Version 1.6 of #DFIR #parseUSBs is out…
I was interested to see if I could fill in any gaps in assigned drive letters for previous USB connections using LNK data, so this version does exactly that (matching on VSN)
As always, feedback very welcome
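Added illustration of the LNK-to-VSN matching described in the post above; this is example code written here, not parseUSBs' own. It walks the ShellLink header and LinkInfo block per MS-SHLLINK, pulls VolumeID.DriveSerialNumber plus LocalBasePath, and matches the serial against a table of device VSNs. The sample LNK and the KNOWN_DEVICES table are constructed, and the VSNs are assumed to have been recovered from the registry already (e.g. the decimal value at the end of an EMDMgmt key name).

```python
"""Fill gaps in assigned drive letters for past USB connections from LNK
(shortcut) files by matching the LNK VolumeID.DriveSerialNumber to the
device's volume serial number (VSN).

Illustrative example only (not parseUSBs' code). Structure offsets follow
MS-SHLLINK; the sample LNK bytes and KNOWN_DEVICES are constructed here."""
import struct
from typing import Optional

LNK_HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = struct.pack("<IHH8s", 0x00021401, 0, 0, bytes.fromhex("C000000000000046"))
FLAG_HAS_LINK_TARGET_ID_LIST = 0x1      # LinkFlags bit 0
FLAG_HAS_LINK_INFO = 0x2                # LinkFlags bit 1
LI_VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1  # LinkInfoFlags bit 0
LI_COMMON_NETWORK_RELATIVE_LINK = 0x2   # LinkInfoFlags bit 1 (UNC targets)
DRIVE_REMOVABLE, DRIVE_FIXED = 2, 3     # VolumeID.DriveType; USB enclosures often report FIXED


def format_vsn(serial: int) -> str:
    """Render a VSN the way `vol` shows it (XXXX-XXXX). Registry sources such as
    EMDMgmt carry the same value as a decimal string: use int(s) before calling."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def parse_lnk_volume(data: bytes) -> Optional[dict]:
    """Return VolumeID fields and LocalBasePath from a LNK, or None when the
    shortcut carries no local volume (no LinkInfo, or a network target)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]   # after HeaderSize + CLSID
    pos = LNK_HEADER_SIZE
    if link_flags & FLAG_HAS_LINK_TARGET_ID_LIST:          # skip the IDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & FLAG_HAS_LINK_INFO:
        return None
    li = pos
    _li_size, _li_hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<5I", data, li)
    if not li_flags & LI_VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                        # UNC link: no VSN to match
    vol_start = li + vol_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol_start)
    label = None
    if label_off != 0x14:   # 0x14 means a Unicode label offset follows; ANSI-only here
        label_start = vol_start + label_off
        label = data[label_start:data.index(b"\x00", label_start)].decode("cp1252", "replace")
    lbp_start = li + lbp_off
    local_base_path = data[lbp_start:data.index(b"\x00", lbp_start)].decode("cp1252", "replace")
    return {"serial": serial, "vsn": format_vsn(serial), "drive_type": drive_type,
            "label": label, "local_base_path": local_base_path}


def fill_drive_letters(known_vsns: dict, lnk_blobs: list) -> dict:
    """known_vsns: {device_id: vsn_int} already recovered from the registry.
    Returns {device_id: sorted drive letters seen in LNKs with the same VSN}."""
    by_vsn = {vsn: dev for dev, vsn in known_vsns.items()}
    letters = {dev: set() for dev in known_vsns}
    for blob in lnk_blobs:
        info = parse_lnk_volume(blob)
        if info is None or info["serial"] not in by_vsn:
            continue
        path = info["local_base_path"]
        if len(path) >= 2 and path[1] == ":":
            letters[by_vsn[info["serial"]]].add(path[0].upper())
    return {dev: sorted(v) for dev, v in letters.items()}


def build_sample_lnk(serial: int, local_base_path: str, label: str = "USBDISK",
                     link_info_flags: int = LI_VOLUME_ID_AND_LOCAL_BASE_PATH) -> bytes:
    """Constructed minimal LNK: 76-byte header + LinkInfo(VolumeID, LocalBasePath)."""
    lbp = local_base_path.encode("cp1252") + b"\x00"
    label_b = label.encode("cp1252") + b"\x00"
    vol = struct.pack("<4I", 16 + len(label_b), DRIVE_REMOVABLE, serial, 16) + label_b
    li_hdr = 0x1C
    vol_off, lbp_off = li_hdr, li_hdr + len(vol)
    suffix_off = lbp_off + len(lbp)
    suffix = b"\x00"                                       # empty CommonPathSuffix
    link_info = struct.pack("<7I", suffix_off + len(suffix), li_hdr, link_info_flags,
                            vol_off, lbp_off, 0, suffix_off) + vol + lbp + suffix
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, SHELL_LINK_CLSID,
                         FLAG_HAS_LINK_INFO, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info


# Constructed: device IDs and their VSNs as parseUSBs would already hold them.
KNOWN_DEVICES = {"SanDisk_Cruzer_4C530001": 0x1A2B3C4D, "Kingston_DT101_001A9F": 0xDEADBEEF}

if __name__ == "__main__":
    sample = build_sample_lnk(0x1A2B3C4D, "E:\\Reports\\q3.xlsx", label="BACKUP")
    print(parse_lnk_volume(sample))
    print(fill_drive_letters(KNOWN_DEVICES, [sample]))
```

Matching on the serial alone is deliberate: the LNK's LocalBasePath gives the letter the volume had at the time the shortcut was written, and a device that was E: on one visit and F: on another will correctly show both.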
🚨 #DFIR Tool update 🚨
I’ve updated my #parseUSBs script (again!) with some big updates:
- Now supports mounted #KAPE images
- Improved deduplication of events within secs of each other
- Added extraction of partition style (MBR/GPT) & Filesystem fields in event logs
- Parses alternate S/Ns in event logs
- Parses WPDBUSENUM key
Check it out here:
https://github.com/khyrenz/parseusbs
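Added illustration of the "deduplication of events within secs of each other" point in the post above; example code written here, not parseUSBs' own, and the sample timeline is constructed. One plug-in typically lands in several sources (registry hives, Partition/Diagnostic, Storsvc/Diagnostic, ...) with timestamps a few seconds apart, so same-device, same-action hits inside a short window are merged into one timeline row that records every source.

```python
"""Merge bursts of the same USB event logged within a few seconds of each
other into one timeline row. Example code, not parseUSBs'; sample events
are constructed."""
from datetime import datetime, timedelta


def dedupe_timeline(events, window_seconds=5):
    """events: dicts with 'time' (datetime), 'device', 'action', 'source'.
    An event with the same (device, action) within window_seconds of the last
    KEPT event for that key is folded into it. Comparing against the kept
    anchor rather than the previous raw hit bounds each merged group to the
    window, so a long chain of 3-second-spaced hits cannot swallow a genuine
    later reconnect. Returns rows sorted by time with 'sources' and 'hits'."""
    kept = []
    last_kept = {}                                  # (device, action) -> index in kept
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["device"], ev["action"])
        i = last_kept.get(key)
        if i is not None and ev["time"] - kept[i]["time"] <= timedelta(seconds=window_seconds):
            kept[i]["sources"].add(ev["source"])
            kept[i]["hits"] += 1
            continue
        row = {k: v for k, v in ev.items() if k != "source"}
        row.update(sources={ev["source"]}, hits=1)
        kept.append(row)
        last_kept[key] = len(kept) - 1
    return kept


# Constructed sample: one insertion seen by three artefacts, a removal, then
# a reinsertion 6 s after the first anchor (outside the 5 s window).
_T0 = datetime(2024, 3, 5, 9, 14, 2)
SAMPLE_EVENTS = [
    {"time": _T0, "device": "SanDisk_Cruzer_4C530001", "action": "connect", "source": "SYSTEM\\USBSTOR"},
    {"time": _T0 + timedelta(seconds=3), "device": "SanDisk_Cruzer_4C530001", "action": "connect",
     "source": "Partition/Diagnostic"},
    {"time": _T0 + timedelta(seconds=2), "device": "SanDisk_Cruzer_4C530001", "action": "disconnect",
     "source": "Storsvc/Diagnostic"},
    {"time": _T0 + timedelta(seconds=6), "device": "SanDisk_Cruzer_4C530001", "action": "connect",
     "source": "Storsvc/Diagnostic"},
]


def demo_rows():
    """Compact view of the deduplicated sample: (action, hits, sources)."""
    return [(r["action"], r["hits"], sorted(r["sources"])) for r in dedupe_timeline(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for row in demo_rows():
        print(row)
```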
My #parseusbs #DFIR tool got a small update this week to fix an issue on Linux - now tested on Windows cmd/powershell, WSL (the best!), & Ubuntu
Parse USB connection artifacts from a Windows volume, including registry & event log data (or offline hives)
github.com/khyrenz/parseusbs
🚨 #DFIR Tool Update 🚨
Updates to #parseUSBs script:
- now also parses Storsvc event log to get volume count & size values
- includes a timeline in CSV out mode as well as summary
Would love to know if there’s anything else you’d like to see parsed