forensicmatt / ActivitiesCacheParser

Parse Windows ActivitiesCache to JSONL. This project is for learning purposes and is not maintained.

ActivitiesCacheParser

Parse Windows ActivitiesCache to JSONL or formatted output.

Usage

usage: winactivities2json.py [-h] -s SOURCE [-t TEMP_DIR]
                             [--sequence SEQUENCE] [-o OUTPUT_TEMPLATE]
                             [--dump_db] [--debug {ERROR,WARN,INFO,DEBUG}]

Interface to parse Windows Timeline - ActivitiesCache.db.
Run this tool on the database file, or on a logical volume to process records for all users.

(default location - \Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\L.%USERNAME%)

version: 0.0.1

optional arguments:
  -h, --help            show this help message and exit
  -s SOURCE, --source SOURCE
                        The activities database or a logical volume (logical
                        volume: \\.\C:).
  -t TEMP_DIR, --temp_dir TEMP_DIR
                        The template directory for extractions if source is a
                        logical volume.
  --sequence SEQUENCE   Only display sequences above this value. (default: 0)
  -o OUTPUT_TEMPLATE, --output_template OUTPUT_TEMPLATE
                        Output template format.
  --dump_db             Dump the entire ActivitiesCache.db database, not just
                        the Activity table.
  --debug {ERROR,WARN,INFO,DEBUG}
                        Debug level [default=ERROR]

Formatted Output

By default (no template given) the tool writes each record as one JSONL line. An output template replaces that with a custom format: the template is just a format string whose fields are the record's keys, so nested values can be reached with index notation such as {AppId[0][application]}.

Given the following record (formatted with indentation for better readability):

{
  "_rowid": 115,
  "Id": "c6fbf27c49fb82315155669f8329c995",
  "AppId": [{
      "application": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe",
      "platform": "windows_win32"
    }, {
      "application": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe",
      "platform": "packageId"
    }, {
      "application": "",
      "platform": "alternateId"
    }, {
      "application": "",
      "platform": "windows_universal"
    }
  ],
  "PackageIdHash": "k6rI3Te3bxJRvjak0sx3vVZjSTM2c6pZ22Lb+ebZW6A=",
  "AppActivityId": "ECB32AF3-1440-4086-94E3-5311F97F89C4",
  "ActivityType": 6,
  "ActivityStatus": 1,
  "ParentActivityId": "00000000000000000000000000000000",
  "Tag": null,
  "Group": null,
  "MatchId": null,
  "LastModifiedTime": "2018-07-13 17:03:54",
  "ExpirationTime": "2018-08-12 17:03:54",
  "Payload": {
    "type": "UserEngaged",
    "reportingApp": "ShellActivityMonitor",
    "activeDurationSeconds": 142,
    "shellContentDescription": {
      "MergedGap": 600
    },
    "userTimezone": "America\/Los_Angeles"
  },
  "Priority": 3,
  "IsLocalOnly": 0,
  "PlatformDeviceId": "zdb2vOpgPSkxd2PLwsayEmxe1DNFt6GOtaz+2ENpgLU=",
  "CreatedInCloud": 0,
  "StartTime": "2018-07-13 17:01:36",
  "EndTime": "2018-07-13 17:13:28",
  "LastModifiedOnClient": "2018-07-13 17:13:28",
  "GroupAppActivityId": "",
  "ClipboardPayload": null,
  "EnterpriseId": "",
  "OriginalPayload": null,
  "OriginalLastModifiedOnClient": null,
  "ETag": 687,
  "_user": "mpowers",
  "_cpd_location": "L.mpowers"
}

Passing the template -o "{StartTime} - {AppId[0][application]}" would produce the following output:

2018-07-13 17:01:36 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe

Example 1

Using the format template, we want to see quickly which users have recorded activity involving cmd.exe. Rendering one compact line per record and piping it through a grep tool (ripgrep, rg, below) filters the output to the matching rows.

winactivities2json.py -s \\.\H: -t D:\Testing\activities --debug ERROR -o "{_user}: {StartTime} - {AppId[0][application]}" | rg cmd.exe
Administrator: 2018-08-07 19:29:59 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
Administrator: 2018-08-07 19:29:59 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-23 13:30:04 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-16 17:30:53 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-12 21:26:43 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-12 21:26:43 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
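The template rendering described under Formatted Output and the grep-style filtering of Example 1, as an added Python example that is not part of the ActivitiesCacheParser project's code. It assumes the template is a Python str.format string applied to the record's keys (which is what the {AppId[0][application]} syntax implies), that _user and _cpd_location are taken from the path components of the default database location quoted in the usage text, and it works on constructed records modelled on the README's sample; the function names are my own.

```python
import json
from pathlib import PureWindowsPath

# Constructed record shaped like the README's sample, trimmed to the fields used here.
SAMPLE_RECORD = {
    "_rowid": 115,
    "Id": "c6fbf27c49fb82315155669f8329c995",
    "AppId": [
        {"application": r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe",
         "platform": "windows_win32"},
        {"application": "", "platform": "alternateId"},
    ],
    "ActivityType": 6,
    "StartTime": "2018-07-13 17:01:36",
    "EndTime": "2018-07-13 17:13:28",
    "Payload": {"type": "UserEngaged", "activeDurationSeconds": 142},
    "_user": "mpowers",
    "_cpd_location": "L.mpowers",
}

# Second constructed record so the cmd.exe filter has something to match.
CMD_RECORD = dict(
    SAMPLE_RECORD,
    _rowid=201,
    _user="Administrator",
    _cpd_location="L.Administrator",
    StartTime="2018-08-07 19:29:59",
    AppId=[{"application": r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe",
            "platform": "windows_win32"}],
)

# Directory names that must follow Users\<user> in the default database location.
CPD_TAIL = ("appdata", "local", "connecteddevicesplatform")


def user_fields_from_path(db_path):
    """Derive _user and _cpd_location from a database path that follows the default layout
    Users\\<user>\\AppData\\Local\\ConnectedDevicesPlatform\\L.<user>\\ActivitiesCache.db.
    Returns None when the path does not follow that layout (assumed behaviour, not the tool's).
    PureWindowsPath accepts both backslash and forward-slash separators on any host."""
    parts = PureWindowsPath(db_path).parts
    lowered = [p.lower() for p in parts]
    if "users" not in lowered:
        return None
    i = lowered.index("users")
    # Layout after "Users": <user>, AppData, Local, ConnectedDevicesPlatform, <cpd dir>, <db file>
    if len(parts) < i + 7 or tuple(lowered[i + 2:i + 5]) != CPD_TAIL:
        return None
    return {"_user": parts[i + 1], "_cpd_location": parts[i + 5]}


def render(record, template=None):
    """Render one record as a JSONL line (no template, the default) or through a
    str.format-style template such as "{StartTime} - {AppId[0][application]}".
    A template that names a field the record lacks raises ValueError instead of
    silently producing a broken line."""
    if template is None:
        return json.dumps(record, ensure_ascii=False)
    try:
        return template.format(**record)
    except (KeyError, IndexError, TypeError) as exc:
        raise ValueError(f"template {template!r} references a field not in the record: {exc}") from None


def grep_rendered(records, template, needle):
    """Render every record with the template and keep only the lines containing needle,
    mirroring the README's `... -o TEMPLATE | rg cmd.exe` pipeline (case-sensitive substring)."""
    return [line for line in (render(r, template) for r in records) if needle in line]


if __name__ == "__main__":
    print(user_fields_from_path(r"H:\Users\mpowers\AppData\Local\ConnectedDevicesPlatform\L.mpowers\ActivitiesCache.db"))
    print(render(SAMPLE_RECORD))                                       # default JSONL line
    print(render(SAMPLE_RECORD, "{StartTime} - {AppId[0][application]}"))
    for line in grep_rendered([SAMPLE_RECORD, CMD_RECORD],
                              "{_user}: {StartTime} - {AppId[0][application]}", "cmd.exe"):
        print(line)
```

The template is applied with str.format(**record), which is why bracket lookups into the AppId list and Payload dictionary work without any extra parsing; the ValueError in render is the one behaviour added beyond what the README describes, so a typo in a field name fails loudly rather than being mistaken for an empty value in the output.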

TODO Docs

Examples and descriptions of:

  • --sequence
  • --dump_db

About

License: Apache License 2.0
