EventTranscriptParser is a Python-based tool to extract forensically useful details from EventTranscript.db (the Windows Diagnostic Database).
The database is found on Windows 10 systems and is present at
The tool currently supports the following features:
- Extracting MS Edge browser history.
- Extracting list of software/programs installed on the host system.
- Extracting Wireless Scan results.
- Extracting WiFi connection details (SSIDs, device manufacturers, etc.)
- Extracting Physical Disk information (disk size, number of partitions, etc.)
- Extracting PnP device installation information (install time, model, manufacturer, etc.)
- MORE COMING SOON!!
Python 3.8 or above; older versions of Python 3.x should work fine as well.
These are the required libraries/modules needed to run the script:
The tool is completely CLI based:
python EventTranscriptParser.py -f <Path-To-EventTranscript.db>
Tip: Before running the tool against the database, make sure that the -wal (Write-Ahead Log) file has been merged into the original database; otherwise you might miss out on crucial/juicy data, because committed rows can sit in the -wal file rather than in the main .db file.
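To show what the tip is guarding against, here is an added Python example (not part of EventTranscriptParser) that builds a constructed SQLite database in WAL mode, with a hypothetical `events` table standing in for the real schema, and compares what a copy of the .db file alone, the .db plus its -wal file, and a checkpointed .db each contain:

```python
"""Why the -wal file matters when collecting EventTranscript.db.

Constructed example: a small SQLite database in WAL mode stands in for
EventTranscript.db; the `events` table and its columns are hypothetical.
"""
import os
import shutil
import sqlite3
import tempfile


def count_rows(db_path: str) -> int:
    """Open a working copy and count rows (opening may create -shm/-wal files)."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    finally:
        con.close()


def wal_demo() -> dict:
    """Return the row counts seen under three collection strategies."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "EventTranscript.db")
    con = sqlite3.connect(src)
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO events(name) VALUES (?)", [("old-1",), ("old-2",)])
    con.commit()  # rollback-journal mode: these two rows land in the main file
    con.execute("PRAGMA journal_mode=WAL")
    con.executemany("INSERT INTO events(name) VALUES (?)", [(f"new-{i}",) for i in range(3)])
    con.commit()  # WAL mode: the three committed rows sit in EventTranscript.db-wal
    results = {}
    # 1) Only the .db file is copied: the three newest rows are invisible.
    shutil.copy(src, os.path.join(work, "only_db.db"))
    results["db_only"] = count_rows(os.path.join(work, "only_db.db"))
    # 2) .db and -wal copied together: SQLite replays the WAL when it opens the copy.
    shutil.copy(src, os.path.join(work, "with_wal.db"))
    shutil.copy(src + "-wal", os.path.join(work, "with_wal.db-wal"))
    results["db_plus_wal"] = count_rows(os.path.join(work, "with_wal.db"))
    # 3) A checkpoint merges the WAL into the main file before a db-only copy.
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    shutil.copy(src, os.path.join(work, "checkpointed.db"))
    results["checkpointed"] = count_rows(os.path.join(work, "checkpointed.db"))
    con.close()
    shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(wal_demo())
```

Work on a copy of the collected files, since opening a WAL-mode database read/write creates -shm and -wal files and checkpoints on close.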
Read more about their research here - https://github.com/rathbuna/EventTranscript.db-Research
Follow the investigative series at Kroll on EventTranscript.db - https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript