From 6dd180e56178cf05f50ec0538a9865962228ce17 Mon Sep 17 00:00:00 2001 From: Ryan Benson Date: Sat, 20 Apr 2019 13:39:00 -0700 Subject: [PATCH 1/6] Created using Colaboratory --- notebooks/MUS2019_CTF.ipynb | 5384 +++++++++++++++++++++++++++++++++++ 1 file changed, 5384 insertions(+) create mode 100644 notebooks/MUS2019_CTF.ipynb diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb new file mode 100644 index 0000000000..7bac7cb350 --- /dev/null +++ b/notebooks/MUS2019_CTF.ipynb 
@@ -0,0 +1,5384 @@ +{ + "nbformat": 4, + "nbformat_minor": 0, + "metadata": { + "colab": { + "name": "MUS2019-CTF.ipynb", + "version": "0.3.2", + "provenance": [], + "include_colab_link": true + }, + "kernelspec": { + "name": "python2", + "display_name": "Python 2" + } + }, + "cells": [ + { + "cell_type": "markdown", + "metadata": { + "id": "view-in-github", + "colab_type": "text" + }, + "source": [ + "\"Open" + ] + }, + { + "metadata": { + "id": "2y1Dij2Z7C4n", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "# Magnet User Summit CTF 2019\n" + ] + }, + { + "metadata": { + "id": "V3DWqc_275Jm", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "The folks at [Magnet Forensics](https://www.magnetforensics.com/) had a [conference](https://magnetusersummit.com/) recently, and as part of it they put together a digital forensics-themed Capture the Flag competition. I wasn't able to attend, but thankfully they [released the CTF online](https://www.hecfblog.com/2019/04/daily-blog-657-mus2019-dfir-ctf-open-to.html) a few days after the live competition ended. \n", + "\n", + "It looked like a lot of fun and I wanted to take a crack at it using the open source tools we use/build here at Google. \n" + ] + }, + { + "metadata": { + "id": "1_pWpmTdnYJM", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "## Forensics Preprocessing" + ] + }, + { + "metadata": { + "id": "2Hph_KETIvOT", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "I'm going to focus on how to find the answers to the CTF questions after all the processing has been done. 
I'll quickly summarize the processing steps I did to get to the state when I pick up my walkthrough.\n", + "\n", + "I started off by processing the provided E01 image with a basic log2timeline command; nothing special added:\n", + "\n", + "\n", + "```\n", + "ryan:~$ log2timeline.py MUS2019-CTF.plaso MUS-CTF-19-DESKTOP-001.E01\n", + "```\n", + "\n", + "Once that finished, I went to [Timesketch](https://github.com/google/timesketch), made a new sketch, and uploaded the MUS2019-CTF.plaso file I just made. The *.plaso* file is a database containing the results of my log2timeline run; Timesketch can read it and provide a nice, collaborative interface for reviewing and exploring that data.\n", + "\n", + "Most of what I'm going to show you is done in Colab by accessing the Timesketch API in Python. You can do most of the steps in the Timesketch web interface directly, but I wanted to demonstrate how you can use Python, Colab, Timesketch, and Plaso together to work a case. \n" + ] + }, + { + "metadata": { + "id": "w-UPKnDLnbBF", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "## Timesketch & Colab Setup\n", + "\n", + "The [Timesketch GitHub](https://github.com/google/timesketch) has Colab ([Timesketch and Colab](https://colab.research.google.com/github/google/timesketch/blob/master/notebooks/colab-timesketch-demo.ipynb)) that walks through how to install, connect, and explore a Sketch using Colab. 
Please check it out if you want a more thorough explanation of the setup; I'm just going to show the commands you need to run to get it working: " + ] + }, + { + "metadata": { + "id": "h35lMbAxIeYE", + "colab_type": "code", + "outputId": "86656d91-ba58-4efa-f01a-aa2ecb825068", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 255 + } + }, + "cell_type": "code", + "source": [ + "# Install the TimeSketch API client if you don't have it\n", + "!pip install timesketch-api-client\n", + "\n", + "# Import some things we'll need\n", + "from timesketch_api_client import client\n", + "import pandas as pd\n", + "pd.options.display.max_colwidth = 60" + ], + "execution_count": 1, + "outputs": [ + { + "output_type": "stream", + "text": [ + "Collecting timesketch-api-client\n", + " Downloading https://files.pythonhosted.org/packages/70/70/863ff486c8d2f9ddb5d7edebcde3cc5cff8de3c4a2682b32f6d292b4d34e/timesketch-api-client-20190124.tar.gz\n", + "Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (2.18.4)\n", + "Requirement already satisfied: beautifulsoup4 in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (4.6.3)\n", + "Requirement already satisfied: idna<2.7,>=2.5 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2.6)\n", + "Requirement already satisfied: urllib3<1.23,>=1.21.1 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (1.22)\n", + "Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2019.3.9)\n", + "Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (3.0.4)\n", + "Building wheels for collected packages: timesketch-api-client\n", + " Building wheel for timesketch-api-client (setup.py) ... 
\u001b[?25ldone\n", + "\u001b[?25h Stored in directory: /root/.cache/pip/wheels/71/ae/fc/53d5a72e83b0442a3c31788391b1a72a387c9819602ffc49e4\n", + "Successfully built timesketch-api-client\n", + "Installing collected packages: timesketch-api-client\n", + "Successfully installed timesketch-api-client-20190124\n" + ], + "name": "stdout" + } + ] + }, + { + "metadata": { + "id": "ph1jGHR5JjZo", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Connect to Timesketch\n", + "By default, this will connect to the public demo Timesketch server, which [David Cowen](https://twitter.com/HECFBlog) has graciously allowed to host a copy of the Plaso timeline of the MUS2019-CTF. Thanks Dave!" + ] + }, + { + "metadata": { + "id": "dqwwIBOpJfZi", + "colab_type": "code", + "cellView": "form", + "colab": {} + }, + "cell_type": "code", + "source": [ + "#@title Client Information { run: \"auto\"}\n", + "\n", + "SERVER = 'https://demo.timesketch.org' #@param {type: \"string\"}\n", + "USER = 'demo' #@param {type: \"string\"}\n", + "PASSWORD = 'demo' #@param {type: \"string\"}\n", + "\n", + "\n", + "ts_client = client.TimesketchApi(SERVER, USER, PASSWORD)" + ], + "execution_count": 0, + "outputs": [] + }, + { + "metadata": { + "id": "OZ4CahZZPjht", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Now that we've connected to the Timesketch server, we need to select the Sketch that has the CTF timeline. 
\n", + "\n", + "First we'll list the available sketches, then print their names:" + ] + }, + { + "metadata": { + "id": "vsEZI45porba", + "colab_type": "code", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 85 + }, + "outputId": "5ead42d2-767f-472b-b575-0deceeec9342" + }, + "cell_type": "code", + "source": [ + "sketches = ts_client.list_sketches()\n", + "for i, sketch in enumerate(sketches):\n", + " print('[{0:d}] {1:s}'.format(i, sketch.name))" + ], + "execution_count": 3, + "outputs": [ + { + "output_type": "stream", + "text": [ + "[0] MUSCTF 2019\n", + "[1] The Greendale incident - 2019\n", + "[2] test1Untitled sketch\n", + "[3] The Greendale investigation\n" + ], + "name": "stdout" + } + ] + }, + { + "metadata": { + "id": "E6RX0jqzQrRq", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Then we'll select the MUS2019-CTF sketch:" + ] + }, + { + "metadata": { + "id": "hvCl6L7ZQrsZ", + "colab_type": "code", + "colab": {} + }, + "cell_type": "code", + "source": [ + "ctf = sketches[0]" + ], + "execution_count": 0, + "outputs": [] + }, + { + "metadata": { + "id": "4P9vvN2KWRjX", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Lastly, I'll briefly explain a few paramters of the **explore** function, which we'll use heavily when answering questions.\n", + "\n", + ".explore() is how we send queries to Timesketch and get results back. **query_string**, **return_fields**, and **as_pandas** are the main parameters I'll be using:\n", + " - query_string: This is the same as the query you'd enter if you were using the Timesketch web interface.\n", + " - return_fields: Here we specify what fields we want back from Timesketch. 
This is where we can get really specific using Colab and only get the things we're interested in (which varies depending on what data types we're expecting back).\n", + " - as_pandas: This just a boolen value which tells Timesketch to return a [Pandas DataFrame](https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.DataFrame.html), rather than a dictionary. We'll have this set to True in all our queries, since DataFrames are awesome!\n", + "\n", + "Okay, enough setup. Let's get to answering questions!" + ] + }, + { + "metadata": { + "id": "tzvfE55GLKhB", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "# Questions\n", + "![Basic - Desktop Questions](https://dfir.blog/content/images/2019/04/MUS2019-CTF-Basic-Desktop.png)\n", + "\n", + "I grouped the questions from the 'Basic - Desktop' section into three categories: NTFS, TeamViewer, and Registry.\n" + ] + }, + { + "metadata": { + "id": "SBtoNqZcp_Oi", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "## NTFS Questions\n", + "This first set of questions relate to aspects of NTFS: MFT entries, sequence numbers, USN entries, and VSNs." + ] + }, + { + "metadata": { + "id": "t4G6-lVUqN_V", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "As a little refresher, the 64-bit **file reference address** (or number) is made up of the **MFT entry** (48 bits) and **sequence** (16 bits) numbers. We often see this represented as something like 1234-2, with 1234 being the MFT entry number and 2 being the sequence number. Plaso calls the MFT entry number the **inode**, since that's the more generic term that applies across file systems." + ] + }, + { + "metadata": { + "id": "aVcSxh925V2T", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What is the name of the file associated with MFT entry number 102698?" 
+ ] + }, + { + "metadata": { + "id": "m6apzEsfAGeo", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Since Plaso parses out the MFT entry (or as it calls it, inode) into its own field, let's do a query for all records with that value:" + ] + }, + { + "metadata": { + "id": "0n6k7v-ioy4_", + "colab_type": "code", + "outputId": "55609bcf-3cd4-430c-948a-9ca1e9806fb1", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 204 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('inode:102698', return_fields='datetime,timestamp_desc,data_type,inode,filename', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','inode','filename']]" + ], + "execution_count": 5, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typeinodefilename
02016-04-03 20:18:47Creation Timepe:compilation:compilation_time102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
12019-02-25 20:40:00Creation Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
22019-02-25 20:40:30Content Modification Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
32019-02-25 20:40:45Metadata Modification Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
42019-02-25 20:41:36Last Access Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc \\\n", + "0 2016-04-03 20:18:47 Creation Time \n", + "1 2019-02-25 20:40:00 Creation Time \n", + "2 2019-02-25 20:40:30 Content Modification Time \n", + "3 2019-02-25 20:40:45 Metadata Modification Time \n", + "4 2019-02-25 20:41:36 Last Access Time \n", + "\n", + " data_type inode \\\n", + "0 pe:compilation:compilation_time 102698 \n", + "1 fs:stat 102698 \n", + "2 fs:stat 102698 \n", + "3 fs:stat 102698 \n", + "4 fs:stat 102698 \n", + "\n", + " filename \n", + "0 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", + "1 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", + "2 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", + "3 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", + "4 /Users/Administrator/Downloads/TeamViewer_Setup.exe " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 5 + } + ] + }, + { + "metadata": { + "id": "zuBoWImjAjs-", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Multiple results, as is expected since Plaso creates multiple records for different types of timestamps, but they all point to the same filename: **/Users/Administrator/Downloads/TeamViewer_Setup.exe**" + ] + }, + { + "metadata": { + "id": "RPH7R0tKtLXn", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What is the file name that represented MFT entry 60725 with a sequence number of 10?" 
+ ] + }, + { + "metadata": { + "id": "lHvfLumPlC5J", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "The quick way to answer this is to just search for the MFT entry number (60725) and look for references to sequence number 10 in the message field:" + ] + }, + { + "metadata": { + "id": "idzQZADYj8LF", + "colab_type": "code", + "outputId": "8f4b17f0-8f5f-40d0-9267-0d4ccc6ceded", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 731 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('60725', return_fields='datetime,timestamp_desc,data_type,filename,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','filename','message']]" + ], + "execution_count": 6, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typefilenamemessage
02019-02-26 23:59:41Content Modification Timewindows:evtx:record/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O...[2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A...
12019-03-13 18:16:00Metadata Modification Timefs:ntfs:usn_changeenergy-report-2019-02-19.xmlenergy-report-2019-02-19.xml File reference: 60725-9 Par...
22019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
32019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
42019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
52019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
62019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_changeutc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
72019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_changeutc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
82019-03-13 18:53:16Metadata Modification Timefs:ntfs:usn_changetelemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
92019-03-13 18:53:17Metadata Modification Timefs:ntfs:usn_changetelemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
102019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_changeTELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
112019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_changeTELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
122019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
132019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
142019-03-13 19:23:17Creation Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
152019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
162019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_changeutc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
172019-03-13 19:23:18Last Access Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
182019-03-13 19:23:18Content Modification Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
192019-03-13 19:23:18Metadata Modification Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
202019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
212019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_changeutc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2019-02-26 23:59:41 Content Modification Time windows:evtx:record \n", + "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "14 2019-03-13 19:23:17 Creation Time fs:stat \n", + "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "17 2019-03-13 19:23:18 Last Access Time fs:stat \n", + "18 2019-03-13 19:23:18 Content Modification Time fs:stat \n", + "19 2019-03-13 19:23:18 Metadata Modification Time fs:stat \n", + "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "\n", + " filename \\\n", + "0 /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O... \n", + "1 energy-report-2019-02-19.xml \n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... 
\n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "6 utc.app.json.new \n", + "7 utc.app.json.new \n", + "8 telemetry.ASM-WindowsDefault.json.new \n", + "9 telemetry.ASM-WindowsDefault.json.new \n", + "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "12 utc.privacy.json.new \n", + "13 utc.privacy.json.new \n", + "14 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "15 utc.privacy.json.new \n", + "16 utc.privacy.json \n", + "17 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "18 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "19 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "20 utc.privacy.json.new \n", + "21 utc.privacy.json \n", + "\n", + " message \n", + "0 [2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A... \n", + "1 energy-report-2019-02-19.xml File reference: 60725-9 Par... \n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "6 utc.app.json.new File reference: 60725-12 Parent file re... \n", + "7 utc.app.json.new File reference: 60725-12 Parent file re... \n", + "8 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", + "9 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", + "10 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", + "11 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", + "12 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "13 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "14 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "15 utc.privacy.json.new File reference: 60725-15 Parent fil... 
\n", + "16 utc.privacy.json File reference: 60725-15 Parent file re... \n", + "17 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "18 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "19 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "20 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "21 utc.privacy.json File reference: 60725-15 Parent file re... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 6 + } + ] + }, + { + "metadata": { + "id": "lEAo1lLcUeBb", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "That's a bunch of rows, so let's filter it down by searching for messages that contain '60725-10':" + ] + }, + { + "metadata": { + "id": "iPCYySiEVB6P", + "colab_type": "code", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 199 + }, + "outputId": "2e96bed7-9f3c-4c36-d020-dd0489bdfa56" + }, + "cell_type": "code", + "source": [ + "ts_results[ts_results.message.str.contains('60725-10')]" + ], + "execution_count": 7, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
_id_index_source_typedata_typedatetimefilenamelabelmessagetimestamp_desc
2AWowcLcHTGJyHzo5vZNF51f20fbeff6b4a7ca2dd3f76c1a41598MUSCTF-2019plaso_eventfs:ntfs:usn_change2019-03-13 18:23:16telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...[]telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...Metadata Modification Time
4AWowcLcHTGJyHzo5vZNG51f20fbeff6b4a7ca2dd3f76c1a41598MUSCTF-2019plaso_eventfs:ntfs:usn_change2019-03-13 18:23:16telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...[]telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...Metadata Modification Time
\n", + "
" + ], + "text/plain": [ + " _id _index _source \\\n", + "2 AWowcLcHTGJyHzo5vZNF 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", + "4 AWowcLcHTGJyHzo5vZNG 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", + "\n", + " _type data_type datetime \\\n", + "2 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16 \n", + "4 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16 \n", + "\n", + " filename label \\\n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... [] \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... [] \n", + "\n", + " message \\\n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "\n", + " timestamp_desc \n", + "2 Metadata Modification Time \n", + "4 Metadata Modification Time " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 7 + } + ] + }, + { + "metadata": { + "id": "ShIpZoBRV-xi", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "That filename is really long and cut off; let's just select that field, then deduplicate using set():" + ] + }, + { + "metadata": { + "id": "7xRO5-FFV_KN", + "colab_type": "code", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 34 + }, + "outputId": "9f5df5c7-4cf9-4594-fb32-11a94ecd0774" + }, + "cell_type": "code", + "source": [ + "set(ts_results[ts_results.message.str.contains('60725-10')].filename)" + ], + "execution_count": 8, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "{u'telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new'}" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 8 + } + ] + }, + { + "metadata": { + "id": "VX8kLLl4ltAI", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Another way to solve this is to query for the file reference number directly. 
That's not as easy as it sounds, since Plaso stores it in the hex form ([I'm working on fixing that](https://github.com/log2timeline/plaso/issues/2453)). We can work with that though! \n", + "\n", + "Let's do the same query as above, but add the file_reference field:" + ] + }, + { + "metadata": { + "id": "qzemkUIAl-dX", + "colab_type": "code", + "outputId": "f9597053-231c-45f5-f78b-000de17348ce", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 731 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('60725', return_fields='datetime,timestamp_desc,data_type,file_reference,filename,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename','message']]" + ], + "execution_count": 9, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typefile_referencefilenamemessage
02019-02-26 23:59:41Content Modification Timewindows:evtx:recordNaN/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O...[2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A...
12019-03-13 18:16:00Metadata Modification Timefs:ntfs:usn_change2.533275e+15energy-report-2019-02-19.xmlenergy-report-2019-02-19.xml File reference: 60725-9 Par...
22019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change2.814750e+15telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
32019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change3.096225e+15telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
42019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change2.814750e+15telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
52019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change3.096225e+15telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
62019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_change3.377700e+15utc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
72019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_change3.377700e+15utc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
82019-03-13 18:53:16Metadata Modification Timefs:ntfs:usn_change3.659175e+15telemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
92019-03-13 18:53:17Metadata Modification Timefs:ntfs:usn_change3.659175e+15telemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
102019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_change3.940650e+15TELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
112019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_change3.940650e+15TELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
122019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
132019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
142019-03-13 19:23:17Creation Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
152019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
162019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
172019-03-13 19:23:18Last Access Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
182019-03-13 19:23:18Content Modification Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
192019-03-13 19:23:18Metadata Modification Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
202019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
212019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2019-02-26 23:59:41 Content Modification Time windows:evtx:record \n", + "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "14 2019-03-13 19:23:17 Creation Time fs:stat \n", + "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "17 2019-03-13 19:23:18 Last Access Time fs:stat \n", + "18 2019-03-13 19:23:18 Content Modification Time fs:stat \n", + "19 2019-03-13 19:23:18 Metadata Modification Time fs:stat \n", + "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "\n", + " file_reference \\\n", + "0 NaN \n", + "1 2.533275e+15 \n", + "2 2.814750e+15 \n", + "3 3.096225e+15 \n", + "4 2.814750e+15 \n", + "5 3.096225e+15 \n", + "6 3.377700e+15 \n", + "7 3.377700e+15 \n", + "8 3.659175e+15 \n", + "9 3.659175e+15 \n", + "10 3.940650e+15 \n", + "11 3.940650e+15 \n", + "12 
4.222125e+15 \n", + "13 4.222125e+15 \n", + "14 NaN \n", + "15 4.222125e+15 \n", + "16 4.222125e+15 \n", + "17 NaN \n", + "18 NaN \n", + "19 NaN \n", + "20 4.222125e+15 \n", + "21 4.222125e+15 \n", + "\n", + " filename \\\n", + "0 /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O... \n", + "1 energy-report-2019-02-19.xml \n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "6 utc.app.json.new \n", + "7 utc.app.json.new \n", + "8 telemetry.ASM-WindowsDefault.json.new \n", + "9 telemetry.ASM-WindowsDefault.json.new \n", + "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "12 utc.privacy.json.new \n", + "13 utc.privacy.json.new \n", + "14 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "15 utc.privacy.json.new \n", + "16 utc.privacy.json \n", + "17 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "18 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "19 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", + "20 utc.privacy.json.new \n", + "21 utc.privacy.json \n", + "\n", + " message \n", + "0 [2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A... \n", + "1 energy-report-2019-02-19.xml File reference: 60725-9 Par... \n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", + "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", + "6 utc.app.json.new File reference: 60725-12 Parent file re... \n", + "7 utc.app.json.new File reference: 60725-12 Parent file re... \n", + "8 telemetry.ASM-WindowsDefault.json.new File reference: 60... 
\n", + "9 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", + "10 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", + "11 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", + "12 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "13 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "14 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "15 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "16 utc.privacy.json File reference: 60725-15 Parent file re... \n", + "17 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "18 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "19 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", + "20 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", + "21 utc.privacy.json File reference: 60725-15 Parent file re... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 9 + } + ] + }, + { + "metadata": { + "id": "ujdlJk_a9Hxo", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "The *file_reference* value is not the format we want, since it's hard to tell what the sequence number is. We can convert it to a more useful form though: " + ] + }, + { + "metadata": { + "id": "qM4QlMgqmQRk", + "colab_type": "code", + "outputId": "13d5eb34-e618-43d4-eceb-a0103afe821b", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 576 + } + }, + "cell_type": "code", + "source": [ + "# Drop any rows with NaN, since they aren't what we're looking for and will break the below function.\n", + "ts_results = ts_results.dropna()\n", + "pd.options.display.max_colwidth = 110\n", + "\n", + "# Replace the file_reference hex value with the human-readable MFT-Seq version. This is basically what Plaso does to display the result in the 'message' string we searched for. 
\n", + "ts_results['file_reference'] = ts_results['file_reference'].map(lambda x: '{0:d}-{1:d}'.format(int(x) & 0xffffffffffff, int(x) >> 48))\n", + "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename']]" + ], + "execution_count": 10, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typefile_referencefilename
12019-03-13 18:16:00Metadata Modification Timefs:ntfs:usn_change60725-9energy-report-2019-02-19.xml
22019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change60725-10telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new
32019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change60725-11telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new
42019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change60725-10telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new
52019-03-13 18:23:16Metadata Modification Timefs:ntfs:usn_change60725-11telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new
62019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_change60725-12utc.app.json.new
72019-03-13 18:38:16Metadata Modification Timefs:ntfs:usn_change60725-12utc.app.json.new
82019-03-13 18:53:16Metadata Modification Timefs:ntfs:usn_change60725-13telemetry.ASM-WindowsDefault.json.new
92019-03-13 18:53:17Metadata Modification Timefs:ntfs:usn_change60725-13telemetry.ASM-WindowsDefault.json.new
102019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_change60725-14TELEMETRY.ASM-WINDOWSSQ.json.new
112019-03-13 19:08:17Metadata Modification Timefs:ntfs:usn_change60725-14TELEMETRY.ASM-WINDOWSSQ.json.new
122019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
132019-03-13 19:23:17Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
152019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
162019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json
202019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
212019-03-13 19:23:18Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", + "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + "\n", + " file_reference \\\n", + "1 60725-9 \n", + "2 60725-10 \n", + "3 60725-11 \n", + "4 60725-10 \n", + "5 60725-11 \n", + "6 60725-12 \n", + "7 60725-12 \n", + "8 60725-13 \n", + "9 60725-13 \n", + "10 60725-14 \n", + "11 60725-14 \n", + "12 60725-15 \n", + "13 60725-15 \n", + "15 60725-15 \n", + "16 60725-15 \n", + "20 60725-15 \n", + "21 60725-15 \n", + "\n", + " filename \n", + "1 energy-report-2019-02-19.xml \n", + "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new \n", + "3 
telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new \n", + "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new \n", + "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new \n", + "6 utc.app.json.new \n", + "7 utc.app.json.new \n", + "8 telemetry.ASM-WindowsDefault.json.new \n", + "9 telemetry.ASM-WindowsDefault.json.new \n", + "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", + "12 utc.privacy.json.new \n", + "13 utc.privacy.json.new \n", + "15 utc.privacy.json.new \n", + "16 utc.privacy.json \n", + "20 utc.privacy.json.new \n", + "21 utc.privacy.json " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 10 + } + ] + }, + { + "metadata": { + "id": "5zq9iqSJ9bA6", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "There. Now we have the file_reference number in an easier-to-read format, and the history of all filenames that MFT entry 60725 has had! It's easy to look for the entry with a sequence number of 10 and get our answer." + ] + }, + { + "metadata": { + "id": "hoj0JdKQrDru", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: Which file name represents the USN record where the USN number is 546416480?" + ] + }, + { + "metadata": { + "id": "tDnlbF-8rfIF", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Like other questions, the quick, generic way to answer is to just search for the unique detail; in this case, seach in Timesketch for '546416480'. 
I'll show the more targeted way below, but it's pretty simple:" + ] + }, + { + "metadata": { + "id": "lPObip1NrOtn", + "colab_type": "code", + "outputId": "721491c7-fc02-4bb8-ba32-ba5f91e9a527", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 80 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('update_sequence_number:546416480', return_fields='datetime,timestamp_desc,data_type,update_sequence_number,filename', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','update_sequence_number','filename']]" + ], + "execution_count": 11, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typeupdate_sequence_numberfilename
02019-03-16 20:05:37Metadata Modification Timefs:ntfs:usn_change546416480TransportSecurity~RF134e6674.TMP
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2019-03-16 20:05:37 Metadata Modification Time fs:ntfs:usn_change \n", + "\n", + " update_sequence_number filename \n", + "0 546416480 TransportSecurity~RF134e6674.TMP " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 11 + } + ] + }, + { + "metadata": { + "id": "TfRrngTvysQi", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What is the MFT sequence number associated with the file \"\\Users\\Administrator\\Desktop\\FTK_Imager_Lite_3.1.1\\FTK Imager.exe\"?" + ] + }, + { + "metadata": { + "id": "Xq0HG3CV2s1s", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "We'll handle this question like other ones involving the file reference address, except in this case we first need to find the MFT entry number (or inode) from the file name. Searching for the whole file path in Timesketch is problematic (slashes among other things), so let's search for the file name and then verify the path is right:" + ] + }, + { + "metadata": { + "id": "lvxp9ltq0plT", + "colab_type": "code", + "outputId": "74383d41-9124-4c64-98eb-4ea036fe42b0", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 669 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('FTK Imager.exe', return_fields='datetime,timestamp_desc,data_type,inode,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','inode','message']]" + ], + "execution_count": 12, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typeinodemessage
02012-08-23 20:54:54Creation Timepe:compilation:compilation_time99916PE Type: Executable (EXE) Import hash: 5d1d1d8cdc2296dfc99d791c9f2fdcb1
12016-04-13 22:33:42Content Modification Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
22018-07-28 08:21:07Creation Timewindows:volume:creation977\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origin: FTK IMAGER.EXE-C7E9245B.pf
32019-03-20 13:42:25Metadata Modification Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
42019-03-20 21:26:49Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
52019-03-20 21:26:49Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_EXTEN...
62019-03-20 21:26:49Last Access Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
72019-03-20 21:26:49Creation Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
82019-03-20 21:26:49Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
92019-03-20 21:26:49Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_FILE_CREATE
102019-03-20 21:26:49Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
112019-03-20 21:27:02Last Time Executedwindows:prefetch:execution977Prefetch [FTK IMAGER.EXE] was executed - run count 1 path: \\USERS\\ADMINISTRATOR\\DESKTOP\\FTK_IMAGER_LITE_3....
122019-03-20 21:27:12Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
132019-03-20 21:27:12Creation Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
142019-03-20 21:27:12Last Access Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
152019-03-20 21:27:12Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
162019-03-20 21:27:12Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
172019-03-20 21:27:12Metadata Modification Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
182019-03-20 21:27:12Content Modification Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
192019-03-20 21:28:47Content Modification Timewindows:evtx:record83669[4798 / 0x12be] Source Name: Microsoft-Windows-Security-Auditing Strings: ['Administrator', 'DESKTOP-0QT80...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc \\\n", + "0 2012-08-23 20:54:54 Creation Time \n", + "1 2016-04-13 22:33:42 Content Modification Time \n", + "2 2018-07-28 08:21:07 Creation Time \n", + "3 2019-03-20 13:42:25 Metadata Modification Time \n", + "4 2019-03-20 21:26:49 Metadata Modification Time \n", + "5 2019-03-20 21:26:49 Metadata Modification Time \n", + "6 2019-03-20 21:26:49 Last Access Time \n", + "7 2019-03-20 21:26:49 Creation Time \n", + "8 2019-03-20 21:26:49 Metadata Modification Time \n", + "9 2019-03-20 21:26:49 Metadata Modification Time \n", + "10 2019-03-20 21:26:49 Metadata Modification Time \n", + "11 2019-03-20 21:27:02 Last Time Executed \n", + "12 2019-03-20 21:27:12 Metadata Modification Time \n", + "13 2019-03-20 21:27:12 Creation Time \n", + "14 2019-03-20 21:27:12 Last Access Time \n", + "15 2019-03-20 21:27:12 Metadata Modification Time \n", + "16 2019-03-20 21:27:12 Metadata Modification Time \n", + "17 2019-03-20 21:27:12 Metadata Modification Time \n", + "18 2019-03-20 21:27:12 Content Modification Time \n", + "19 2019-03-20 21:28:47 Content Modification Time \n", + "\n", + " data_type inode \\\n", + "0 pe:compilation:compilation_time 99916 \n", + "1 fs:stat 99916 \n", + "2 windows:volume:creation 977 \n", + "3 fs:stat 99916 \n", + "4 fs:ntfs:usn_change 83366 \n", + "5 fs:ntfs:usn_change 83366 \n", + "6 fs:stat 99916 \n", + "7 fs:stat 99916 \n", + "8 fs:ntfs:usn_change 83366 \n", + "9 fs:ntfs:usn_change 83366 \n", + "10 fs:ntfs:usn_change 83366 \n", + "11 windows:prefetch:execution 977 \n", + "12 fs:ntfs:usn_change 83366 \n", + "13 fs:stat 977 \n", + "14 fs:stat 977 \n", + "15 fs:ntfs:usn_change 83366 \n", + "16 fs:ntfs:usn_change 83366 \n", + "17 fs:stat 977 \n", + "18 fs:stat 977 \n", + "19 windows:evtx:record 83669 \n", + "\n", + " message \n", + "0 PE Type: Executable (EXE) Import hash: 5d1d1d8cdc2296dfc99d791c9f2fdcb1 \n", + "1 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", + 
"2 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origin: FTK IMAGER.EXE-C7E9245B.pf \n", + "3 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", + "4 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", + "5 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_EXTEN... \n", + "6 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", + "7 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", + "8 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", + "9 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_FILE_CREATE \n", + "10 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", + "11 Prefetch [FTK IMAGER.EXE] was executed - run count 1 path: \\USERS\\ADMINISTRATOR\\DESKTOP\\FTK_IMAGER_LITE_3.... \n", + "12 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", + "13 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", + "14 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", + "15 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", + "16 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", + "17 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", + "18 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", + "19 [4798 / 0x12be] Source Name: Microsoft-Windows-Security-Auditing Strings: ['Administrator', 'DESKTOP-0QT80... 
" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 12 + } + ] + }, + { + "metadata": { + "id": "MZ14rd0f3rCC", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "In the second row of the results, we can find the correct path we're looking for in the message and see that the corresponding inode is 99916. We could do another search, similar to how we answered other questions... or we could just look down a few rows for a USN entry that shows: \"FTK Imager.exe File reference: 99916-**4**\". There's the answer!" + ] + }, + { + "metadata": { + "id": "VjF1NkzwsROK", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What is the Volume Serial Number of the Desktop's OS volume?" + ] + }, + { + "metadata": { + "id": "3d-el0ezsoQi", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "I know the VSN can be found in multiple places, but the first one I thought of was as part of a Prefetch file, so let's do it that way. \n", + "\n", + "I'll search for all 'volume creation' Prefetch records, since I don't really care about which particular one, beyond that it's from the OS drive. " + ] + }, + { + "metadata": { + "id": "1gt8_VMxsQ77", + "colab_type": "code", + "outputId": "c817d874-1716-452e-985f-e5ede6646ce4", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 1969 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:volume:creation\"', return_fields='datetime,timestamp_desc,data_type,device_path,hostname,serial_number,message', as_pandas=True)\n", + "pd.options.display.max_colwidth = 70\n", + "ts_results[['datetime','timestamp_desc','data_type','device_path','hostname','serial_number','message']]" + ], + "execution_count": 13, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typedevice_pathhostnameserial_numbermessage
02018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
12018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
22018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
32018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
42018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
52018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
62018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
72018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
82018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
92018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
102018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
112018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
122018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
132018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
142018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
152018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
162018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
172018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
182018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
192018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
202018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
212018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
222018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
232018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
242018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
252018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
262018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
272018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
282018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
292018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
........................
1802018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1812018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1822018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1832018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1842018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1852018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1862018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1872018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1882018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1892018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1902018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1912018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1922018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1932018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1942018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1952018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1962018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1972018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1982018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
1992018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2002018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2012018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2022018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2032018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2042018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2052018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2062018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2072018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2082018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
2092018-07-28 08:21:07Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
\n", + "

210 rows × 7 columns

\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "1 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "2 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "3 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "4 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "5 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "6 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "7 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "8 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "9 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "10 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "11 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "12 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "13 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "14 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "15 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "16 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "17 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "18 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "19 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "20 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "21 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "22 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "23 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "24 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "25 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "26 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "27 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "28 
2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "29 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + ".. ... ... ... \n", + "180 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "181 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "182 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "183 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "184 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "185 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "186 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "187 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "188 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "189 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "190 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "191 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "192 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "193 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "194 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "195 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "196 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "197 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "198 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "199 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "200 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "201 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "202 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "203 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "204 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "205 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "206 2018-07-28 
08:21:07 Creation Time windows:volume:creation \n", + "207 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "208 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "209 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + "\n", + " device_path hostname serial_number \\\n", + "0 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "1 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "2 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "3 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "4 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "5 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "6 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "7 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "8 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "9 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "10 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "11 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "12 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "13 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "14 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "15 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "16 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "17 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "18 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "19 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "20 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "21 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "22 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 
3438183451 \n", + "23 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "24 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "25 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "26 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "27 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "28 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "29 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + ".. ... ... ... \n", + "180 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "181 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "182 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "183 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "184 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "185 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "186 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "187 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "188 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "189 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "190 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "191 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "192 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "193 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "194 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "195 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "196 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "197 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "198 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "199 
\\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "200 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "201 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "202 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "203 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "204 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "205 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "206 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "207 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "208 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "209 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", + "\n", + " message \n", + "0 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "1 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "2 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "3 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "4 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "5 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "6 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "7 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "8 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "9 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "10 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "11 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "12 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "13 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", + "14 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "15 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "16 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "17 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "18 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "19 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "20 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "21 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "22 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "23 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "24 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "25 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "26 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "27 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "28 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "29 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + ".. ... \n", + "180 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "181 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "182 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "183 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "184 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "185 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "186 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "187 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", + "188 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "189 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "190 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "191 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "192 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "193 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "194 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "195 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "196 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "197 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "198 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "199 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "200 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "201 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "202 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "203 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "204 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "205 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "206 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "207 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "208 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", + "209 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", + "\n", + "[210 rows x 7 columns]" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 13 + } + ] + }, + { + "metadata": { + "id": "KUtZWLKmuWet", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "You can see the VSN in a readable format at the end of the device_path or in the message string. I'm only seeing one value here, so we don't need to determine which drive was the OS one. If we did, I'd look for some system processes that need to run from the OS drive to get the right VSN. \n", + "\n", + "That's good enough for the question, but let's also convert the serial_number field from an integar to the hex format the answer wants, just to be sure:" + ] + }, + { + "metadata": { + "id": "CVcrtsTfvF6T", + "colab_type": "code", + "outputId": "51d406f9-ff62-420d-dc6b-6654f8d6e7f3", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 34 + } + }, + "cell_type": "code", + "source": [ + "'{0:08X}'.format(3438183451)" + ], + "execution_count": 14, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "'CCEE841B'" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 14 + } + ] + }, + { + "metadata": { + "id": "4Ig0sZEC8fYa", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "## TeamViewer Questions\n", + "The next group of questions involved [TeamViewer](https://www.teamviewer.com/en-us/), a common remote desktop program." + ] + }, + { + "metadata": { + "id": "qsH4fUlqIUho", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: Which user installed Team Viewer?" + ] + }, + { + "metadata": { + "id": "Hl_qGSxrLzN6", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "We can start searching very broadly, then focus in on anything that stands out. 
Let's just search everything we have for \"TeamViewer\":" + ] + }, + { + "metadata": { + "id": "Hs2NyOf0IUS2", + "colab_type": "code", + "outputId": "e540c985-e056-460d-918a-fd572378c5e8", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 1969 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('TeamViewer', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','message']]" + ], + "execution_count": 15, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typemessage
01970-01-01 00:00:00Last Time Executedwindows:registry:userassist[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explo...
12007-12-13 09:22:09Creation Timepe:compilation:compilation_timePE Type: Driver (SYS) Import hash: fcbe966aa9c0053fe3d2d7f07dbdd41d
22016-04-03 20:18:56Creation Timepe:compilation:compilation_timePE Type: Executable (EXE) Import hash: 4ea4df5d94204fc550be1874e1b...
32016-04-03 20:19:02Creation Timepe:compilation:compilation_timePE Type: Executable (EXE) Import hash: e2a592076b17ef8bfb48b7e0396...
42017-05-12 08:54:01Creation Timepe:compilation:compilation_timePE Type: Driver (SYS) Import hash: bd2fee8a544a1c6656edb847a80a08c5
52018-04-11 23:38:22Creation Timewindows:shell_item:file_entryName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
62018-04-11 23:38:22Creation Timewindows:shell_item:file_entryName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
72018-06-13 07:24:30Creation Timepe:compilation:compilation_timePE Type: Dynamic Link Library (DLL) Import hash: 0d898c31e89da04c1...
82018-10-17 12:41:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/License.txt Type: file
92018-10-17 12:41:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/CopyRights.txt Type: file
102018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.cat Type: file
112018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.inf Type: file
122018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
132018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
142018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/teamviewer_xpsdriverfi...
152018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.sy_ Type: file
162018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.inf Type: file
172018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.sy_ Type: file
182018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
192018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
202018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.cat Type: file
212018-10-17 12:45:49Content Modification Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/x64/TeamViewer_XPSDriv...
222019-01-15 20:13:48Previous Last Time Executedwindows:prefetch:executionPrefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...
232019-01-15 20:15:41Previous Last Time Executedwindows:prefetch:executionPrefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...
242019-01-16 15:40:57Content Modification Timewindows:lnk:link[Empty description] File size: 47153304 File attribute flags: 0x00...
252019-01-16 15:40:57Content Modification Timewindows:lnk:link[Empty description] File size: 47153304 File attribute flags: 0x00...
262019-01-16 15:40:57Content Modification Timewindows:lnk:link[Empty description] File size: 47153304 File attribute flags: 0x00...
272019-01-16 15:40:58Content Modification Timewindows:shell_item:file_entryName: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
282019-01-16 15:40:58Content Modification Timewindows:shell_item:file_entryName: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
292019-01-16 15:40:58Content Modification Timewindows:shell_item:file_entryName: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
...............
6362019-03-20 21:04:58Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file
6372019-03-20 21:04:59Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file
6382019-03-20 21:04:59Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...
6392019-03-20 21:04:59Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...
6402019-03-20 21:04:59Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...
6412019-03-20 21:05:00Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...
6422019-03-20 21:05:00Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...
6432019-03-20 21:05:01Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...
6442019-03-20 21:05:01Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...
6452019-03-20 21:05:01Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ...
6462019-03-20 21:05:01Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...
6472019-03-20 21:05:02Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...
6482019-03-20 21:05:02Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...
6492019-03-20 21:05:19Content Modification Timewindows:registry:key_value[\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...
6502019-03-20 21:05:20Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/x64 Type: directory
6512019-03-20 21:05:20Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer Type: directory
6522019-03-20 21:05:20Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory
6532019-03-20 21:05:20Last Access Timefs:statTSK:/Program Files (x86)/TeamViewer/outlook Type: directory
6542019-03-20 21:05:24Last Time Executedwindows:prefetch:executionPrefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...
6552019-03-20 21:05:43Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...
6562019-03-20 21:05:59Previous Last Time Executedwindows:prefetch:executionPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
6572019-03-20 21:06:00Previous Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
6582019-03-20 21:08:32Previous Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
6592019-03-20 21:10:56Previous Last Time Executedwindows:prefetch:executionPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
6602019-03-20 21:15:21Previous Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
6612019-03-20 21:15:28Previous Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
6622019-03-20 21:15:36Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
6632019-03-20 21:15:59Last Time Executedwindows:prefetch:executionPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
6642019-03-20 21:16:00Last Time Executedwindows:prefetch:executionPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
6652019-03-20 21:26:28Last Time Executedwindows:prefetch:executionPrefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\...
\n", + "

666 rows × 4 columns

\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc \\\n", + "0 1970-01-01 00:00:00 Last Time Executed \n", + "1 2007-12-13 09:22:09 Creation Time \n", + "2 2016-04-03 20:18:56 Creation Time \n", + "3 2016-04-03 20:19:02 Creation Time \n", + "4 2017-05-12 08:54:01 Creation Time \n", + "5 2018-04-11 23:38:22 Creation Time \n", + "6 2018-04-11 23:38:22 Creation Time \n", + "7 2018-06-13 07:24:30 Creation Time \n", + "8 2018-10-17 12:41:49 Content Modification Time \n", + "9 2018-10-17 12:41:49 Content Modification Time \n", + "10 2018-10-17 12:45:49 Content Modification Time \n", + "11 2018-10-17 12:45:49 Content Modification Time \n", + "12 2018-10-17 12:45:49 Content Modification Time \n", + "13 2018-10-17 12:45:49 Content Modification Time \n", + "14 2018-10-17 12:45:49 Content Modification Time \n", + "15 2018-10-17 12:45:49 Content Modification Time \n", + "16 2018-10-17 12:45:49 Content Modification Time \n", + "17 2018-10-17 12:45:49 Content Modification Time \n", + "18 2018-10-17 12:45:49 Content Modification Time \n", + "19 2018-10-17 12:45:49 Content Modification Time \n", + "20 2018-10-17 12:45:49 Content Modification Time \n", + "21 2018-10-17 12:45:49 Content Modification Time \n", + "22 2019-01-15 20:13:48 Previous Last Time Executed \n", + "23 2019-01-15 20:15:41 Previous Last Time Executed \n", + "24 2019-01-16 15:40:57 Content Modification Time \n", + "25 2019-01-16 15:40:57 Content Modification Time \n", + "26 2019-01-16 15:40:57 Content Modification Time \n", + "27 2019-01-16 15:40:58 Content Modification Time \n", + "28 2019-01-16 15:40:58 Content Modification Time \n", + "29 2019-01-16 15:40:58 Content Modification Time \n", + ".. ... ... 
\n", + "636 2019-03-20 21:04:58 Last Access Time \n", + "637 2019-03-20 21:04:59 Last Access Time \n", + "638 2019-03-20 21:04:59 Last Access Time \n", + "639 2019-03-20 21:04:59 Last Access Time \n", + "640 2019-03-20 21:04:59 Last Access Time \n", + "641 2019-03-20 21:05:00 Last Access Time \n", + "642 2019-03-20 21:05:00 Last Access Time \n", + "643 2019-03-20 21:05:01 Last Access Time \n", + "644 2019-03-20 21:05:01 Last Access Time \n", + "645 2019-03-20 21:05:01 Last Access Time \n", + "646 2019-03-20 21:05:01 Last Access Time \n", + "647 2019-03-20 21:05:02 Last Access Time \n", + "648 2019-03-20 21:05:02 Last Access Time \n", + "649 2019-03-20 21:05:19 Content Modification Time \n", + "650 2019-03-20 21:05:20 Last Access Time \n", + "651 2019-03-20 21:05:20 Last Access Time \n", + "652 2019-03-20 21:05:20 Last Access Time \n", + "653 2019-03-20 21:05:20 Last Access Time \n", + "654 2019-03-20 21:05:24 Last Time Executed \n", + "655 2019-03-20 21:05:43 Content Modification Time \n", + "656 2019-03-20 21:05:59 Previous Last Time Executed \n", + "657 2019-03-20 21:06:00 Previous Last Time Executed \n", + "658 2019-03-20 21:08:32 Previous Last Time Executed \n", + "659 2019-03-20 21:10:56 Previous Last Time Executed \n", + "660 2019-03-20 21:15:21 Previous Last Time Executed \n", + "661 2019-03-20 21:15:28 Previous Last Time Executed \n", + "662 2019-03-20 21:15:36 Last Time Executed \n", + "663 2019-03-20 21:15:59 Last Time Executed \n", + "664 2019-03-20 21:16:00 Last Time Executed \n", + "665 2019-03-20 21:26:28 Last Time Executed \n", + "\n", + " data_type \\\n", + "0 windows:registry:userassist \n", + "1 pe:compilation:compilation_time \n", + "2 pe:compilation:compilation_time \n", + "3 pe:compilation:compilation_time \n", + "4 pe:compilation:compilation_time \n", + "5 windows:shell_item:file_entry \n", + "6 windows:shell_item:file_entry \n", + "7 pe:compilation:compilation_time \n", + "8 fs:stat \n", + "9 fs:stat \n", + "10 fs:stat \n", + "11 fs:stat \n", 
+ "12 fs:stat \n", + "13 fs:stat \n", + "14 fs:stat \n", + "15 fs:stat \n", + "16 fs:stat \n", + "17 fs:stat \n", + "18 fs:stat \n", + "19 fs:stat \n", + "20 fs:stat \n", + "21 fs:stat \n", + "22 windows:prefetch:execution \n", + "23 windows:prefetch:execution \n", + "24 windows:lnk:link \n", + "25 windows:lnk:link \n", + "26 windows:lnk:link \n", + "27 windows:shell_item:file_entry \n", + "28 windows:shell_item:file_entry \n", + "29 windows:shell_item:file_entry \n", + ".. ... \n", + "636 fs:stat \n", + "637 fs:stat \n", + "638 fs:stat \n", + "639 fs:stat \n", + "640 fs:stat \n", + "641 fs:stat \n", + "642 fs:stat \n", + "643 fs:stat \n", + "644 fs:stat \n", + "645 fs:stat \n", + "646 fs:stat \n", + "647 fs:stat \n", + "648 fs:stat \n", + "649 windows:registry:key_value \n", + "650 fs:stat \n", + "651 fs:stat \n", + "652 fs:stat \n", + "653 fs:stat \n", + "654 windows:prefetch:execution \n", + "655 windows:registry:key_value \n", + "656 windows:prefetch:execution \n", + "657 windows:prefetch:execution \n", + "658 windows:prefetch:execution \n", + "659 windows:prefetch:execution \n", + "660 windows:prefetch:execution \n", + "661 windows:prefetch:execution \n", + "662 windows:prefetch:execution \n", + "663 windows:prefetch:execution \n", + "664 windows:prefetch:execution \n", + "665 windows:prefetch:execution \n", + "\n", + " message \n", + "0 [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explo... \n", + "1 PE Type: Driver (SYS) Import hash: fcbe966aa9c0053fe3d2d7f07dbdd41d \n", + "2 PE Type: Executable (EXE) Import hash: 4ea4df5d94204fc550be1874e1b... \n", + "3 PE Type: Executable (EXE) Import hash: e2a592076b17ef8bfb48b7e0396... \n", + "4 PE Type: Driver (SYS) Import hash: bd2fee8a544a1c6656edb847a80a08c5 \n", + "5 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "6 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "7 PE Type: Dynamic Link Library (DLL) Import hash: 0d898c31e89da04c1... 
\n", + "8 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", + "9 TSK:/Program Files (x86)/TeamViewer/CopyRights.txt Type: file \n", + "10 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.cat Type: file \n", + "11 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.inf Type: file \n", + "12 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", + "13 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", + "14 TSK:/Program Files (x86)/TeamViewer/Printer/teamviewer_xpsdriverfi... \n", + "15 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.sy_ Type: file \n", + "16 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.inf Type: file \n", + "17 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.sy_ Type: file \n", + "18 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", + "19 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", + "20 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.cat Type: file \n", + "21 TSK:/Program Files (x86)/TeamViewer/Printer/x64/TeamViewer_XPSDriv... \n", + "22 Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path... \n", + "23 Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path... \n", + "24 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", + "25 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", + "26 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", + "27 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... \n", + "28 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... \n", + "29 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... \n", + ".. ... \n", + "636 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", + "637 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", + "638 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... 
\n", + "639 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", + "640 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", + "641 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... \n", + "642 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", + "643 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", + "644 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", + "645 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", + "646 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", + "647 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", + "648 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", + "649 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... \n", + "650 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", + "651 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", + "652 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", + "653 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", + "654 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... \n", + "655 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", + "656 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "657 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "658 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "659 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "660 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "661 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "662 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... 
\n", + "663 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "664 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "665 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", + "\n", + "[666 rows x 4 columns]" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 15 + } + ] + }, + { + "metadata": { + "id": "ACBv7solSKa9", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "That returned a lot of results (600+). We could page through them all, but why not see if there are any interesting clusters first? That sounds like a job for a visualization!\n", + "\n", + "You can do this multiple ways; I'll do it in Python in a second, but the explanation is a bit complicated. The easier way is to do the search in TImesketch, then go to Charts > Histogram:\n", + "\n", + "![alt text](https://dfir.blog/content/images/2019/04/timesketch-histogram.png)" + ] + }, + { + "metadata": { + "id": "7zRjoel2wRdA", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "And here's how you'd do something similar in Python:" + ] + }, + { + "metadata": { + "id": "fxJN_YxSScJu", + "colab_type": "code", + "outputId": "eaac39ec-d30c-4879-c08e-2a178b8c39cb", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 311 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ts_results.set_index('datetime')\n", + "ts_results['2018':].message.resample('D').count().plot()" + ], + "execution_count": 16, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 16 + }, + { + "output_type": "display_data", + "data": { + "image/png": 
"iVBORw0KGgoAAAANSUhEUgAAAXsAAAEVCAYAAAABwEUhAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz\nAAALEgAACxIB0t1+/AAAADl0RVh0U29mdHdhcmUAbWF0cGxvdGxpYiB2ZXJzaW9uIDIuMi40LCBo\ndHRwOi8vbWF0cGxvdGxpYi5vcmcv7US4rQAAIABJREFUeJzt3XuYZFV57/Hvr7uHyzDcaZBwGyEI\nh5gwygQviQbUEDGeCIYoHA9KJKLnoNEYc2I0F/XEmKjEE+9CIBCPIigSiRJhJCAQBZkZhuF+Z4Rh\nwjQMlxkuw3TXmz/2qu5dNdXdu25du6p/n+fpp6rW3lVr7erqt1e9e+21FBGYmdlgG+p1A8zMrPsc\n7M3M5gEHezOzecDB3sxsHnCwNzObBxzszczmAQd7M7N5wMHezGwecLA3M5sHRnrdAIA99tgjFi9e\n3OtmmJn1lRUrVjwaEaNF9i1FsF+8eDHLly/vdTPMzPqKpDVF9501jSPpHEnrJd2SK7tA0qr084Ck\nVal8saRnc9u+2tohmJlZJxXp2Z8LfBH452pBRLy1el/SGcCTuf3vjYglnWqgmZm1b9ZgHxFXS1rc\naJskAW8BXtPZZpmZWSe1OxrnVcAjEXF3ruyFkm6U9GNJr5ruiZJOk7Rc0vKxsbE2m2FmZjNpN9if\nBJyfe7wO2D8iXgJ8EPimpJ0aPTEizoyIpRGxdHS00MlkMzNrUcvBXtII8GbggmpZRGyOiMfS/RXA\nvcCL2m2kmZm1p52e/euAOyLioWqBpFFJw+n+gcDBwH3tNdHMrLwqlaAfVvwrMvTyfOCnwCGSHpJ0\natp0IrUpHIBXA6vTUMzvAO+JiA2dbLCZWZn89heu5axryt+nLTIa56Rpyk9pUHYRcFH7zTIz6w8P\nPf4Max9/ttfNmJXnxjEza0dA+ZM4DvZmZm0JoA9S9g72ZmbtiAiiD/r2DvZmZm2oRPZTdg72ZmZt\nCMJpHDOzQZcF+vJHewd7M7M2+AStmdl8EA72ZmYDL/BoHDOzgRfu2ZuZDb5KhIdempkNugCncczM\nBl1k0b70HOzNzNrUB7Hewd7MrFXVRUsGYvESMzNrrBrjyx/qHezNzFpWDfIejWNmNsAqTuOYmQ0+\np3HMzOaByfH1fRDtZw32ks6RtF7SLbmyj0laK2lV+nlDbtufSbpH0p2SfqtbDTcz67Wpnn35o32R\nnv25wOsblH8uIpakn0sBJB0GnAj8UnrOlyUNd6qxZmZl1Acp+9mDfURcDWwo+HpvAr4VEZsj4n7g\nHuDINtpnZlZakz37QQj2M3ivpNUpzbNrKtsHeDC3z0OpbCuSTpO0XNLysbGxNpphZtYb1fRNpQ+i\nfavB/ivAQcASYB1wRrMvEBFnRsTSiFg6OjraYjPMzHqn0j/nZ1sL9hHxSERMREQFOIupVM1aYL/c\nrvumMjOzgTM1XUKPG1JAS8Fe0t65h8cD1ZE6lwAnStpW0guBg4GftddEM7NyGNu4ueZxNLhXVkWG\nXp4P/BQ4RNJDkk4FPi3pZkmrgaOBPwKIiFuBC4HbgB8Cp0fERNdab2Y2R668cz2/+skfcdWd6yfL\n+ukE7chsO0TESQ2Kz55h/08Cn2ynUWZmZXPTg08AsPLnT3DUIXtmhYOeszczm29GhgTARKUyWTYf\nRuOYmc0rw0NZuBzPTXHZT2kcB3szswKGU7ScmJiK7JOzXvaiQU1ysDczK6Bhz7562wddewd7M7MC\nFgxXc/Zbp3H6gYO9mVkBQ8qCfW3PfsAvqjIzm28ajcaZGnpZ/mjvYG9mVsDI8PQ5+3z8LysHezOz\nAiZH41QajcZxz97MbCB4nL2Z2TwwmbOfaDD0sgftaZaDvZlZAUq3tT37/pkcx8HezKyAaoyvmRvH\no3HMzAZLNaDne/ZVDYpKx8HezKyAmOzZNzpBW/5o72BvZlZAd
ZjleMOhl+XnYG9m1oSJhhOh9aYt\nzXCwNzMroBrQG43G6YNY72BvZlZENWVTu1JV9U75w72DvZlZAZM9+4kGJ2h70J5mzRrsJZ0jab2k\nW3Jln5F0h6TVki6WtEsqXyzpWUmr0s9Xu9l4M7O5Ug3oEzXjLAdrDdpzgdfXlS0DXhwRvwLcBfxZ\nbtu9EbEk/bynM800M+utqTTOgM6NExFXAxvqyi6PiPH08Dpg3y60zcysPBqcoK0MUrAv4J3Av+Ue\nv1DSjZJ+LOlV0z1J0mmSlktaPjY21oFmmJl1T/UK2olGK1X1pEXNaSvYS/ooMA58IxWtA/aPiJcA\nHwS+KWmnRs+NiDMjYmlELB0dHW2nGWZmXVeZ7Nk3mBunD7r2LQd7SacAbwTeFulII2JzRDyW7q8A\n7gVe1IF2mpn11EzTJfSDloK9pNcD/wf4nYh4Jlc+Kmk43T8QOBi4rxMNNTPrpUYToUUfjcYZmW0H\nSecDRwF7SHoI+Cuy0TfbAsuUrbh+XRp582rgE5K2ABXgPRGxoeELm5n1kckpjhuNsy9/rJ892EfE\nSQ2Kz55m34uAi9ptlJlZ6TSYCG1y01y3pQW+gtbMrIBGF1VNznrZB117B3szswIqlWrPvtFKVeXn\nYG9mVkA1oOezOLHVnfJysDczK6DR0oOe4tjMbMA0ystP9fbLH+4d7M3MmjTZo++joZcO9mZmBeR7\n79UROVNpnPJHewd7M7MC8r336lh7r0FrZjZg8vH8+Yls+KXTOGZmAyafxqkuTdgPF1NVOdibmRVQ\nk8ap9uzTY4/GMTMbQE7jmJkNqEqlQRoHj8YxMxso0eC+e/ZmZgMmH9Ar9RdV9aA9zXKwNzMrIH8S\ntv5iKvfszcwGRE0aZ6v0TfmjvYO9mVkRue57pS5902hGzLJxsDczK6DSMGffPxdXOdibmRWQH15Z\nqZvHvvyhvmCwl3SOpPWSbsmV7SZpmaS70+2uqVySPi/pHkmrJb20W403M5sr+c77VM5+8E7Qngu8\nvq7sw8AVEXEwcEV6DHAscHD6OQ34SvvNNDPrrcZpHNJt+aN9oWAfEVcDG+qK3wScl+6fBxyXK//n\nyFwH7CJp70401sysV2rTOKlsnoyz3ysi1qX7/wnsle7vAzyY2++hVFZD0mmSlktaPjY21kYzzMzm\nQKOefYNtZdWRE7SRfYdp6nAj4syIWBoRS0dHRzvRDDOzrml4UVW6HfRZLx+ppmfS7fpUvhbYL7ff\nvqnMzKxvNTxBS+1tmbUT7C8B3pHuvwP4Xq787WlUzsuBJ3PpHjOzvpQP6Fvl7Psg2o8U2UnS+cBR\nwB6SHgL+Cvhb4EJJpwJrgLek3S8F3gDcAzwD/H6H22xmNucqNVfQ9t+C44WCfUScNM2m1zbYN4DT\n22mUmVnZNJz1ssG2svIVtGZmTapP3/RBrHewNzMromEah9p0Tpk52JuZFVCbxqkt64NY72BvZlZE\n4549Nbdl5mBvZlZA7eIlnuLYzGwgNZ71Mt3OfXOa5mBvZlZA1KRxUpnXoDUzGywNx9nX9PbLHfEd\n7M3MCshfJdto0ZKSx3oHezOzIiqNhl7mtpc81jvYm5kV0TiNs3Vvv6wc7M3MCphppapse7k52JuZ\nFdDoZGxtHn+uW9QcB3szswKi0RW0NT37ckd7B3szswICkNL9Ridoyx3rHezNzIqoBAynaN8wZ+9g\nb2bW/yKCoaFqsG+Qs3cax8ys/wUwkoK9L6oyMxtQEdEgjZPv2Zebg72ZWQERNEjj5LeXO9wXWnC8\nEUmHABfkig4E/hLYBXgXMJbKPxIRl7bcQjOzEoiYSuP040VVLQf7iLgTWAIgaRhYC1wM/D7wuYj4\nbEdaaGZWApXcCdpGi5ZEpSfNKqxTaZzXAvdGxJoOvZ6ZWakEuaGXlQZpnJL37TsV7E8Ezs89fq+k\n1ZLOkbRroydIOk3ScknLx
8bGGu1iZlYaETBc7dnnymhwv4zaDvaStgF+B/h2KvoKcBBZimcdcEaj\n50XEmRGxNCKWjo6OttsMM7OuysbZZ/fbneL40pvX8ZnL7uhU0wrpRM/+WGBlRDwCEBGPRMRERFSA\ns4AjO1CHmVlP5dM4DXP2TXTtf3T7I3x35dqOtm82nQj2J5FL4UjaO7fteOCWDtRhZtZTETGZxmk8\nEVozrwUTlbnN+7Q8GgdA0g7AbwLvzhV/WtISsmN/oG6bmVlfquRy9vULjmdlxYP3RCWa2r8T2gr2\nEfE0sHtd2clttcjMrIQCGNL0PftmuvYTEcxxx95X0JqZFRERjAxXc/apLL+9ideqVIKJSvDs8xM8\nPz43A/Qd7M3MCohoMM6+xaGXE5WgUgl++wvX8MELV3WymdNysDczKyDIT3E8VZbfXlQlIkvlVGIy\nNdRtDvZmZgVUKrmhl3SgZ58CfvWkb7c52JuZFRBE7gRtKmtxiuNKZP88KhXcszczK5OIbA3aITVe\nvKTSxPCaaq9+ohIMz1EUdrA3MytgKtir4Xz2zXAax8yspIJAKAX7VNZGzr56Fa3TOGZmJZKtVJX1\n7ttdcLz6/C0TFffszczKpBJTPftqL77SRs8eYHzCPXszs1IJpk7QVhrkcZrJ30+knccr7tmbmZVK\ndoJWKJ+zz21vZmKzmEzjBHMU6x3szcyKiAhE1rvvxEVVVUPu2ZuZlcdUGke5idBamwotH+yHnbM3\nMyuPiCzQD2maxUua6NnnUz7O2ZuZlUglpXGmu6iqqRO0+TSOe/ZmZuVRvYI2f4I230Nvrmc/dd89\nezOzEsly9qqZGyffnW/moqqanL2DvZlZeUQ+jZMWl6oZetnEglP5bwRzlcZpaw1aAEkPABuBCWA8\nIpZK2g24AFhMtuj4WyLi8XbrMjPrlfysl1MnaFucLqGmZ9+5Ns6kU9UcHRFLImJpevxh4IqIOBi4\nIj02M+tb1fns1YmJ0HrQs+/W/5Q3Aeel++cBx3WpHjOzOVGZPEGbu6iqxdeayKV8+inYB3C5pBWS\nTktle0XEunT/P4G9OlCPmVnPRIOJ0PppnH3bOXvg1yNiraQ9gWWS7shvjIiQtNXbkP4xnAaw//77\nd6AZZmbdUzMRWgrWlRZz9n05XUJErE2364GLgSOBRyTtDZBu1zd43pkRsTQilo6OjrbbDDOzrqpO\nhJZfvCSviVUJa0/Q9kMaR9IOknas3geOAW4BLgHekXZ7B/C9duoxM+u1/ERoDUfjNJHHqU3jdKyJ\nM2o3jbMXcLGy/0wjwDcj4oeSbgAulHQqsAZ4S5v1mJn1VJClcLKcfZvTJfTbOPuIuA84vEH5Y8Br\n23ltM7MyqURMpXGqF1W1eoI2NxrHV9CamZVIBFuncVqd4tizXpqZlVPDlao6sHiJ+uEErZnZfBER\nk0Mvq734mgXHC75OpW7YTl+MxjEzmy/yJ2in4vVU4K4P4tOZqPsK0G9z45iZDbTK5BW006xU1cTr\n5PXTdAlmZgOv0eIlreTs66dC9glaM7MSabR4SX40TtHpEurTOH0zXYKZ2XwwdYJWDdM4RfM4Ez5B\na2ZWXtVx9vmLqjoyGsc9ezOz8shG4wimuaiq/sTrdOrTOHPUsXewNzMropIbZz8Zr1s5QVs/9NJp\nHDOz8sincRqtVFU8jVP72GkcM7MSifxEaDFVlt9ehEfjmJmV2NQ4+3zOPre94Ot4ugQzsxILmFyD\nttFFVS0PvXTP3sysPCIizY0zlbJpZQ3ardI47tmbmZVHJdj6oqr89krj5231Ou7Zm5mVVxBT89lX\nJgtz24upnxzTs16amZVI4xO0LYzGqYv2XrzEzKxEsnH2qrmoqhNTHJd+NI6k/SRdKek2SbdKen8q\n/5iktZJWpZ83dK65Zma9kaVx6i6qauEK2l6Nxhlp47njwB9HxEpJOwIrJC1L2z4XEZ9tv3l
mZuUQ\nsfVKVa0sON6ri6paDvYRsQ5Yl+5vlHQ7sE+nGmZmVibVlaryOfvqCJ2IrU+8Tvs6/XxRlaTFwEuA\n61PReyWtlnSOpF2nec5pkpZLWj42NtaJZpiZdU22eElK4+Ry9tVx8q2mcYb6ZTSOpEXARcAHIuIp\n4CvAQcASsp7/GY2eFxFnRsTSiFg6OjrabjPMzLoqG41TuwYtZBdaZfeKRfuthl72Q89e0gKyQP+N\niPguQEQ8EhETEVEBzgKObL+ZZma9Ux1WObl4SW6lKjXZs99qNE7ZL6pSdoRnA7dHxN/nyvfO7XY8\ncEvrzTMz671qfJ5ccDxdVBVM9cyLDr3cOo1T8hO0wK8BJwM3S1qVyj4CnCRpCdmxPwC8u60Wmpn1\nWDU8D0nphGy1Zx+TPfOWpzieozROO6NxriX7VlPv0tabY2ZWPpWaNA65oZfNLyvY16NxzMwGWT6N\nk7+oqpIbjTPbGrTX3D3G+ESlf0fjmJkNumpwn5wILbdS1eRonBli/Yo1Gzj57J9xxrK7+m+6BDOz\n+aK2Z1+bny8yzv7pzRMArFzzeINZLx3szcxKoRrIh7Zag3ZqNM1MSZznx7PhO08+u6UmjVMd3TMX\nHOzNzGax9QnaqSmOp9I404f7jZu3AFmwz6dx5iqFAw72ZmazqobnqXH2UxdVFRlnv/G5cQCeeKa2\nZz9XY+zBwd6sa+5/9Gm+ft2aXjfDOqDaa6+mcfJz40xdQTtDzz4F+2e3TLBlYmr9QvfszQbAd1Y8\nyF/8yy1sHp/odVOsTfmTqrWzXsbk0MmZTtA+9dyWyftrH3928v4cduwd7M26ZVPqzVVHYlgfmxyN\no60uqhoqkMZ56tnxyfsP5YO90zhm/W/j5uwPvBr0rX9Vx9kP1V1URT5nP0O035jr2T/69PMAbDM8\nNGfDLsHB3qxrqkG+OhLD+le1Jy+ovagqLVVYvT+djc+Ns8eibQB4bNNmAEaG5Zy92SDY5J592z7+\nr7fysUtu7XUzpqY4lmouqiq6eMnG57aw/24LAXg0BfsFw0NzmsZpZ9ZLM5vBZLDf7GDfqp/c89ic\npjqmMzXrZf0atFNXwM429PKg0UVst2CIRzdlaZwF7tmbDYZqj97BvnVjmzbz+DPP97oZUxdC1a1U\nVYkoPPRyx+1G2HXhNpPj7EeGnLM3GwjVE7QbncZpyfPjFTY8/Twbnn6+8FzxXVOXs4/IgnsEDBcY\nernxuS3suN0Cdl24zWTZghHN2YyX4GBv1jXu2benmtvePF7h2S29Hb6aX7wkn6OvGXo5TbSfqARP\nPz/BjtuNsNsOuWA/PDRnC5eAg71ZV4xPTAUon6BtzdjGzZP3H3+mtyOaJufG0dRiJZWsez+Vxpnm\nueuezMbV77FoG3ZZuGCyfMHQkHP2Zv0ufyGVe/atWZ8P9k/3Nm8fuTTOyHAWoJ+fqKSefe0+9a6/\nbwMARxywW23PfkS+qMqs3+XH1jtn35p8z35Dr4N9uh2S2G/XbAjlmseeqR16CVx91xhLPnF5TXt/\ncu9j7LpwAYe+YMeanP2we/Zm/S8f4PNXT1px6zc+N3m/1yNyKrmrqg4c3QGA+8aeJojcFbTBj+8a\n44lntrDqwccB+OCFq7ho5UO8/MDdGRoS2y7IQu7vvnRfhjUg0yVIer2kOyXdI+nD3ajjtoef4rgv\n/Qf3rN/UjZc3a1k+deM0TmseeWozC1LKpNdpnCoBL9wjC/b3jm2iUplaQ/avf3A7/3bzOgC+dOW9\nnP6NlXx35VoO2H0hpx/9i0AW5P/ktw7hU2/+ZYakyZE8c6ErVUkaBr4EHAscBpwk6bBO17PHjttw\n89on+faKBzv90qXw6KbNfPmqexws+lD1pOwuCxf499eCSiW4+q4xjnzhbkiwoccnaPMrVS3cZoRf\n2Hk77hvbVDMaB+DhJ7NvIyvWPM4PUuC/4LRX8OJ9dgZ
gr5224/Sjf5FtRrKrZ+cyjdOtK2iPBO6J\niPsAJH0LeBNwWycr2XPH7XjNoXty0YqH2GvH7Tr50qXw/dUPs/LnT/Cz+zfw6oNHe90ca8Jt654C\n4AU7bcfDTzzLOdfe3+MW9ZdHNj7H2iee5U+PPZRbH36K6+57rKfvYTWNVI3NB+25iBU/f5znxyvs\nnjvpmrfz9gs44Yh9ecHOjWPTsOb2BG23gv0+QL67/RDwsvwOkk4DTgPYf//9W67o5JcfwLLbHuET\n3+/o/5FSWDAsjjlsL5bd/ghX3TnW6+ZYkxZtO8IrD9qDc/7j/oH8fHbbXjttyzGH7cU3rlvD9fdv\n4Gf3b+hpeyQmA/cRB+zKNXc/CsAxh72Aa+95lCMX78bPHtjAyS8/gK9ft4af/tlrWLjN9CH2wNEd\neG5LZdrtnaZuXJkm6QTg9RHxB+nxycDLIuK9jfZfunRpLF++vOX6nt48zvhEj6+w64IFI9lXxk2b\nx5kYwOMbdNsuGGLbkSGeem585olTrKHttxlmm5EhxicqpVgTYGRY7LBtFrwjYvL3utP2I5MLj0ca\ndx+58ffdJGlFRCwtsm+3evZrgf1yj/dNZV1R/QUMqkUDfnyDbuftF8y+k01rZHiInReWa+CgpJrf\nazWuVwP8XAT6ZnXrHbwBOFjSCyVtA5wIXNKluszMbBZd6TJGxLik9wKXAcPAORHR+0mpzczmqa7l\nByLiUuDSbr2+mZkVV65EmJmZdYWDvZnZPOBgb2Y2DzjYm5nNA125qKrpRkhjwBPAkw027wFsmWbb\nzh0sXwA82uU68uV7pPqm279Tdc/0/nWqjnx59bhm278Tdc/2Hnay7vrjavV1ij4nX183j6/V97DV\nuhv9nXWr7nbew2bfv27WkVf/OTwkInacZt9a2TqKvf8BzpymfPkM2zpWDizvdh31xzXT/p2qe6b3\nrxvHV/8+drPu2d7DDtfdkc9H0efk6+vm8bX6HrZad6P3sVt1t/MeNvv+dbOO6epr9HimnzKlcf61\nhW3dLh/0uueijkGpu5OvU8bjc93lr7stpUjjzETS8ig490M/1DPX9Q3qcQ1yXXNZ36Ae11zV1ev3\nr5n6y9Szn86ZA1bPXNc3qMc1yHXNZX2DelxzVVev37/C9Ze+Z29mZu3rh569mZm1ycHezGweKEWw\nl3ScpJB0aJdePyT9/9zjEUljkr7fjfpy9cz5Suiz1SnpKkktn1Dq9u+qQX0flXSrpNWSVkl62ezP\narmufSV9T9Ldku6V9A9piu7p9v+ApIUt1BOSzsg9/pCkj7XY7JnqmUjv2a2SbpL0x5Lm5G9+Lj77\nueOr/iyeYd+jWvl770Xs6NbfWCmCPXAScG26LSwtbF7E08CLJW2fHv8mXVxMZcC19LtqhaRXAG8E\nXhoRvwK8jtrlLjtZl4DvAv8SEQcDLwIWAZ+c4WkfAJoO9sBm4M2S9mjhuc14NiKWRMQvkX3mjwX+\nqst1zqXq8VV/HuhCHW3HDknNzi7clXjY82AvaRHw68CpZIucVP8LXy3pB5LulPTVao9E0iZJZ0i6\nCXhFE1VdCvx2un8ScH6uDUdK+qmkGyX9RNIhqfxqSUty+10r6fAmj6+mRyHpi5JOSfcfkPRxSSsl\n3dyp/+Qz1dnm6073u5ru+N4g6Q5JKyR9voXe0N7AoxGxGSAiHo2IhyUdIenH6XUvk7R3qu+q1Btf\nJekWSUc2UddrgOci4p9SXRPAHwHvlLSDpM+m11wt6X2S/hD4BeBKSVc2eVzjZKMo/qh+g6TFkv49\n1XOFpP0l7SxpTe5vYAdJD0oqvARWRKwnW/P5vcoMS/qMpBtSXe/OteFP0+fxJkl/2+Sx5Y9lUTqG\n6uf7TbljvF3SWelbx+W5YNqWmY4L2KlRTCmgldhxiqRLJP07cEUT7e9aPOx5sAfeBPwwIu4CHpN0\nRCo/EngfcBhwEPD
mVL4DcH1EHB4R1zZRz7eAEyVtB/wKcH1u2x3AqyLiJcBfAn+Tys8GTgGQ9CJg\nu4i4qcnjm82jEfFS4CvAhzr82p023e9qK+l9/hpwbEQcAYy2UN/lwH6S7pL0ZUm/kQLcF4AT0uue\nQ23ve2FELAH+d9pW1C8BK/IFEfEU8HPgD4DFwJL0DeMbEfF54GHg6Ig4uoVj+xLwNkk715V/ATiv\nWg/w+Yh4ElgF/Eba543AZRGxpZkKI+I+ssWE9iQLJk9GxK8Cvwq8S9nKcseS/Z5fFhGHA59u4diq\nngOOT5/vo4EzpMn1+g4GvpS+dTwB/G4Lr7+9plI4F6eyhseVtk0XU2bTSuwAeCnZ5/Q3KK5r8bAM\nwf4ksjeTdFv96vKziLgv9bDOJ/tvBzABXNRsJRGxmuwP9iS2XlRlZ+Dbkm4BPkf2hw/wbeCNKcC8\nEzi32XoL+G66XZHaV2bT/a4aORS4LyLuT4/Pn2HfhiJiE3AEWY90DLgAeDfwYmCZpFXAn5OtcVx1\nfnru1WQ9uV2arbeBo4CvRcR4eu0N7b5g+kfyz8Af1m16BfDNdP/rTH3uLwDemu6fmB634xjg7ek9\nvB7YnSwAvw74p4h4JrWznWMV8DeSVgM/AvYB9krb7o+IVel+q5/9fBrn+FQ23XHB9DFlRi3GDoBl\nLbx/XYuHPV3JWtJuZF+ff1lSkPU6AvhBus2rPn4uHXArLgE+S/bHu3uu/P8CV0bE8cpO8lwFEBHP\nSFpG9t/2LWSBp1nj1P5T3a5u++Z0O0Hnfh+z1dm0GX5X3+t0XXnpd30VcJWkm4HTgVsjYrqvrNN9\nbmZzG3BCvkDSTsD+wANF29uk/wesBP6pwL6XkAXO3cg+h//ebGWSDiT7nK0nC8Tvi4jL6vb5rWZf\ndwZvI/tGd0REbJH0AFOfj825/SaAjqRxmP64jqL1zwY0GTuSp5t4/a7Hw1737E8Avh4RB0TE4ojY\nD7gfeBVwZPpaOUTWo2kmZTOdc4CPR8TNdeU7M3XS5ZS6bf8IfB64ISIeb6HONcBhkrZNvczXtvAa\nZahzut/V0DR13QkcqKkREm+tf8HZSDpE0sG5oiXA7cCospO3SFogKd+bemsq/3Wyr/PTzR5Y7wpg\noaS3p+cPA2eQfZu7DHi30om29EcJsBEoNuNgA6nXdyFZ6qHqJ6RcLVmwvCbtuwm4AfgH4PvNdngk\njQJfBb4Y2ZWUlwH/q5r3l/QiSTsAy4DfVxpllDvWVuwMrE+B/mjggDZeq6jpjgvaiymtxI5mdTUe\n9jrYnwRcXFd2USq/Afgi2R/3/Q32a1pEPJRyrfU+DXxK0o3U9a4jYgXwFMV6X5NSYNgcEQ+S/UHf\nkm5vbKXtJahzut/ViY3qioi31y6wAAAE50lEQVRnyfLmP5S0giwwFg28VYuA8yTdllIBh5HlRU8A\n/i6dlFoFvDL3nOfS7/Gr1AbRGaUAeDzwe5LuBu4iyzl/hOwf/s+B1anO/5GedmY6vmZP0OadQTZt\nbdX7yILtauBk4P25bRcA/5PiKZxqTvtWsjTK5cDH07Z/JPs2szKlIL4GjETED8l6sctTKqTp80jV\nzyHZOYel6RvZ28ny293W8LjStpZjSiuxowVdjYelnC4hfeX6UES8sQRt+QWyr2aHRkSliecdDpwV\nEc2MCGlLL+qciaRFEbEpnZT7EnB3RHyui/VdRfa5Wd6tOmx2Zfsc9rtOxcNe9+xLLX2lvx74aJOB\n/j1kJ1H+vFttK0OdBbwr9Q5vJfu6+7Uet8e6rKSfQ6OkPXszM+ss9+zNzOYBB3sza5mk/SRdmU6i\n3yrp/al8N0nLlM0ztEzSrqn8UGVXnG6W9KG613q/squUb5X0gV4czyBzsDezdowDfxwRhwEvB06X\ndBjwYeCKNM/QFekxwAayC8k+m38RSS8G3kV2pejhZBcz/uLcHML84GBvZi2LiHURs
TLd30g2NHAf\nsgsRz0u7nQccl/ZZHxE3APVTPfw3ssv+n0lXKv+Y4tMZWAEO9mbWEekCupeQjWDbKyLWpU3/ydQ0\nCdO5BXiVpN3TBV1vAPbrUlPnpZ5Ol2Bmg0HZbI0XAR+IiKc0Od9ZdsFauvx/WhFxu6S/I7vw62my\ni+VanRbFGnDP3szakqYmuIhsNtDqxH6PaGrq6b3J5uOZUUScHRFHRMSrgcfJrmK2DnGwN7OWpauj\nzwZuj4i/z226BHhHuv8OsgnzZnutPdPt/mT5+m/O/Axrhi+qMrOWpQnnrgFuBqpXmX+ELG9/Idms\noWuAt0TEBkkvAJYDO6X9NwGHpdTPNWQzSm4BPhgRhRf9sNk52JuZzQNO45iZzQMO9mZm84CDvZnZ\nPOBgb2Y2DzjYm5nNAw72NrAkfax+ZsW67celSbtme52a/SR9QtLrOtVOs7ngYG/z2XFk69o2tV9E\n/GVE/KhrrTLrAgd7GyiSPirpLknXAoeksndJukHSTZIukrRQ0iuB3wE+kxblPij9/FDSCknXpLnX\nG+13rqQT0ms/IOlTadtySS+VdJmke9MSfdV2/Ulqw2pJH2/QdLOu8kRoNjAkHQGcCCwh+2yvBFYA\n342Is9I+fw2cGhFfkHQJ8P2I+E7adgXwnoi4W9LLgC9HxGsa7Fdf9c8jYomkzwHnAr8GbEc2k+NX\nJR0DHEw2V7uASyS9OiKu7tqbYVbHwd4GyauAiyPiGYAUpAFenIL8LsAi4LL6J6ZZG18JfDsXzLct\nWG+1npuBRWle941pNaZdgGPSz41pv0Vkwd/B3uaMg73NB+cCx0XETZJOAY5qsM8Q8ERELGnh9Ten\n20rufvXxCFlv/lMR8bUWXtusI5yzt0FyNXCcpO0l7Qj891S+I7AuTcX7ttz+G9M2IuIp4H5JvwfZ\nbI6SDq/fr0WXAe9M3x6QtE91hkezueJgbwMjLY93AXAT8G/ADWnTX5DNwvgfwB25p3wL+BNJN0o6\niOwfwamSbgJuJVtar9F+zbbrcrLpen8q6WbgO7T3z8OsaZ710sxsHnDP3sxsHnCwNzObBxzszczm\nAQd7M7N5wMHezGwecLA3M5sHHOzNzOaB/wJaATXysKXs2wAAAABJRU5ErkJggg==\n", + "text/plain": [ + "
" + ] + }, + "metadata": { + "tags": [] + } + } + ] + }, + { + "metadata": { + "id": "Khe0KmZbyWl0", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Okay, so from the graphs it looks like we have a good cluster at the end of February; let's look closer. I'll slice the results to only show after 2019-02-20:" + ] + }, + { + "metadata": { + "id": "y-hGtMtYyrt6", + "colab_type": "code", + "outputId": "563e3970-164d-445c-d516-ae548e6fa7db", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 3020 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('TeamViewer', return_fields='datetime,timestamp_desc,data_type,filename,message', as_pandas=True)\n", + "ts_results = ts_results.set_index('datetime')\n", + "ts_results['2019-02-20':][['timestamp_desc','data_type','filename','message']]" + ], + "execution_count": 17, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " 
\n", + " \n", + " \n", + " \n", + "
timestamp_descdata_typefilenamemessage
datetime
2019-02-25 18:28:14Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/PICKERHOST.EXE-93018817.pfPrefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW...
2019-02-25 20:39:27Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/CHROME.EXE-5FE9909D.pfPrefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI...
2019-02-25 20:39:41Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&...
2019-02-25 20:39:41Last Visited Timechrome:history:page_visited/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6...
2019-02-25 20:39:46Last Visited Timechrome:history:page_visited/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T...
2019-02-25 20:39:46Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://static.teamviewer.com/resources/2018/10/logo...
2019-02-25 20:39:54Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://www.teamviewer.com/en-us/teamviewer-automati...
2019-02-25 20:39:55Last Visited Timechrome:history:page_visited/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T...
2019-02-25 20:39:59Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://tracking.g2crowd.com/attribution_tracking/co...
2019-02-25 20:40:00Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4...
2019-02-25 20:40:00Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=...
2019-02-25 20:40:10Last Visited Timechrome:cache:entry/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...Original URL: https://static.teamviewer.com/resources/2018/10/team...
2019-02-25 20:40:47Content Modification Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.iniTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47Metadata Modification Timefs:stat/Program Files (x86)/TeamViewer/tvinfo.iniTSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file
2019-02-25 20:40:47Creation Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewerTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc...
2019-02-25 20:40:47Creation Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.iniTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47Metadata Modification Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.iniTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47Metadata Modification Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exeTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_...
2019-02-25 20:40:47Content Modification Timefs:stat/Program Files (x86)/TeamViewer/tvinfo.iniTSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file
2019-02-25 20:40:49Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pfPrefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS...
2019-02-25 20:41:04Creation Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.logTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install...
2019-02-25 20:41:06Creation Timefs:stat/Program Files (x86)/TeamViewerTSK:/Program Files (x86)/TeamViewer Type: directory
2019-02-25 20:41:06Content Modification Timewindows:shell_item:file_entry/Users/Public/Desktop/TeamViewer 14.lnkName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
2019-02-25 20:41:06Content Modification Timewindows:shell_item:file_entry/ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnkName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
2019-02-25 20:41:06Creation Timewindows:shell_item:file_entry/Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06Creation Timewindows:shell_item:file_entry/ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnkName: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06Creation Timewindows:shell_item:file_entry/Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06Creation Timewindows:shell_item:file_entry/Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06Creation Timewindows:shell_item:file_entry/Users/Public/Desktop/TeamViewer 14.lnkName: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:11Creation Timefs:stat/Program Files (x86)/TeamViewer/License.txtTSK:/Program Files (x86)/TeamViewer/License.txt Type: file
...............
2019-03-20 21:04:58Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Note.exeTSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file
2019-03-20 21:04:59Last Access Timefs:stat/Program Files (x86)/TeamViewer/uninstall.exeTSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file
2019-03-20 21:04:59Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...
2019-03-20 21:04:59Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...
2019-03-20 21:04:59Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...
2019-03-20 21:05:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...
2019-03-20 21:05:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...
2019-03-20 21:05:01Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...
2019-03-20 21:05:01Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...
2019-03-20 21:05:01Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ...
2019-03-20 21:05:01Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...
2019-03-20 21:05:02Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...
2019-03-20 21:05:02Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...
2019-03-20 21:05:19Content Modification Timewindows:registry:key_value/Windows/appcompat/Programs/Amcache.hve[\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...
2019-03-20 21:05:20Last Access Timefs:stat/Program Files (x86)/TeamViewer/x64TSK:/Program Files (x86)/TeamViewer/x64 Type: directory
2019-03-20 21:05:20Last Access Timefs:stat/Program Files (x86)/TeamViewer/PrinterTSK:/Program Files (x86)/TeamViewer/Printer Type: directory
2019-03-20 21:05:20Last Access Timefs:stat/Program Files (x86)/TeamViewer/Printer/x64TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory
2019-03-20 21:05:20Last Access Timefs:stat/Program Files (x86)/TeamViewer/outlookTSK:/Program Files (x86)/TeamViewer/outlook Type: directory
2019-03-20 21:05:24Last Time Executedwindows:prefetch:execution/Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pfPrefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...
2019-03-20 21:05:43Content Modification Timewindows:registry:key_value/Windows/System32/config/SYSTEM[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...
2019-03-20 21:05:59Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:06:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-79BA10F2.pfPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
2019-03-20 21:08:32Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:10:56Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:15:21Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:28Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:36Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:59Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:16:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-79BA10F2.pfPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
2019-03-20 21:26:28Last Time Executedwindows:prefetch:execution/Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pfPrefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\...
\n", + "

632 rows × 4 columns

\n", + "
" + ], + "text/plain": [ + " timestamp_desc \\\n", + "datetime \n", + "2019-02-25 18:28:14 Previous Last Time Executed \n", + "2019-02-25 20:39:27 Previous Last Time Executed \n", + "2019-02-25 20:39:41 Last Visited Time \n", + "2019-02-25 20:39:41 Last Visited Time \n", + "2019-02-25 20:39:46 Last Visited Time \n", + "2019-02-25 20:39:46 Last Visited Time \n", + "2019-02-25 20:39:54 Last Visited Time \n", + "2019-02-25 20:39:55 Last Visited Time \n", + "2019-02-25 20:39:59 Last Visited Time \n", + "2019-02-25 20:40:00 Last Visited Time \n", + "2019-02-25 20:40:00 Last Visited Time \n", + "2019-02-25 20:40:10 Last Visited Time \n", + "2019-02-25 20:40:47 Content Modification Time \n", + "2019-02-25 20:40:47 Metadata Modification Time \n", + "2019-02-25 20:40:47 Creation Time \n", + "2019-02-25 20:40:47 Creation Time \n", + "2019-02-25 20:40:47 Metadata Modification Time \n", + "2019-02-25 20:40:47 Metadata Modification Time \n", + "2019-02-25 20:40:47 Content Modification Time \n", + "2019-02-25 20:40:49 Last Time Executed \n", + "2019-02-25 20:41:04 Creation Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:06 Content Modification Time \n", + "2019-02-25 20:41:06 Content Modification Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:06 Creation Time \n", + "2019-02-25 20:41:11 Creation Time \n", + "... ... 
