Partition%4Diagnostic.evtx Log Parser

Partition%4DiagnosticParser is a Python tool that parses the Windows 10 Microsoft-Windows-Partition%4Diagnostic.evtx log file (path: C:\Windows\System32\winevt\Logs) and reports information about every device that has been connected to the system, together with each device's Volume Serial Numbers, covering both devices that are still present and devices that were connected in the past. It accomplishes this by doing the following:

What gives this information added value is that malicious actors often try to cover their illicit activity and files by formatting or wiping their device. Using this information, an investigator can attribute LNK and Jump List files to a specific removable device, even after the original files were deleted and the device was formatted.

Installation

This is a tool written in Python (version 3.8.5 was used). The .exe file (Partition%4DiagnosticParser.exe) runs on Microsoft Windows machines by simply double-clicking it.

The source code file (Partition%4DiagnosticParser.py) can be run on any system with Python 3 installed (version 3.6 or above is needed). It needs only two additional libraries to run successfully. Use the package manager pip to install them:

pip install evtx

for the evtx module from Omer Ben-Amram at https://pypi.org/project/evtx/

pip install PySimpleGUI

for the PySimpleGUI module from MikeTheWatchGuy at https://pypi.org/project/PySimpleGUI/

Usage

The tool comes with a GUI. The user has to provide the tool with a Partition%4Diagnostic.evtx log file (on a live system, bear in mind that this Event Log is locked by the OS and needs to be copied elsewhere first) and then has the following options:

1. Run a full report action to get a report (HTML or CSV) showing all of the connected devices, their manufacturer, model, First Connected timestamp (UTC), Last Connected timestamp (UTC) and finally every Volume Serial Number that ever existed on these devices throughout the whole log.


2. Run a targeted analysis action for a specific removable device by providing the device's S/N (embedded by the manufacturer and usually printed on the device's outer case; see the command cheatsheet included within the first few lines of the .py file for obtaining a device's S/N via CMD). With this option the user gets a report (HTML or CSV) providing an actual timeline of every time the device was connected to the OS, along with:


In either case, the tool provides a verbose output pane with extra information for the analysis.
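As an added example (not the tool's own code), the following shows how one record of this log can be reduced to the device identity and Volume Serial Number the report lists. It assumes the record shape yielded by pyevtx-rs' PyEvtxParser.records_json(), that Event ID 1006 carries the Manufacturer, Model, SerialNumber and Vbr0 (boot-sector bytes) fields as hex, and that the volume serial is read from the boot sector at the standard NTFS/exFAT/FAT offsets; none of those details are stated on this page.

```python
import json
import struct

# Boot-sector (VBR) signatures and volume-serial offsets for NTFS, exFAT, FAT32 and FAT12/16.
# 'vol' on Windows shows the low 4 bytes of the value as XXXX-XXXX.
_LAYOUTS = (
    (3, b"NTFS    ", 0x48, "<Q"),
    (3, b"EXFAT   ", 0x64, "<I"),
    (0x52, b"FAT32   ", 0x43, "<I"),
    (0x36, b"FAT16   ", 0x27, "<I"),
    (0x36, b"FAT12   ", 0x27, "<I"),
)

def volume_serial_from_vbr(vbr: bytes):
    """Return the volume serial number stored in a boot sector as hex, or None."""
    for sig_off, sig, serial_off, fmt in _LAYOUTS:
        if vbr[sig_off:sig_off + len(sig)] == sig and len(vbr) >= serial_off + struct.calcsize(fmt):
            return "%0*X" % (2 * struct.calcsize(fmt), struct.unpack_from(fmt, vbr, serial_off)[0])
    return None  # unknown or wiped boot sector: nothing to attribute

def device_from_record(record):
    """Reduce one PyEvtxParser.records_json() record to the fields the report lists, or None."""
    event = json.loads(record["data"])["Event"]
    event_id = event["System"]["EventID"]
    if isinstance(event_id, dict):   # pyevtx-rs nests the id under "#text" when Qualifiers are set
        event_id = event_id.get("#text")
    if event_id != 1006:             # assumption: 1006 is the device-arrival record carrying Vbr0
        return None
    data = event["EventData"]
    vbr = bytes.fromhex(data.get("Vbr0") or "")   # assumption: binary fields arrive hex-encoded
    return {
        "timestamp": record["timestamp"],
        "manufacturer": (data.get("Manufacturer") or "").strip(),
        "model": (data.get("Model") or "").strip(),
        "serial": (data.get("SerialNumber") or "").strip(),
        "volume_serial": volume_serial_from_vbr(vbr),
    }

def parse_log(path):
    """Walk a copied Partition%4Diagnostic.evtx with pyevtx-rs (pip install evtx)."""
    from evtx import PyEvtxParser   # imported lazily so the helpers above run without it
    return [d for d in map(device_from_record, PyEvtxParser(path).records_json()) if d]

# Constructed sample record: 0x50 bytes of an NTFS boot sector with OEM ID "NTFS    "
# at offset 3 and volume serial 0x1122334455667788 (little-endian) at offset 0x48.
SAMPLE_RECORD = {"event_record_id": 42, "timestamp": "2021-03-01 10:15:00.123456 UTC",
                 "data": json.dumps({"Event": {"System": {"EventID": 1006}, "EventData": {
                     "Manufacturer": "Kingston", "Model": "DataTraveler 3.0", "SerialNumber": "0123456789ABCDEF",
                     "Vbr0": "EB5290" + "4E54465320202020" + "00" * 0x3D + "8877665544332211"}}})}
```

Running device_from_record(SAMPLE_RECORD) yields the Kingston device with volume serial 1122334455667788; a wiped or formatted device shows up as a changed or missing volume serial on later 1006 records, which is exactly the history the full report tracks.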

Caveats

License

MIT