
"bing.com/search?q=e-mail+investigation&\n",
"bing.com/search?q=investigation%20on%20windows%20machine&\n",
"bing.com/search?q=eraser&\n",
"bing.com/search?q=windows%20event%20logs&\n",
"bing.com/search?q=anti-forensic+tools&\n",
"bing.com/search?q=e-mail%20investigation&\n",
"bing.com/search?q=cd%20burning%20method%20in%20windows&\n",
"bing.com/search?q=ccleaner&\n",
"bing.com/search?q=file+sharing+and+tethering&\n"
]
}
],
"metadata": {}
},
{
"cell_type": "code",
"execution_count": 243,
"source": [
"filtered_df=df[selected_columns].dropna(subset=['Url'])\r\n",
"results=filtered_df[filtered_df['Url'].str.contains(pattern, regex=True)]\r\n",
"results"
],
"outputs": [
{
"output_type": "stream",
"name": "stderr",
"text": [
"C:\\Users\\student\\AppData\\Local\\Temp\\ipykernel_12068\\2406131133.py:2: UserWarning: This pattern is interpreted as a regular expression, and has match groups. To actually get the groups, use str.extract.\n",
" results=filtered_df[filtered_df['Url'].str.contains(pattern, regex=True)]\n"
]
},
{
"output_type": "execute_result",
"data": {
"text/plain": [
" Url \\\n",
"148 Visited: informant@http://www.bing.com/search?q=DLP%20DRM&qs=n&form=QBRE&pq=dlp%20drm&sc=8-7&sp=-1&sk=&cvid=6e206ee8751e4ad89f882ed52daf3aea&sid=B... \n",
"153 Visited: informant@http://www.bing.com/search?q=what%20is%20windows%20system%20artifacts&qs=n&form=QBRE&pq=what%20is%20windows%20system%20artifact... \n",
"158 Visited: informant@http://www.bing.com/search?q=Top+Stories&FORM=HDRSC1 \n",
"161 Visited: informant@http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE&pq=external%20device%20and%20forensics&sc=8-9&s... \n",
"163 Visited: informant@http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE&pq=external%20device%20and%20forensics&sc=8-9&s... \n",
"164 Visited: informant@http://www.bing.com/search?q=Forensic+Email+Investigation&FORM=QSRE1&sid=BE5E388F8757406CAA32E58334719A20&format=jsonv2&jsoncbid=3 \n",
"165 Visited: informant@http://www.bing.com/search?q=cd%20burning%20method&qs=n&form=QBRE&pq=cd%20burning%20method&sc=8-2&sp=-1&sk=&cvid=b7dbe6fb67424c... \n",
"166 Visited: informant@http://www.bing.com/search?q=e-mail+investigation&qs=n&pq=e-mail+investigation&sc=8-7&sp=-1&sk=&cvid=fe1c3738d8c747128473172416... \n",
"167 Visited: informant@http://www.bing.com/search?q=investigation%20on%20windows%20machine&qs=n&form=QBRE&pq=investigation%20on%20windows%20machine&sc... \n",
"170 Visited: informant@http://www.bing.com/search?q=eraser&qs=n&form=QBRE&pq=eraser&sc=8-6&sp=-1&sk=&cvid=e3b983fe889944179093ff5199b2eac4&sid=C7E8F37... \n",
"171 Visited: informant@http://www.bing.com/search?q=windows%20event%20logs&qs=n&form=QBRE&pq=windows%20event%20logs&sc=0-32&sp=-1&sk=&cvid=36b33ac5151... \n",
"175 Visited: informant@http://www.bing.com/search?q=anti-forensic+tools&qs=n&form=QBLH&pq=anti-forensic+tools&sc=8-13&sp=-1&sk=&cvid=e799e715fa2244a5a... \n",
"176 Visited: informant@http://www.bing.com/search?q=e-mail%20investigation&qs=n&form=QBRE&pq=e-mail%20investigation&sc=8-7&sp=-1&sk=&cvid=fe1c3738d8c7... \n",
"179 Visited: informant@http://www.bing.com/search?q=cd%20burning%20method%20in%20windows&qs=n&form=QBRE&pq=cd%20burning%20method%20in%20windows&sc=0-0... \n",
