Last active
April 16, 2021 10:11
-
-
Save janstarke/644816275bcdd3dddb8b85121e75389b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # convert all evtx files to xml files | |
| for F in *.evtx; do evtx_dump "$F">"${F%.evtx}.xml"; done | |
| # create python env | |
| python3 -m venv venv | |
| source venv/bin/activate.fish | |
| pip3 install --upgrade pip | |
| pip3 install regipy | |
| # create registry timeline | |
| registry-dump -t -o SYSTEM_timeline.txt ../LiveResponseData/CopiedFiles/registry/SYSTEM | |
| sort SYSTEM_timeline.txt >SYSTEM_timeline_sorted.txt | |
| mv SYSTEM_timeline_sorted.txt SYSTEM_timeline.txt | |
| registry-dump -o SYSTEM_dump.txt ../LiveResponseData/CopiedFiles/registry/SYSTEM | |
| registry-dump -t -o SOFTWARE_timeline.txt ../LiveResponseData/CopiedFiles/registry/SOFTWARE | |
| sort SOFTWARE_timeline.txt >SOFTWARE_timeline_sorted.txt | |
| mv SOFTWARE_timeline_sorted.txt SOFTWARE_timeline.txt | |
| registry-dump -o SOFTWARE_dump.txt ../LiveResponseData/CopiedFiles/registry/SOFTWARE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment