Merge pull request #39 from rathbuna/master

Split EventTranscript.db Maps
EricZimmerman · Jul 30, 2021 · 4b4a4e7 · 4b4a4e7
2 parents eccf3f5 + 999709b
commit 4b4a4e7
Show file tree

Hide file tree

Showing 2 changed files with 1,413 additions and 7 deletions.
diff --git a/SQLMap/Maps/Windows_EventTranscriptDB.smap → ...ndows_EventTranscriptDB_DataSampling.smap b/SQLMap/Maps/Windows_EventTranscriptDB.smap → ...ndows_EventTranscriptDB_DataSampling.smap
@@ -6,7 +6,7 @@ Version: 1.0
 FileName: EventTranscript.db
 CSVPrefix: Windows
 IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='categories' OR name='event_categories' OR name='event_tags' OR name='events_persisted' OR name='producers' OR name='provider_groups' OR name='tag_descriptions');
-IdentifyValue: 7
+IdentifyValue: 4
 Queries:
     -
         Name: Windows EventTranscript.db BrowsingHistory
@@ -241,7 +241,7 @@ Queries:
                TagName = 'Browsing History'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_BrowsingHistory
+        BaseFileName: EventTranscriptDB_BrowsingHistory_DataSampling
     -
         Name: Windows EventTranscript.db Device Connectivity and Configuration
         Query: |
@@ -475,7 +475,7 @@ Queries:
                TagName = 'Device Connectivity and Configuration'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_DeviceConnectivityandConfiguration
+        BaseFileName: EventTranscriptDB_DeviceConnectivityandConfiguration_DataSampling
     -
         Name: Windows EventTranscript.db Inking Typing and Speech Utterance
         Query: |
@@ -709,7 +709,7 @@ Queries:
                TagName = 'Inking Typing and Speech Utterance'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_InkingTypingandSpeechUtterance
+        BaseFileName: EventTranscriptDB_InkingTypingandSpeechUtterance_DataSampling
     -
         Name: Windows EventTranscript.db_ProductandServicePerformance
         Query: |
@@ -943,7 +943,7 @@ Queries:
                TagName = 'Product and Service Performance'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_ProductandServicePerformance
+        BaseFileName: EventTranscriptDB_ProductandServicePerformance_DataSampling
     -
         Name: Windows EventTranscript.db Product and Service Usage
         Query: |
@@ -1177,7 +1177,7 @@ Queries:
                TagName = 'Product and Service Usage'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_ProductandServiceUsage
+        BaseFileName: EventTranscriptDB_ProductandServiceUsage_DataSampling
     -
         Name: Windows EventTranscript.db Software Setup and Inventory
         Query: |
@@ -1411,7 +1411,7 @@ Queries:
                TagName = 'Software Setup and Inventory'
                ORDER BY
                events_persisted.timestamp ASC
-        BaseFileName: EventTranscriptDB_SoftwareSetupandInventory
+        BaseFileName: EventTranscriptDB_SoftwareSetupandInventory_DataSampling
 
 # Documentation
 # https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript