https://github.com/patatetom/4and6
small pieces of code dedicated to the digital investigation of Windows mainly from Linux
https://github.com/patatetom/4and6
bash dfir forensics pipe python scripts sqlite3 tips
Last synced: about 2 months ago
JSON representation
small pieces of code dedicated to the digital investigation of Windows mainly from Linux
- Host: GitHub
- URL: https://github.com/patatetom/4and6
- Owner: patatetom
- License: gpl-3.0
- Created: 2021-12-16T13:01:55.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-12-17T09:58:15.000Z (over 4 years ago)
- Last Synced: 2025-01-14T05:29:49.256Z (over 1 year ago)
- Topics: bash, dfir, forensics, pipe, python, scripts, sqlite3, tips
- Language: Python
- Homepage:
- Size: 34.2 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# 4and6
_small pieces of code dedicated to the digital investigation of Windows mainly from Linux_
## TIME
> times are usually stored in UTC format.
- from UTC to locale time (time zone in which the following commands are executed) :
```console
$ # get locale time zone
$ timedatectl -p Timezone show
Timezone=Europe/Paris
$ # Paris is UTC+1 on december (HNEC)
$ date -d 2021-12-14T08:39:00.408109200Z
Tue Dec 14 09:39:00 CET 2021
$ # Z and UTC are equivalent
$ date -d "2021-12-14 08:39:00 UTC"
Tue Dec 14 09:39:00 CET 2021
$ # input format must have a valid format
$ date -d "Tue Dec 14 08:39:00 UTC"
Tue Dec 14 09:39:00 CET 2021
$ # output format can be specified
$ date -d "2021-12-14 08:39 UTC" +'%Y%m%d%H%M%S'
20211214093900
```
- from UTC to specified time zone :
```console
$ # find/show time zones
$ timedatectl list-timezones | grep -i asia/r
Asia/Rangoon
Asia/Riyadh
$ TZ="Asia/Riyadh" date -d ' Tue Dec 14 08:39:00 UTC'
Tue Dec 14 11:39:00 +03 2021
```
## EVTX
- used tools :
- `evtxexport` and `evtxinfo` from https://github.com/libyal/libevtx
- scripts :
- `evtx.toxml`
```console
$ # export in xml format
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/System.evtx 2> /tmp/evtx.toxml.log
…
…
…
```
- `evtx.totsv`
> `evtx.totsv` is based on `evtx.toxml` export
```console
$ # export in tsv format
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/Application.evtx 2> /tmp/evtx.toxml.log | evtx.totsv
/mnt/Windows/System32/winevt/Logs/Application.evtx Microsoft-Windows-User Profiles Service 1531 2021-10-27T10:59:43.418663000Z 1 {…
…
$ # tsv lends itself easily to grep et cetera
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx 2> /tmp/evtx.toxml.log | evtx.totsv |
> cut -f 4,6 | grep 'VID_....&PID_...' | sort -r
2021-12-14T08:39:00.408109200Z {'DeviceInstanceId': 'USBSTOR\\Disk&…
2021-12-14T08:39:00.404377100Z {'DeviceInstanceId': 'USB\\VID_…
2021-12-14T08:39:00.393581500Z {'DeviceInstanceId': 'USB\\VID_…
…
$ # tsv can also be easily integrated into a sqlite database
$ sqlite3 /tmp/events.db 'CREATE TABLE IF NOT EXISTS "events" (file TEXT, provider TEXT, eventid INT, date TEXT, recordid INT, data TEXT);'
$ sqlite3 -cmd '.mode tabs' /tmp/events.db '.import /dev/stdin events' < <(
for evtx in /mnt/Windows/System32/winevt/Logs/*.evtx
do
evtx.toxml "${evtx}" | evtx.totsv
done 2> /tmp/evtx.toxml.log
)
$ sqlite3 /tmp/events.db 'SELECT … FROM events WHERE … ORDER BY date DESC;'
```
- other tools to look at :
- `evtx_dump` at https://github.com/omerbenamram/evtx
- python `python-evtx` module at https://github.com/williballenthin/python-evtx
> in the same way as for `evtxexport`, `evtx_dump` can be formatted with `sed '/^Record/d;/^