\n", + "2019-03-20 21:04:58 Last Access Time \n", + "2019-03-20 21:04:59 Last Access Time \n", + "2019-03-20 21:04:59 Last Access Time \n", + "2019-03-20 21:04:59 Last Access Time \n", + "2019-03-20 21:04:59 Last Access Time \n", + "2019-03-20 21:05:00 Last Access Time \n", + "2019-03-20 21:05:00 Last Access Time \n", + "2019-03-20 21:05:01 Last Access Time \n", + "2019-03-20 21:05:01 Last Access Time \n", + "2019-03-20 21:05:01 Last Access Time \n", + "2019-03-20 21:05:01 Last Access Time \n", + "2019-03-20 21:05:02 Last Access Time \n", + "2019-03-20 21:05:02 Last Access Time \n", + "2019-03-20 21:05:19 Content Modification Time \n", + "2019-03-20 21:05:20 Last Access Time \n", + "2019-03-20 21:05:20 Last Access Time \n", + "2019-03-20 21:05:20 Last Access Time \n", + "2019-03-20 21:05:20 Last Access Time \n", + "2019-03-20 21:05:24 Last Time Executed \n", + "2019-03-20 21:05:43 Content Modification Time \n", + "2019-03-20 21:05:59 Previous Last Time Executed \n", + "2019-03-20 21:06:00 Previous Last Time Executed \n", + "2019-03-20 21:08:32 Previous Last Time Executed \n", + "2019-03-20 21:10:56 Previous Last Time Executed \n", + "2019-03-20 21:15:21 Previous Last Time Executed \n", + "2019-03-20 21:15:28 Previous Last Time Executed \n", + "2019-03-20 21:15:36 Last Time Executed \n", + "2019-03-20 21:15:59 Last Time Executed \n", + "2019-03-20 21:16:00 Last Time Executed \n", + "2019-03-20 21:26:28 Last Time Executed \n", + "\n", + " data_type \\\n", + "datetime \n", + "2019-02-25 18:28:14 windows:prefetch:execution \n", + "2019-02-25 20:39:27 windows:prefetch:execution \n", + "2019-02-25 20:39:41 chrome:cache:entry \n", + "2019-02-25 20:39:41 chrome:history:page_visited \n", + "2019-02-25 20:39:46 chrome:history:page_visited \n", + "2019-02-25 20:39:46 chrome:cache:entry \n", + "2019-02-25 20:39:54 chrome:cache:entry \n", + "2019-02-25 20:39:55 chrome:history:page_visited \n", + "2019-02-25 20:39:59 chrome:cache:entry \n", + "2019-02-25 20:40:00 
chrome:cache:entry \n", + "2019-02-25 20:40:00 chrome:cache:entry \n", + "2019-02-25 20:40:10 chrome:cache:entry \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:47 fs:stat \n", + "2019-02-25 20:40:49 windows:prefetch:execution \n", + "2019-02-25 20:41:04 fs:stat \n", + "2019-02-25 20:41:06 fs:stat \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06 windows:shell_item:file_entry \n", + "2019-02-25 20:41:11 fs:stat \n", + "... ... \n", + "2019-03-20 21:04:58 fs:stat \n", + "2019-03-20 21:04:59 fs:stat \n", + "2019-03-20 21:04:59 fs:stat \n", + "2019-03-20 21:04:59 fs:stat \n", + "2019-03-20 21:04:59 fs:stat \n", + "2019-03-20 21:05:00 fs:stat \n", + "2019-03-20 21:05:00 fs:stat \n", + "2019-03-20 21:05:01 fs:stat \n", + "2019-03-20 21:05:01 fs:stat \n", + "2019-03-20 21:05:01 fs:stat \n", + "2019-03-20 21:05:01 fs:stat \n", + "2019-03-20 21:05:02 fs:stat \n", + "2019-03-20 21:05:02 fs:stat \n", + "2019-03-20 21:05:19 windows:registry:key_value \n", + "2019-03-20 21:05:20 fs:stat \n", + "2019-03-20 21:05:20 fs:stat \n", + "2019-03-20 21:05:20 fs:stat \n", + "2019-03-20 21:05:20 fs:stat \n", + "2019-03-20 21:05:24 windows:prefetch:execution \n", + "2019-03-20 21:05:43 windows:registry:key_value \n", + "2019-03-20 21:05:59 windows:prefetch:execution \n", + "2019-03-20 21:06:00 windows:prefetch:execution \n", + "2019-03-20 21:08:32 windows:prefetch:execution \n", + "2019-03-20 21:10:56 windows:prefetch:execution \n", + "2019-03-20 21:15:21 
windows:prefetch:execution \n", + "2019-03-20 21:15:28 windows:prefetch:execution \n", + "2019-03-20 21:15:36 windows:prefetch:execution \n", + "2019-03-20 21:15:59 windows:prefetch:execution \n", + "2019-03-20 21:16:00 windows:prefetch:execution \n", + "2019-03-20 21:26:28 windows:prefetch:execution \n", + "\n", + " filename \\\n", + "datetime \n", + "2019-02-25 18:28:14 /Windows/Prefetch/PICKERHOST.EXE-93018817.pf \n", + "2019-02-25 20:39:27 /Windows/Prefetch/CHROME.EXE-5FE9909D.pf \n", + "2019-02-25 20:39:41 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:41 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:46 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:46 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:54 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:55 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:59 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:10 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... 
\n", + "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47 /Program Files (x86)/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer \n", + "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exe \n", + "2019-02-25 20:40:47 /Program Files (x86)/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:49 /Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pf \n", + "2019-02-25 20:41:04 /Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.log \n", + "2019-02-25 20:41:06 /Program Files (x86)/TeamViewer \n", + "2019-02-25 20:41:06 /Users/Public/Desktop/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06 /Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team... \n", + "2019-02-25 20:41:06 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06 /Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer... \n", + "2019-02-25 20:41:06 /Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV... \n", + "2019-02-25 20:41:06 /Users/Public/Desktop/TeamViewer 14.lnk \n", + "2019-02-25 20:41:11 /Program Files (x86)/TeamViewer/License.txt \n", + "... ... 
\n", + "2019-03-20 21:04:58 /Program Files (x86)/TeamViewer/TeamViewer_Note.exe \n", + "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/uninstall.exe \n", + "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll \n", + "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll \n", + "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll \n", + "2019-03-20 21:05:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll \n", + "2019-03-20 21:05:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll \n", + "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll \n", + "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll \n", + "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll \n", + "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll \n", + "2019-03-20 21:05:02 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll \n", + "2019-03-20 21:05:02 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll \n", + "2019-03-20 21:05:19 /Windows/appcompat/Programs/Amcache.hve \n", + "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/x64 \n", + "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/Printer \n", + "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/Printer/x64 \n", + "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/outlook \n", + "2019-03-20 21:05:24 /Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pf \n", + "2019-03-20 21:05:43 /Windows/System32/config/SYSTEM \n", + "2019-03-20 21:05:59 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:06:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", + "2019-03-20 21:08:32 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:10:56 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:15:21 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:28 
/Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:36 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:59 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:16:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", + "2019-03-20 21:26:28 /Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pf \n", + "\n", + " message \n", + "datetime \n", + "2019-02-25 18:28:14 Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW... \n", + "2019-02-25 20:39:27 Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI... \n", + "2019-02-25 20:39:41 Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&... \n", + "2019-02-25 20:39:41 https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6... \n", + "2019-02-25 20:39:46 https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T... \n", + "2019-02-25 20:39:46 Original URL: https://static.teamviewer.com/resources/2018/10/logo... \n", + "2019-02-25 20:39:54 Original URL: https://www.teamviewer.com/en-us/teamviewer-automati... \n", + "2019-02-25 20:39:55 https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T... \n", + "2019-02-25 20:39:59 Original URL: https://tracking.g2crowd.com/attribution_tracking/co... \n", + "2019-02-25 20:40:00 Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4... \n", + "2019-02-25 20:40:00 Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=... \n", + "2019-02-25 20:40:10 Original URL: https://static.teamviewer.com/resources/2018/10/team... \n", + "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", + "2019-02-25 20:40:47 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", + "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc... \n", + "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... 
\n", + "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", + "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_... \n", + "2019-02-25 20:40:47 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", + "2019-02-25 20:40:49 Prefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS... \n", + "2019-02-25 20:41:04 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install... \n", + "2019-02-25 20:41:06 TSK:/Program Files (x86)/TeamViewer Type: directory \n", + "2019-02-25 20:41:06 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "2019-02-25 20:41:06 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:11 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", + "... ... \n", + "2019-03-20 21:04:58 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", + "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", + "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... \n", + "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", + "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", + "2019-03-20 21:05:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... 
\n", + "2019-03-20 21:05:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", + "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", + "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", + "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", + "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", + "2019-03-20 21:05:02 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", + "2019-03-20 21:05:02 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", + "2019-03-20 21:05:19 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... \n", + "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", + "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", + "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", + "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", + "2019-03-20 21:05:24 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... \n", + "2019-03-20 21:05:43 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", + "2019-03-20 21:05:59 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:06:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "2019-03-20 21:08:32 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:10:56 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:15:21 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:15:28 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... 
\n", + "2019-03-20 21:15:36 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:15:59 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:16:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "2019-03-20 21:26:28 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", + "\n", + "[632 rows x 4 columns]" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 17 + } + ] + }, + { + "metadata": { + "id": "-3krCPn50csr", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "So from this, in a short interval starting 2019-02-25T20:39, we can see:\n", + "* a Google search for \"teamviewer\"\n", + "* a visit in Chrome to teamviewer.com,\n", + "* then teamviewer.com/en-us/teamviewer-automatic-download/,\n", + "* and lastly a bunch of TeamViewer related files being created.\n", + "\n", + "The web browser and files created were done under the Administrator account (per the path filename), so that's our answer." + ] + }, + { + "metadata": { + "id": "5EzZwgne_V44", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: How Many Times\n", + "At least how many times did the teamviewer_desktop.exe run?" 
+ ] + }, + { + "metadata": { + "id": "--29x7kjADg3", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Prefetch is a great artifact for \"how many times did something run\"-type questions, so let's look for Prefetch execution entries for the program in question:" + ] + }, + { + "metadata": { + "id": "v2ZjHcsv_Voj", + "colab_type": "code", + "outputId": "18a2f000-a6ec-4ee3-9466-f3b7e3ec98e4", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 142 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', return_fields='datetime,timestamp_desc,data_type,executable,run_count,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','message']]" + ], + "execution_count": 18, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typeexecutablerun_countmessage
02019-03-18 17:59:21Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
12019-03-18 18:34:19Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
22019-03-18 18:36:49Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc \\\n", + "0 2019-03-18 17:59:21 Previous Last Time Executed \n", + "1 2019-03-18 18:34:19 Previous Last Time Executed \n", + "2 2019-03-18 18:36:49 Last Time Executed \n", + "\n", + " data_type executable run_count \\\n", + "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "1 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "2 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "\n", + " message \n", + "0 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... \n", + "1 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... \n", + "2 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 18 + } + ] + }, + { + "metadata": { + "id": "QwCaUO1TBLis", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: Execute Where\n", + "After looking at the TEAMVIEWER_DESKTOP.EXE prefetch file, which path was the executable in at the time of execution?\n", + "\n" + ] + }, + { + "metadata": { + "id": "8gu7QiD-Bkou", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "We did all the work for this question with the previous query (the answer is in the message string), but we can explicitly query for the path:" + ] + }, + { + "metadata": { + "id": "Y1jC_-hMBLUG", + "colab_type": "code", + "outputId": "0b77b7ce-841e-4f50-8a1a-9608229be5bb", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 142 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', return_fields='datetime,timestamp_desc,data_type,executable,run_count,path', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','path']]" + ], + "execution_count": 19, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typeexecutablerun_countpath
02019-03-18 17:59:21Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
12019-03-18 18:34:19Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
22019-03-18 18:36:49Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc \\\n", + "0 2019-03-18 17:59:21 Previous Last Time Executed \n", + "1 2019-03-18 18:34:19 Previous Last Time Executed \n", + "2 2019-03-18 18:36:49 Last Time Executed \n", + "\n", + " data_type executable run_count \\\n", + "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "1 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "2 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", + "\n", + " path \n", + "0 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE \n", + "1 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE \n", + "2 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 19 + } + ] + }, + { + "metadata": { + "id": "4Z5KJzwABK7V", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "## Registry Questions\n", + "This last set of questions can be answered using the Windows Registry (and one from event logs)." 
+ ] + }, + { + "metadata": { + "id": "oYn41EUYFf5O", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Lots of registry questions depend on the Current Control Set, so let's verify what it is:" + ] + }, + { + "metadata": { + "id": "qbT0cf4dB_aJ", + "colab_type": "code", + "outputId": "e47fa09b-9d42-4775-e744-284f3004fc23", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 80 + } + }, + "cell_type": "code", + "source": [ + "# Escaping fun: We need to esacpe the slashes in the key_path once for Timesketch and once for Python, so we'll have triple slashes (\\\\\\)\n", + "ts_results = ctf.explore('data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\Select\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','message']]" + ], + "execution_count": 20, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typemessage
02018-04-11 23:38:44Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2018-04-11 23:38:44 Content Modification Time windows:registry:key_value \n", + "\n", + " message \n", + "0 [HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 20 + } + ] + }, + { + "metadata": { + "id": "FoqCvGtlFnZ1", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "From the message, the Current control set is 1." + ] + }, + { + "metadata": { + "id": "3QuYQux5FtlO", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What was the timezone offset at the time of imaging? and What is the timezone of the Desktop" + ] + }, + { + "metadata": { + "id": "sX5xYElTHxOh", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "I'm combining these, since the answer is in the same query:" + ] + }, + { + "metadata": { + "id": "f8CE4NYEFzWu", + "colab_type": "code", + "outputId": "91fbcb06-fa73-49dd-a17c-76689ed304be", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 80 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\ControlSet001\\\\\\Control\\\\\\TimeZoneInformation\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','message']]" + ], + "execution_count": 21, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typemessage
02019-03-10 10:00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2019-03-10 10:00:00 Content Modification Time windows:registry:key_value \n", + "\n", + " message \n", + "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 21 + } + ] + }, + { + "metadata": { + "id": "HJDjeFc0bzu4", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "The message is really long; let's pull it out:" + ] + }, + { + "metadata": { + "id": "s8UMrq0tb3u6", + "colab_type": "code", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 54 + }, + "outputId": "2664c305-2f12-4b73-947c-cc7c46d2d399" + }, + "cell_type": "code", + "source": [ + "set(ts_results.message)" + ], + "execution_count": 30, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "{u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Control\\\\TimeZoneInformation] ActiveTimeBias: 420 Bias: 480 DaylightBias: -60 DaylightName: @tzres.dll,-211 DynamicDaylightTimeDisabled: 0 StandardBias: 0 StandardName: @tzres.dll,-212 TimeZoneKeyName: Pacific Standard Time'}" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 30 + } + ] + }, + { + "metadata": { + "id": "NAloEuihHke2", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "The name of the Timezone is in the message string, as is the ActiveTimeBias, which we can use to get the UTC offset:" + ] + }, + { + "metadata": { + "id": "5R57xnzQGzEB", + "colab_type": "code", + "outputId": "483426e3-ab26-4832-c7d2-8a669aaa16d8", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 34 + } + }, + "cell_type": "code", + "source": [ + "# The ActiveTimeBias is in minutes, so divide by -60 (I don't know why it's stored negative): \n", + "420 / -60" + ], + "execution_count": 166, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "-7" + ] + }, + "metadata": { 
+ "tags": [] + }, + "execution_count": 166 + } + ] + }, + { + "metadata": { + "id": "yU8rM-2fQC-g", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: When was the Windows OS installed?" + ] + }, + { + "metadata": { + "id": "yGnx4554QICl", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Plaso actually parses this out as it's own data_type, so querying for it is easy:" + ] + }, + { + "metadata": { + "id": "_DTNDAiAMSgz", + "colab_type": "code", + "outputId": "88c0f22e-d14b-4bf5-f400-c30e46e40202", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 111 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:registry:installation\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','message']]" + ], + "execution_count": 167, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typemessage
01970-01-01 00:00:00Installation Timewindows:registry:installationWindows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...
12018-07-28 07:27:53Installation Timewindows:registry:installationWindows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 1970-01-01 00:00:00 Installation Time windows:registry:installation \n", + "1 2018-07-28 07:27:53 Installation Time windows:registry:installation \n", + "\n", + " message \n", + "0 Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\... \n", + "1 Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 167 + } + ] + }, + { + "metadata": { + "id": "h6OG8tRbRf6b", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: What is the IP address of the Desktop?" + ] + }, + { + "metadata": { + "id": "kNmlBEFAR1lI", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "We already confirmed the Control Set is 001, so let's query for the registry key under that control set that holds the Interface information:" + ] + }, + { + "metadata": { + "id": "angYvM_3RfA1", + "colab_type": "code", + "outputId": "2fcd221d-d877-4e00-cefb-0f57f0ff8fad", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 173 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('key_path:\"System\\\\\\ControlSet001\\\\\\Services\\\\\\Tcpip\\\\\\Parameters\\\\\\Interfaces\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results[['datetime','timestamp_desc','data_type','message']]" + ], + "execution_count": 168, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
datetimetimestamp_descdata_typemessage
02018-07-28 07:24:53Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
12018-07-28 07:25:03Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
22018-07-28 07:36:43Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
32019-03-20 20:55:53Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
\n", + "
" + ], + "text/plain": [ + " datetime timestamp_desc data_type \\\n", + "0 2018-07-28 07:24:53 Content Modification Time windows:registry:key_value \n", + "1 2018-07-28 07:25:03 Content Modification Time windows:registry:key_value \n", + "2 2018-07-28 07:36:43 Content Modification Time windows:registry:key_value \n", + "3 2019-03-20 20:55:53 Content Modification Time windows:registry:key_value \n", + "\n", + " message \n", + "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", + "1 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", + "2 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", + "3 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 168 + } + ] + }, + { + "metadata": { + "id": "LckTVA9eSDCR", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "There are a few entries, but only the last one has what we want. Reading through it (or using Ctrl+F) we can find the 'IPAddress' is 64.44.141.76." 
+ ] + }, + { + "metadata": { + "id": "55kVv0nOcVKf", + "colab_type": "code", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 105 + }, + "outputId": "5d8e9766-e50c-449a-d7a9-97912fa1144d" + }, + "cell_type": "code", + "source": [ + "set(ts_results.message)" + ], + "execution_count": 169, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/plain": [ + "{u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{237df97c-14eb-4ba8-af9e-a99d8dd8b936}] AddressType: [REG_DWORD_LE] 0 DhcpConnForceBroadcastFlag: [REG_DWORD_LE] 0 DhcpDefaultGateway: [REG_MULTI_SZ] 64.44.141.1 DhcpGatewayHardware: [REG_BINARY] DhcpGatewayHardwareCount: [REG_DWORD_LE] 1 DhcpIPAddress: [REG_SZ] 64.44.141.76 DhcpInterfaceOptions: [REG_BINARY] DhcpNameServer: [REG_SZ] 8.8.8.8 8.8.4.4 DhcpServer: [REG_SZ] 167.88.4.2 DhcpSubnetMask: [REG_SZ] 255.255.255.0 DhcpSubnetMaskOpt: [REG_MULTI_SZ] 255.255.255.0 Domain: [REG_SZ] EnableDHCP: [REG_DWORD_LE] 1 IsServerNapAware: [REG_DWORD_LE] 0 Lease: [REG_DWORD_LE] 21600000 LeaseObtainedTime: [REG_DWORD_LE] 28 LeaseTerminatesTime: [REG_DWORD_LE] 21600028 NameServer: [REG_SZ] T1: [REG_DWORD_LE] 10800028 T2: [REG_DWORD_LE] 18900028',\n", + " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{33b71fd7-9aaa-4528-a0e5-006a2123864a}] Domain: [REG_SZ] EnableDHCP: [REG_DWORD_LE] 1 NameServer: [REG_SZ] ',\n", + " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{ac3af346-923f-11e8-87fa-806e6f6e6963}] Value: No values stored in key.',\n", + " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces] Value: No values stored in key.'}" + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 169 + } + ] + }, + { + "metadata": { + "id": "VXtkOaKTU5YP", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "### Q: Which User 
Shutdown Windows on February 25th 2019?" + ] + }, + { + "metadata": { + "id": "UbuECyqADgrp", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "Event logs seem like a good place to look for this answer, since a shutdown generates a 1074 event in the System event log. From the question, we have a fairly-narrow timeframe, so let's slice the results down to that after we do our query: " + ] + }, + { + "metadata": { + "id": "6dq7IoM_U7Qo", + "colab_type": "code", + "outputId": "12b401cf-92b2-4f5d-d5aa-2e80668b888f", + "colab": { + "base_uri": "https://localhost:8080/", + "height": 142 + } + }, + "cell_type": "code", + "source": [ + "ts_results = ctf.explore('data_type:\"windows:evtx:record\" AND filename:\"System.evtx\" AND 1074', return_fields='datetime,timestamp_desc,data_type,username,message', as_pandas=True)\n", + "ts_results = ts_results.set_index('datetime')\n", + "ts_results['2019-02-25':'2019-02-26'][['timestamp_desc','data_type','username','message']]" + ], + "execution_count": 170, + "outputs": [ + { + "output_type": "execute_result", + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
timestamp_descdata_typeusernamemessage
datetime
2019-02-25 20:04:42Content Modification Timewindows:evtx:recordAdministrator[1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32...
2019-02-25 20:13:53Content Modification Timewindows:evtx:recordAdministrator[1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32...
