https://github.com/EricZimmerman/Sum

https://github.com/EricZimmerman/Sum

Last synced: 3 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/EricZimmerman/Sum
• Owner: EricZimmerman
• License: mit
• Created: 2021-02-19T16:14:41.000Z (over 3 years ago)
• Default Branch: master
• Last Pushed: 2023-07-07T16:28:06.000Z (12 months ago)
• Last Synced: 2024-03-27T05:12:06.087Z (3 months ago)
• Language: C#
• Size: 141 KB
• Stars: 17
• Watchers: 8
• Forks: 8
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Lists

• Awesome-KAPE - SumECmd

README

        
# SumECmd

Process Microsoft User Access Logs! Thanks to KPMG for the initial write up, found [here](https://advisory.kpmg.us/blog/2021/digital-forensics-incident-response.html).

## Command Line Interface

    SumECmd version 0.5.0.0

    Author: Eric Zimmerman ([email protected])

    https://github.com/EricZimmerman/Sum

        d               Directory to recursively process, looking for SystemIdentity.mdb, Current.mdb, etc. Required.

        csv             Directory to save CSV formatted results to. Be sure to include the full path in double quotes

        wd              Generate CSV with day level details. Default is TRUE

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff

        debug           Show debug information during processing

        trace           Show trace information during processing

    Examples: SumECmd.exe -d "C:\Temp\sum" --csv "C:\Temp\"

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

## Documentation

[Windows User Access Logs (UAL)](https://svch0st.medium.com/windows-user-access-logs-ual-9580f1100635)

## Repairing the SUM Database

Until a proper guide can be made with test data, follow the guide for repairing the SRUM database found [here](https://github.com/EricZimmerman/Srum). Both the SUM and SRUM databases are ESE so the process will be identical. Additionally, a walkthrough on how to repair the SUM database was included in [this](https://svch0st.medium.com/windows-user-access-logs-ual-9580f1100635) blog post.

# Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded [here](https://ericzimmerman.github.io/#!index.md). Use the [Get-ZimmermanTools](https://f001.backblazeb2.com/file/EricZimmermanTools/Get-ZimmermanTools.zip) PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape)!

# Special Thanks

Open Source Development funding and support provided by the following contributors: [SANS Institute](http://sans.org/) and [SANS DFIR](http://dfir.sans.org/).