EventTranscriptParser
EventTranscriptParser is python based tool to extract forensically useful details from EventTranscript.db (Windows Diagnostic Database).
The database is found in Windows 10 systems and present at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
.
The tool currently supports the following features.
- Extracting MS Edge browser history.
- Extracting list of software/programs installed on the host system.
- Extracting Wireless Scan results.
- Extracting WiFi connection details (SSIDs, device manufacturers etc...)
- Extracting Physical Disk information (Disk size, No. of partitions etc...)
- Extracting PnP device installation information (Install time, Model, Manufacturer etc...)
- MORE COMING SOON!!
Requirements
Python 3.8 or above. The older versions of Python 3.x should work fine as well.
Dependencies
These are the required libraries/modules needed to run the script
- json
- sqlite3
- pandas
- os
- argparse
Usage
The tool is completely CLI based.
python EventTranscriptParser.py -f <Path-To-EventTranscript.db>
Tip: Before running the tool against the database, make sure that the -wal (Write Ahead Log) file data is merged with the original database. Because you might miss out on crucial/juicy data.
Acknowledgements
This tool wouldn't have been possible without the excellent research & hard work put in by my colleagues Andrew Rathbun & Josh Mitchell in investigating the Windows Diagnostic Data.
Read more about their research here - https://github.com/rathbuna/EventTranscript.db-Research
Follow the investigative series at Kroll on EventTranscript.db - https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript
Author
Abhiram Kumar
- Twitter: @_abhiramkumar
- Personal blog: https://stuxnet999.github.io