\n", + "
" + ], + "text/plain": [ + " timestamp_desc data_type \\\n", + "datetime \n", + "2019-02-25 20:04:42 Content Modification Time windows:evtx:record \n", + "2019-02-25 20:13:53 Content Modification Time windows:evtx:record \n", + "\n", + " username \\\n", + "datetime \n", + "2019-02-25 20:04:42 Administrator \n", + "2019-02-25 20:13:53 Administrator \n", + "\n", + " message \n", + "datetime \n", + "2019-02-25 20:04:42 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... \n", + "2019-02-25 20:13:53 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... " + ] + }, + "metadata": { + "tags": [] + }, + "execution_count": 170 + } + ] + }, + { + "metadata": { + "id": "AlWim_NuGMeV", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "# Wrap Up\n", + "That's it! Thanks for reading and I hope you found this useful. This walkthrough covered most of the questions from the 'Basic - Desktop' category; I may do other sections as well if there is time/interest. If you found this useful, check out Kristinn's demonstration of [Timesketch and Colab](https://colab.research.google.com/github/google/timesketch/blob/master/notebooks/colab-timesketch-demo.ipynb).\n", + "\n", + "You can get the free, open source tools I used to solve the CTF:\n", + "* Plaso / Log2Timeline: https://github.com/log2timeline/plaso\n", + "* Timesketch: https://github.com/google/timesketch\n", + "* Colab(oratory): https://colab.sandbox.google.com/notebooks/welcome.ipynb " + ] + } + ] +} \ No newline at end of file From b5805d2b7b96b4dd3a1e182b067e954c369a14f1 Mon Sep 17 00:00:00 2001 From: Ryan Benson Date: Mon, 22 Apr 2019 16:21:25 -0700 Subject: [PATCH 2/6] Created using Colaboratory --- notebooks/MUS2019_CTF.ipynb | 1883 ++++++++++++++++++----------------- 1 file changed, 989 insertions(+), 894 deletions(-) diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb index 7bac7cb350..a8c9e42cd8 100644 --- a/notebooks/MUS2019_CTF.ipynb 
+++ b/notebooks/MUS2019_CTF.ipynb @@ -84,19 +84,27 @@ }, "cell_type": "markdown", "source": [ - "## Timesketch & Colab Setup\n", - "\n", - "The [Timesketch GitHub](https://github.com/google/timesketch) has Colab ([Timesketch and Colab](https://colab.research.google.com/github/google/timesketch/blob/master/notebooks/colab-timesketch-demo.ipynb)) that walks through how to install, connect, and explore a Sketch using Colab. Please check it out if you want a more thorough explanation of the setup; I'm just going to show the commands you need to run to get it working: " + "## Timesketch & Colab Setup\n" + ] + }, + { + "metadata": { + "id": "0dmFr3P_9Ao7", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ + "First, if you want to run this notebook and play along, click the 'Connect' button at the top right of the page. The [Timesketch GitHub](https://github.com/google/timesketch) has Colab ([Timesketch and Colab](https://colab.research.google.com/github/google/timesketch/blob/master/notebooks/colab-timesketch-demo.ipynb)) that walks through how to install, connect, and explore a Sketch using Colab. Please check it out if you want a more thorough explanation of the setup; I'm just going to show the commands you need to run to get it working: " ] }, { "metadata": { "id": "h35lMbAxIeYE", "colab_type": "code", - "outputId": "86656d91-ba58-4efa-f01a-aa2ecb825068", + "outputId": "df0b6ffe-164a-4651-85b9-1b2ee6519531", "colab": { "base_uri": "https://localhost:8080/", - "height": 255 + "height": 138 } }, "cell_type": "code", 
@@ -114,20 +122,13 @@ { "output_type": "stream", "text": [ - "Collecting timesketch-api-client\n", - " Downloading https://files.pythonhosted.org/packages/70/70/863ff486c8d2f9ddb5d7edebcde3cc5cff8de3c4a2682b32f6d292b4d34e/timesketch-api-client-20190124.tar.gz\n", + "Requirement already satisfied: timesketch-api-client in /usr/local/lib/python2.7/dist-packages (20190124)\n", "Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (2.18.4)\n", "Requirement already satisfied: beautifulsoup4 in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (4.6.3)\n", "Requirement already satisfied: idna<2.7,>=2.5 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2.6)\n", "Requirement already satisfied: urllib3<1.23,>=1.21.1 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (1.22)\n", "Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2019.3.9)\n", - "Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (3.0.4)\n", - "Building wheels for collected packages: timesketch-api-client\n", - " Building wheel for timesketch-api-client (setup.py) ... \u001b[?25ldone\n", - "\u001b[?25h Stored in directory: /root/.cache/pip/wheels/71/ae/fc/53d5a72e83b0442a3c31788391b1a72a387c9819602ffc49e4\n", - "Successfully built timesketch-api-client\n", - "Installing collected packages: timesketch-api-client\n", - "Successfully installed timesketch-api-client-20190124\n" + "Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (3.0.4)\n" ], "name": "stdout" } 
@@ -140,7 +141,16 @@ }, "cell_type": "markdown", "source": [ - "### Connect to Timesketch\n", + "### Connect to Timesketch" + ] + }, + { + "metadata": { + "id": "i5JCNPkL87Cq", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ "By default, this will connect to the public demo Timesketch server, which [David Cowen](https://twitter.com/HECFBlog) has graciously allowed to host a copy of the Plaso timeline of the MUS2019-CTF. Thanks Dave!" ] }, @@ -154,12 +164,10 @@ "cell_type": "code", "source": [ "#@title Client Information { run: \"auto\"}\n", - "\n", "SERVER = 'https://demo.timesketch.org' #@param {type: \"string\"}\n", "USER = 'demo' #@param {type: \"string\"}\n", "PASSWORD = 'demo' #@param {type: \"string\"}\n", "\n", - "\n", "ts_client = client.TimesketchApi(SERVER, USER, PASSWORD)" ], "execution_count": 0, @@ -181,11 +189,11 @@ "metadata": { "id": "vsEZI45porba", "colab_type": "code", + "outputId": "f9c554b0-2916-41fd-b4ce-0307f00538fd", "colab": { "base_uri": "https://localhost:8080/", - "height": 85 - }, - "outputId": "5ead42d2-767f-472b-b575-0deceeec9342" + "height": 86 + } }, "cell_type": "code", "source": [ @@ -254,10 +262,19 @@ }, "cell_type": "markdown", "source": [ - "# Questions\n", + "# Questions\n" + ] + }, + { + "metadata": { + "id": "Pfy7e0iO9MJK", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ "![Basic - Desktop Questions](https://dfir.blog/content/images/2019/04/MUS2019-CTF-Basic-Desktop.png)\n", "\n", - "I grouped the questions from the 'Basic - Desktop' section into three categories: NTFS, TeamViewer, and Registry.\n" + "I grouped the questions from the 'Basic - Desktop' section into three categories: NTFS, TeamViewer, and Registry." ] }, { 
@@ -305,15 +322,18 @@ "metadata": { "id": "0n6k7v-ioy4_", "colab_type": "code", - "outputId": "55609bcf-3cd4-430c-948a-9ca1e9806fb1", + "outputId": "6c496957-ae08-4742-a2e3-e9bd9635c525", "colab": { "base_uri": "https://localhost:8080/", - "height": 204 + "height": 198 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('inode:102698', return_fields='datetime,timestamp_desc,data_type,inode,filename', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'inode:102698', \n", + " return_fields='datetime,timestamp_desc,data_type,inode,filename', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','inode','filename']]" ], "execution_count": 5, @@ -350,7 +370,7 @@ " \n", " \n", " 0\n", - " 2016-04-03 20:18:47\n", + " 2016-04-03 20:18:47+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " 102698\n", @@ -358,7 +378,7 @@ " \n", " \n", " 1\n", - " 2019-02-25 20:40:00\n", + " 2019-02-25 20:40:00+00:00\n", " Creation Time\n", " fs:stat\n", " 102698\n", @@ -366,7 +386,7 @@ " \n", " \n", " 2\n", - " 2019-02-25 20:40:30\n", + " 2019-02-25 20:40:30+00:00\n", " Content Modification Time\n", " fs:stat\n", " 102698\n", @@ -374,7 +394,7 @@ " \n", " \n", " 3\n", - " 2019-02-25 20:40:45\n", + " 2019-02-25 20:40:45+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " 102698\n", @@ -382,7 +402,7 @@ " \n", " \n", " 4\n", - " 2019-02-25 20:41:36\n", + " 2019-02-25 20:41:36+00:00\n", " Last Access Time\n", " fs:stat\n", " 102698\n", 
@@ -393,12 +413,12 @@ "" ], "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2016-04-03 20:18:47 Creation Time \n", - "1 2019-02-25 20:40:00 Creation Time \n", - "2 2019-02-25 20:40:30 Content Modification Time \n", - "3 2019-02-25 20:40:45 Metadata Modification Time \n", - "4 2019-02-25 20:41:36 Last Access Time \n", + " datetime timestamp_desc \\\n", + "0 2016-04-03 20:18:47+00:00 Creation Time \n", + "1 2019-02-25 20:40:00+00:00 Creation Time \n", + "2 2019-02-25 20:40:30+00:00 Content Modification Time \n", + "3 2019-02-25 20:40:45+00:00 Metadata Modification Time \n", + "4 2019-02-25 20:41:36+00:00 Last Access Time \n", "\n", " data_type inode \\\n", "0 pe:compilation:compilation_time 102698 \n", @@ -456,15 +476,18 @@ "metadata": { "id": "idzQZADYj8LF", "colab_type": "code", - "outputId": "8f4b17f0-8f5f-40d0-9267-0d4ccc6ceded", + "outputId": "da03446f-d2a3-4e12-d3fa-8bf1834f7a52", "colab": { "base_uri": "https://localhost:8080/", - "height": 731 + "height": 708 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('60725', return_fields='datetime,timestamp_desc,data_type,filename,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " '60725', \n", + " return_fields='datetime,timestamp_desc,data_type,filename,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','filename','message']]" ], "execution_count": 6, @@ -501,7 +524,7 @@ " \n", " \n", " 0\n", - " 2019-02-26 23:59:41\n", + " 2019-02-26 23:59:41+00:00\n", " Content Modification Time\n", " windows:evtx:record\n", " /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O...\n", @@ -509,7 +532,7 @@ " \n", " \n", " 1\n", - " 2019-03-13 18:16:00\n", + " 2019-03-13 18:16:00+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " energy-report-2019-02-19.xml\n", 
@@ -517,7 +540,7 @@ " \n", " \n", " 2\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", @@ -525,7 +548,7 @@ " \n", " \n", " 3\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...\n", @@ -533,7 +556,7 @@ " \n", " \n", " 4\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", @@ -541,7 +564,7 @@ " \n", " \n", " 5\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...\n", @@ -549,7 +572,7 @@ " \n", " \n", " 6\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.app.json.new\n", @@ -557,7 +580,7 @@ " \n", " \n", " 7\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.app.json.new\n", @@ -565,7 +588,7 @@ " \n", " \n", " 8\n", - " 2019-03-13 18:53:16\n", + " 2019-03-13 18:53:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.ASM-WindowsDefault.json.new\n", @@ -573,7 +596,7 @@ " \n", " \n", " 9\n", - " 2019-03-13 18:53:17\n", + " 2019-03-13 18:53:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " telemetry.ASM-WindowsDefault.json.new\n", @@ -581,7 +604,7 @@ " \n", " \n", " 10\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " TELEMETRY.ASM-WINDOWSSQ.json.new\n", 
@@ -589,7 +612,7 @@ " \n", " \n", " 11\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " TELEMETRY.ASM-WINDOWSSQ.json.new\n", @@ -597,7 +620,7 @@ " \n", " \n", " 12\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json.new\n", @@ -605,7 +628,7 @@ " \n", " \n", " 13\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json.new\n", @@ -613,7 +636,7 @@ " \n", " \n", " 14\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Creation Time\n", " fs:stat\n", " /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....\n", @@ -621,7 +644,7 @@ " \n", " \n", " 15\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json.new\n", @@ -629,7 +652,7 @@ " \n", " \n", " 16\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json\n", @@ -637,7 +660,7 @@ " \n", " \n", " 17\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Last Access Time\n", " fs:stat\n", " /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....\n", @@ -645,7 +668,7 @@ " \n", " \n", " 18\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Content Modification Time\n", " fs:stat\n", " /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....\n", @@ -653,7 +676,7 @@ " \n", " \n", " 19\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....\n", @@ -661,7 +684,7 @@ " \n", " \n", " 20\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json.new\n", 
@@ -669,7 +692,7 @@ " \n", " \n", " 21\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " utc.privacy.json\n", 
@@ -680,29 +703,29 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-02-26 23:59:41 Content Modification Time windows:evtx:record \n", - "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "14 2019-03-13 19:23:17 Creation Time fs:stat \n", - "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "17 2019-03-13 19:23:18 Last Access Time fs:stat \n", - "18 2019-03-13 19:23:18 Content Modification Time fs:stat \n", - "19 2019-03-13 19:23:18 Metadata Modification Time fs:stat \n", - "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + " datetime timestamp_desc data_type \\\n", + "0 2019-02-26 23:59:41+00:00 Content Modification Time windows:evtx:record \n", + "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + 
"3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "14 2019-03-13 19:23:17+00:00 Creation Time fs:stat \n", + "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "17 2019-03-13 19:23:18+00:00 Last Access Time fs:stat \n", + "18 2019-03-13 19:23:18+00:00 Content Modification Time fs:stat \n", + "19 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:stat \n", + "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", "\n", " filename \\\n", "0 /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O... \n", @@ -774,11 +797,11 @@ "metadata": { "id": "iPCYySiEVB6P", "colab_type": "code", + "outputId": "adcdddab-1419-4641-b7b4-96ef2e494f14", "colab": { "base_uri": "https://localhost:8080/", - "height": 199 - }, - "outputId": "2e96bed7-9f3c-4c36-d020-dd0489bdfa56" + "height": 177 + } }, "cell_type": "code", "source": [ 
@@ -828,7 +851,7 @@ " MUSCTF-2019\n", " plaso_event\n", " fs:ntfs:usn_change\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", " []\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", @@ -841,7 +864,7 @@ " MUSCTF-2019\n", " plaso_event\n", " fs:ntfs:usn_change\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", " []\n", " telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...\n", @@ -856,9 +879,9 @@ "2 AWowcLcHTGJyHzo5vZNF 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", "4 AWowcLcHTGJyHzo5vZNG 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", "\n", - " _type data_type datetime \\\n", - "2 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16 \n", - "4 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16 \n", + " _type data_type datetime \\\n", + "2 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16+00:00 \n", + "4 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16+00:00 \n", "\n", " filename label \\\n", "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... [] \n", @@ -894,11 +917,11 @@ "metadata": { "id": "7xRO5-FFV_KN", "colab_type": "code", + "outputId": "0c00d9e6-c162-4116-d176-7fd5dd2b5838", "colab": { "base_uri": "https://localhost:8080/", - "height": 34 - }, - "outputId": "9f5df5c7-4cf9-4594-fb32-11a94ecd0774" + "height": 35 + } }, "cell_type": "code", "source": [ 
@@ -936,15 +959,18 @@ "metadata": { "id": "qzemkUIAl-dX", "colab_type": "code", - "outputId": "f9597053-231c-45f5-f78b-000de17348ce", + "outputId": "4b59ee77-2750-486e-81f9-2163b5764808", "colab": { "base_uri": "https://localhost:8080/", - "height": 731 + "height": 708 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('60725', return_fields='datetime,timestamp_desc,data_type,file_reference,filename,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " '60725', \n", + " return_fields='datetime,timestamp_desc,data_type,file_reference,filename,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename','message']]" ], "execution_count": 9, @@ -982,7 +1008,7 @@ " \n", " \n", " 0\n", - " 2019-02-26 23:59:41\n", + " 2019-02-26 23:59:41+00:00\n", " Content Modification Time\n", " windows:evtx:record\n", " NaN\n", @@ -991,7 +1017,7 @@ " \n", " \n", " 1\n", - " 2019-03-13 18:16:00\n", + " 2019-03-13 18:16:00+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 2.533275e+15\n", @@ -1000,7 +1026,7 @@ " \n", " \n", " 2\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 2.814750e+15\n", @@ -1009,7 +1035,7 @@ " \n", " \n", " 3\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.096225e+15\n", @@ -1018,7 +1044,7 @@ " \n", " \n", " 4\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 2.814750e+15\n", @@ -1027,7 +1053,7 @@ " \n", " \n", " 5\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.096225e+15\n", 
@@ -1036,7 +1062,7 @@ " \n", " \n", " 6\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.377700e+15\n", @@ -1045,7 +1071,7 @@ " \n", " \n", " 7\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.377700e+15\n", @@ -1054,7 +1080,7 @@ " \n", " \n", " 8\n", - " 2019-03-13 18:53:16\n", + " 2019-03-13 18:53:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.659175e+15\n", @@ -1063,7 +1089,7 @@ " \n", " \n", " 9\n", - " 2019-03-13 18:53:17\n", + " 2019-03-13 18:53:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.659175e+15\n", @@ -1072,7 +1098,7 @@ " \n", " \n", " 10\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.940650e+15\n", @@ -1081,7 +1107,7 @@ " \n", " \n", " 11\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 3.940650e+15\n", @@ -1090,7 +1116,7 @@ " \n", " \n", " 12\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", @@ -1099,7 +1125,7 @@ " \n", " \n", " 13\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", @@ -1108,7 +1134,7 @@ " \n", " \n", " 14\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Creation Time\n", " fs:stat\n", " NaN\n", @@ -1117,7 +1143,7 @@ " \n", " \n", " 15\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", @@ -1126,7 +1152,7 @@ " \n", " \n", " 16\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", 
@@ -1135,7 +1161,7 @@ " \n", " \n", " 17\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Last Access Time\n", " fs:stat\n", " NaN\n", @@ -1144,7 +1170,7 @@ " \n", " \n", " 18\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Content Modification Time\n", " fs:stat\n", " NaN\n", @@ -1153,7 +1179,7 @@ " \n", " \n", " 19\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " NaN\n", @@ -1162,7 +1188,7 @@ " \n", " \n", " 20\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", @@ -1171,7 +1197,7 @@ " \n", " \n", " 21\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 4.222125e+15\n", 
@@ -1183,29 +1209,29 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-02-26 23:59:41 Content Modification Time windows:evtx:record \n", - "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "14 2019-03-13 19:23:17 Creation Time fs:stat \n", - "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "17 2019-03-13 19:23:18 Last Access Time fs:stat \n", - "18 2019-03-13 19:23:18 Content Modification Time fs:stat \n", - "19 2019-03-13 19:23:18 Metadata Modification Time fs:stat \n", - "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + " datetime timestamp_desc data_type \\\n", + "0 2019-02-26 23:59:41+00:00 Content Modification Time windows:evtx:record \n", + "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + 
"3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "14 2019-03-13 19:23:17+00:00 Creation Time fs:stat \n", + "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "17 2019-03-13 19:23:18+00:00 Last Access Time fs:stat \n", + "18 2019-03-13 19:23:18+00:00 Content Modification Time fs:stat \n", + "19 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:stat \n", + "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", "\n", " file_reference \\\n", "0 NaN \n", 
@@ -1301,20 +1327,24 @@ "metadata": { "id": "qM4QlMgqmQRk", "colab_type": "code", - "outputId": "13d5eb34-e618-43d4-eceb-a0103afe821b", + "outputId": "1f7f6f47-dd61-48d5-94a4-d8abe8f122c6", "colab": { "base_uri": "https://localhost:8080/", - "height": 576 + "height": 558 } }, "cell_type": "code", "source": [ - "# Drop any rows with NaN, since they aren't what we're looking for and will break the below function.\n", + "# Drop any rows with NaN, since they aren't what we're looking for and will \n", + "# break the below function.\n", "ts_results = ts_results.dropna()\n", "pd.options.display.max_colwidth = 110\n", "\n", - "# Replace the file_reference hex value with the human-readable MFT-Seq version. This is basically what Plaso does to display the result in the 'message' string we searched for. \n", - "ts_results['file_reference'] = ts_results['file_reference'].map(lambda x: '{0:d}-{1:d}'.format(int(x) & 0xffffffffffff, int(x) >> 48))\n", + "# Replace the file_reference hex value with the human-readable MFT-Seq version. \n", + "# This is basically what Plaso does to display the result in the 'message' \n", + "# string we searched for. \n", + "ts_results['file_reference'] = ts_results['file_reference'].map(\n", + " lambda x: '{0:d}-{1:d}'.format(int(x) & 0xffffffffffff, int(x) >> 48))\n", "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename']]" ], "execution_count": 10, @@ -1351,7 +1381,7 @@ " \n", " \n", " 1\n", - " 2019-03-13 18:16:00\n", + " 2019-03-13 18:16:00+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-9\n", @@ -1359,7 +1389,7 @@ " \n", " \n", " 2\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-10\n", @@ -1367,7 +1397,7 @@ " \n", " \n", " 3\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-11\n", 
@@ -1375,7 +1405,7 @@ " \n", " \n", " 4\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-10\n", @@ -1383,7 +1413,7 @@ " \n", " \n", " 5\n", - " 2019-03-13 18:23:16\n", + " 2019-03-13 18:23:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-11\n", @@ -1391,7 +1421,7 @@ " \n", " \n", " 6\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-12\n", @@ -1399,7 +1429,7 @@ " \n", " \n", " 7\n", - " 2019-03-13 18:38:16\n", + " 2019-03-13 18:38:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-12\n", @@ -1407,7 +1437,7 @@ " \n", " \n", " 8\n", - " 2019-03-13 18:53:16\n", + " 2019-03-13 18:53:16+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-13\n", @@ -1415,7 +1445,7 @@ " \n", " \n", " 9\n", - " 2019-03-13 18:53:17\n", + " 2019-03-13 18:53:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-13\n", @@ -1423,7 +1453,7 @@ " \n", " \n", " 10\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-14\n", @@ -1431,7 +1461,7 @@ " \n", " \n", " 11\n", - " 2019-03-13 19:08:17\n", + " 2019-03-13 19:08:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-14\n", @@ -1439,7 +1469,7 @@ " \n", " \n", " 12\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", @@ -1447,7 +1477,7 @@ " \n", " \n", " 13\n", - " 2019-03-13 19:23:17\n", + " 2019-03-13 19:23:17+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", @@ -1455,7 +1485,7 @@ " \n", " \n", " 15\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", 
@@ -1463,7 +1493,7 @@ " \n", " \n", " 16\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", @@ -1471,7 +1501,7 @@ " \n", " \n", " 20\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", @@ -1479,7 +1509,7 @@ " \n", " \n", " 21\n", - " 2019-03-13 19:23:18\n", + " 2019-03-13 19:23:18+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 60725-15\n", 
@@ -1490,24 +1520,24 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "1 2019-03-13 18:16:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17 Metadata Modification Time fs:ntfs:usn_change \n", - "15 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "20 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18 Metadata Modification Time fs:ntfs:usn_change \n", + " datetime timestamp_desc data_type \\\n", + "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "7 2019-03-13 18:38:16+00:00 Metadata Modification Time 
fs:ntfs:usn_change \n", + "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", + "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", "\n", " file_reference \\\n", "1 60725-9 \n", @@ -1589,15 +1619,18 @@ "metadata": { "id": "lPObip1NrOtn", "colab_type": "code", - "outputId": "721491c7-fc02-4bb8-ba32-ba5f91e9a527", + "outputId": "9eef9344-be16-4dd8-e6bf-549029a4699b", "colab": { "base_uri": "https://localhost:8080/", - "height": 80 + "height": 78 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('update_sequence_number:546416480', return_fields='datetime,timestamp_desc,data_type,update_sequence_number,filename', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'update_sequence_number:546416480', \n", + " return_fields='datetime,timestamp_desc,data_type,update_sequence_number,filename', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','update_sequence_number','filename']]" ], "execution_count": 11, @@ -1634,7 +1667,7 @@ " \n", " \n", " 0\n", - " 2019-03-16 20:05:37\n", + " 2019-03-16 20:05:37+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 546416480\n", 
@@ -1645,8 +1678,8 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-03-16 20:05:37 Metadata Modification Time fs:ntfs:usn_change \n", + " datetime timestamp_desc data_type \\\n", + "0 2019-03-16 20:05:37+00:00 Metadata Modification Time fs:ntfs:usn_change \n", "\n", " update_sequence_number filename \n", "0 546416480 TransportSecurity~RF134e6674.TMP " @@ -1683,15 +1716,18 @@ "metadata": { "id": "lvxp9ltq0plT", "colab_type": "code", - "outputId": "74383d41-9124-4c64-98eb-4ea036fe42b0", + "outputId": "d8540630-c61c-427f-d6b6-1d20a1187e2d", "colab": { "base_uri": "https://localhost:8080/", - "height": 669 + "height": 648 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('FTK Imager.exe', return_fields='datetime,timestamp_desc,data_type,inode,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'FTK Imager.exe', \n", + " return_fields='datetime,timestamp_desc,data_type,inode,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','inode','message']]" ], "execution_count": 12, @@ -1728,7 +1764,7 @@ " \n", " \n", " 0\n", - " 2012-08-23 20:54:54\n", + " 2012-08-23 20:54:54+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " 99916\n", @@ -1736,7 +1772,7 @@ " \n", " \n", " 1\n", - " 2016-04-13 22:33:42\n", + " 2016-04-13 22:33:42+00:00\n", " Content Modification Time\n", " fs:stat\n", " 99916\n", @@ -1744,7 +1780,7 @@ " \n", " \n", " 2\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " 977\n", @@ -1752,7 +1788,7 @@ " \n", " \n", " 3\n", - " 2019-03-20 13:42:25\n", + " 2019-03-20 13:42:25+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " 99916\n", @@ -1760,7 +1796,7 @@ " \n", " \n", " 4\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", 
@@ -1768,7 +1804,7 @@ " \n", " \n", " 5\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1776,7 +1812,7 @@ " \n", " \n", " 6\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Last Access Time\n", " fs:stat\n", " 99916\n", @@ -1784,7 +1820,7 @@ " \n", " \n", " 7\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Creation Time\n", " fs:stat\n", " 99916\n", @@ -1792,7 +1828,7 @@ " \n", " \n", " 8\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1800,7 +1836,7 @@ " \n", " \n", " 9\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1808,7 +1844,7 @@ " \n", " \n", " 10\n", - " 2019-03-20 21:26:49\n", + " 2019-03-20 21:26:49+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1816,7 +1852,7 @@ " \n", " \n", " 11\n", - " 2019-03-20 21:27:02\n", + " 2019-03-20 21:27:02+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " 977\n", @@ -1824,7 +1860,7 @@ " \n", " \n", " 12\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1832,7 +1868,7 @@ " \n", " \n", " 13\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Creation Time\n", " fs:stat\n", " 977\n", @@ -1840,7 +1876,7 @@ " \n", " \n", " 14\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Last Access Time\n", " fs:stat\n", " 977\n", @@ -1848,7 +1884,7 @@ " \n", " \n", " 15\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", 