"180 Visited: informant@http://www.bing.com/search?q=ccleaner&qs=n&form=QBRE&pq=ccleaner&sc=8-8&sp=-1&sk=&cvid=d434736d4e514ad497f68734a6779104&sid=C7E... \n",
"182 Visited: informant@http://www.bing.com/search?q=file+sharing+and+tethering&qs=n&form=QBLH&pq=file+sharing+and+tethering&sc=0-18&sp=-1&sk=&cvid=171... \n",
"\n",
" AccessedTime AccessCount \n",
"148 Mar 23, 2015 18:08:31.817280200 1 \n",
"153 Mar 23, 2015 18:10:27.643461700 1 \n",
"158 Mar 23, 2015 18:07:54.981192800 1 \n",
"161 Mar 23, 2015 20:43:47.512480900 1 \n",
"163 Mar 23, 2015 18:14:11.977428300 1 \n",
"164 Mar 23, 2015 18:10:03.820421400 1 \n",
"165 Mar 23, 2015 18:13:20.892344100 1 \n",
"166 Mar 23, 2015 18:09:31.496373300 1 \n",
"167 Mar 23, 2015 18:11:50.582692100 1 \n",
"170 Mar 25, 2015 14:46:54.471205500 1 \n",
"171 Mar 23, 2015 18:12:35.567263800 1 \n",
"175 Mar 25, 2015 14:46:44.752905500 1 \n",
"176 Mar 23, 2015 18:08:54.101318800 1 \n",
"179 Mar 23, 2015 18:13:37.494372000 1 \n",
"180 Mar 25, 2015 14:47:51.248205500 1 \n",
"182 Mar 23, 2015 18:07:59.890207200 2 "
],
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Url</th>\n",
" <th>AccessedTime</th>\n",
" <th>AccessCount</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>148</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=DLP%20DRM&amp;qs=n&amp;form=QBRE&amp;pq=dlp%20drm&amp;sc=8-7&amp;sp=-1&amp;sk=&amp;cvid=6e206ee8751e4ad89f882ed52daf3aea&amp;sid=B...</td>\n",
" <td>Mar 23, 2015 18:08:31.817280200</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>153</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=what%20is%20windows%20system%20artifacts&amp;qs=n&amp;form=QBRE&amp;pq=what%20is%20windows%20system%20artifact...</td>\n",
" <td>Mar 23, 2015 18:10:27.643461700</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>158</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=Top+Stories&amp;FORM=HDRSC1</td>\n",
" <td>Mar 23, 2015 18:07:54.981192800</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>161</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=external%20device%20and%20forensics&amp;qs=n&amp;form=QBRE&amp;pq=external%20device%20and%20forensics&amp;sc=8-9&amp;s...</td>\n",
" <td>Mar 23, 2015 20:43:47.512480900</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>163</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=external%20device%20and%20forensics&amp;qs=n&amp;form=QBRE&amp;pq=external%20device%20and%20forensics&amp;sc=8-9&amp;s...</td>\n",
" <td>Mar 23, 2015 18:14:11.977428300</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>164</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=Forensic+Email+Investigation&amp;FORM=QSRE1&amp;sid=BE5E388F8757406CAA32E58334719A20&amp;format=jsonv2&amp;jsoncbid=3</td>\n",
" <td>Mar 23, 2015 18:10:03.820421400</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>165</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=cd%20burning%20method&amp;qs=n&amp;form=QBRE&amp;pq=cd%20burning%20method&amp;sc=8-2&amp;sp=-1&amp;sk=&amp;cvid=b7dbe6fb67424c...</td>\n",
" <td>Mar 23, 2015 18:13:20.892344100</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>166</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=e-mail+investigation&amp;qs=n&amp;pq=e-mail+investigation&amp;sc=8-7&amp;sp=-1&amp;sk=&amp;cvid=fe1c3738d8c747128473172416...</td>\n",
