EventTranscriptDB parser.
In some cases MS activates the EventTranscriptDB. It should be easy to parse this SQLite database: https://github.com/rathbuna/EventTranscript.db-Research
--- additional information so far. Kape file: https://github.com/EricZimmerman/KapeFiles/blob/9982efa29950c1b427cf746b9f61eb77929f1e61/Targets/Windows/EventTranscriptDB.tkape Parser map: https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_EventTranscriptDB.smap
Thanks @MariasStory for pointing out this artifact, I was not aware of it.
@tc-wleite, when you have time, could you run a search for EventTranscript.db sample files in São Paulo past cases database so we could better test #1285? I searched for it in about ~1500 Brasilia cases and didn't find any sample...
Sure! I am running a search here and will update later if I find any samples.
Unfortunately there is no sample here either. I think the Windows default behavior is not to produce this file.
So, unfortunately, it seems this won't be useful for most cases :-(
@FelipeFcosta I think you don't need to spend much more time with this parser edited: for now. When you finish cleaning up the code, let me know.
> So, unfortunately, it seems this won't be useful for most cases :-(

Probably not, but it can be very useful in cases where it was enabled. And Windows updates/new versions may change the default behavior in the future.
> @FelipeFcosta I think you don't need to spend much more time with this parser edited: for now. When you finish cleaning up the code, let me know.

ready to be reviewed!