@@ -1856,7 +1892,7 @@ " \n", " \n", " 16\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Metadata Modification Time\n", " fs:ntfs:usn_change\n", " 83366\n", @@ -1864,7 +1900,7 @@ " \n", " \n", " 17\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " 977\n", @@ -1872,7 +1908,7 @@ " \n", " \n", " 18\n", - " 2019-03-20 21:27:12\n", + " 2019-03-20 21:27:12+00:00\n", " Content Modification Time\n", " fs:stat\n", " 977\n", @@ -1880,7 +1916,7 @@ " \n", " \n", " 19\n", - " 2019-03-20 21:28:47\n", + " 2019-03-20 21:28:47+00:00\n", " Content Modification Time\n", " windows:evtx:record\n", " 83669\n", 
@@ -1891,27 +1927,27 @@ "" ], "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2012-08-23 20:54:54 Creation Time \n", - "1 2016-04-13 22:33:42 Content Modification Time \n", - "2 2018-07-28 08:21:07 Creation Time \n", - "3 2019-03-20 13:42:25 Metadata Modification Time \n", - "4 2019-03-20 21:26:49 Metadata Modification Time \n", - "5 2019-03-20 21:26:49 Metadata Modification Time \n", - "6 2019-03-20 21:26:49 Last Access Time \n", - "7 2019-03-20 21:26:49 Creation Time \n", - "8 2019-03-20 21:26:49 Metadata Modification Time \n", - "9 2019-03-20 21:26:49 Metadata Modification Time \n", - "10 2019-03-20 21:26:49 Metadata Modification Time \n", - "11 2019-03-20 21:27:02 Last Time Executed \n", - "12 2019-03-20 21:27:12 Metadata Modification Time \n", - "13 2019-03-20 21:27:12 Creation Time \n", - "14 2019-03-20 21:27:12 Last Access Time \n", - "15 2019-03-20 21:27:12 Metadata Modification Time \n", - "16 2019-03-20 21:27:12 Metadata Modification Time \n", - "17 2019-03-20 21:27:12 Metadata Modification Time \n", - "18 2019-03-20 21:27:12 Content Modification Time \n", - "19 2019-03-20 21:28:47 Content Modification Time \n", + " datetime timestamp_desc \\\n", + "0 2012-08-23 20:54:54+00:00 Creation Time \n", + "1 2016-04-13 22:33:42+00:00 Content Modification Time \n", + "2 2018-07-28 08:21:07+00:00 Creation Time \n", + "3 2019-03-20 13:42:25+00:00 Metadata Modification Time \n", + "4 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", + "5 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", + "6 2019-03-20 21:26:49+00:00 Last Access Time \n", + "7 2019-03-20 21:26:49+00:00 Creation Time \n", + "8 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", + "9 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", + "10 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", + "11 2019-03-20 21:27:02+00:00 Last Time Executed \n", + "12 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", + "13 2019-03-20 21:27:12+00:00 Creation Time \n", + 
"14 2019-03-20 21:27:12+00:00 Last Access Time \n", + "15 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", + "16 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", + "17 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", + "18 2019-03-20 21:27:12+00:00 Content Modification Time \n", + "19 2019-03-20 21:28:47+00:00 Content Modification Time \n", "\n", " data_type inode \\\n", "0 pe:compilation:compilation_time 99916 \n", @@ -2001,15 +2037,18 @@ "metadata": { "id": "1gt8_VMxsQ77", "colab_type": "code", - "outputId": "c817d874-1716-452e-985f-e5ede6646ce4", + "outputId": "79526ff9-8c73-46a9-f38d-02400fe75226", "colab": { "base_uri": "https://localhost:8080/", - "height": 1969 + "height": 1907 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:volume:creation\"', return_fields='datetime,timestamp_desc,data_type,device_path,hostname,serial_number,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:volume:creation\"', \n", + " return_fields='datetime,timestamp_desc,data_type,device_path,hostname,serial_number,message', \n", + " as_pandas=True)\n", "pd.options.display.max_colwidth = 70\n", "ts_results[['datetime','timestamp_desc','data_type','device_path','hostname','serial_number','message']]" ], @@ -2049,7 +2088,7 @@ " \n", " \n", " 0\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2059,7 +2098,7 @@ " \n", " \n", " 1\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2069,7 +2108,7 @@ " \n", " \n", " 2\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2079,7 +2118,7 @@ " \n", " \n", " 3\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2089,7 +2128,7 @@ " \n", " \n", " 4\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2099,7 +2138,7 @@ " \n", " \n", " 5\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2109,7 +2148,7 @@ " \n", " \n", " 6\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2119,7 +2158,7 @@ " \n", " \n", " 7\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2129,7 +2168,7 @@ " \n", " \n", " 8\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2139,7 +2178,7 @@ " \n", " \n", " 9\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2149,7 +2188,7 @@ " \n", " \n", " 10\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2159,7 +2198,7 @@ " \n", " \n", " 11\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2169,7 +2208,7 @@ " \n", " \n", " 12\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2179,7 +2218,7 @@ " \n", " \n", " 13\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2189,7 +2228,7 @@ " \n", " \n", " 14\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2199,7 +2238,7 @@ " \n", " \n", " 15\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2209,7 +2248,7 @@ " \n", " \n", " 16\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2219,7 +2258,7 @@ " \n", " \n", " 17\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2229,7 +2268,7 @@ " \n", " \n", " 18\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2239,7 +2278,7 @@ " \n", " \n", " 19\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2249,7 +2288,7 @@ " \n", " \n", " 20\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2259,7 +2298,7 @@ " \n", " \n", " 21\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2269,7 +2308,7 @@ " \n", " \n", " 22\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2279,7 +2318,7 @@ " \n", " \n", " 23\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2289,7 +2328,7 @@ " \n", " \n", " 24\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2299,7 +2338,7 @@ " \n", " \n", " 25\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2309,7 +2348,7 @@ " \n", " \n", " 26\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2319,7 +2358,7 @@ " \n", " \n", " 27\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2329,7 +2368,7 @@ " \n", " \n", " 28\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2339,7 +2378,7 @@ " \n", " \n", " 29\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2359,7 +2398,7 @@ " \n", " \n", " 180\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2369,7 +2408,7 @@ " \n", " \n", " 181\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2379,7 +2418,7 @@ " \n", " \n", " 182\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2389,7 +2428,7 @@ " \n", " \n", " 183\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2399,7 +2438,7 @@ " \n", " \n", " 184\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2409,7 +2448,7 @@ " \n", " \n", " 185\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2419,7 +2458,7 @@ " \n", " \n", " 186\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2429,7 +2468,7 @@ " \n", " \n", " 187\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2439,7 +2478,7 @@ " \n", " \n", " 188\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2449,7 +2488,7 @@ " \n", " \n", " 189\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2459,7 +2498,7 @@ " \n", " \n", " 190\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2469,7 +2508,7 @@ " \n", " \n", " 191\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2479,7 +2518,7 @@ " \n", " \n", " 192\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2489,7 +2528,7 @@ " \n", " \n", " 193\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2499,7 +2538,7 @@ " \n", " \n", " 194\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2509,7 +2548,7 @@ " \n", " \n", " 195\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2519,7 +2558,7 @@ " \n", " \n", " 196\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2529,7 +2568,7 @@ " \n", " \n", " 197\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2539,7 +2578,7 @@ " \n", " \n", " 198\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2549,7 +2588,7 @@ " \n", " \n", " 199\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2559,7 +2598,7 @@ " \n", " \n", " 200\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2569,7 +2608,7 @@ " \n", " \n", " 201\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2579,7 +2618,7 @@ " \n", " \n", " 202\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2589,7 +2628,7 @@ " \n", " \n", " 203\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2599,7 +2638,7 @@ " \n", " \n", " 204\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2609,7 +2648,7 @@ " \n", " \n", " 205\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2619,7 +2658,7 @@ " \n", " \n", " 206\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2629,7 +2668,7 @@ " \n", " \n", " 207\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2639,7 +2678,7 @@ " \n", " \n", " 208\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", @@ -2649,7 +2688,7 @@ " \n", " \n", " 209\n", - " 2018-07-28 08:21:07\n", + " 2018-07-28 08:21:07+00:00\n", " Creation Time\n", " windows:volume:creation\n", " \\VOLUME{01d4264bee777579-ccee841b}\n", 
@@ -2663,68 +2702,68 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "1 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "2 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "3 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "4 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "5 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "6 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "7 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "8 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "9 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "10 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "11 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "12 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "13 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "14 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "15 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "16 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "17 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "18 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "19 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "20 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "21 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "22 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "23 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "24 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "25 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "26 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "27 2018-07-28 08:21:07 Creation Time 
windows:volume:creation \n", - "28 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "29 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - ".. ... ... ... \n", - "180 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "181 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "182 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "183 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "184 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "185 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "186 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "187 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "188 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "189 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "190 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "191 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "192 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "193 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "194 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "195 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "196 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "197 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "198 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "199 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "200 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "201 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "202 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "203 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "204 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "205 2018-07-28 08:21:07 Creation Time 
windows:volume:creation \n", - "206 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "207 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "208 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", - "209 2018-07-28 08:21:07 Creation Time windows:volume:creation \n", + " datetime timestamp_desc data_type \\\n", + "0 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "1 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "2 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "3 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "4 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "5 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "6 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "7 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "8 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "9 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "10 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "11 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "12 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "13 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "14 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "15 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "16 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "17 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "18 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "19 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "20 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "21 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "22 
2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "23 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "24 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "25 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "26 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "27 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "28 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "29 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + ".. ... ... ... \n", + "180 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "181 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "182 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "183 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "184 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "185 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "186 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "187 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "188 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "189 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "190 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "191 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "192 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "193 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "194 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "195 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "196 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "197 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "198 
2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "199 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "200 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "201 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "202 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "203 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "204 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "205 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "206 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "207 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "208 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", + "209 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", "\n", " device_path hostname serial_number \\\n", "0 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", @@ -2878,10 +2917,10 @@ "metadata": { "id": "CVcrtsTfvF6T", "colab_type": "code", - "outputId": "51d406f9-ff62-420d-dc6b-6654f8d6e7f3", + "outputId": "9fcf423c-f458-4cbc-ac04-99bca2db5dae", "colab": { "base_uri": "https://localhost:8080/", - "height": 34 + "height": 35 } }, "cell_type": "code", @@ -2939,15 +2978,18 @@ "metadata": { "id": "Hs2NyOf0IUS2", "colab_type": "code", - "outputId": "e540c985-e056-460d-918a-fd572378c5e8", + "outputId": "aac1659f-9b7a-4b0b-855c-ec2791c9806c", "colab": { "base_uri": "https://localhost:8080/", - "height": 1969 + "height": 1907 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('TeamViewer', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'TeamViewer', \n", + " return_fields='datetime,timestamp_desc,data_type,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], "execution_count": 15, 
@@ -2983,210 +3025,210 @@ " \n", " \n", " 0\n", - " 1970-01-01 00:00:00\n", + " 1970-01-01 00:00:00+00:00\n", " Last Time Executed\n", " windows:registry:userassist\n", " [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explo...\n", " \n", " \n", " 1\n", - " 2007-12-13 09:22:09\n", + " 2007-12-13 09:22:09+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " PE Type: Driver (SYS) Import hash: fcbe966aa9c0053fe3d2d7f07dbdd41d\n", " \n", " \n", " 2\n", - " 2016-04-03 20:18:56\n", + " 2016-04-03 20:18:56+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " PE Type: Executable (EXE) Import hash: 4ea4df5d94204fc550be1874e1b...\n", " \n", " \n", " 3\n", - " 2016-04-03 20:19:02\n", + " 2016-04-03 20:19:02+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " PE Type: Executable (EXE) Import hash: e2a592076b17ef8bfb48b7e0396...\n", " \n", " \n", " 4\n", - " 2017-05-12 08:54:01\n", + " 2017-05-12 08:54:01+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " PE Type: Driver (SYS) Import hash: bd2fee8a544a1c6656edb847a80a08c5\n", " \n", " \n", " 5\n", - " 2018-04-11 23:38:22\n", + " 2018-04-11 23:38:22+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...\n", " \n", " \n", " 6\n", - " 2018-04-11 23:38:22\n", + " 2018-04-11 23:38:22+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...\n", " \n", " \n", " 7\n", - " 2018-06-13 07:24:30\n", + " 2018-06-13 07:24:30+00:00\n", " Creation Time\n", " pe:compilation:compilation_time\n", " PE Type: Dynamic Link Library (DLL) Import hash: 0d898c31e89da04c1...\n", " \n", " \n", " 8\n", - " 2018-10-17 12:41:49\n", + " 2018-10-17 12:41:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/License.txt Type: file\n", " \n", " \n", " 9\n", - " 2018-10-17 
12:41:49\n", + " 2018-10-17 12:41:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/CopyRights.txt Type: file\n", " \n", " \n", " 10\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.cat Type: file\n", " \n", " \n", " 11\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.inf Type: file\n", " \n", " \n", " 12\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...\n", " \n", " \n", " 13\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...\n", " \n", " \n", " 14\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/teamviewer_xpsdriverfi...\n", " \n", " \n", " 15\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.sy_ Type: file\n", " \n", " \n", " 16\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.inf Type: file\n", " \n", " \n", " 17\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.sy_ Type: file\n", " \n", " \n", " 18\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files 
(x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...\n", " \n", " \n", " 19\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...\n", " \n", " \n", " 20\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.cat Type: file\n", " \n", " \n", " 21\n", - " 2018-10-17 12:45:49\n", + " 2018-10-17 12:45:49+00:00\n", " Content Modification Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/x64/TeamViewer_XPSDriv...\n", " \n", " \n", " 22\n", - " 2019-01-15 20:13:48\n", + " 2019-01-15 20:13:48+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...\n", " \n", " \n", " 23\n", - " 2019-01-15 20:15:41\n", + " 2019-01-15 20:15:41+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...\n", " \n", " \n", " 24\n", - " 2019-01-16 15:40:57\n", + " 2019-01-16 15:40:57+00:00\n", " Content Modification Time\n", " windows:lnk:link\n", " [Empty description] File size: 47153304 File attribute flags: 0x00...\n", " \n", " \n", " 25\n", - " 2019-01-16 15:40:57\n", + " 2019-01-16 15:40:57+00:00\n", " Content Modification Time\n", " windows:lnk:link\n", " [Empty description] File size: 47153304 File attribute flags: 0x00...\n", " \n", " \n", " 26\n", - " 2019-01-16 15:40:57\n", + " 2019-01-16 15:40:57+00:00\n", " Content Modification Time\n", " windows:lnk:link\n", " [Empty description] File size: 47153304 File attribute flags: 0x00...\n", " \n", " \n", " 27\n", - " 2019-01-16 15:40:58\n", + " 2019-01-16 15:40:58+00:00\n", " Content Modification Time\n", " windows:shell_item:file_entry\n", " Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: 
...\n", " \n", " \n", " 28\n", - " 2019-01-16 15:40:58\n", + " 2019-01-16 15:40:58+00:00\n", " Content Modification Time\n", " windows:shell_item:file_entry\n", " Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...\n", " \n", " \n", " 29\n", - " 2019-01-16 15:40:58\n", + " 2019-01-16 15:40:58+00:00\n", " Content Modification Time\n", " windows:shell_item:file_entry\n", " Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...\n", 
@@ -3200,210 +3242,210 @@ " \n", " \n", " 636\n", - " 2019-03-20 21:04:58\n", + " 2019-03-20 21:04:58+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file\n", " \n", " \n", " 637\n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file\n", " \n", " \n", " 638\n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...\n", " \n", " \n", " 639\n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...\n", " \n", " \n", " 640\n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...\n", " \n", " \n", " 641\n", - " 2019-03-20 21:05:00\n", + " 2019-03-20 21:05:00+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...\n", " \n", " \n", " 642\n", - " 2019-03-20 21:05:00\n", + " 2019-03-20 21:05:00+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...\n", " \n", " \n", " 643\n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...\n", " \n", " \n", " 644\n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...\n", " \n", " \n", " 645\n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll 
Typ...\n", " \n", " \n", " 646\n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...\n", " \n", " \n", " 647\n", - " 2019-03-20 21:05:02\n", + " 2019-03-20 21:05:02+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...\n", " \n", " \n", " 648\n", - " 2019-03-20 21:05:02\n", + " 2019-03-20 21:05:02+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...\n", " \n", " \n", " 649\n", - " 2019-03-20 21:05:19\n", + " 2019-03-20 21:05:19+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...\n", " \n", " \n", " 650\n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/x64 Type: directory\n", " \n", " \n", " 651\n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer Type: directory\n", " \n", " \n", " 652\n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory\n", " \n", " \n", " 653\n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " TSK:/Program Files (x86)/TeamViewer/outlook Type: directory\n", " \n", " \n", " 654\n", - " 2019-03-20 21:05:24\n", + " 2019-03-20 21:05:24+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...\n", " \n", " \n", " 655\n", - " 2019-03-20 21:05:43\n", + " 2019-03-20 21:05:43+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " 
[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...\n", " \n", " \n", " 656\n", - " 2019-03-20 21:05:59\n", + " 2019-03-20 21:05:59+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", " 657\n", - " 2019-03-20 21:06:00\n", + " 2019-03-20 21:06:00+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...\n", " \n", " \n", " 658\n", - " 2019-03-20 21:08:32\n", + " 2019-03-20 21:08:32+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", " 659\n", - " 2019-03-20 21:10:56\n", + " 2019-03-20 21:10:56+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", " 660\n", - " 2019-03-20 21:15:21\n", + " 2019-03-20 21:15:21+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", " 661\n", - " 2019-03-20 21:15:28\n", + " 2019-03-20 21:15:28+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", " 662\n", - " 2019-03-20 21:15:36\n", + " 2019-03-20 21:15:36+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", " 663\n", - " 2019-03-20 21:15:59\n", + " 2019-03-20 21:15:59+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", " 664\n", - " 2019-03-20 21:16:00\n", + " 2019-03-20 21:16:00+00:00\n", " Last 
Time Executed\n", " windows:prefetch:execution\n", " Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...\n", " \n", " \n", " 665\n", - " 2019-03-20 21:26:28\n", + " 2019-03-20 21:26:28+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\...\n", 
@@ -3414,68 +3456,68 @@ "" ], "text/plain": [ - " datetime timestamp_desc \\\n", - "0 1970-01-01 00:00:00 Last Time Executed \n", - "1 2007-12-13 09:22:09 Creation Time \n", - "2 2016-04-03 20:18:56 Creation Time \n", - "3 2016-04-03 20:19:02 Creation Time \n", - "4 2017-05-12 08:54:01 Creation Time \n", - "5 2018-04-11 23:38:22 Creation Time \n", - "6 2018-04-11 23:38:22 Creation Time \n", - "7 2018-06-13 07:24:30 Creation Time \n", - "8 2018-10-17 12:41:49 Content Modification Time \n", - "9 2018-10-17 12:41:49 Content Modification Time \n", - "10 2018-10-17 12:45:49 Content Modification Time \n", - "11 2018-10-17 12:45:49 Content Modification Time \n", - "12 2018-10-17 12:45:49 Content Modification Time \n", - "13 2018-10-17 12:45:49 Content Modification Time \n", - "14 2018-10-17 12:45:49 Content Modification Time \n", - "15 2018-10-17 12:45:49 Content Modification Time \n", - "16 2018-10-17 12:45:49 Content Modification Time \n", - "17 2018-10-17 12:45:49 Content Modification Time \n", - "18 2018-10-17 12:45:49 Content Modification Time \n", - "19 2018-10-17 12:45:49 Content Modification Time \n", - "20 2018-10-17 12:45:49 Content Modification Time \n", - "21 2018-10-17 12:45:49 Content Modification Time \n", - "22 2019-01-15 20:13:48 Previous Last Time Executed \n", - "23 2019-01-15 20:15:41 Previous Last Time Executed \n", - "24 2019-01-16 15:40:57 Content Modification Time \n", - "25 2019-01-16 15:40:57 Content Modification Time \n", - "26 2019-01-16 15:40:57 Content Modification Time \n", - "27 2019-01-16 15:40:58 Content Modification Time \n", - "28 2019-01-16 15:40:58 Content Modification Time \n", - "29 2019-01-16 15:40:58 Content Modification Time \n", - ".. ... ... 