" <td>Mar 23, 2015 18:09:31.496373300</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>167</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=investigation%20on%20windows%20machine&amp;qs=n&amp;form=QBRE&amp;pq=investigation%20on%20windows%20machine&amp;sc...</td>\n",
" <td>Mar 23, 2015 18:11:50.582692100</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>170</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=eraser&amp;qs=n&amp;form=QBRE&amp;pq=eraser&amp;sc=8-6&amp;sp=-1&amp;sk=&amp;cvid=e3b983fe889944179093ff5199b2eac4&amp;sid=C7E8F37...</td>\n",
" <td>Mar 25, 2015 14:46:54.471205500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>171</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=windows%20event%20logs&amp;qs=n&amp;form=QBRE&amp;pq=windows%20event%20logs&amp;sc=0-32&amp;sp=-1&amp;sk=&amp;cvid=36b33ac5151...</td>\n",
" <td>Mar 23, 2015 18:12:35.567263800</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>175</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=anti-forensic+tools&amp;qs=n&amp;form=QBLH&amp;pq=anti-forensic+tools&amp;sc=8-13&amp;sp=-1&amp;sk=&amp;cvid=e799e715fa2244a5a...</td>\n",
" <td>Mar 25, 2015 14:46:44.752905500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>176</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=e-mail%20investigation&amp;qs=n&amp;form=QBRE&amp;pq=e-mail%20investigation&amp;sc=8-7&amp;sp=-1&amp;sk=&amp;cvid=fe1c3738d8c7...</td>\n",
" <td>Mar 23, 2015 18:08:54.101318800</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>179</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=cd%20burning%20method%20in%20windows&amp;qs=n&amp;form=QBRE&amp;pq=cd%20burning%20method%20in%20windows&amp;sc=0-0...</td>\n",
" <td>Mar 23, 2015 18:13:37.494372000</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>180</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=ccleaner&amp;qs=n&amp;form=QBRE&amp;pq=ccleaner&amp;sc=8-8&amp;sp=-1&amp;sk=&amp;cvid=d434736d4e514ad497f68734a6779104&amp;sid=C7E...</td>\n",
" <td>Mar 25, 2015 14:47:51.248205500</td>\n",
" <td>1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>182</th>\n",
" <td>Visited: informant@http://www.bing.com/search?q=file+sharing+and+tethering&amp;qs=n&amp;form=QBLH&amp;pq=file+sharing+and+tethering&amp;sc=0-18&amp;sp=-1&amp;sk=&amp;cvid=171...</td>\n",
" <td>Mar 23, 2015 18:07:59.890207200</td>\n",
" <td>2</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
]
},
"metadata": {},
"execution_count": 243
}
],
"metadata": {}
},
{
"cell_type": "code",
"execution_count": 244,
"source": [
"# Extract and display matched strings\r\n",
"results['Url'].str.extract(pattern, expand=False)"
],
"outputs": [
{
"output_type": "execute_result",
"data": {
"text/plain": [
"148 DLP%20DRM\n",
"153 what%20is%20windows%20system%20artifacts\n",
"158 Top+Stories\n",
"161 external%20device%20and%20forensics\n",
"163 external%20device%20and%20forensics\n",
"164 Forensic+Email+Investigation\n",
"165 cd%20burning%20method\n",
"166 e-mail+investigation\n",
"167 investigation%20on%20windows%20machine\n",
"170 eraser\n",
"171 windows%20event%20logs\n",
"175 anti-forensic+tools\n",
"176 e-mail%20investigation\n",
"179 cd%20burning%20method%20in%20windows\n",
"180 ccleaner\n",
"182 file+sharing+and+tethering\n",
"Name: Url, dtype: object"
]
},
"metadata": {},
"execution_count": 244
}
],
"metadata": {}