Added in SRUDB processing

jimtin · May 31, 2020 · 1dd3bad · 1dd3bad
1 parent 52df079
commit 1dd3bad
Show file tree

Hide file tree

Showing 8 changed files with 65 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
+/PythonAnalysisList
 /volatility3
diff --git a/Actions/SRUProcessing/Format-SRUDB.psm1 b/Actions/SRUProcessing/Format-SRUDB.psm1
@@ -0,0 +1,51 @@
+function Format-SRUDB {
+ <#
+ .SYNOPSIS
+ Gets the SRUDB.dat file and runs the excellent srum-dump executeable by Mark Baggett
+
+ .DESCRIPTION
+ Uses the excellent work done by Mark Baggett here: https://github.com/MarkBaggett/srum-dump
+ Transforms the information from SRUDB into an excel file
+ 
+ #>
+ param (
+
+ )
+
+ # Create the output dictionary
+ $output = @{
+ "Object" = "Format-SRUDB"
+ }
+
+ # Get the endpoint from the target list
+ $endpoints = Get-TargetList
+
+ foreach($endpoint in $endpoints){
+ # Create dictionary for output
+ $endpointdict = @{}
+
+ # Create input location
+ $inputloc = "C:\ExtractionDirectory\" + $endpoint + "_ForensicArtifacts\EventLoggingandSRU\sru\SRUDB.dat"
+
+ # Add to the output object
+ $endpointdict.Add("InputLocation", $inputloc)
+
+ # Create the output location
+ $outputloc = "C:\ExtractionDirectory\" + $endpoint + "_ForensicArtifacts\EventLoggingandSRU\ProcessedOutcomes\sru_database.xlsx"
+
+ # Add to the output object
+ $endpointdict.Add("OutputLocation", $outputloc)
+
+ # Now run the executeable
+ $srumdb = .\Executeables\srum_dump2.exe --SRUM_INFILE $inputloc --XLSX_OUTFILE $outputloc --XLSX_TEMPLATE ".\Executeables\SRUM_TEMPLATE2.xlsx"
+
+ # Add the results to the output object
+ $endpointdict.Add("SRUDB_Processing", $srumdb)
+
+ # Add all results to the output dictionary
+ $output.Add($endpoint, $endpointdict)
+ }
+
+ # Return outcomes to the user
+ Write-Output $output
+}
diff --git a/CoreEndpointInteraction/Get-TargetList.psm1 b/CoreEndpointInteraction/Get-TargetList.psm1
@@ -18,5 +18,7 @@ function Get-TargetList{
 
  Write-ColoredInformation -MessageData "Targets:" -ForegroundColor "Blue"
  Write-ColoredInformation -MessageData $message -ForegroundColor "Red"
+
+ Write-Output $message
 
 }
diff --git a/Executeables/SRUM_TEMPLATE2.xlsx b/Executeables/SRUM_TEMPLATE2.xlsx
diff --git a/Executeables/executeablemanifest.json b/Executeables/executeablemanifest.json
@@ -3,5 +3,15 @@
  "ExecutableName": "WinPmem.exe",
  "DownloadURL": "https://github.com/google/rekall/releases/download/v1.3.1/winpmem_1.6.2.exe",
  "OutputPath": "Executeables"
+ },
+ {
+ "ExecutableName": "srum_dump2.exe",
+ "DownloadURL": "https://github.com/MarkBaggett/srum-dump/blob/master/SRUM_TEMPLATE2.xlsx",
+ "OutputPath": "Executeables"
+ },
+ {
+ "ExecutableName": "SRUM_TEMPLATE2.xlsx",
+ "DownloadURL": "https://github.com/MarkBaggett/srum-dump/blob/master/SRUM_TEMPLATE2.xlsx",
+ "OutputPath: Executeables"
  }
 ]
diff --git a/Executeables/srum_dump2.exe b/Executeables/srum_dump2.exe
diff --git a/volatility3 → PythonAnalysisList/volatility3 b/volatility3 → PythonAnalysisList/volatility3
diff --git a/modulemanifest.txt b/modulemanifest.txt
@@ -15,3 +15,4 @@
 .\Actions\DumpandRetrieveMemory\Get-MemoryDump.psm1
 .\Actions\RetrieveLogsandSRUDB\Copy-RemoteEventLogging.psm1
 .\Actions\RetrieveLogsandSRUDB\Get-RemoteEventLogging.psm1
+.\Actions\SRUProcessing\Format-SRUDB.psm1