Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)

Last update: Nov 18, 2022

Overview

EventTranscriptParser

EventTranscriptParser is python based tool to extract forensically useful details from EventTranscript.db (Windows Diagnostic Database).

The database is found in Windows 10 systems and present at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db.

The tool currently supports the following features.

Extracting MS Edge browser history.
Extracting list of software/programs installed on the host system.
Extracting Wireless Scan results.
Extracting WiFi connection details (SSIDs, device manufacturers etc...)
Extracting Physical Disk information (Disk size, No. of partitions etc...)
Extracting PnP device installation information (Install time, Model, Manufacturer etc...)
MORE COMING SOON!!

Requirements

Python 3.8 or above. The older versions of Python 3.x should work fine as well.

Dependencies

These are the required libraries/modules needed to run the script

json
sqlite3
pandas
os
argparse

Usage

The tool is completely CLI based.

python EventTranscriptParser.py -f <Path-To-EventTranscript.db>

Tip: Before running the tool against the database, make sure that the -wal (Write Ahead Log) file data is merged with the original database. Because you might miss out on crucial/juicy data.

Acknowledgements

This tool wouldn't have been possible without the excellent research & hard work put in by my colleagues Andrew Rathbun & Josh Mitchell in investigating the Windows Diagnostic Data.

Read more about their research here - https://github.com/rathbuna/EventTranscript.db-Research

Follow the investigative series at Kroll on EventTranscript.db - https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript

Author

Abhiram Kumar

Twitter: @_abhiramkumar
Personal blog: https://stuxnet999.github.io

Extract XML from the OS X dictionaries.

13 Dec 11, 2022

Program to extract signatures from documents.

Extracting Signatures from Bank Checks Introduction Ahmed et al. [1] suggest a connected components-based method for segmenting signatures in document

9 Jan 26, 2022

extract gene TSS/TES site form gencode/ensembl/gencode database GTF file and export bed format file.

GetTsite python Package extract gene TSS/TES site form gencode/ensembl/gencode database GTF file and export bed format file. Install $ pip install Get

7 Nov 21, 2022

pydsinternals - A Python native library containing necessary classes, functions and structures to interact with Windows Active Directory.

pydsinternals - Directory Services Internals Library A Python native library containing necessary classes, functions and structures to interact with W

36 Dec 14, 2022

WindowsDebloat - Windows Debloat with python

Windows Debloat 🗑️ Quickly and easily configure Windows 10. Disclaimer I am NOT

1 Mar 26, 2022

Keval allows you to call arbitrary Windows kernel-mode functions from user mode, even (and primarily) on another machine.

Keval Keval allows you to call arbitrary Windows kernel-mode functions from user mode, even (and primarily) on another machine. The user mode portion

42 Dec 17, 2022

Releases(v1.0)

v1.0(Sep 16, 2021)

This release contains the executable - EventTranscriptParser.exe. For more details visit - https://github.com/stuxnet999/EventTranscriptParser#using-executable

Download the file EventTranscriptParser.zip to get only the standalone executable.
Source code(tar.gz)
Source code(zip)
EventTranscriptParser.zip(27.21 MB)

Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)

Related tags

Overview

EventTranscriptParser

Requirements

Dependencies

Usage

Acknowledgements

Author

You might also like...

Extract XML from the OS X dictionaries.

Program to extract signatures from documents.

extract gene TSS/TES site form gencode/ensembl/gencode database GTF file and export bed format file.

pydsinternals - A Python native library containing necessary classes, functions and structures to interact with Windows Active Directory.

WindowsDebloat - Windows Debloat with python

Keval allows you to call arbitrary Windows kernel-mode functions from user mode, even (and primarily) on another machine.

Group imports from Windows binaries

🚧Useful shortcuts for simple task on windows

SH-PUBLIC is a python based cloning script. You can clone unlimited UID facebook accounts by using this tool.

Releases(v1.0)

v1.0(Sep 16, 2021)

Owner

P. Abhiram Kumar

Simple tool for creating changelogs

Shut is an opinionated tool to simplify publishing pure Python packages.

This is discord nitro code generator and checker made with python. This will generate nitro codes and checks if the code is valid or not. If code is valid then it will print the code leaving 2 lines and if not then it will print '*'.

Brainfuck rollup scaling experiment for fun

A simple example for calling C++ functions in Python by `ctypes`.

Group imports from Windows binaries

This project is a set of programs that I use to create a README.md file.

Link-tree - Script that iterate over the links found in each page

JavaScript to Python Translator & JavaScript interpreter written in 100% pure Python🚀

A clock app, which helps you with routine tasks.

A collection of custom scripts for working with Quake assets.

A way to write regex with objects instead of strings.

Find unused resource keys in properties files in a Salesforce Commerce Cloud project and get rid of them.

A python script to generate wallpaper

Functional UUIDs for Python.

Early version for manipulate Geo localization data trough API REST.

.bvh to .mcfunction file converter.

Run functions in parallel easily, with their results typed correctly!

Modeling Category-Selective Cortical Regions with Topographic Variational Autoencoders

A primitive Python wrapper around the Gromacs tools.