
stuxnet999 / EventTranscriptParser

Licence: MIT license
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)




About

EventTranscriptParser is a Python-based tool to extract forensically useful details from EventTranscript.db (the Windows Diagnostic Data database).

The database is present on Windows 10 systems at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db.

The tool currently supports the following features.

  • Extracting MS Edge browser history.
  • Extracting list of software/programs installed on the host system.
  • Extracting Wireless Scan results.
  • Extracting WiFi connection details (SSIDs, device manufacturers, etc.)
  • Extracting Physical Disk information (disk size, number of partitions, etc.)
  • Extracting PnP device installation information (install time, model, manufacturer, etc.)
  • MORE COMING SOON!!

Requirements

Python 3.8 or above. Older versions of Python 3.x should work fine as well.

Dependencies

These are the Python libraries/modules required to run the script:

  • json
  • sqlite3
  • pandas
  • os
  • argparse

All of the above modules are part of the Python 3 standard library except pandas.

To install pandas, use pip from a command prompt/terminal:

pip install pandas

Usage

Tip: Before running the tool against the database, make sure that the data in the -wal (Write-Ahead Log) file has been merged into the original database; otherwise you might miss out on crucial/juicy data. Rows committed shortly before the system was imaged often exist only in EventTranscript.db-wal, so a copy of the main file alone is incomplete.

The tool is completely CLI based and there are two ways to use it.
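The WAL merge described in the tip above, as an added example that is not part of EventTranscriptParser: it copies the database together with its -wal sidecar into a working directory and checkpoints the copy, and compares the row count against a naive copy of the main file alone. The sample database, its events table and the file names are constructed here for demonstration; the real EventTranscript.db schema is not modelled.

```python
import os
import shutil
import sqlite3
import tempfile

def checkpoint_copy(db_path: str, work_dir: str) -> str:
    """Copy db + its -wal into work_dir and checkpoint the copy; return its path."""
    copy_path = shutil.copy2(db_path, work_dir)
    if os.path.exists(db_path + "-wal"):  # -shm is only an index; SQLite rebuilds it
        shutil.copy2(db_path + "-wal", copy_path + "-wal")
    con = sqlite3.connect(copy_path)
    try:
        # TRUNCATE writes every committed WAL frame into the main file, then empties the WAL
        busy, _, _ = con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
        if busy:
            raise RuntimeError("checkpoint blocked: another process holds the copy")
        con.execute("PRAGMA journal_mode=DELETE")  # stop SQLite creating a new -wal
    finally:
        con.close()
    return copy_path

def build_sample_db(db_path: str, wal_rows: int) -> sqlite3.Connection:
    """Constructed sample: WAL-mode db whose rows live only in -wal (writer kept open)."""
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # schema lands in the main file
    con.executemany("INSERT INTO events(name) VALUES (?)",
                    [(f"event-{i}",) for i in range(wal_rows)])
    con.commit()  # these rows now exist only in EventTranscript.db-wal
    return con

def count_events(db_path: str) -> int:
    con = sqlite3.connect(db_path)
    n = con.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    con.close()
    return n

def demo(wal_rows: int = 5) -> tuple:
    """Return (rows seen in a main-file-only copy, rows seen after merging the WAL)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "EventTranscript.db")
        writer = build_sample_db(db, wal_rows)
        try:
            naive = shutil.copy2(db, tempfile.mkdtemp(dir=tmp))  # no -wal copied
            merged = checkpoint_copy(db, tempfile.mkdtemp(dir=tmp))
            return count_events(naive), count_events(merged)
        finally:
            writer.close()
```

Work on copies only: checkpointing rewrites the main file, which must never happen to the evidence copy itself.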

Using Python

python EventTranscriptParser.py -f <Path-To-EventTranscript.db> -o <Path-To-Output-Directory>


To view help,

python EventTranscriptParser.py -h


Using Executable

If you do not have Python installed on your system, or have issues running the script, you can use the compiled executable. The executable is also CLI based.

Download the executable from https://github.com/stuxnet999/EventTranscriptParser/releases

.\EventTranscriptParser.exe -f .\EventTranscript.db -o .\CSV-Output\


The executable was compiled using pyinstaller version 4.5.1.

Compiling on your own

If you wish to compile on your own, use the commands below in any command prompt/terminal window.

pip install pyinstaller
pyinstaller --onefile EventTranscriptParser.py

You will find the compiled executable in the dist directory.

Acknowledgements

This tool wouldn't have been possible without the excellent research & hard work put in by my colleagues Andrew Rathbun & Josh Mitchell in investigating the Windows Diagnostic Data.

Read more about their research here - https://github.com/rathbuna/EventTranscript.db-Research

Follow the investigative series at Kroll on EventTranscript.db - https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript

Author

Abhiram Kumar
