Other tools #19

Open
randomaccess3 opened this issue Jun 30, 2018 · 11 comments

Comments

randomaccess3 commented Jun 30, 2018

  1. Win10NotificationDatabase Tool (sqlite)
  2. StickyNotes parser (old format is ole, new format is sqlite)
  3. timeline transposer tool!

File Format Viewers!
6. ESE
7. OLE (less needed these days, could be incorporated into ezviewer)

Figured I'd put the requests in.

randomaccess3 (Author):

Recycle bin parser completed.

randomaccess3 (Author):

  1. Zwift - Something to tie them all together - KAPE!

randomaccess3 (Author):

Event log parser complete!

randomaccess3 (Author):

  1. Sqlite complete!

AndrewRathbun commented Feb 26, 2021

  1. I'm working on a SQLECmd map for this.
    I'll add 3 to my list too.

AndrewRathbun:

> 1. I'm working on a SQLECmd map for this.
>    I'll add 3 to my list too.

https://www.github.com/EricZimmerman/SQLECmd/tree/master/SQLMap%2FMaps%2FWindows_Notifications_DB.smap

https://www.github.com/EricZimmerman/SQLECmd/tree/master/SQLMap%2FMaps%2FWindows_MicrosoftStickyNotes_NotesDB.smap

Let me know if you need anything else or want any adjustments made.
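The two maps above are just SQL queries run against the respective SQLite stores, so as an added illustration (example code written for this page, not code from KAPE, SQLECmd, EZ Tools or either participant) here is what a minimal parser for item 1, the Windows 10 notification database `wpndatabase.db`, has to do: join each `Notification` row to its `NotificationHandler` to recover the app identifier, convert the FILETIME columns (100-nanosecond ticks since 1601-01-01 UTC) to readable UTC timestamps, and pull the visible strings out of the toast XML payload. The schema subset used here (`Notification(Id, HandlerId, Type, Payload, ArrivalTime, ExpiryTime)`, `NotificationHandler(RecordId, PrimaryId)`) is an assumption to be checked against a real file and the linked map; the rows are constructed in memory, not taken from a real system.

```python
"""Parse a Windows 10 notification store (wpndatabase.db) with sqlite3.

Added example, not KAPE/SQLECmd code. Assumed schema subset (verify against a
real file): Notification(Id, HandlerId, Type, Payload, ArrivalTime, ExpiryTime)
and NotificationHandler(RecordId, PrimaryId). Timestamp columns are Windows
FILETIME values: 100-ns ticks since 1601-01-01 00:00:00 UTC.
"""
import datetime as dt
import sqlite3
import xml.etree.ElementTree as ET

FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime_to_utc(ft):
    """FILETIME -> aware UTC datetime; NULL/0 means 'not set' and maps to None."""
    if not ft:
        return None
    return FILETIME_EPOCH + dt.timedelta(microseconds=ft // 10)


def utc_to_filetime(when):
    """Inverse of filetime_to_utc; used here only to build the sample rows."""
    return ((when - FILETIME_EPOCH) // dt.timedelta(microseconds=1)) * 10


def toast_text(payload):
    """Return the <text> node contents of a toast XML payload; non-XML gives []."""
    if not payload:
        return []
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return []
    return [t.text.strip() for t in root.iter("text") if t.text and t.text.strip()]


def parse_notifications(conn):
    """One dict per notification, oldest first, with app id and UTC timestamps."""
    sql = """
        SELECT n.Id, h.PrimaryId, n.Type, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification AS n
        LEFT JOIN NotificationHandler AS h ON n.HandlerId = h.RecordId
        ORDER BY n.ArrivalTime
    """
    rows = []
    for nid, app, ntype, payload, arrival, expiry in conn.execute(sql):
        arr = filetime_to_utc(arrival)
        exp = filetime_to_utc(expiry)
        rows.append({
            "id": nid,
            "app": app,  # None when the handler row no longer exists (LEFT JOIN)
            "type": ntype,
            "arrival": arr.isoformat() if arr else None,
            "expiry": exp.isoformat() if exp else None,
            "text": toast_text(payload),
        })
    return rows


def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db (not a real capture)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                                   Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
    """)
    conn.executemany("INSERT INTO NotificationHandler VALUES (?, ?)", [
        (1, "Windows.SystemToast.Calendar"),
        (2, "Microsoft.Windows.Explorer"),
    ])
    t0 = dt.datetime(2021, 2, 26, 12, 0, 0, tzinfo=dt.timezone.utc)
    toast = (b'<toast><visual><binding template="ToastGeneric">'
             b'<text>Team sync</text><text>Starts in 15 minutes</text>'
             b'</binding></visual></toast>')
    conn.executemany("INSERT INTO Notification VALUES (?, ?, ?, ?, ?, ?)", [
        # normal toast with an expiry one hour after arrival
        (10, 1, "toast", toast, utc_to_filetime(t0),
         utc_to_filetime(t0 + dt.timedelta(hours=1))),
        # tile payload that is not XML: text extraction must not crash
        (11, 2, "tile", b"not xml at all", utc_to_filetime(t0 + dt.timedelta(minutes=5)), 0),
        # HandlerId with no matching handler row (app comes back as None)
        (12, 99, "toast", None, utc_to_filetime(t0 + dt.timedelta(minutes=9)), 0),
    ])
    return conn


if __name__ == "__main__":
    for row in parse_notifications(build_sample_db()):
        print(row)
```

Pointed at a collected `wpndatabase.db` instead of the constructed store, the same `parse_notifications` call gives the timeline a SQLECmd map produces, with the two failure modes a real file exposes (payloads that are not toast XML, handler rows that have already been cleaned up) handled rather than aborting the run. Note that the epoch is specific to this database; the Sticky Notes store the second map targets uses a different tick epoch, so the conversion constant has to be checked against that map rather than copied from here.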

randomaccess3 (Author):

Having not used sqlecmd at all, thoughts on adding it to ezparser and running all the relevant maps?
That being said, stickies and notifications aren't part of the basic collection....maybe I need an advanced collection?

AndrewRathbun:

> Having not used sqlecmd at all, thoughts on adding it to ezparser and running all the relevant maps?
> That being said, stickies and notifications aren't part of the basic collection....maybe I need an advanced collection?

That is 100% the plan to add it. I want to flesh out the browser stuff before it's added. I'm slowly chipping away at more Maps to make the tool more "relevant" out of the box for those who may run only KAPETriage, BasicCollection, or SANSTriage.

Maybe there's room for a SQL databases Compound target? One that'll just have stuff SQLECmd parses all that is grabbed?

randomaccess3 (Author):

Yeah, that might be the way to go, but then it's a matter of people knowing what they should collect.
I'm thinking I will go about the more advanced collection one; I tend to tick a bunch of other boxes on top of basic all the time anyways and that list is growing so would be worthwhile. Will start jotting down some ideas.

AndrewRathbun:

Would AdvancedCollection call Basic and then just point to other Targets beyond that? Or are you thinking something else?

Maybe it's a good opportunity to take a look at Basic and verify the contents of it fitting the basic label and saving the more advanced stuff for Advanced?

randomaccess3 (Author):

Yep.
Nah, Basic is "If I had a choice of collecting as much as I could in an intrusion regardless of OS, what would I go for", which at the time was everything there listed. It could be expanded to add other stuff, but I've left that to the user.
That being said, one shot on a box I'm ticking email and web browsers, which increase acquisition time a lot, especially if VSS is ticked.
