Fri, Jul 9, 2021

EventTranscript.db vs .rbs Files and Their Relation to DiagTrack

EventTranscript.db provides both a potential boon and challenges for forensic investigations. Understanding the core components, database interaction and the artifact generation process is critical to maximizing the value generation of this sparsely documented functionality. This process is still underway; however, sufficient analysis has been accomplished to provide a generalized understanding.

Starting with a forensic image of a device, we identified the EventTranscript.db file located at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db. This database clearly contained important information, but how was it being updated? First, we searched for processes with handles to the file. At the time, no results were found. This was most likely due to the testing environment being improperly configured, but we didn’t know what we were looking for at the time.

Investigating the directory structure and paths to EventTranscript.db led us to Microsoft documentation for the Windows functionality related to privacy, diagnostics and telemetry. No mention of the database file was found; however, we were armed with new information. Primarily, we had observed that there seemed to be a relationship between the database and the Windows telemetry and diagnostics subsystem.

Using this new information, we began searching for Windows services that could be associated with telemetry and diagnostics (Figure 1).

EventTranscript Files and Their Relation DiagTrack

Figure 1: Service Searching

As shown in Figure 1, the DiagTrack service uses C:\windows\system32\diagtrack.dll and contains references to EventTranscript. Investigating this DLL with Ghidra, we find multiple references to EventTranscript.db, SQLite temporary files, service temporary files and Windows Registry.

EventTranscript Files and Their Relation DiagTrack

Figure 2: DiagTrack Database Interaction

Reviewing historical data for diagtrack.dll, we find that between version 1703 and 1709, diagtrack.dll consolidates diagnostic logging from events00.rbs, events01.rbs, events10.rbs and events11.rbs into EventTranscript.db. These changes correspond to the increased telemetry data collection between the aforementioned versions. Detailed analysis of the *.rbs files and associated telemetry data for the purposes of forensic analysis is outlined here. Using this newfound information, we can begin to decipher the Windows Registry components that dictate the behavior of this subsystem.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.