EventTranscript.db, a recently discovered Windows 10+ artifact, records a wealth of artifacts and data elements. Kroll’s Andrew Rathbun and Josh Mitchell found that Kroll Artifact Parser and Extractor (KAPE), using the EventTranscriptDB Target and the SQLECmd Module, will collect the database from any Windows 10+ system on which it is enabled and parse it accordingly.
Join Andrew and Josh for a 30-minute webcast as they walk through the benefits of collecting with the EventTranscriptDB Target in KAPE, parsing EventTranscript.db with the !EZParser or SQLECmd Modules, and setting up the EventTranscriptDB SQLECmd Map within your local instance of KAPE.
Schedule: 1:00 p.m. – 1:30 p.m. (EST)
Key Takeaways
- Overview of the DiagTrack service
- Ways control mechanisms can impact logging
- Data sampling and how to identify its presence
- EventTranscript.db in everyday analysis
- How EventTranscript.db can be the only location of certain information
- Investigative workflow using the applicable KAPE Target and Module
Tools Used in This Session
- KAPE – free download here
- Eric Zimmerman tools – https://ericzimmerman.github.io/
- SQLECmd
- Timeline Explorer
Speakers
- Andrew Rathbun, Senior Associate, Cyber Risk
- Josh Mitchell, Senior Vice President, Cyber Risk