EventTranscript not getting parsed #518
Comments
Thanks, checking now.
First of all, thanks for reaching out so we can get this figured out. I'll explain what's going on here and what the "fix" is.

This line outlines the schema of the DB. SQLECmd will look within the DB for tables that match the table names listed here. See that 7? That means SQLECmd is going to require 7 of the tables listed in the line above it in order for the DB to register as a "hit", which will then parse the DB according to the SQLite queries listed within the Map. Using Navicat for SQLite, we can see that there are only 4 tables in the DB you provided. So that's where the issue lies.

The fix is to change the value listed where the 7 is in YOUR Map to 4 so it will parse. I don't know if this is going to be a big enough problem to where I should do that for the Map in the repo, but I suppose that's open to feedback. To fix it right now, just modify your Map locally from 7 to 4 and parse again and it should work.

That being said, I just tested it and it didn't work, only because you're lacking the Producers table. To make it work, I had to remove any instances of the Producers table in each query. Thankfully, there were only two lines.

Again, I don't know if this is going to be a bigger problem since this artifact is so new to the community, but thanks again for bringing this up. Given all this, do you have enough to move forward successfully? Regardless, I'll keep this on my radar in case I need to make changes, or maybe make a Map for a DB with DataSampling and one for a DB that doesn't have it, which I'm guessing the one you provided does not.
Also, note that those two lines exist in EACH of the queries within that Map, of which there are currently 6. So remove those two lines for all 6.
And it's okay to modify your local copy, you can always run
SOLID!
Hello Geeks, I tried this but still the same issue. Below are the steps that were performed:

Opened the Windows_EventTranscriptDB.smap file

Let me know if there is anything that I am missing. Best,
Which Map did you modify? Since it appears you're using KAPE, make sure you're modifying this file: Verify that please and then let me know if you still see the same error. You shouldn't need to change the Line 8 values at all; those can be a million different table names, if you want. The main thing is making sure the 4 we've verified exist in your specific DB are listed in Line 8, which they should've been by default. So no changes needed there.
Yes, I am referring to the same file for modifications. Still the same error. Were you able to execute it in your environment? I see there is an additional table which does not exist in the smap file, i.e. sqlite_sequence, and instead of 4 there are 5 tables available in my database. I introduced this table in line 8 but no luck. Sorry if I am missing anything here, but I need guidance. Thank you for your support!! Best,
We'll work through this together, no apologies needed. Try this Map and see if it works. I just tested with SQLECmd and it worked for me.
Hi, I was able to process it and it worked well. Not sure what was changed in your smap file that was not there in my smap file. Also, can the whole process be automated in a way where the application is able to process any type of DB file? Just a thought. I am sure you will be facing a lot of different types of DB files. Below are the logs.

```
SQLECmd.exe -d C:\Users\kwadhwa\Desktop\db --csv C:\Users\kwadhwa\Desktop\db2 --debug

Author: Eric Zimmerman (saericzimmerman@gmail.com)

Command line: -d C:\Users\kwadhwa\Desktop\db --csv C:\Users\kwadhwa\Desktop\db2 --debug

Loading maps from 'C:\Users\kwadhwa\OneDrive - Alvarez and Marsal\Downloads\kape\Modules\bin\SQLECmd\Maps'

Checking if 'C:\Users\kwadhwa\Desktop\db\C\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db' is a SQLite file

Processed 1 file in 1.6359 seconds

Unable to delete 'SQLite.Interop.dll'. Delete manually if needed.
```
Ok, I am thinking it may be wise to have one Map for DataSampling and one without. I will make adjustments accordingly. |
This is the whole point of maps. There is no way the tool can just know what to do regardless of the SQLite database it's handed. Maps let the tool process what is there.
On second thought, I'm worried about if we have two Maps, one with 7 value and one with 4 value, someone who has a DB with DataSampling enabled, aka all 7 tables, they'd effectively get double the output because the Map looking for 4 will parse as well as the Map looking for 7 tables. I'll have to think about how to best go about this, but the fix in the meantime is to remove the |
Just change the query to look for specific table names, in addition to the table count.
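The Map identification logic discussed in this thread (a list of expected table names, the count threshold that was 7 and had to become 4, the Producers join that fails when the table is missing, and the "double output" worry if a 4-table Map and a 7-table Map both fire on a DB with Data Sampling) can be modelled in a few lines. The following is an added example written for this thread, not SQLECmd's own code and not a real `.smap`. Every table name except `producers` is a constructed stand-in, and the assumption that `producers` only exists alongside the sampling tables is mine; the real EventTranscript.db schema is not reproduced here. It shows how the "also require specific tables to be absent" tightening suggested above makes each DB match exactly one Map.

```python
"""Added example: Map identification for a SQLite DB, SQLECmd style.

Illustration code written for this thread, not SQLECmd's source. It models
the parts of a Map being argued about: which tables to look for, how many
must exist (the "7" / "4"), and the queries run once a Map fires.
"""
import sqlite3
from dataclasses import dataclass, field

# Constructed schema. Only "producers" is named in the thread; the other
# names are stand-ins, and the split (4 tables always present, 3 more only
# with Data Sampling, producers among them) is an assumption for the demo.
BASE_TABLES = ["events_persisted", "tag_descriptions", "provider_groups", "event_tags"]
SAMPLING_TABLES = ["producers", "sampling_config", "sampled_events"]
ALL_TABLES = BASE_TABLES + SAMPLING_TABLES


@dataclass
class Map:
    name: str
    expected_tables: list
    identify_value: int                                  # how many must exist
    must_be_absent: list = field(default_factory=list)   # tightening from the thread
    queries: dict = field(default_factory=dict)          # name -> SQL run on a hit


def count_expected_tables(conn, names):
    """Mirror of a Map identify query: how many of `names` exist as tables.
    Extra tables such as sqlite_sequence are simply not counted."""
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT count(*) FROM sqlite_master WHERE type='table' AND name IN ({placeholders})"
    return conn.execute(sql, names).fetchone()[0]


def identify(conn, m):
    """True when the DB reaches the table-count threshold and, if the Map
    lists tables that must be absent, none of them is present."""
    if count_expected_tables(conn, m.expected_tables) < m.identify_value:
        return False
    if m.must_be_absent and count_expected_tables(conn, m.must_be_absent) > 0:
        return False
    return True


def matching_maps(conn, maps):
    """Every Map that fires; more than one means the DB is parsed twice."""
    return [m.name for m in maps if identify(conn, m)]


def run_map(conn, m):
    """Run the Map's queries. A query joining a table the DB lacks fails with
    'no such table', which is the Producers problem from the thread."""
    out = {}
    for qname, sql in m.queries.items():
        try:
            out[qname] = conn.execute(sql).fetchall()
        except sqlite3.OperationalError as exc:
            out[qname] = f"ERROR: {exc}"
    return out


def make_db(tables):
    """Constructed in-memory DB with one row in events_persisted. AUTOINCREMENT
    makes SQLite add sqlite_sequence, like the 5th table the reporter saw."""
    conn = sqlite3.connect(":memory:")
    for t in tables:
        conn.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY AUTOINCREMENT, value TEXT)")
    conn.execute("INSERT INTO events_persisted (value) VALUES ('evt')")
    return conn


JOIN_PRODUCERS = ("SELECT e.id, e.value, p.value FROM events_persisted e "
                  "LEFT JOIN producers p ON p.id = e.id")
NO_JOIN = "SELECT e.id, e.value FROM events_persisted e"

WITH_SAMPLING = Map("DataSampling", ALL_TABLES, 7, queries={"Events": JOIN_PRODUCERS})
# First attempt from the thread: same table list, threshold lowered to 4.
NAIVE_NO_SAMPLING = Map("NoDataSampling", ALL_TABLES, 4, queries={"Events": NO_JOIN})
# Tightened: additionally require the sampling-only tables to be absent.
TIGHT_NO_SAMPLING = Map("NoDataSampling", ALL_TABLES, 4,
                        must_be_absent=SAMPLING_TABLES, queries={"Events": NO_JOIN})


def demo():
    full = make_db(ALL_TABLES)       # Data Sampling enabled: all 7 tables
    partial = make_db(BASE_TABLES)   # reporter's case: 4 tables, no producers
    return {
        "full_naive": matching_maps(full, [NAIVE_NO_SAMPLING, WITH_SAMPLING]),
        "full_tight": matching_maps(full, [TIGHT_NO_SAMPLING, WITH_SAMPLING]),
        "partial_tight": matching_maps(partial, [TIGHT_NO_SAMPLING, WITH_SAMPLING]),
        "partial_7map_query": run_map(partial, WITH_SAMPLING)["Events"],
        "partial_4map_query": run_map(partial, TIGHT_NO_SAMPLING)["Events"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the naive pair of Maps, the full DB fires both (`full_naive` lists two Map names), which is the duplicated-output case. With the tightened no-sampling Map each DB fires exactly one, and the partial DB only ever runs the query without the `producers` join; running the 7-table Map's query against it fails with `no such table: producers`.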
Ok, here's what I did. I created separate Maps for each expected scenario (Data Sampling vs. No Data Sampling).

Windows_EventTranscriptDB_DataSampling.smap

Here's the DBs and their respective paths in testing:

V:\EventTranscriptDB\GitHubIssues\EventTranscript.db - Data Sampling

Here's the output:
So you can see the DB with Data Sampling had the appropriate Map used against it, and the same for the one lacking Data Sampling. Thoughts on that @kushwadhwa?
Hi, first things first. Thanks for the quick response and for assisting me with the issue. Sincerely appreciate it. Second, in order to automate it and not leave the end user confused about the usage of the smap, can we give a checkbox option which, when enabled, will pick one specific smap file? Some kind of verbose note could be added on when to enable that checkbox. Also, wondering if there could be a third scenario which includes other tables, under which the application will fail to process, or are these the only two possible scenarios? This is a great product and will be enhanced more as the DFIR community uses it more and more. Best,
Also, if you can help me understand how to enable and disable Data Sampling, that would be helpful. Best,
You're welcome. Happy to help. We're not going to add anything to gkape for the end user to choose anything regarding parsing this DB. The way I have it set up will successfully parse with the user pointing SQLECmd against it, and the output gives the user hints about the status of data sampling. It's pretty ideal and I'll likely push it tomorrow. The queries within the Maps are pulling various data from certain columns within specified tables. If a Map's query isn't using a table that has valuable data, then that needs to be brought up on the SQLECmd repo so we can ensure that's fixed.
This is currently the great mystery with this DB. I think only Microsoft knows what triggers it. If you want to experience it right now, go install Windows 11 via the Developer Preview Insider Program. All the end user can do is turn on Optional logging and keep their fingers crossed on W10. Check my repo for ongoing research, as well as the research on the Kroll site, which is linked there too.
Thanks much. Will work more on this artifact and see what more is left to discover. Good luck and I wish you the best, Eric and Andrew. Best,
KAPE version
1.0.0.3
Describe the bug
Please see attached screenshot. Attaching the EventTranscript.db file for your review.
EventTranscript.zip