EricZimmerman / Issues

This is a repository for reporting any issues in any of my software
MIT License

Other tools #19

Open randomaccess3 opened 6 years ago

randomaccess3 commented 6 years ago
  1. Win10NotificationDatabase Tool (sqlite)
  2. StickyNotes parser (old format is ole, new format is sqlite)
  3. timeline transposer tool!

File Format Viewers!

  1. ESE
  2. OLE (less needed these days, could be incorporated into ezviewer)

Figured I'd put the requests in.

randomaccess3 commented 5 years ago

Recycle bin parser completed.

randomaccess3 commented 5 years ago
  1. Zwift - Something to tie them all together - KAPE!
randomaccess3 commented 5 years ago

Event log parser complete!

randomaccess3 commented 4 years ago
  1. Sqlite complete!
AndrewRathbun commented 3 years ago
  1. I'm working on a SQLECmd map for this. I'll add 3 to my list too.

https://www.github.com/EricZimmerman/SQLECmd/tree/master/SQLMap%2FMaps%2FWindows_Notifications_DB.smap

https://www.github.com/EricZimmerman/SQLECmd/tree/master/SQLMap%2FMaps%2FWindows_MicrosoftStickyNotes_NotesDB.smap

Let me know if you need anything else or want any adjustments made.

randomaccess3 commented 3 years ago

Having not used sqlecmd at all, thoughts on adding it to ezparser and running all the relevant maps? That being said, stickies and notifications aren't part of the basic collection... maybe I need an advanced collection?

AndrewRathbun commented 3 years ago

> Having not used sqlecmd at all, thoughts on adding it to ezparser and running all the relevant maps? That being said, stickies and notifications aren't part of the basic collection... maybe I need an advanced collection?

That is 100% the plan to add it. I want to flesh out the browser stuff before it's added. I'm slowly chipping away at more Maps to make the tool more "relevant" out of the box for those who may run only KAPETriage, BasicCollection, or SANSTriage.

Maybe there's room for a SQL databases Compound target? One that'll just have stuff SQLECmd parses all that is grabbed?

randomaccess3 commented 3 years ago

Yeah, that might be the way to go, but then it's a matter of people knowing what they should collect. I'm thinking I will go about the more advanced collection one; I tend to tick a bunch of other boxes on top of basic all the time anyway, and that list is growing, so it would be worthwhile. Will start jotting down some ideas.

AndrewRathbun commented 3 years ago

Would AdvancedCollection call Basic and then just point to other Targets beyond that? Or are you thinking something else?

Maybe it's a good opportunity to take a look at Basic and verify the contents of it fitting the basic label and saving the more advanced stuff for Advanced?

randomaccess3 commented 3 years ago

Yep. Nah, Basic is "If I had a choice of collecting as much as I could in an intrusion regardless of OS, what would I go for", which at the time was everything listed there. It could be expanded to add other stuff, but I've left that to the user. That being said, one shot on a box I'm ticking email and web browsers, which increase acquisition time a lot, especially if VSS is ticked.