
Immediate download (Ebook) Mastering Python forensics : master the art of digital forensics and analysis with Python by kan ebooks 2024

The document provides information about various eBooks related to digital forensics and Python programming available for download at ebooknice.com. It highlights titles such as 'Mastering Python Forensics' and 'Python Digital Forensics Cookbook', along with their authors and ISBNs. Additionally, it outlines the contents of 'Mastering Python Forensics', covering topics like forensic algorithms, Windows and Linux forensics, network forensics, and mobile forensics.

Uploaded by

henjemuhnd
Copyright
© All Rights Reserved
(Ebook) Mastering Python forensics : master the art of digital forensics and analysis with Python by Uhrmann, Johann; Spreitzenbarth, Dr Michael ISBN 9781783988044, 1783988045
https://ebooknice.com/product/mastering-python-forensics-master-the-art-of-digital-forensics-and-analysis-with-python-6661050

(Ebook) Python Digital Forensics Cookbook: Effective Python recipes for digital investigations by Preston Miller, Chapin Bryce ISBN 9781783987467, 1783987464
https://ebooknice.com/product/python-digital-forensics-cookbook-effective-python-recipes-for-digital-investigations-20640302

(Ebook) doing math with python doing math with python by kan
https://ebooknice.com/product/doing-math-with-python-doing-math-with-python-50196050

(Ebook) Python Forensics. A Workbench for Inventing and Sharing Digital Forensic Technology by Chet Hosmer (Auth.) ISBN 9780124186767, 0124186769
https://ebooknice.com/product/python-forensics-a-workbench-for-inventing-and-sharing-digital-forensic-technology-4735536

(Ebook) The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons ISBN 9781597496612, 1597496618
https://ebooknice.com/product/the-basics-of-digital-forensics-the-primer-for-getting-started-in-digital-forensics-4155398

(Ebook) The Basics of Digital Forensics, Second Edition: The Primer for Getting Started in Digital Forensics by John Sammons ISBN 9780128016350, 0128016353
https://ebooknice.com/product/the-basics-of-digital-forensics-second-edition-the-primer-for-getting-started-in-digital-forensics-5138786

(Ebook) Digital Forensics with Kali Linux: Enhance your investigation skills by performing network and memory forensics with Kali Linux by Parasram, Shiva V. N.;
https://ebooknice.com/product/digital-forensics-with-kali-linux-enhance-your-investigation-skills-by-performing-network-and-memory-forensics-with-kali-linux-55948588

(Ebook) Digital Forensics Workbook: Hands-on Activities in Digital Forensics by Michael K Robinson ISBN 9781517713607, 1517713609
https://ebooknice.com/product/digital-forensics-workbook-hands-on-activities-in-digital-forensics-10446510

(Ebook) Mastering Time Series Analysis and Forecasting with Python: Bridging Theory and Practice Through Insights, Techniques, and Tools for Effective Time Series Analysis in Python by Sulekha Aloorravi ISBN 9788196815103, 8196815107
https://ebooknice.com/product/mastering-time-series-analysis-and-forecasting-with-python-bridging-theory-and-practice-through-insights-techniques-and-tools-for-effective-time-series-analysis-in-python-56376378

Table of Contents
Mastering Python Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab and Introduction to Python ctypes
Setting up the Lab
Ubuntu
Python virtual environment (virtualenv)
Introduction to Python ctypes
Working with Dynamic Link Libraries
C data types
Defining Unions and Structures
Summary
2. Forensic Algorithms
Algorithms
MD5
SHA256
SSDEEP
Supporting the chain of custody
Creating hash sums of full disk images
Creating hash sums of directory trees
Real-world scenarios
Mobile Malware
NSRLquery
Downloading and installing nsrlsvr
Writing a client for nsrlsvr in Python
Summary
3. Using Python for Windows and Linux Forensics
Analyzing the Windows Event Log
The Windows Event Log
Interesting Events
Parsing the Event Log for IOC
The python-evtx parser
The plaso and log2timeline tools
Analyzing the Windows Registry
Windows Registry Structure
Parsing the Registry for IOC
Connected USB Devices
User histories
Startup programs
System Information
Shim Cache Parser
Implementing Linux specific checks
Checking the integrity of local user credentials
Analyzing file meta information
Understanding inode
Reading basic file metadata with Python
Evaluating POSIX ACLs with Python
Reading file capabilities with Python
Clustering file information
Creating histograms
Advanced histogram techniques
Summary
4. Using Python for Network Forensics
Using Dshell during an investigation
Using Scapy during an investigation
Summary
5. Using Python for Virtualization Forensics
Considering virtualization as a new attack surface
Virtualization as an additional layer of abstraction
Creation of rogue machines
Cloning of systems
Searching for misuse of virtual resources
Detecting rogue network interfaces
Detecting direct hardware access
Using virtualization as a source of evidence
Creating forensic copies of RAM content
Using snapshots as disk images
Capturing network traffic
Summary
6. Using Python for Mobile Forensics
The investigative model for smartphones
Android
Manual Examination
Automated Examination with the help of ADEL
Idea behind the system
Implementation and system workflow
Working with ADEL
Movement profiles
Apple iOS
Getting the Keychain from a jailbroken iDevice
Manual Examination with libimobiledevice
Summary
7. Using Python for Memory Forensics
Understanding Volatility basics
Using Volatility on Android
LiME and the recovery image
Volatility for Android
Reconstructing data for Android
Call history
Keyboard cache
Using Volatility on Linux
Memory acquisition
Volatility for Linux
Reconstructing data for Linux
Analyzing processes and modules
Analyzing networking information
Malware hunting with the help of YARA
Summary
Where to go from here
Index
Mastering Python Forensics
Copyright © 2015 Packt Publishing All rights reserved. No part of this
book may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, without the prior written permission of the
publisher, except in the case of brief quotations embedded in critical
articles or reviews.

Every effort has been made in the preparation of this book to ensure the
accuracy of the information presented. However, the information
contained in this book is sold without warranty, either express or implied.
Neither the authors, nor Packt Publishing, and its dealers and distributors
will be held liable for any damages caused or alleged to be caused
directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about
all of the companies and products mentioned in this book by the
appropriate use of capitals. However, Packt Publishing cannot guarantee
the accuracy of this information.

First published: October 2015

Production reference: 1261015

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78398-804-4

www.packtpub.com
Credits
Authors

Dr. Michael Spreitzenbarth

Dr. Johann Uhrmann

Reviewers

Richard Marsden

Puneet Narula

Yves Vandermeer

Commissioning Editor

Kartikey Pandey

Acquisition Editor

Sonali Vernekar

Content Development Editor

Shweta Pant

Technical Editor

Pranil Pathare

Copy Editor

Vibha Shukla

Project Coordinator

Shipra Chawhan
Proofreader

Safis Editing

Indexer

Mariammal Chettiyar

Production Coordinator

Arvindkumar Gupta

Cover Work

Arvindkumar Gupta
About the Authors
Dr. Michael Spreitzenbarth holds a degree of doctor of engineering in IT
security from the University of Erlangen-Nuremberg and is a CISSP as
well as a GMOB. He has been an IT security consultant at a worldwide
operating CERT for more than three years and has worked as a
freelancer in the field of mobile phone forensics, malware analysis, and
IT security consultancy for more than six years. For the last four years,
he has been giving talks and lectures in the fields of forensics and mobile
security at various universities and in the private sector.

I would like to thank everyone who has encouraged me while writing
this book, especially my wife for her great support. I would also like to
thank all the authors of the used open source tools— without your
help, this book wouldn't have been possible.

Dr. Johann Uhrmann holds a degree in computer science from the
University of Applied Sciences Landshut and a doctor of engineering
from the University of the German Federal Armed Forces. He has more
than ten years of experience in software development, which includes
working for start-ups, institutional research, and corporate environments.
Johann has several years of experience in incident handling and IT
governance, focusing on Linux and Cloud environments.

First of all, I would like to thank my wife, Daniela, for her moral
support and willingness to give up on some family time while I was
writing. I also would like to thank my coauthor and colleague, Dr.
Michael Spreitzenbarth, for talking me into writing this book and
handling a great deal of the organizational overhead of such a
project. Furthermore, the great people working on all the open source
software projects that we used and mentioned in this book deserve
credit. You are the guys who keep the IT world spinning.
About the Reviewers
Richard Marsden has over twenty years of professional experience in
software development. After starting in the fields of geophysics and oil
exploration, he has spent the last twelve years running the Winwaed
Software Technology LLC, an independent software vendor. Winwaed
specializes in geospatial tools and applications, which include web
applications, and operates the http://www.mapping-tools.com website for
tools and add-ins for geospatial products, such as Caliper's Maptitude
and Microsoft's MapPoint.

Richard was also a technical reviewer for Python Geospatial
Development, and Python Geospatial Analysis Essentials, both written by
Erik Westra, Packt Publishing.

Puneet Narula is currently working as PPC Data Analyst with
Hostelworld.com Ltd (http://www.hostelworld.com/), Dublin, Ireland,
where he analyzes massive clickstream data from direct and affiliate
sources and provides insight to the digital marketing team. He uses
RapidMiner, R, and Python for the exploratory and predictive analysis.
His areas of expertise are programming in Python and R, machine
learning, data analysis and Tableau.

He started his career in banking and finance and then moved to the ever
growing domain of data and analytics.

He earned an MSc in computing (data analytics) from Dublin Institute of
Technology, Dublin, Ireland. He has reviewed the books: Python Data
Analysis, by Ivan Idris, Packt Publishing and Python Geospatial Analysis
Essentials, by Erik Westra, Packt Publishing.

Yves Vandermeer is a police officer working for the Belgian Federal
Police. He has been involved in major investigations since 1997, where
he contributed to recovering digital evidence. Holding an MSc in computer
forensics, Yves is also a trainer on several topics such as filesystems and
network forensics for several law enforcement agencies.

Chairing the European Cybercrime Training and Education Group,
E.C.T.E.G., since 2013, Yves supports the creation of training materials
that are focused on the understanding of the concepts applied in practical
exercises.

Using his experience, he developed forensic software tools for law
enforcement and contributed to several advisory groups related to IT
crime and IT forensics.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit
www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published,
with PDF and ePub files available? You can upgrade to the eBook
version at www.PacktPub.com and as a print book customer, you are
entitled to a discount on the eBook copy. Get in touch with us at
<service@packtpub.com> for more details.

At www.PacktPub.com, you can also read a collection of free technical
articles, sign up for a range of free newsletters and receive exclusive
discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's
online digital book library. Here, you can search, access, and read
Packt's entire library of books.

Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser

Free access for Packt account holders


If you have an account with Packt at www.PacktPub.com, you can use
this to access PacktLib today and view 9 entirely free books. Simply use
your login credentials for immediate access.
Preface
Today, information technology is a part of almost everything that
surrounds us. These are the systems that we wear and that support us in
building and running cities, companies, our personal online shopping
tours, and our friendships. These systems are attractive to use—and
abuse. Consequently, all criminal fields such as theft, fraud, blackmail,
and so on have expanded into IT. Nowadays, this is a multi-billion, criminal,
global shadow industry.

Can a single person spot traces of criminal or suspicious activity
conducted by a multi-billion, criminal, global shadow industry? Well,
sometimes you can. To analyze the modern crime, you do not need
magnifying glasses and lifting fingerprints off wine bottles. Instead, we
will see how to apply your Python skills to get a close look at the most
promising spots on a file system and take digital fingerprints from the
traces left behind by hackers.

As authors, we believe in the strength of examples over dusty theory.
This is why we provide samples for forensic tooling and scripts, which are
short enough to be understood by the average Python programmer, yet
usable tools and building blocks for real-world IT forensics.

Are you ready to turn suspicion into hard facts?


What this book covers
Chapter 1, Setting Up the Lab and Introduction to Python ctypes, covers
how to set up your environment to follow the examples that are provided
in this book. We will take a look at the various Python modules that
support our forensic analyses. With ctypes, we provide the means to go
beyond Python modules and leverage the capabilities of native system
libraries.

Chapter 2, Forensic Algorithms, provides you with the digital equivalent
of taking fingerprints. Just like in the case of classic fingerprints, we will
show you how to compare the digital fingerprints with a huge registry of
the known good and bad samples. This will support you in focusing your
analysis and providing a proof of forensic soundness.

Chapter 3, Using Python for Windows and Linux Forensics, is the first
step on your journey to understanding digital evidence. We will provide
examples to detect signs of compromise on Windows and Linux systems.
We will conclude the chapter with an example on how to use machine
learning algorithms in the forensic analysis.

Chapter 4, Using Python for Network Forensics, is all about capturing
and analyzing network traffic. With the provided tools, you can search
and analyze the network traffic for signs of exfiltration or signature of
malware communication.

Chapter 5, Using Python for Virtualization Forensics, explains how
modern virtualization concepts can be used by the attacker and forensic
analyst. Consequently, we will show how to find traces of malicious
behavior on the hypervisor level and utilize the virtualization layer as a
reliable source of forensic data.

Chapter 6, Using Python for Mobile Forensics, will give you an insight on
how to retrieve and analyze forensic data from mobile devices. The
examples will include analyzing Android devices as well as Apple iOS
devices.
Chapter 7, Using Python for Memory Forensics, demonstrates how to
retrieve memory snapshots and analyze these RAM images forensically
with Linux and Android. With the help of tools such as LiME and Volatility,
we will demonstrate how to extract information from the system memory.
What you need for this book
All you need for this book is a Linux workstation with a Python 2.7
environment and a working Internet connection. Chapter 1, Setting Up
the Lab and Introduction to Python ctypes, will guide you through the
installation of the additional Python modules and tools. All of our used
tools are freely available from the Internet. The source code of our
samples is available from Packt Publishing.

To follow the examples of Chapter 5, Using Python for Virtualization
Forensics, you may want to set up a virtualization environment with
VMware vSphere. The required software is available from VMware as
time-limited trial version without any functional constraints.

While not strictly required, we recommend trying some of the examples of
Chapter 6, Using Python for Mobile Forensics, on discarded mobile
devices. For your first experiments, please refrain from using personal or
business phones that are actually in use.
Who this book is for
This book is for IT administrators, IT operations, and analysts who want
to gain profound skills in the collection and analysis of digital evidence. If
you are already a forensic expert, this book will help you to expand your
knowledge in new areas such as virtualization or mobile devices.

To get the most out of this book, you should have decent skills in Python
and understand at least some inner workings of your forensic targets, for
example, some file system details.
Conventions
In this book, you will find a number of text styles that distinguish between
different kinds of information. Here are some examples of these styles
and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file
extensions, pathnames, dummy URLs, user input, and Twitter handles
are shown as follows: "Note that in the case of Windows, msvcrt is the
MS standard C library containing most of the standard C functions and
uses the cdecl calling convention (on Linux systems, the similar library
would be libc.so.6)."

A block of code is set as follows:

def multi_hash(filename):
    """Calculates the md5 and sha256 hashes
    of the specified file and returns a list
    containing the hash sums as hex strings."""

When we wish to draw your attention to a particular part of a code block,
the relevant lines or items are set in bold:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d"></Provider>
<EventID Qualifiers="">4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>

Any command-line input or output is written as follows:

user@lab:~$ virtualenv labenv
New python executable in labenv/bin/python
Installing setuptools, pip...done.

New terms and important words are shown in bold. Words that you see
on the screen, for example, in menus or dialog boxes, appear in the text
like this: "When asked to Select System Logs, ensure that all log types
are selected."

Note
Warnings or important notes appear in a box like this.

Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you
think about this book—what you liked or disliked. Reader feedback is
important for us as it helps us develop titles that you will really get the
most out of.

To send us general feedback, simply e-mail <feedback@packtpub.com>,
and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in
either writing or contributing to a book, see our author guide at
www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of
things to help you to get the most from your purchase.

Downloading the example code


You can download the example code files from your account at
http://www.packtpub.com for all the Packt Publishing books you have
purchased. If you purchased this book elsewhere, you can visit
http://www.packtpub.com/support and register to have the files emailed
directly to you.

Errata
Although we have taken every care to ensure the accuracy of our
content, mistakes do happen. If you find a mistake in one of our books—
maybe a mistake in the text or the code—we would be grateful if you
could report this to us. By doing so, you can save other readers from
frustration and help us improve subsequent versions of this book. If you
find any errata, please report them by visiting
http://www.packtpub.com/submit-errata, selecting your book, clicking on
the Errata Submission Form link, and entering the details of your errata.
Once your errata are verified, your submission will be accepted and the
errata will be uploaded to our website or added to any list of existing
errata under the Errata section of that title.

To view the previously submitted errata, go to
https://www.packtpub.com/books/content/support and enter the name of
the book in the search field. The required information will appear under
the Errata section.

Piracy
Piracy of copyrighted material on the Internet is an ongoing problem
across all media. At Packt, we take the protection of our copyright and
licenses very seriously. If you come across any illegal copies of our
works in any form on the Internet, please provide us with the location
address or website name immediately so that we can pursue a remedy.

Please contact us at <copyright@packtpub.com> with a link to the
suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring
you valuable content.

Questions
If you have a problem with any aspect of this book, you can contact us at
<questions@packtpub.com>, and we will do our best to address the
problem.
Chapter 1. Setting Up the Lab and Introduction to Python ctypes
Cyber security and digital forensics are two topics of increasing
importance. Digital forensics especially is becoming more and more
important, not only during law enforcement investigations, but also in the
field of incident response. During all of the previously mentioned
investigations, it's fundamental to get to know the root cause of a security
breach, malfunction of a system, or a crime. Digital forensics plays a
major role in overcoming these challenges.

In this book, we will teach you how to build your own lab and perform
profound digital forensic investigations, which originate from a large
range of platforms and systems, with the help of Python. We will start
with common Windows and Linux desktop machines, then move forward
to cloud and virtualization platforms, and end up with mobile phones. We
will not only show you how to examine the data at rest or in transit, but
also take a deeper look at the volatile memory.

Python provides an excellent development platform to build your own
investigative tools because of its decreased complexity, increased
efficiency, large number of third-party libraries, and code that is easy to
read and write. During the journey of reading this book, you will not only learn
how to use the most common Python libraries and extensions to analyze
the evidence, but also how to write your own scripts and helper tools to
work faster on the cases or incidents with a huge amount of evidence
that has to be analyzed.

Let's begin our journey of mastering Python forensics by setting up our
lab environment, followed by a brief introduction of the Python ctypes.

If you have already worked with Python ctypes and have a working lab
environment, feel free to skip the first chapter and start directly with one
of the other chapters. After the first chapter, the other chapters are fairly
independent of each other and can be read in any order.
Setting up the Lab
As a base for our scripts and investigations, we need a comprehensive
and powerful lab environment that is able to handle a large number of
different file types and structures as well as connections to mobile
devices. To achieve this goal, we will use the latest Ubuntu LTS version
14.04.2 and install it in a virtual machine (VM). Within the following
sections, we will explain the setup of the VM and introduce Python
virtualenv, which we will use to establish our working environment.

Ubuntu
To work in a similar lab environment, we suggest that you download a copy
of the latest Ubuntu LTS Desktop Distribution from
http://www.ubuntu.com/download/desktop/, preferably the 32-bit version.
The distribution provides a simple-to-use UI and already has the Python
2.7.6 environment installed and preconfigured. Throughout the book, we
will use Python 2.7.x and not the newer 3.x versions. Several examples
and case studies in this book will rely on the tools or libraries that are
already a part of the Ubuntu distribution. When a chapter or section of the
book requires a third-party package or library, we will provide the
additional information on how to install it in the virtualenv (the setup of
this environment will be explained in the next section) or on Ubuntu in
general.

For better performance of the system, we recommend that the virtual
machine that is used for the lab has at least 4 GB of volatile memory and
about 40 GB of storage.
Figure 1: The Atom editor

To write your first Python script, you can use a simple editor such as vi or
a powerful but cluttered IDE such as Eclipse. As a really powerful
alternative, we suggest that you use Atom, a very clean but highly
customizable editor that can be freely downloaded from https://atom.io/.

Python virtual environment (virtualenv)


According to the official Python documentation, Virtual Environment is a
tool to keep the dependencies required by different projects in separate
places by creating virtual Python environments for them. It solves the
"Project X depends on version 1.x, but Project Y needs 4.x" dilemma and
keeps your global site-packages directory clean and manageable.

This is also what we will use in the following chapters to keep a common
environment for all the readers of the book and not run into any
compatibility issues. First of all, we have to install the virtualenv
package. This is done by the following command:

user@lab:~$ pip install virtualenv

We will now create a folder in the user's home directory for our virtual
Python environment. This directory will contain the executable Python
files and a copy of the pip library, which can be used to install other
packages in the environment. The name of the virtual environment (in our
case, it is called labenv) can be of your choice. Our virtual lab
environment can be created by executing the following command:

user@lab:~$ virtualenv labenv
New python executable in labenv/bin/python
Installing setuptools, pip...done.

To start working with the new lab environment, it first needs to be
activated. This can be done through:

user@lab:~$ source labenv/bin/activate
(labenv)user@lab:~$

Now, you can see that the command prompt starts with the name of the
virtual environment that we activated. From now on, any package that
you install using pip will be placed in the labenv folder, isolated from the
global Python installation in the underlying Ubuntu.

Throughout the book, we will use this virtual Python environment and
install new packages and libraries in it from time to time. So, every time
you try to reproduce an example or challenge shown in the book, remember to
change into the labenv environment before running your scripts.

If you are done working in the virtual environment for the moment and
you want to return to your "normal" Python environment, you can
deactivate the virtual environment by executing the following command:

(labenv)user@lab:~$ deactivate
user@lab:~$

This puts you back in the system's default Python interpreter with all its
installed libraries and dependencies.

If you are using more than one virtual or physical machine for the
investigations, the virtual environments can help you to keep your
libraries and packages synced with all these workplaces. In order to
ensure that your environments are consistent, it's a good idea to "freeze"
the current state of environment packages. To do this, just run:

(labenv)user@lab:~$ pip freeze > requirements.txt

This will create a requirements.txt file, which contains a simple list of all
the packages in the current environment and their respective versions. If
you want to now install the same packages using the same version on a
different machine, just copy the requirements.txt file to the desired
machine, create the labenv environment as described earlier and
execute the following command:

(labenv)user@lab:~$ pip install -r requirements.txt

Now, you will have consistent Python environments on all the machines
and don't need to worry about different library versions or other
dependencies.
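
To confirm that a second workstation really matches the frozen list, the following added example (not from the book, and written for Python 3.8+ rather than the book's Python 2.7) compares the content of a requirements.txt file with the packages installed in the active environment. The sample file content, package versions, and function names are constructed for illustration.

```python
import re
from importlib import metadata


def normalize(name):
    """Normalise a project name as pip does (PEP 503): case and -_. are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_frozen(text):
    """Split `pip freeze` output into exact pins and lines without a pin."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Editable installs, options and bare names carry no exact version,
        # so they cannot guarantee an identical environment elsewhere.
        if line.startswith("-") or "==" not in line:
            unpinned.append(line)
            continue
        name, version = line.split("==", 1)
        pins[normalize(name.strip())] = version.strip()
    return pins, unpinned


def installed_packages():
    """Map normalised name -> version for the currently active environment."""
    found = {}
    for dist in metadata.distributions():
        meta = dist.metadata
        name = meta.get("Name") if meta is not None else None
        if name:
            found[normalize(name)] = dist.version
    return found


def compare(frozen_text, installed):
    """Report how an environment differs from a frozen requirements list."""
    pins, unpinned = parse_frozen(frozen_text)
    return {
        "missing": sorted(n for n in pins if n not in installed),
        "mismatched": {n: (want, installed[n]) for n, want in pins.items()
                       if n in installed and installed[n] != want},
        "extra": sorted(n for n in installed if n not in pins),
        "unpinned": unpinned,
    }


# Constructed sample standing in for a requirements.txt copied from the
# first lab machine (names and versions are illustrative only).
FROZEN_SAMPLE = """\
# frozen on lab machine A
python-evtx==0.3.1
Scapy==2.3.1
yara_python==3.4.0
-e git+https://example.invalid/tool.git#egg=tool
requests
"""

# Constructed stand-in for what a second machine has installed.
INSTALLED_SAMPLE = {"python-evtx": "0.3.1", "scapy": "2.3.2", "pip": "7.1.2"}

if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print(compare(FROZEN_SAMPLE, INSTALLED_SAMPLE))
    # Real use: compare the copied file with the active environment.
    # with open("requirements.txt") as handle:
    #     print(compare(handle.read(), installed_packages()))
```

A non-empty "mismatched" or "missing" entry means results produced on the two machines were not generated with the same tool versions, which is worth recording in the case notes.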

After we have created the Ubuntu virtual machine with our dedicated lab
environment, we are nearly ready to start our first forensic analysis. But
before that, we need more knowledge of the helpful Python libraries and
backgrounds. Therefore, we will start with an introduction to the Python
ctypes in the following section.
Introduction to Python ctypes
According to the official Python documentation, ctypes is a foreign
function library that provides C compatible data types and allows calling
functions in DLLs or shared libraries. A foreign function library means that
the Python code can call C functions using only Python, without requiring
special or custom-made extensions.

This module is one of the most powerful libraries available to the Python
developer. The ctypes library not only enables you to call functions in
dynamically linked libraries (as described earlier), but can also be used
for low-level memory manipulation. It is important that you understand the
basics of how to use the ctypes library as it will be used for many
examples and real-world cases throughout the book.

In the following sections, we will introduce some basic features of Python
ctypes and how to use them.

Working with Dynamic Link Libraries


Python ctypes exports the cdll object and, on Windows, also the windll and
oledll objects, to load the requested dynamic link libraries. A
dynamically linked library is a compiled binary that is linked at runtime to
the executable main process. On Windows platforms, these binaries are
called Dynamic Link Libraries (DLL) and on Linux, they are called
shared objects (SO). You can load these linked libraries by accessing
them as the attributes of the cdll, windll or oledll objects. Now, we will
demonstrate a very brief example for Windows and Linux to get the
current time directly out of the time function in libc (this library defines
the system calls and other basic facilities such as open, printf, or exit).

Note that in the case of Windows, msvcrt is the MS standard C library
containing most of the standard C functions and uses the cdecl calling
convention (on Linux systems, the similar library would be libc.so.6):

C:\Users\Admin>python
>>> from ctypes import *
>>> libc = cdll.msvcrt
>>> print libc.time(None)
1428180920

Windows appends the usual .dll file suffix automatically. On Linux, it is
required to specify the filename, including the extension, to load the
chosen library. Either the LoadLibrary() method of the DLL loaders
should be used or you should load the library by creating an instance of
CDLL by calling the constructor, as shown in the following code:

(labenv)user@lab:~$ python
>>> from ctypes import *
>>> libc = CDLL("libc.so.6")
>>> print libc.time(None)
1428180920

As shown in these two examples, it is very easy to call into a dynamic
library and use a function that it exports. You will be using this
technique many times throughout the book, so it is important that you
understand how it works.

C data types
When looking at the two examples from the earlier section in detail, you
can see that we use None as one of the parameters for a dynamically
linked C library. This is possible because None, integers, longs, byte
strings, and unicode strings are the native Python objects that can be
directly used as the parameters in these function calls. None is passed as
a C NULL pointer; byte strings and unicode strings are passed as
pointers to the memory block that contains their data (char * or wchar_t
*). Python integers and Python longs are passed as the platform's
default C int type; their value is masked to fit into the C type. A complete
overview of the Python types and their corresponding ctypes types can be
seen in Table 1:

ctypes type    C type                                    Documentation
c_bool         _Bool                                     https://docs.python.org/2/library/ctypes.html#ctypes.c_bool
c_char         char                                      https://docs.python.org/2/library/ctypes.html#ctypes.c_char
c_wchar        wchar_t                                   https://docs.python.org/2/library/ctypes.html#ctypes.c_wchar
c_byte         char                                      https://docs.python.org/2/library/ctypes.html#ctypes.c_byte
c_ubyte        unsigned char                             https://docs.python.org/2/library/ctypes.html#ctypes.c_ubyte
c_short        short                                     https://docs.python.org/2/library/ctypes.html#ctypes.c_short
c_ushort       unsigned short                            https://docs.python.org/2/library/ctypes.html#ctypes.c_ushort
c_int          int                                       https://docs.python.org/2/library/ctypes.html#ctypes.c_int
c_uint         unsigned int                              https://docs.python.org/2/library/ctypes.html#ctypes.c_uint
c_long         long                                      https://docs.python.org/2/library/ctypes.html#ctypes.c_long
c_ulong        unsigned long                             https://docs.python.org/2/library/ctypes.html#ctypes.c_ulong
c_longlong     __int64 or long long                      https://docs.python.org/2/library/ctypes.html#ctypes.c_longlong
c_ulonglong    unsigned __int64 or unsigned long long    https://docs.python.org/2/library/ctypes.html#ctypes.c_ulonglong
c_float        float                                     https://docs.python.org/2/library/ctypes.html#ctypes.c_float
c_double       double                                    https://docs.python.org/2/library/ctypes.html#ctypes.c_double
c_longdouble   long double                               https://docs.python.org/2/library/ctypes.html#ctypes.c_longdouble
c_char_p       char * (NUL terminated)                   https://docs.python.org/2/library/ctypes.html#ctypes.c_char_p
c_wchar_p      wchar_t * (NUL terminated)                https://docs.python.org/2/library/ctypes.html#ctypes.c_wchar_p
c_void_p       void *                                    https://docs.python.org/2/library/ctypes.html#ctypes.c_void_p

Table 1: Fundamental Data Types

This table is very helpful because all the Python types except integers,
strings, and unicode strings have to be wrapped in their corresponding
ctypes type so that they can be converted to the required C data type in
the linked library and not throw the TypeError exceptions, as shown in the
following code:

(labenv)user@lab:~$ python
>>> from ctypes import *
>>> libc = CDLL("libc.so.6")
>>> printf = libc.printf
>>> printf("An int %d, a double %f\n", 4711, 47.11)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ctypes.ArgumentError: argument 3: <type 'exceptions.TypeError'>: Don't know how to convert parameter 3
>>> printf("An int %d, a double %f\n", 4711, c_double(47.11))
An int 4711, a double 47.110000

Defining Unions and Structures

Unions and Structures are important data types because they are
frequently used throughout the libc on Linux and also in the Microsoft
Win32 API.

Unions are simply a group of variables, which can be of the same or
different data types, where all of its members share the same memory
location. By storing variables in this way, unions allow you to specify the
same value in different types. For the upcoming example, we will change
from the interactive Python shell to the atom editor on our Ubuntu lab
environment. You just need to open atom editor, type in the following
code, and save it under the name new_evidence.py:

from ctypes import *

class case(Union):
    # all three members share the same memory location
    _fields_ = [
        ("evidence_int", c_int),
        ("evidence_long", c_long),
        ("evidence_char", c_char * 4)  # four-element character array
    ]

value = raw_input("Enter new evidence number:")
# a positional argument initializes the first member, evidence_int
new_evidence = case(int(value))
print "Evidence number as a int: %i" % new_evidence.evidence_int
print "Evidence number as a long: %ld" % new_evidence.evidence_long
print "Evidence number as a char: %s" % new_evidence.evidence_char

If you assign the evidence union's member variable evidence_int a value
of 42, you can then use the evidence_char member to display the
character representation of that number, as shown in the following
example:

(labenv)user@lab:~$ python new_evidence.py
Enter new evidence number:42
Evidence number as a int: 42
Evidence number as a long: 42
Evidence number as a char: *

As you can see in the preceding example, by assigning the union a single
value, you get three different representations of that value. For int and
long, the displayed output is obvious but for the evidence_char variable, it
could be a bit confusing. In this case, '*' is the ASCII character with the
decimal value 42. The evidence_char member
variable is a good example of how to define an array in ctypes. In ctypes,
an array is defined by multiplying a type by the number of elements that
you want to allocate in the array. In this example, a four-element
character array was defined for the member variable evidence_char.

A structure is very similar to unions, but the members do not share the
same memory location. You can access any of the member variables in
the structure using dot notation, such as case.name. This would access
the name variable contained in the case structure. The following is a very
brief example of how to create a structure (or struct, as they are often
called) with three members: name, number, and investigator_name so that
all can be accessed by the dot notation:

from ctypes import *

class case(Structure):
    # members are stored one after another, each in its own memory
    _fields_ = [
        ("name", c_char * 16),
        ("number", c_int),
        ("investigator_name", c_char * 8)
    ]
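
The union and structure layouts above, as an added Python 3 example that is not part of the book's code: it shows what the shared bytes of the union hold for values other than 42 and round-trips the case structure through its raw byte layout. The class and function names (EvidenceUnion, CaseRecord, union_views, pack_case, parse_case) and the sample values are assumptions made for this example.

```python
import ctypes


class EvidenceUnion(ctypes.Union):
    """Same members as the union above: all of them overlay one memory block."""
    _fields_ = [
        ("evidence_int", ctypes.c_int),
        ("evidence_long", ctypes.c_long),
        ("evidence_char", ctypes.c_char * 4),
    ]


class CaseRecord(ctypes.Structure):
    """Same members as the structure above: stored one after another."""
    _fields_ = [
        ("name", ctypes.c_char * 16),
        ("number", ctypes.c_int),
        ("investigator_name", ctypes.c_char * 8),
    ]


def union_views(number):
    """Store number in evidence_int and return every view of the shared bytes."""
    # ctypes does no overflow checking: the value is masked to fit a C int.
    u = EvidenceUnion(evidence_int=number)
    return {
        "int": u.evidence_int,
        "long": u.evidence_long,
        "char": u.evidence_char,   # bytes up to the first NUL byte only
        "raw": bytes(u)[:4],       # the four bytes that are really in memory
    }


def pack_case(name, number, investigator):
    """Serialize one case record to its in-memory byte layout.

    Raises ValueError if a string does not fit its fixed-size char array.
    """
    rec = CaseRecord(name.encode("ascii"), number, investigator.encode("ascii"))
    return bytes(rec)


def parse_case(buf):
    """Parse one record from raw bytes, for example read from a binary file."""
    size = ctypes.sizeof(CaseRecord)
    if len(buf) < size:
        raise ValueError("need %d bytes, got %d" % (size, len(buf)))
    rec = CaseRecord.from_buffer_copy(buf[:size])
    return (rec.name.decode("ascii"), rec.number,
            rec.investigator_name.decode("ascii"))


if __name__ == "__main__":
    # Constructed sample values: 42 prints as '*', 256 has a NUL first byte on
    # little-endian machines, and 2**32 + 42 is silently masked down to 42.
    for n in (42, 256, 2**32 + 42):
        print(n, union_views(n))
    blob = pack_case("case-001", 4711, "alice")
    print(len(blob), blob)
    print(parse_case(blob))
```

On a little-endian machine the value 256 yields an empty evidence_char, because the first of the four shared bytes is NUL; reading the raw bytes avoids losing that information.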

Tip
Downloading the example code

You can download the example code files from your account at
http://www.packtpub.com for all the Packt Publishing books you have
purchased. If you purchased this book elsewhere, you can visit
http://www.packtpub.com/support and register to have the files e-mailed
directly to you.
Summary
In the first chapter, we created our lab environment: a virtual machine
running Ubuntu 14.04.2 LTS. This step is really important as you can
now create snapshots before working on real evidence and are able to
roll back to a clean machine state after finishing the investigation. This
can be helpful, especially, when working with compromised system
backups, where you want to be sure that your system is clean when
working on a different case afterwards.

In the second part of this chapter, we demonstrated how to work with
Python's virtual environments (virtualenv) that will be used and
extended throughout the book.

In the last section of this chapter, we introduced the Python ctypes to
you, which is a very powerful library available to the Python developer.
With those ctypes, you are not only able to call functions in the
dynamically linked libraries (available Microsoft Win32 APIs or common
Linux shared objects), but they can also be used for low-level memory
manipulation.

After completing this chapter, you will have a basic environment created
to be used for the rest of the book, and you will also understand the
fundamentals of Python ctypes that will be helpful in some of the
following chapters.
Chapter 2. Forensic Algorithms
Forensic algorithms are the building blocks for a forensic investigator.
Independent from any specific implementation, these algorithms describe
the details of the forensic procedures. In the first section of this chapter,
we will introduce the different algorithms that are used in forensic
investigations, including their advantages and disadvantages.

Algorithms
In this section, we describe the main differences between MD5, SHA256,
and SSDEEP—the most common algorithms used in the forensic
investigations. We will explain the use cases as well as the limitations
and threats behind these three algorithms. This should help you
understand why using SHA256 is better than using MD5 and in which
cases SSDEEP can help you in the investigation.

Before we dive into the different hash functions, we will give a short
summary of what a cryptographic hash function is.

A hash function is a function that maps an arbitrarily large amount of
data to a value of a fixed length. The hash function ensures that the
same input always results in the same output, called the hash sum.
Consequently, a hash sum is a characteristic of a specific piece of data.

A cryptographic hash function is a hash function that is considered
practically impossible to invert. This means that it is not possible to create
the input data while having a pre-defined hash sum value by any other
means than trying all the possible input values, that is, brute force.
Therefore, this class of algorithms is known as one-way cryptographic
algorithms.

The ideal cryptographic hash function has four main properties, as
follows:

1. It must be easy to compute the hash value for any given input.
2. It must be infeasible to generate the original input from its hash.
3. It must be infeasible to modify the input without changing the hash.
4. It must be infeasible to find two different inputs with the same hash
(collision-resistant).

In the ideal case, if you create a hash of the given input and change only
one bit of this input, the newly calculated hash will look totally different,
as follows:

user@lab:~$ echo -n This is a test message | md5sum
fafb00f5732ab283681e124bf8747ed1

user@lab:~$ echo -n This is A test message | md5sum
aafb38820e0a3788eb41e9f5805e088e

If all of the previously mentioned properties are fulfilled, the algorithm is a
cryptographically correct hash function and can be used to compare, for
example, files with each other to prove that they haven't been tampered
with during analysis or by an attacker.

MD5
The MD5 message-digest algorithm was the most commonly used (and
is still a widely used) cryptographic hash function that produces a 128-bit
(16-byte) hash value, typically expressed in the text format as a 32-digit
hexadecimal number (as shown in the previous example). This message
digest has been utilized in a wide variety of cryptographic applications
and is commonly used to verify data integrity in forensic investigations.
This algorithm was designed by Ronald Rivest in 1991 and has been
heavily used since then.

A big advantage of MD5 is that it is faster to calculate and produces small
hashes. The small hashes are a major point of interest when you need to
store thousands of these hashes in a forensic investigation. Just imagine
how many files a common PC will have on its hard drive. If you need to
calculate a hash of each of these files and store them in a database, it
would make a huge difference whether each of the calculated hashes is
16 bytes or 32 bytes in size.

Nowadays, the major disadvantage of MD5 is the fact that it is no longer
considered to be collision-resistant. This means that it is possible to
calculate the same hash from two different inputs. Keeping this in mind, it
is no longer possible to guarantee that a file hasn't been modified just
by comparing its MD5 hash at two different stages of an investigation. At
the moment, it is possible to create a collision very fast (refer to
http://www.win.tue.nl/hashclash/On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf),
but it is still difficult to modify a benign file into a malicious version
of it while keeping the MD5 hash of the original file.

The very famous cryptographer, Bruce Schneier, once wrote that
(https://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html):

"We already knew that MD5 is a broken hash function" and that "no
one should be using MD5 anymore".

We would not go that far (especially because a lot of tools and services
still use MD5), but you should try switching to SHA256 or at least double-
check your results with the help of different hash functions in cases
where it is critical. Whenever the chain of custody is crucial, we
recommend using multiple hash algorithms to prove the integrity of your
data.

SHA256
SHA-2 is a set of cryptographic hash functions designed by the NSA
(U.S. National Security Agency) and stands for Secure Hash Algorithm
2nd Generation. It was published in 2001 by NIST as a U.S.
federal standard (FIPS). The SHA-2 family consists of several hash
functions with digests (hash values) that are between 224 bits and 512
bits. The cryptographic functions SHA256 and SHA512 are the most
common versions of SHA-2 hash functions computed with 32-bit and
64-bit words.

Despite the fact that these algorithms are slower to calculate and that the
calculated hashes are larger in size (compared to MD5), they should be
the preferred algorithms that are used for integrity checks during the
forensic investigations. Nowadays, SHA256 is a widely used
cryptographic hash function that is still collision-resistant and entirely
trustworthy.

SSDEEP
The biggest difference between MD5, SHA256, and SSDEEP is the fact
that SSDEEP is not considered to be a cryptographic hash function as
it only changes slightly when the input is changed by one bit. For
example:

user@lab:~$ echo -n This is a test message | ssdeep
ssdeep,1.1--blocksize:hash:hash,filename
3:hMCEpFzA:hurs,"stdin"

user@lab:~$ echo -n This is A test message | ssdeep
ssdeep,1.1--blocksize:hash:hash,filename
3:hMCkrzA:hOrs,"stdin"

The SSDEEP packages can be downloaded and installed as described in
the following URL: http://ssdeep.sourceforge.net/usage.html#install

This behavior is not a weakness of SSDEEP; it is a major advantage of
this function. In reality, SSDEEP is a program to compute and match the
Context Triggered Piecewise Hashing (CTPH) values. CTPH is a
technique that is also known as Fuzzy Hashing and is able to match
inputs that have homologies. Inputs with homologies have sequences of
identical bytes in a given order with totally different bytes in between.
These bytes in between can differ in content and length. CTPH, originally
based on the work of Dr. Andrew Tridgell, was adapted by Jesse
Kornblum and published at the DFRWS conference in 2006 in a paper
called Identifying Almost Identical Files Using Context Triggered
Piecewise Hashing; refer to
http://dfrws.org/2006/proceedings/12-Kornblum.pdf.

SSDEEP can be used to check how similar the two files are and in which
part of the file the difference is located. This feature is often used to
check if two different applications on the mobile devices have a common
code base, as shown in the following:

user@lab:~$ ssdeep -b malware-sample01.apk > signature.txt

user@lab:~$ cat signature.txt
ssdeep,1.1--blocksize:hash:hash,filename
49152:FTqSf4xGvFowvJxThCwSoVpzPb03++4zlpBFrnInZWk:JqSU4ldVVpDIcz3BFr8Z7,"malware-sample01.apk"

user@lab:~$ ssdeep -mb signature.txt malware-sample02.apk
malware-sample02.apk matches malware-sample01.apk (75)

In the previous example, you can see that the second sample matches
the first one with a very high likelihood. These matches indicate
potential source code reuse, or at least that a large number of files
inside the apk file are identical. A manual examination of the files in
question is required to tell exactly which parts of the code or files are
identical; however, we now know that both the files are similar to each
other.
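
To make the difference between a cryptographic hash and CTPH concrete, the following added example (not the book's code and not the ssdeep algorithm itself) implements a simplified piecewise hash in Python 3 and compares it with SHA256 after a one-bit change. The window size, block size, scoring formula and all function names are assumptions chosen for illustration, and its signatures are not compatible with ssdeep.

```python
import hashlib

WINDOW = 7       # bytes of context the rolling hash looks at (toy parameter)
BLOCKSIZE = 16   # a piece ends when rolling % BLOCKSIZE == BLOCKSIZE - 1
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fnv1a(piece):
    """32-bit FNV-1a hash of one piece."""
    h = 0x811C9DC5
    for b in piece:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def ctph_signature(data):
    """Toy context triggered piecewise hash: one base64 character per piece.

    Piece boundaries depend only on the last WINDOW bytes, so a local change
    can only disturb the pieces around it; the rest of the signature survives.
    """
    sig, rolling, start = [], 0, 0
    for i, b in enumerate(data):
        rolling += b
        if i >= WINDOW:
            rolling -= data[i - WINDOW]        # slide the window forward
        if rolling % BLOCKSIZE == BLOCKSIZE - 1:
            sig.append(B64[fnv1a(data[start:i + 1]) & 63])
            start = i + 1
    if start < len(data):                      # trailing piece without trigger
        sig.append(B64[fnv1a(data[start:]) & 63])
    return "".join(sig)


def edit_distance(a, b):
    """Levenshtein distance between two signatures."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """Score from 0 to 100 (assumed formula, not the one ssdeep uses)."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return round(100 * (1 - edit_distance(sig_a, sig_b) / longest))


def differing_bits(x, y):
    """Number of bit positions in which two equally long digests differ."""
    return sum(bin(p ^ q).count("1") for p, q in zip(x, y))


def compare(a, b):
    """Contrast SHA256 (avalanche effect) with the toy CTPH (local change)."""
    return {
        "sha256_bits_changed": differing_bits(hashlib.sha256(a).digest(),
                                              hashlib.sha256(b).digest()),
        "ctph_similarity": similarity(ctph_signature(a), ctph_signature(b)),
    }


def sample_data(seed, length=4096):
    """Constructed test input: deterministic pseudo-random bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + str(counter).encode()).digest()
        counter += 1
    return out[:length]


def flip_bit(data, offset, mask=0x20):
    """Return a copy of data with one bit changed at the given offset."""
    changed = bytearray(data)
    changed[offset] ^= mask
    return bytes(changed)


if __name__ == "__main__":
    original = sample_data(b"evidence")
    print("one bit changed:", compare(original, flip_bit(original, 2000)))
    print("unrelated input:", compare(original, sample_data(b"other")))
```

After the one-bit change roughly half of the 256 SHA256 output bits differ, while the piecewise signature stays almost identical; two unrelated inputs score low on both measures.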
Supporting the chain of custody
The outcomes of forensic investigations can have a severe impact on
organizations and individuals. Depending on your field of work, your
investigation can become evidence in the court.

Consequently, the integrity of forensic evidence has to be ensured not
just when collecting the evidence, but also throughout the entire handling
and analysis. Usually, the very first step in a forensic investigation is
gathering the evidence. Normally, this is done using a bitwise copy of the
original media. All the subsequent analysis is performed on this forensic
copy.

Creating hash sums of full disk images


To ensure that a forensic copy is actually identical to the original media,
hash sums of the media and from the forensic copy are made. These
hash sums must match to prove that the copy is exactly like the original
data. Nowadays, it has become common to use at least two different
cryptographic hash algorithms to minimize the risk of hash collisions and
harden the overall process against hash collision attacks.

With Linux, one can easily create MD5 and SHA256 hashes from a drive
or multiple files. In the following example, we will calculate MD5 sums
and SHA256 sums for two files to provide a proof of identical content:

user@lab:~$ md5sum /path/to/originalfile /path/to/forensic_copy_of_sdb.img

user@lab:~$ sha256sum /path/to/originalfile /path/to/forensic_copy_of_sdb.img

This proof of identical content is required to support the chain of custody,
that is, to show that the analyzed data is identical to the raw data on the
disk. The term sdb refers to a drive attached to the forensic workstation
(in Linux, the second hard drive is called sdb). To further support the
chain of custody, it is highly recommended to use a write-block device
between the evidence and forensic workstation to avoid any accidental
change of the evidence. The second argument represents the location of
a bitwise copy of the evidence. The commands output the hash sums for
the original drive and the copy. The copy can be considered forensically
sound if both the MD5 sums match and both the SHA256 sums match.

While the method shown in the previous example works, it has a big
disadvantage: the evidence and its copy have to be read twice to
calculate the hash sums. If the disk is a 1 TB hard drive, it can slow down
the overall process by several hours.

The following Python code reads the data only once and feeds it into two
hash calculations. Therefore, this Python script is almost twice as fast as
running md5sum followed by sha256sum and produces exactly the same
hash sums as these tools:

#!/usr/bin/env python

import hashlib
import sys

def multi_hash(filename):
    """Calculates the md5 and sha256 hashes
    of the specified file and returns a list
    containing the hash sums as hex strings."""

    md5 = hashlib.md5()
    sha256 = hashlib.sha256()

    with open(filename, 'rb') as f:
        while True:
            # read 1 MiB at a time and feed it to both hash calculations
            buf = f.read(2**20)
            if not buf:
                break
            md5.update(buf)
            sha256.update(buf)

    return [md5.hexdigest(), sha256.hexdigest()]

if __name__ == '__main__':
    hashes = []
    print '---------- MD5 sums ----------'
    for filename in sys.argv[1:]:
        h = multi_hash(filename)
        hashes.append(h)
        print '%s %s' % (h[0], filename)

    print '---------- SHA256 sums ----------'
    for i in range(len(hashes)):
        print '%s %s' % (hashes[i][1], sys.argv[i+1])

In the following call of the script, we calculate the hash sums of some of
the common Linux tools:

user@lab:~$ python multihash.py /bin/{bash,ls,sh}
---------- MD5 sums ----------
d79a947d06958e7826d15a5c78bfaa05 /bin/bash
fa97c59cc414e42d4e0e853ddf5b4745 /bin/ls
c01bc66da867d3e840814ec96a137aef /bin/sh
---------- SHA256 sums ----------
cdbcb2ef76ae464ed0b22be346977355c650c5ccf61fef638308b8da60780bdd /bin/bash
846ac0d6c40d942300de825dbb5d517130d8a0803d22115561dcd85efee9c26b /bin/ls
e9a7e1fd86f5aadc23c459cb05067f49cd43038f06da0c1d9f67fbcd627d622c /bin/sh

It is crucial to document the hash sums of the original data and the
forensic copy in the forensic report. An independent party can then read
the same piece of evidence and confirm that the data that you analyzed
is exactly the data of the evidence.

Creating hash sums of directory trees


Once the full image is copied, its contents should be indexed and the
hash sums should be created for every file. With the support of the
previously defined multi_hash function and Python standard libraries, a
report template containing a list of all file names, sizes, and hash values
can be created, as shown in the following:

#!/usr/bin/env python

from datetime import datetime
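
Added example, not the book's listing: one way to build such a report in Python 3 and to re-check the tree against it later, so that modified, missing and newly added files are detected. The function names build_manifest, format_report and verify_manifest, the report layout and the sample tree are assumptions; multi_hash is re-implemented here for Python 3 so that the block runs on its own.

```python
import hashlib
import os


def multi_hash(path, chunk_size=2**20):
    """Read the file once and feed every chunk to both hash calculations."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk_size), b""):
            md5.update(buf)
            sha256.update(buf)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(root):
    """Return {relative path: (size, md5, sha256)} for regular files under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                     # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symbolic links and special files are skipped, never followed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (os.path.getsize(full),) + multi_hash(full)
    return manifest


def format_report(manifest):
    """Render the manifest as a plain-text table for the forensic report."""
    lines = ["%-40s %12s  %-32s  %s" % ("file", "size", "md5", "sha256")]
    for rel in sorted(manifest):
        size, md5, sha256 = manifest[rel]
        lines.append("%-40s %12d  %s  %s" % (rel, size, md5, sha256))
    return "\n".join(lines)


def verify_manifest(root, manifest):
    """Re-hash root and list files that changed, vanished or appeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


if __name__ == "__main__":
    import tempfile

    # Constructed sample tree standing in for a mounted forensic copy.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"abc")

        baseline = build_manifest(root)
        print(format_report(baseline))

        # Simulate a change made after the baseline was recorded.
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"abd")
        print(verify_manifest(root, baseline))
```

A file counts as modified when its size, MD5 sum or SHA256 sum differs from the recorded value, which follows the recommendation above to rely on more than one hash algorithm.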


guess not. I’m a little off to-night, and I’d be pretty sure to go in the
hole.”
Deverney laughed. “That’s what they all say when they are broke. I’ll
stake you.”
“No—thanks; I didn’t mean that. I have money enough.”
He strolled down the long room toward the faro table, turning the
matter over in his mind. He had left Mrs. Seeley’s with madness in
his heart, and with a fell determination to go and do something
desperate—something that would make Dorothy’s heart ache if she
could know of it. But now that he was on the brink of the pool of ill-
doing the stench of it sickened him. Calling the plunge revenge, it
seemed very mean and despicable.
Halfway down the room he faced about, and but for the drink he had
taken would have gone home. But the liquor tipped the scale. It was
adulterated poison, as it was bound to be in such a place, and Brant
—at his worst the most temperate of men on the side of appetite—
had neither touched nor tasted since turning the new leaf. So the
decent prompting passed, and he wheeled and went back to watch
the game.
After that the descent was easy. A dollar ventured became two, the
two four, and the four eight. Presently one of the sitters rose, and
Brant dropped into the vacant chair, lighted a fresh cigar, and
ordered another drink. It was what he used to do in the old days
when his conscience stirred uneasily, and now, as then, the
intoxicant had the desired effect. It slew the man in him without
unstringing the steady nerve of the gamester.
Since he cared not whether he lost or won, luck was with him from
the first and throughout. Play as he might, he could not lose; and
when he rose at midnight, Draco, who acted as his own banker, had
to stop the game and go to his safe for more money before he could
declare the dividend.
“There are your ducats,” he said, tossing a thick roll of bills across
the table. “It’s an open game, and I haven’t anything to say; all the
same, I’m willing to see you pull out. This outfit isn’t any blooming
gold mine.”
Brant unrolled the money, twisted it into a spill, and handed it back.
“Keep it, if you like; I haven’t any use for it.”
Draco laughed. “Yes, I will!—and have you charging back here with a
gun when you’re sob—when you’ve had time to think about it? Not much!
I haven’t got any time to open up a shooting gallery and play
bow-and-arrow with you, George.”
Brant stuffed the money into his pocket and went his way. As he was
going out, Deverney beckoned him.
“Say, I heard two fellows talking about the way you were winning,” he
said, leaning across the bar and lowering his voice. “I didn’t know
either one of them, but they’re a hard-looking lot—the kind that waits
for you at the mouth of a dark alley. Are you fixed?”
Brant nodded. “You say you don’t know them?”
“Only by sight. They’ve both been here before; though not together
till to-night.”
“Talk as if they knew me?”
“Yes. They do know you by name. One of them said something
about ‘spotting’ you to-night.”
Now, when one has scattered the seed of enmity impartially in all
soils a goodly crop of ill-wishers may be looked for in any harvest
field however well inclosed. Since he had never turned aside to
avoid a quarrel in any one of the ill-starred years, Brant had enemies
a-plenty; but holding his own life lightly he had never let the fact
trouble him. None the less, he was curious enough to ask Deverney
if he could describe the two men. The bartender could and did.
“One of them is tall and rather thin, about the size and shape of the
Professor, only he has a beard like a billy goat, and a shock of red
hair that looks as if it hadn’t been cut for a month of Sundays. The
other is—well, I should say he looks like a chunky man gone thin, if
you can savez that; smooth face, with a sort of bilious look, and the
wickedest eye you ever saw in a man’s head.”
Brant shook his head slowly. “I don’t recall either of them,” he said.
Then the Berserker in him came to the surface, and he took the
pistol from his pocket and twirled the chambers to see that they were
all filled. “If they know me, they know what to expect, and I’ll try and
see that they are not disappointed. Much obliged for the hint. Good
night, Tom.”
He went out with his head up and his hands in his pockets, bearing
himself as if he would as soon end the bad day with a battle to the
death as otherwise. At the corner above he saw the two men
standing in a doorway on the opposite side of the street, recognised
them at once from Deverney’s description, and, giving place to a
sudden impulse of recklessness, went straight across to them. They
paid no attention to him, not even when he stopped and looked them
over with a cool glance of appraisal that was little less than a
challenge. But when he went on they followed leisurely and at a safe
distance. Brant knew they were dogging him, but he neither loitered
nor hastened. If they chose to overtake and waylay him he would
know what to do. If they did not, the morning newspapers would lack
a stirring item, and two footpads would have a longer lease of life.
In the challenging glance he had passed the taller man by as a
stranger, but the face of the other haunted him. There was
something exasperatingly familiar about it, and yet no single feature
by which it could be identified. Analyzed in detail, the puzzle
arranged itself above and below a line drawn across the upper lip of
the half-familiar face. The broad flat nose, high cheek bones, and
sunken eyes were like those of some one he had seen before. But
the hard mouth with the lines of cruelty at the corners, and the
projecting lower jaw, seemed not to belong to the other features.
“It’s a freak, and nothing more or less,” he told himself, when he had
reasoned out so much of the puzzle. “The fellow has the top of
somebody else’s head—somebody I have known. I wonder how he
got it?”
There was an easy answer to the query, and if Brant had guessed it
he would have been careful to choose the well-lighted streets on the
way up town. If he had chanced to remember that a thick curling
beard, unkempt and grizzled, would mask the cruel mouth and ugly
jaw, he would have recognised the face though it chanced that he
had seen it but once, and then in a moment of fierce excitement. And
if he had reflected further that a beard may be donned as well as
doffed, and that the wig-maker’s art still flourishes, he would have
realized that out of a very considerable collection of enemies made
in the day of wrath none were more vindictive or desperate than the
two who kept him in sight as he made his way back to Mrs. Seeley’s.
They closed upon him, or made as if they would, when he reached
the gate, and he fingered his pistol and waited. The few hours which
overlaid his late meeting with Dorothy had gone far toward undoing
the good work of the preceding months of right living. While he
waited, the man-quelling fiend came and sat in the seat of reason,
and it was Plucky George of the mining camps rather than Colonel
Bowran’s draughtsman who stood at Mrs. Seeley’s gate and fingered
the lock of the ready weapon.
As if they had some premonition of what was lying in wait for them,
the two men veered suddenly and crossed the street. Had Brant
known who they were and why they had followed him, it is
conceivable that their shadows would never have darkened the
opposite sidewalk. As it was, he opened the gate and went in with a
sneer at their lack of courage in the last resort.
“Two to one, and follow a man a mile at midnight without coming to
the scratch,” he scoffed. “I have a good mind to go over and call their
bluff alone. It would serve them right to turn the tables on them, and
I’d do it if I thought they had anything worth the trouble of holding
them up.”
CHAPTER XV
WHEN HATE AND FEAR STRIKE HANDS

When he was suffered to escape after his attempt upon Brant’s life
in the private room at Elitch’s, James Harding tarried in Denver only
so long as the leaving time of the first westward bound train
constrained him. Nevertheless, he went as one driven, and with
black rage in his heart, adding yet another tally to the score of his
account against the man who had banished him.
But, like Noah’s dove, he was destined to find no rest for the sole of
his foot. Having very painstakingly worn out his welcome in the
larger mining camps, he was minded to go to Silverette, hoping to
pick a living out of the frequenters of Gaynard’s. Unluckily, he was
known also in Silverette; and unluckily again, word of his coming
preceded him from Carbonado, the railway station nearest to the
isolated camp at the foot of Jack Mountain. Harding walked up from
Carbonado, was met at a sharp turn in the wagon road by a
committee from the camp above, and was persuaded by arguments
in which levelled rifles played a silent but convincing part to retrace
his steps.
Returning to Carbonado, his shrift was but a hand’s breadth longer.
On the second day, when he was but barely beginning to draw
breath of respite, he was recognised as the slayer of one William
Johnson, was seized, dragged into the street, and after an
exceedingly trying half hour was escorted out of camp and across
the range by a guard of honour with drawn weapons.
Under such discouragements he promptly determined to face the ills
he knew, drank deeply at the well of desperation, and, making a
forced march to the nearest railway station, boarded the first train for
Denver. It was a hazardous thing to do. Brant was a man of his word,
and the banished one had known him to go to extremities upon
slighter provocation. But, on the other hand, Denver was a
considerable city, and their ways might easily lie apart in it.
Moreover, if the worst should come, it was but man to man, with
plenty of old scores to speed the bullet of self-defence.
So reasoning, Harding stepped from the train at the Denver Union
Station in the gray dawn of an October morning, Argus-eyed, and
with his hand deep buried in the pocket of his ulster. The time was
auspicious, and he reached a near-by lodging house without mishap.
Through one long day he remained in hiding, but after dark, when
the prowling instinct got the better of prudence, he ventured out. In a
kennel some degrees lower in the scale descending than Draco’s he
met a man of his own kidney whom he had once known in the
camps, and who was but now fresh from the Aspen district and from
an outpost therein known as Taggett’s Gulch.
This man drank with Harding, and when his tongue was a little
loosened by the liquor grew reminiscent. Did the Professor recall the
killing of a man in the Gulch a year or so back—a man named
Benton, or Brinton? Harding had good cause to remember it, and he
went gray with fear and listened with a thuggish demon of
suffocation waylaying his breath. Assuredly, everybody remembered.
What of it? Nothing much, save that the brother of the murdered man
was in Colorado with the avowed intention of finding and hanging the
murderer, if money and an inflexible purpose might contribute to that
end.
That was the gist of the matter, and when Harding had pumped his
informant dry, he shook the man off and went out to tramp the streets
until he had fairly taken the measure of the revived danger. Summed
up, it came to this: sooner or later the avenger of blood would hear of
Brant, and after that the end would come swiftly and the carpenters
might safely begin to build the gallows for the slayer of Henry
Brinton. Harding had a vivid and disquieting picture of the swift
sequence of events. The brother would find Brant, and the latter
would speedily clear up the mystery and give the avenger the proofs.
Then the detective machinery would be set in motion, and thereafter
the murderer would find no lurking place secret enough to hide him.
Clearly something must be done, and that quickly. Concealment was
the first necessity; James Harding must disappear at once and
effectually. That preliminary safely got over, two sharp corners
remained to be turned at whatever cost. The incriminating evidence
now in Brant’s hands must be secured and destroyed, and Brant
himself must be silenced before the avenger of blood should find and
question him.
The disguise was a simple matter. At one time in his somewhat
checkered career Harding had been a supernumerary in a Leadville
variety theatre. Hence, the smooth-shaven, well-dressed man who
paid his bill at the Blake Street lodging house at ten o’clock that night
bore small likeness to the bearded and rather rustic-looking person
who engaged a room a few minutes later at a German Gasthaus in
West Denver. The metamorphosis wrought out in artistic detail,
Harding put it at once to the severest test. Going out again, he
sought and found the man from Taggett’s Gulch, and was
unrecognised. Introducing himself as a farmer from Iowa, he
persuaded the man to pilot him through the mazes of the Denver
underworld, and when he had met and talked with a dozen others
who knew the Professor rather better than he knew himself, he went
back to the West Side Gasthaus with a comforting abatement of the
symptoms of strangulation.
Having thus purchased temporary safety, the castaway began
presently to look about him for the means to the more important end.
Night after night he haunted the purlieus, hoping that a lucky chance
might reveal Brant’s whereabouts. But inasmuch as Brant was yet
walking straitly, nothing came of this, and in his new character
Harding could not consistently ask questions. Twice he met William
Langford face to face, and, knowing that the boy could probably give
him Brant’s street and number, he was about to risk an interview with
his protégé in his proper person when the god of evil-doers gave him
a tool exactly fitted to his hand.
It was on the Sunday evening of Brant’s relapse. Harding had been
making his usual round, and at Draco’s he met a man whose face he
recognised despite its gauntness and the change wrought by the
razor. A drink or two broke the ice of unfamiliarity, and then Harding
led the way to a card room in the rear on the pretext of seeking a
quiet place where they might drink more to their better acquaintance.
In the place of withdrawal Harding kept up the fiction of bucolic
simplicity only while the waiter was bringing a bottle and glasses.
Then he said: “I reckon you’d be willing to swear you had never seen
me before, wouldn’t you, Gasset?”
The big man gone thin was in the act of pouring himself another
drink, but he put the bottle down and gave evidence of a guilty
conscience by starting from his chair, ready for flight or fight as the
occasion might require.
“Who the blazes are you, anyway?” he demanded, measuring the
distance to the door in a swift glance aside.
Harding pulled off the wig and beard and leered across at him. “Does
that help you out any?”
Gasset sprang to his feet with a terror-oath choking him and
retreated backward to the door, hand on weapon.
“Don’t you do it, Jim!” he gasped. “Don’t, I say. I never meant to hurt
her—any of ’em will swear to that!”
Harding struck a match and relighted his cigar. He did it with leisurely
thoroughness, turning the match this way and that and ignoring his
quarry much as a cat ignores a mouse which can by no means
escape. Gasset stood as one fascinated, watching every movement
of the slim fingers and feeling blindly behind him for the knob of the
door. Whereat Harding laughed mockingly and pointed to the bottle
on the table.
“You had better come back here and take a little more of the same to
stiffen your nerve, Ike. You couldn’t hit the broad side of a barn just
now.”
Gasset found the doorknob finally and breathed freer when it yielded
under his hand. “Give me a show for my life, Jim!” he begged,
widening the opening behind him by stealthy half inches. “It ain’t
worth much, but, by God, I want it for a little while yet!”
Harding laughed again. “What is the matter with you? You would
have been a dead man long ago if I had wanted to drop you. Come
back here and finish your drink.”
Having more than once set his life over against his thirst, Gasset did
it once again, filling his glass with hands that shook, and swallowing
the drunkard’s portion at a gulp. The liquor steadied him a little and
he sat down.
“Then you ain’t out gunning for me?” he ventured.
“No; what made you think I was?”
Gasset scratched his head and tilted the bottle again. “I don’t know, if
you don’t. But it appears like to me, if anybody had killed a sister of
mine I’d want to get square. And I reckon I wouldn’t split any hairs
about his being drunk or sober at the time, nor yet about whether he
went for to do it meaningly or just did it by happen-so.”
Harding ignored the implied reproach and went on to the more
important matter:
“Damn that! It is enough for me to know that you were trying to kill
George Brant,” he said coolly. “Do you still feel that way?”
Gasset rose unsteadily and the dull eyes of him glowed in their
sockets. “Look at me now, Jim, and then recollect, if you can, what-
all I used to be. You know what that was; not any man in the camp
could put me on my back unless I was drunk. And now look at me—
a poor, miser’ble, broke-up wrack, just out o’ the horspital! He done it
—filled me plum full of lead when I was too crazy drunk to see
single; that’s what he done!”
“Then I suppose you wouldn’t be sorry if you had the chance to even
up with him,” said Harding, hastily building up a plan which would
enable him to make use of this opportune ally.
“Now you are talking! Say, Jim, I’m hanging on to what little scrap of
life he has left me for just nothing else. Understand?”
“Good; that is business,” quoth Harding. “I am with you to stay. Find
him for me, and I’ll help you square the deal.”
“Find him?” echoed Gasset. “Why, man alive, he is right out yonder
at the faro table! You rubbed up against him coming in here!”
“The devil you say!” Harding hastily resumed the wig and the false
beard, with a word explanatory. “He mustn’t recognise me, or the
game will be up before it begins. Pull up your chair and we’ll talk this
thing over.”
Half an hour later the two conspirators left the card room and made
their way singly through the crowd in the game room to meet at the
bar. Gasset had lingered a moment at Brant’s elbow, and, having
seen the winnings, incautiously spoke of them to Harding in Tom
Deverney’s hearing. Harding shook his head, and dragged his
companion out to the sidewalk.
“You will have to look out for Deverney—the barkeeper,” he said. “He
is Brant’s friend. The first thing is to find out where he sleeps. We’ll
go over to the other corner and wait for him till he comes out.”
CHAPTER XVI
THE GOODLY COMPANY OF MISERY

Having gone so far astray on the Sunday, it was inevitable that Brant
should awake repentant and remorseful on the Monday. He slept
late, and when he had breakfasted like a monk and had gone
downtown to face another day of enforced idleness in his office,
conscience rose up and began to ply its many-thonged whip.
What a thrice-accursed fool he had made of himself, and how
completely he had justified Mrs. Langford’s opinion of him! How
infinitely unworthy the love of any good woman he was, and how
painstakingly he had put his future beyond the hope of redemption! If
Colonel Bowran would only come back and leave him free to go and
bury himself in some unheard-of corner of the world! This was the
burden of each fresh outburst of self-recrimination.
So much by way of remorse, but when he thought of Dorothy,
something like a measure of dubious gratitude was mingled
therewith—a certain thankfulness that the trial of his good
resolutions had come before he had been given the possible chance
of free speech with her—a chance which might have involved her
happiness as well as his own peace of mind.
“Good Lord!” he groaned, flinging himself into a chair and tossing his
half-burned cigar out of the window. “I ought to be glad that I found
myself out before I had time to pull her into it. If they had let me go
on, and she would have listened to me, I should have married her
out of hand—married an angel, and I with a whole nest of devils
asleep in me waiting only for a chance to come alive! God help me!
I’m worse than I thought I was—infinitely worse.—Come in!” This last
to some one at the door.
It was only the postman, and Brant took the letters eagerly, hoping to
find one from Hobart. He was disappointed, but there was another
note from the end-of-track on the Condorra Extension, setting forth
that the chief engineer’s home-coming would be delayed yet other
days.
Brant read the colonel’s scrawl, and what was left of his endurance
took flight in an explosion of bad language. A minute later he burst
into Antrim’s office.
“Where is Mr. Craig?” he demanded.
“He has gone to Ogden,” said Antrim, wondering what had happened
to disturb the serenity of the self-contained draughtsman.
“The devil he has! When will he be back?”
“I don’t know—the last of the week, maybe.”
“Damn!”
Antrim laughed. “What ails you this morning? You look as if you’d
had a bad night. Come inside and sit down—if you’re not too busy.”
Brant let himself in at the wicket in the counter-railing and drew up a
chair.
“I am not busy enough—that is one of the miseries. And I want you
to help me out, Harry. You have full swing here when the old man is
away, haven’t you?”
“Why—yes, after a fashion. What has broke loose?”
Brant looked askance at the stenographer, and the chief clerk rightly
interpreted the glance.
“O John,” he said, “I wish you would take these letters down and put
them on No. 3. Hand them to the baggageman yourself, and then
you’ll be sure they have gone.” And when the door closed behind the
young man he turned back to Brant. “Was that what you wanted?”
“Yes, but I don’t know as it was necessary. There is nothing
particularly private about what I want to say. You see, it is this way:
Colonel Bowran is out on the Extension, and Grotter is with him. I am
alone here in the office, and I’ve got to leave town suddenly. What I
want you to do is to put somebody in there to keep house till the
colonel returns.”
The chief clerk smiled. “It must be something pretty serious to rattle
you that way,” was his comment. “You are a good enough railroad
man to know that my department has nothing to do with yours,
except to ask questions of it. And that reminds me: here is a letter
from the general manager asking if we have a late map of the
Denver yards. The president is coming west in a day or two, and
there is a plan on foot for extensions, I believe.”
“Well?” said Brant.
“It isn’t well—it’s ill. We haven’t any such map, and I don’t see but
what you will have to stay and make one.”
Now, to a man in Brant’s peculiar frame of mind employment was
only one degree less welcome than immediate release. Wherefore
he caught at the suggestion so readily that Antrim was puzzled.
“I thought you had to go away, whether or no,” he said curiously.
“Oh, I suppose I can put it off if I have to,” Brant rejoined, trying to
hedge.
“Which is another way of telling me to mind my own business,”
retorted Antrim good-naturedly. “That’s all right; only, if you have
struck a bone, you can comfort yourself with the idea that you have
plenty of good company. No one of us has a monopoly of all the
trouble in the world.”
“No, I suppose not.” Brant said so much, and then got far enough
away from his own trouble to notice that the chief clerk was looking
haggard and seedy.
“You look as if you had been taking a turn at the windlass yourself,
Harry. Have you?”
“Yes, something of that sort,” replied Antrim, but he turned quickly to
the papers on his desk.
“Nothing that I can help you figure out, is it?”
“No,” said the chief clerk, so savagely that Brant smiled.