Fri, Jul 9, 2021

Parsing EventTranscript.db With KAPE and SQLECmd

Using the Kroll Artifact Parser and Extractor (KAPE), Kroll can leverage the EventTranscriptDB Target, which will collect this database from any Windows 10 system, version 1709 or above, if the database is enabled. As for a module to parse EventTranscript.db, the !EZParser or SQLECmd modules will parse the database using the SQL queries within the EventTranscriptDB Map. With this map, you’ll find CSV output for each of the six (6) Tag Descriptions this database records.


Figure 1: Acquiring EventTranscript.db with KAPE and Parsing with KAPE’s SQLECmd Module

One major benefit of using the EventTranscriptDB SQLECmd Map is that the SID recorded for each event within EventTranscript.db is resolved if it’s a well-known SID documented by Microsoft. To ensure you have this map within your local instance of KAPE, run the !!ToolSync Module to ensure you’re getting the latest SQLECmd Maps.
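To make concrete what the EventTranscriptDB Map is doing when it emits one CSV per Tag Description and resolves well-known SIDs, here is an added example that is not code from the Kroll post or from the SQLECmd project. It builds an in-memory SQLite database whose tables (events_persisted, event_tags, tag_descriptions) and columns are modelled on the public EventTranscript.db layout, which is an assumption to verify against your own copy, and assumes the timestamp column is a Windows FILETIME (100-nanosecond ticks since 1601). The rows, event names and payloads are constructed sample data, not real telemetry.

```python
"""Added example: per-Tag-Description export of EventTranscript.db with well-known SID resolution.

Assumptions (not from the original post): table/column names modelled on the public
EventTranscript.db layout, and timestamp stored as a Windows FILETIME. Sample rows below are constructed.
"""
import csv
import io
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Well-known SIDs as documented by Microsoft; any other SID is left unresolved.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ticks: int) -> str:
    """Convert 100-ns ticks since 1601-01-01 UTC to 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%d %H:%M:%S")


def resolve_sid(sid: str) -> str:
    """Replace a well-known SID with its name; domain/local account SIDs pass through unchanged."""
    return WELL_KNOWN_SIDS.get(sid, sid)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed rows (assumed schema, see module docstring)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tag_descriptions (tag_id INTEGER, locale_name TEXT, tag_name TEXT, description TEXT);
        CREATE TABLE event_tags (full_event_name_hash INTEGER, tag_id INTEGER);
        CREATE TABLE events_persisted (
            sid TEXT, timestamp INTEGER, payload TEXT,
            full_event_name TEXT, full_event_name_hash INTEGER, logging_binary_name TEXT);
    """)
    con.executemany("INSERT INTO tag_descriptions VALUES (?,?,?,?)", [
        (1, "en-US", "Software Setup and Inventory", "constructed description"),
        (2, "en-US", "Browsing History", "constructed description"),
        (3, "en-US", "Device Connectivity and Configuration", "constructed description"),
    ])
    # Event 1003 carries two tags, so it should appear in two of the per-tag outputs.
    con.executemany("INSERT INTO event_tags VALUES (?,?)", [(1001, 1), (1002, 2), (1003, 1), (1003, 3)])
    con.executemany("INSERT INTO events_persisted VALUES (?,?,?,?,?,?)", [
        ("S-1-5-18", 132702624000000000, '{"app":"ExampleApp"}',
         "Sample.Inventory.ApplicationAdd", 1001, "svchost.exe"),
        ("S-1-5-21-1111-2222-3333-1001", 132702660000000000, '{"url":"https://example.com"}',
         "Sample.Browser.Navigate", 1002, "msedge.exe"),
        ("S-1-5-20", 132702696000000000, '{"device":"example"}',
         "Sample.Device.Setup", 1003, "svchost.exe"),
    ])
    return con


# Join events to their Tag Descriptions, the way a per-tag map query does.
QUERY = """
SELECT td.tag_name, ep.timestamp, ep.sid, ep.full_event_name, ep.logging_binary_name, ep.payload
FROM events_persisted AS ep
JOIN event_tags AS et ON et.full_event_name_hash = ep.full_event_name_hash
JOIN tag_descriptions AS td ON td.tag_id = et.tag_id
ORDER BY ep.timestamp, td.tag_name
"""

FIELDS = ["Timestamp", "UserSid", "FullEventName", "LoggingBinaryName", "Payload"]


def rows_by_tag(con: sqlite3.Connection) -> dict:
    """Return {tag_name: [row dict, ...]} with readable timestamps and resolved SIDs."""
    grouped = defaultdict(list)
    for tag, ts, sid, name, binary, payload in con.execute(QUERY):
        grouped[tag].append({
            "Timestamp": filetime_to_iso(ts),
            "UserSid": resolve_sid(sid),
            "FullEventName": name,
            "LoggingBinaryName": binary,
            "Payload": payload,
        })
    return dict(grouped)


def export_csv_by_tag(con: sqlite3.Connection) -> dict:
    """Produce one CSV document per Tag Description, mirroring one output file per tag."""
    out = {}
    for tag, rows in rows_by_tag(con).items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        out[tag] = buf.getvalue()
    return out


if __name__ == "__main__":
    db = build_sample_db()
    for tag, text in export_csv_by_tag(db).items():
        print(f"== {tag} ==")
        print(text)
```

Pointing `sqlite3.connect` at a real EventTranscript.db instead of the sample database is the only change needed to run the queries against collected data, provided the assumed table and column names match the copy you collected. The one design point worth noting is the many-to-many join: an event that carries more than one tag legitimately lands in more than one per-tag file, so a row seen in two CSVs is not a duplicate.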

Example Command for Acquiring and Parsing EventTranscript.DB with KAPE

Using the KAPE GUI (gkape.exe), we can build out a command that we’ll use to parse EventTranscript.db, using the EventTranscriptDB Target and the SQLECmd Module.

.\kape.exe --tsource C: --tdest C:\Temp\tout --tflush --target EventTranscriptDB --mdest C:\Temp\mout --mflush --module SQLECmd --debug


The above command is doing the following in order:

1. .\kape.exe
a. Executes kape.exe, which carries out the actions specified by the switches detailed below.

2. --tsource C:
a. Sets the Target Source as the C drive. This is where your selected Targets will collect data from, which is typically the OS drive.

3. --tdest C:\Temp\tout
a. Sets the Target Destination as C:\Temp\tout. This is where the data collected by your selected Target(s) will be placed.

4. --tflush
a. Flushes the Target Destination (--tdest) directory prior to collecting data via the selected Targets.

5. --target EventTranscriptDB
a. Tells kape.exe to execute the EventTranscriptDB Target against the Target Source (--tsource) directory.

6. --mdest C:\Temp\mout
a. Sets the Module Destination as C:\Temp\mout. This is where the parsed output from the data collected using Targets is placed. This only applies if there is a parser for a given artifact collected by a Target; if there is no parser, refer to the logical file(s) themselves in the tout folder.

7. --mflush
a. Flushes the Module Destination (--mdest) directory prior to generating output via the selected Modules.

8. --module SQLECmd
a. Tells kape.exe to execute the SQLECmd Module against the data collected by the selected Target(s).

9. --debug
a. Runs kape.exe with more verbose logging. If an error occurs without this enabled, you will have to rerun the command with --debug before you can troubleshoot it, so enabling it up front is a precautionary measure that ensures the logging you need is already there.

Troubleshooting Map Errors

KAPE

If you’re running KAPE and you receive no output in the expected SQLDatabases directory within your specified Module Destination (--mdest), there is a simple fix that you can follow:

1. Navigate to .\KAPE\Modules\bin\SQLECmd\Maps and delete all the Maps within (or the entire folder)

2. Run a sync to obtain the Maps from GitHub by either: 
a. Running sqlecmd.exe --sync with the binary in .\KAPE\Modules\bin\SQLECmd
b. Running either the !!ToolSync or Sync_SQLECmd Modules

3. Try again.

It always helps to run any of Eric Zimmerman's tools with --debug: if you run into an error, you can troubleshoot it straight away without having to rerun the same command(s) just to generate the debug output. An error may look something like this when using KAPE (Figure 2).


Figure 2: SQLECmd Map Validation Error While Using KAPE 

Please note this method works for the following tools as well as SQLECmd:

1. KAPE: Targets and Modules

2. RECmd: Batch Files (BatchExamples folder)

3. EvtxECmd: Maps

SQLECmd

If you’re running SQLECmd separate from KAPE and you receive errors when parsing, there is a simple fix that you can follow:

1. Navigate to .\ZimmermanTools\SQLECmd\Maps and delete all the Maps within (or the entire folder)

2. Run a sync to obtain the Maps from GitHub by running sqlecmd.exe --sync with the binary in .\ZimmermanTools\SQLECmd

3. Try again.

As with KAPE, it is always helpful to run any of Eric Zimmerman's tools with --debug in case you run into an error. That way, you can troubleshoot it straight away without having to rerun the same command(s) just to generate the debug output. An error may look something like this when using SQLECmd (Figure 3).


Figure 3: SQLECmd Map Validation Error When Running SQLECmd Separate from KAPE

Please note this method works for the following tools as well as SQLECmd:

1. RECmd: Batch Files (BatchExamples folder)

2. EvtxECmd: Maps

Now that we’ve parsed EventTranscript.db with KAPE using SQLECmd, we can analyze the CSV output with Timeline Explorer, Excel or an alternative CSV viewer. Please check out our ongoing Forensic Quick Wins series for ways you can leverage this artifact to assist in your investigations.
