About

EventTranscriptParser is a Python-based tool that extracts forensically useful details from EventTranscript.db, the Windows Diagnostic Database.

On Windows 10 systems the database is located at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db.

The tool currently supports the following features:

  • Extracts Microsoft Edge browsing history
  • Extracts the application inventory
  • Extracts wireless scan results
  • Extracts successful Wi-Fi connection events
  • Extracts the user's default preferences (video player, default browser, etc.)
  • Extracts SRUM information
    • Application execution
    • Application network usage
  • Extracts application execution activity

Requirements

Python 3.8 or newer is recommended; older Python 3.x releases should also work.

Dependencies

The script uses the following Python modules:

  • json
  • os
  • csv
  • argparse
  • sqlalchemy

json, os, csv and argparse are part of the Python standard library and need no installation. sqlalchemy is a third-party package and must be installed separately:

pip install sqlalchemy

Usage

Tip: Before running the tool against the database, make sure the contents of the -wal (Write-Ahead Log) file have been merged into the database file. Records that were committed recently may exist only in EventTranscript.db-wal, and a parser that reads the .db alone will miss them. Do the merge on a copy: copy EventTranscript.db together with its -wal and -shm files (keeping the same base name, so SQLite pairs them) into a working directory and checkpoint the copy, leaving the original evidence files untouched.
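The staging and merge step described in the tip, as an added example that is not part of EventTranscriptParser: it copies the database with its -wal and -shm sidecars into a working directory, checkpoints the WAL into the copy, and shows how many rows a parser would miss if only the .db file were copied. The table name events_persisted follows the real database, but its columns and rows are a constructed stand-in created by demo(), and the file names and paths are the example's own assumptions. The originals are only ever read, which the script confirms by hashing them before and after.

```python
"""Stage EventTranscript.db with its -wal sidecar and merge the WAL before parsing.

Added example for this README, not part of EventTranscriptParser. The table name
events_persisted follows the real database; its columns and rows in demo() are a
constructed stand-in, not real diagnostic data.
"""
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

# SQLite pairs the sidecars with the database by file name alone, so they must be
# copied next to the .db under the same base name.
SIDECAR_SUFFIXES = ("-wal", "-shm")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def wal_frame_count(db_path: Path) -> int:
    """Frames pending in the -wal file: a 32-byte header, then one (24-byte frame header
    + one page) record per frame. The page size is big-endian at WAL header bytes 8..11."""
    wal = db_path.with_name(db_path.name + "-wal")
    if not wal.exists() or wal.stat().st_size < 32:
        return 0
    with wal.open("rb") as fh:
        page_size = int.from_bytes(fh.read(12)[8:12], "big")
    return (wal.stat().st_size - 32) // (page_size + 24)


def stage_copy(src_db: Path, work_dir: Path, include_sidecars: bool = True) -> Path:
    """Copy the database (and, unless told otherwise, its -wal/-shm files) into work_dir.
    The originals are only read; SQLite is never opened on them."""
    work_dir.mkdir(parents=True, exist_ok=True)
    dst_db = work_dir / src_db.name
    shutil.copy2(src_db, dst_db)
    if include_sidecars:
        for suffix in SIDECAR_SUFFIXES:
            sidecar = src_db.with_name(src_db.name + suffix)
            if sidecar.exists():
                shutil.copy2(sidecar, work_dir / sidecar.name)
    return dst_db


def merge_wal(db_path: Path) -> None:
    """Checkpoint every WAL frame into the staged copy and switch it back to a rollback
    journal, which removes the -wal/-shm files and leaves one self-contained .db."""
    conn = sqlite3.connect(db_path)
    try:
        busy = conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()[0]
        if busy:
            raise RuntimeError("checkpoint blocked: another connection holds the copy")
        conn.execute("PRAGMA journal_mode=DELETE")  # only ever run on the copy
    finally:
        conn.close()


def count_rows(db_path: Path) -> int:
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM events_persisted").fetchone()[0]
    finally:
        conn.close()


def demo() -> dict:
    """Build a WAL-mode database whose newest rows exist only in the -wal file, then
    stage it with and without the sidecars and compare what a parser would see."""
    root = Path(tempfile.mkdtemp(prefix="etp-wal-demo-"))
    src = root / "evidence" / "EventTranscript.db"
    src.parent.mkdir()

    # Batch 1: checkpointed into the main file when this (only) connection closes.
    conn = sqlite3.connect(src)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE events_persisted (sid INTEGER PRIMARY KEY, timestamp TEXT, payload TEXT)")
    conn.executemany("INSERT INTO events_persisted (timestamp, payload) VALUES (?, ?)",
                     [("2021-01-01 10:00:00", "{}"), ("2021-01-01 10:05:00", "{}")])
    conn.commit()
    conn.close()

    # Batch 2: committed, but the writer stays open as on a live system, so these rows
    # sit only in EventTranscript.db-wal and have not reached the main file.
    writer = sqlite3.connect(src)
    writer.executemany("INSERT INTO events_persisted (timestamp, payload) VALUES (?, ?)",
                       [("2021-01-01 10:10:00", "{}")] * 3)
    writer.commit()

    before = {p.name: sha256(p) for p in src.parent.iterdir()}
    db_only = stage_copy(src, root / "db-only", include_sidecars=False)
    merged = stage_copy(src, root / "merged")
    merge_wal(merged)
    result = {
        "wal_frames": wal_frame_count(src),
        "rows_without_wal": count_rows(db_only),
        "rows_with_wal": count_rows(merged),
        "originals_untouched": before == {p.name: sha256(p) for p in src.parent.iterdir()},
        "sidecars_left_on_copy": sorted(p.name for p in merged.parent.iterdir() if p != merged),
    }
    writer.close()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

To use it on evidence, point stage_copy at the directory holding the collected EventTranscript.db and its sidecars, call merge_wal on the returned copy, and hand that copy to EventTranscriptParser. The PRAGMA journal_mode=DELETE step rewrites the header of the file it runs on, which is why the script only ever runs it on the staged copy; the -shm file is copied for completeness, but SQLite rebuilds it from the -wal when the copy is first opened.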

The tool is CLI only and can be run in two ways.

Using Python

python3 EventTranscriptParser.py -f <Path-To-EventTranscript.db> -o <Path-To-Output-Directory>

To view help,

python3 EventTranscriptParser.py -h

Using Executable

If you do not have Python installed on your system, or have trouble running the script, you can use the compiled executable instead. The executable is also CLI based.

Download the executable from https://github.com/stuxnet999/EventTranscriptParser/releases

.\EventTranscriptParser.exe -f .\EventTranscript.db -o .\CSV-Output\

The executable was compiled using pyinstaller.

Compiling on your own

If you wish to compile it yourself, run the commands below in a command prompt or terminal window.

pip install pyinstaller
pyinstaller --onefile EventTranscriptParser.py

You will find the compiled executable in the dist directory.

Demo video

Here is a demo video showing how the tool is used.

video.mp4

Acknowledgements

This tool wouldn't have been possible without the excellent research and hard work of my colleagues Andrew Rathbun and Josh Mitchell in investigating Windows diagnostic data.

Read more about their research here - https://github.com/rathbuna/EventTranscript.db-Research

Follow the investigative series at Kroll on EventTranscript.db - https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript

Author

Abhiram Kumar