\n", - "636 2019-03-20 21:04:58 Last Access Time \n", - "637 2019-03-20 21:04:59 Last Access Time \n", - "638 2019-03-20 21:04:59 Last Access Time \n", - "639 2019-03-20 21:04:59 Last Access Time \n", - "640 2019-03-20 21:04:59 Last Access Time \n", - "641 2019-03-20 21:05:00 Last Access Time \n", - "642 2019-03-20 21:05:00 Last Access Time \n", - "643 2019-03-20 21:05:01 Last Access Time \n", - "644 2019-03-20 21:05:01 Last Access Time \n", - "645 2019-03-20 21:05:01 Last Access Time \n", - "646 2019-03-20 21:05:01 Last Access Time \n", - "647 2019-03-20 21:05:02 Last Access Time \n", - "648 2019-03-20 21:05:02 Last Access Time \n", - "649 2019-03-20 21:05:19 Content Modification Time \n", - "650 2019-03-20 21:05:20 Last Access Time \n", - "651 2019-03-20 21:05:20 Last Access Time \n", - "652 2019-03-20 21:05:20 Last Access Time \n", - "653 2019-03-20 21:05:20 Last Access Time \n", - "654 2019-03-20 21:05:24 Last Time Executed \n", - "655 2019-03-20 21:05:43 Content Modification Time \n", - "656 2019-03-20 21:05:59 Previous Last Time Executed \n", - "657 2019-03-20 21:06:00 Previous Last Time Executed \n", - "658 2019-03-20 21:08:32 Previous Last Time Executed \n", - "659 2019-03-20 21:10:56 Previous Last Time Executed \n", - "660 2019-03-20 21:15:21 Previous Last Time Executed \n", - "661 2019-03-20 21:15:28 Previous Last Time Executed \n", - "662 2019-03-20 21:15:36 Last Time Executed \n", - "663 2019-03-20 21:15:59 Last Time Executed \n", - "664 2019-03-20 21:16:00 Last Time Executed \n", - "665 2019-03-20 21:26:28 Last Time Executed \n", + " datetime timestamp_desc \\\n", + "0 1970-01-01 00:00:00+00:00 Last Time Executed \n", + "1 2007-12-13 09:22:09+00:00 Creation Time \n", + "2 2016-04-03 20:18:56+00:00 Creation Time \n", + "3 2016-04-03 20:19:02+00:00 Creation Time \n", + "4 2017-05-12 08:54:01+00:00 Creation Time \n", + "5 2018-04-11 23:38:22+00:00 Creation Time \n", + "6 2018-04-11 23:38:22+00:00 Creation Time \n", + "7 2018-06-13 07:24:30+00:00 Creation 
Time \n", + "8 2018-10-17 12:41:49+00:00 Content Modification Time \n", + "9 2018-10-17 12:41:49+00:00 Content Modification Time \n", + "10 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "11 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "12 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "13 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "14 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "15 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "16 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "17 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "18 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "19 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "20 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "21 2018-10-17 12:45:49+00:00 Content Modification Time \n", + "22 2019-01-15 20:13:48+00:00 Previous Last Time Executed \n", + "23 2019-01-15 20:15:41+00:00 Previous Last Time Executed \n", + "24 2019-01-16 15:40:57+00:00 Content Modification Time \n", + "25 2019-01-16 15:40:57+00:00 Content Modification Time \n", + "26 2019-01-16 15:40:57+00:00 Content Modification Time \n", + "27 2019-01-16 15:40:58+00:00 Content Modification Time \n", + "28 2019-01-16 15:40:58+00:00 Content Modification Time \n", + "29 2019-01-16 15:40:58+00:00 Content Modification Time \n", + ".. ... ... 
\n", + "636 2019-03-20 21:04:58+00:00 Last Access Time \n", + "637 2019-03-20 21:04:59+00:00 Last Access Time \n", + "638 2019-03-20 21:04:59+00:00 Last Access Time \n", + "639 2019-03-20 21:04:59+00:00 Last Access Time \n", + "640 2019-03-20 21:04:59+00:00 Last Access Time \n", + "641 2019-03-20 21:05:00+00:00 Last Access Time \n", + "642 2019-03-20 21:05:00+00:00 Last Access Time \n", + "643 2019-03-20 21:05:01+00:00 Last Access Time \n", + "644 2019-03-20 21:05:01+00:00 Last Access Time \n", + "645 2019-03-20 21:05:01+00:00 Last Access Time \n", + "646 2019-03-20 21:05:01+00:00 Last Access Time \n", + "647 2019-03-20 21:05:02+00:00 Last Access Time \n", + "648 2019-03-20 21:05:02+00:00 Last Access Time \n", + "649 2019-03-20 21:05:19+00:00 Content Modification Time \n", + "650 2019-03-20 21:05:20+00:00 Last Access Time \n", + "651 2019-03-20 21:05:20+00:00 Last Access Time \n", + "652 2019-03-20 21:05:20+00:00 Last Access Time \n", + "653 2019-03-20 21:05:20+00:00 Last Access Time \n", + "654 2019-03-20 21:05:24+00:00 Last Time Executed \n", + "655 2019-03-20 21:05:43+00:00 Content Modification Time \n", + "656 2019-03-20 21:05:59+00:00 Previous Last Time Executed \n", + "657 2019-03-20 21:06:00+00:00 Previous Last Time Executed \n", + "658 2019-03-20 21:08:32+00:00 Previous Last Time Executed \n", + "659 2019-03-20 21:10:56+00:00 Previous Last Time Executed \n", + "660 2019-03-20 21:15:21+00:00 Previous Last Time Executed \n", + "661 2019-03-20 21:15:28+00:00 Previous Last Time Executed \n", + "662 2019-03-20 21:15:36+00:00 Last Time Executed \n", + "663 2019-03-20 21:15:59+00:00 Last Time Executed \n", + "664 2019-03-20 21:16:00+00:00 Last Time Executed \n", + "665 2019-03-20 21:26:28+00:00 Last Time Executed \n", "\n", " data_type \\\n", "0 windows:registry:userassist \n", 
@@ -3641,10 +3683,10 @@ "metadata": { "id": "fxJN_YxSScJu", "colab_type": "code", - "outputId": "eaac39ec-d30c-4879-c08e-2a178b8c39cb", + "outputId": "a165a854-993f-47f9-ac7d-9d41d1caa63d", "colab": { "base_uri": "https://localhost:8080/", - "height": 311 + "height": 346 } }, "cell_type": "code", @@ -3654,11 +3696,19 @@ ], "execution_count": 16, "outputs": [ + { + "output_type": "stream", + "text": [ + "/usr/local/lib/python2.7/dist-packages/pandas/core/arrays/datetimes.py:1172: UserWarning: Converting to PeriodArray/Index representation will drop timezone information.\n", + " \"will drop timezone information.\", UserWarning)\n" + ], + "name": "stderr" + }, { "output_type": "execute_result", "data": { "text/plain": [ - "" + "" ] }, "metadata": { 
@@ -3669,7 +3719,7 @@ { "output_type": "display_data", "data": { - "image/png": "iVBORw0KGgoAAAANSUhEUgAAAXsAAAEVCAYAAAABwEUhAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz\nAAALEgAACxIB0t1+/AAAADl0RVh0U29mdHdhcmUAbWF0cGxvdGxpYiB2ZXJzaW9uIDIuMi40LCBo\ndHRwOi8vbWF0cGxvdGxpYi5vcmcv7US4rQAAIABJREFUeJzt3XuYZFV57/Hvr7uHyzDcaZBwGyEI\nh5gwygQviQbUEDGeCIYoHA9KJKLnoNEYc2I0F/XEmKjEE+9CIBCPIigSiRJhJCAQBZkZhuF+Z4Rh\nwjQMlxkuw3TXmz/2qu5dNdXdu25du6p/n+fpp6rW3lVr7erqt1e9e+21FBGYmdlgG+p1A8zMrPsc\n7M3M5gEHezOzecDB3sxsHnCwNzObBxzszczmAQd7M7N5wMHezGwecLA3M5sHRnrdAIA99tgjFi9e\n3OtmmJn1lRUrVjwaEaNF9i1FsF+8eDHLly/vdTPMzPqKpDVF9501jSPpHEnrJd2SK7tA0qr084Ck\nVal8saRnc9u+2tohmJlZJxXp2Z8LfBH452pBRLy1el/SGcCTuf3vjYglnWqgmZm1b9ZgHxFXS1rc\naJskAW8BXtPZZpmZWSe1OxrnVcAjEXF3ruyFkm6U9GNJr5ruiZJOk7Rc0vKxsbE2m2FmZjNpN9if\nBJyfe7wO2D8iXgJ8EPimpJ0aPTEizoyIpRGxdHS00MlkMzNrUcvBXtII8GbggmpZRGyOiMfS/RXA\nvcCL2m2kmZm1p52e/euAOyLioWqBpFFJw+n+gcDBwH3tNdHMrLwqlaAfVvwrMvTyfOCnwCGSHpJ0\natp0IrUpHIBXA6vTUMzvAO+JiA2dbLCZWZn89heu5axryt+nLTIa56Rpyk9pUHYRcFH7zTIz6w8P\nPf4Max9/ttfNmJXnxjEza0dA+ZM4DvZmZm0JoA9S9g72ZmbtiAiiD/r2DvZmZm2oRPZTdg72ZmZt\nCMJpHDOzQZcF+vJHewd7M7M2+AStmdl8EA72ZmYDL/BoHDOzgRfu2ZuZDb5KhIdempkNugCncczM\nBl1k0b70HOzNzNrUB7Hewd7MrFXVRUsGYvESMzNrrBrjyx/qHezNzFpWDfIejWNmNsAqTuOYmQ0+\np3HMzOaByfH1fRDtZw32ks6RtF7SLbmyj0laK2lV+nlDbtufSbpH0p2SfqtbDTcz67Wpnn35o32R\nnv25wOsblH8uIpakn0sBJB0GnAj8UnrOlyUNd6qxZmZl1Acp+9mDfURcDWwo+HpvAr4VEZsj4n7g\nHuDINtpnZlZakz37QQj2M3ivpNUpzbNrKtsHeDC3z0OpbCuSTpO0XNLysbGxNpphZtYb1fRNpQ+i\nfavB/ivAQcASYB1wRrMvEBFnRsTSiFg6OjraYjPMzHqn0j/nZ1sL9hHxSERMREQFOIupVM1aYL/c\nrvumMjOzgTM1XUKPG1JAS8Fe0t65h8cD1ZE6lwAnStpW0guBg4GftddEM7NyGNu4ueZxNLhXVkWG\nXp4P/BQ4RNJDkk4FPi3pZkmrgaOBPwKIiFuBC4HbgB8Cp0fERNdab2Y2R668cz2/+skfcdWd6yfL\n+ukE7chsO0TESQ2Kz55h/08Cn2ynUWZmZXPTg08AsPLnT3DUIXtmhYOeszczm29GhgTARKUyWTYf\nRuOYmc0rw0NZuBzPTXHZT2kcB3szswKGU7ScmJiK7JOzXvaiQU1ysDczK6Bhz7562wddewd7M7MC\nFgxXc/Zbp3H6gYO9mVkBQ8qCfW3PfsAvqjIzm28ajcaZGnpZ/mjvYG9mVsDI8PQ5+3z8LysHezOz\nAiZH41QajcZxz97MbCB4nL2Z2TwwmbOfaDD0sgftaZaDvZl
ZAUq3tT37/pkcx8HezKyAaoyvmRvH\no3HMzAZLNaDne/ZVDYpKx8HezKyAmOzZNzpBW/5o72BvZlZAdZjleMOhl+XnYG9m1oSJhhOh9aYt\nzXCwNzMroBrQG43G6YNY72BvZlZENWVTu1JV9U75w72DvZlZAZM9+4kGJ2h70J5mzRrsJZ0jab2k\nW3Jln5F0h6TVki6WtEsqXyzpWUmr0s9Xu9l4M7O5Ug3oEzXjLAdrDdpzgdfXlS0DXhwRvwLcBfxZ\nbtu9EbEk/bynM800M+utqTTOgM6NExFXAxvqyi6PiPH08Dpg3y60zcysPBqcoK0MUrAv4J3Av+Ue\nv1DSjZJ+LOlV0z1J0mmSlktaPjY21oFmmJl1T/UK2olGK1X1pEXNaSvYS/ooMA58IxWtA/aPiJcA\nHwS+KWmnRs+NiDMjYmlELB0dHW2nGWZmXVeZ7Nk3mBunD7r2LQd7SacAbwTeFulII2JzRDyW7q8A\n7gVe1IF2mpn11EzTJfSDloK9pNcD/wf4nYh4Jlc+Kmk43T8QOBi4rxMNNTPrpUYToUUfjcYZmW0H\nSecDRwF7SHoI+Cuy0TfbAsuUrbh+XRp582rgE5K2ABXgPRGxoeELm5n1kckpjhuNsy9/rJ892EfE\nSQ2Kz55m34uAi9ptlJlZ6TSYCG1y01y3pQW+gtbMrIBGF1VNznrZB117B3szswIqlWrPvtFKVeXn\nYG9mVkA1oOezOLHVnfJysDczK6DR0oOe4tjMbMA0ystP9fbLH+4d7M3MmjTZo++joZcO9mZmBeR7\n79UROVNpnPJHewd7M7MC8r336lh7r0FrZjZg8vH8+Yls+KXTOGZmAyafxqkuTdgPF1NVOdibmRVQ\nk8ap9uzTY4/GMTMbQE7jmJkNqEqlQRoHj8YxMxso0eC+e/ZmZgMmH9Ar9RdV9aA9zXKwNzMrIH8S\ntv5iKvfszcwGRE0aZ6v0TfmjvYO9mVkRue57pS5902hGzLJxsDczK6DSMGffPxdXOdibmRWQH15Z\nqZvHvvyhvmCwl3SOpPWSbsmV7SZpmaS70+2uqVySPi/pHkmrJb20W403M5sr+c77VM5+8E7Qngu8\nvq7sw8AVEXEwcEV6DHAscHD6OQ34SvvNNDPrrcZpHNJt+aN9oWAfEVcDG+qK3wScl+6fBxyXK//n\nyFwH7CJp70401sysV2rTOKlsnoyz3ysi1qX7/wnsle7vAzyY2++hVFZD0mmSlktaPjY21kYzzMzm\nQKOefYNtZdWRE7SRfYdp6nAj4syIWBoRS0dHRzvRDDOzrml4UVW6HfRZLx+ppmfS7fpUvhbYL7ff\nvqnMzKxvNTxBS+1tmbUT7C8B3pHuvwP4Xq787WlUzsuBJ3PpHjOzvpQP6Fvl7Psg2o8U2UnS+cBR\nwB6SHgL+Cvhb4EJJpwJrgLek3S8F3gDcAzwD/H6H22xmNucqNVfQ9t+C44WCfUScNM2m1zbYN4DT\n22mUmVnZNJz1ssG2svIVtGZmTapP3/RBrHewNzMromEah9p0Tpk52JuZFVCbxqkt64NY72BvZlZE\n4549Nbdl5mBvZlZA7eIlnuLYzGwgNZ71Mt3OfXOa5mBvZlZA1KRxUpnXoDUzGywNx9nX9PbLHfEd\n7M3MCshfJdto0ZKSx3oHezOzIiqNhl7mtpc81jvYm5kV0TiNs3Vvv6wc7M3MCphppapse7k52JuZ\nFdDoZGxtHn+uW9QcB3szswKi0RW0NT37ckd7B3szswICkNL9Ridoyx3rHezNzIqoBAynaN8wZ+9g\nb2bW/yKCoaFqsG+Qs3cax8ys/wUwkoK9L6oyMxtQEdEgjZPv2Zebg72ZWQERNEjj5LeXO9wXWnC8\nEUmHABfkig4E/hLYBXgXMJbKPxIRl7bcQjOzEoiYSuP040VVLQf7iLgTWAIgaRhYC1wM/D7wuYj4\nbEdaaGZWApXcCdpGi5Z
EpSfNKqxTaZzXAvdGxJoOvZ6ZWakEuaGXlQZpnJL37TsV7E8Ezs89fq+k\n1ZLOkbRroydIOk3ScknLx8bGGu1iZlYaETBc7dnnymhwv4zaDvaStgF+B/h2KvoKcBBZimcdcEaj\n50XEmRGxNCKWjo6OttsMM7OuysbZZ/fbneL40pvX8ZnL7uhU0wrpRM/+WGBlRDwCEBGPRMRERFSA\ns4AjO1CHmVlP5dM4DXP2TXTtf3T7I3x35dqOtm82nQj2J5FL4UjaO7fteOCWDtRhZtZTETGZxmk8\nEVozrwUTlbnN+7Q8GgdA0g7AbwLvzhV/WtISsmN/oG6bmVlfquRy9vULjmdlxYP3RCWa2r8T2gr2\nEfE0sHtd2clttcjMrIQCGNL0PftmuvYTEcxxx95X0JqZFRERjAxXc/apLL+9ideqVIKJSvDs8xM8\nPz43A/Qd7M3MCohoMM6+xaGXE5WgUgl++wvX8MELV3WymdNysDczKyDIT3E8VZbfXlQlIkvlVGIy\nNdRtDvZmZgVUKrmhl3SgZ58CfvWkb7c52JuZFRBE7gRtKmtxiuNKZP88KhXcszczK5OIbA3aITVe\nvKTSxPCaaq9+ohIMz1EUdrA3MytgKtir4Xz2zXAax8yspIJAKAX7VNZGzr56Fa3TOGZmJZKtVJX1\n7ttdcLz6/C0TFffszczKpBJTPftqL77SRs8eYHzCPXszs1IJpk7QVhrkcZrJ30+knccr7tmbmZVK\ndoJWKJ+zz21vZmKzmEzjBHMU6x3szcyKiAhE1rvvxEVVVUPu2ZuZlcdUGke5idBamwotH+yHnbM3\nMyuPiCzQD2maxUua6NnnUz7O2ZuZlUglpXGmu6iqqRO0+TSOe/ZmZuVRvYI2f4I230Nvrmc/dd89\nezOzEsly9qqZGyffnW/moqqanL2DvZlZeUQ+jZMWl6oZetnEglP5bwRzlcZpaw1aAEkPABuBCWA8\nIpZK2g24AFhMtuj4WyLi8XbrMjPrlfysl1MnaFucLqGmZ9+5Ns6kU9UcHRFLImJpevxh4IqIOBi4\nIj02M+tb1fns1YmJ0HrQs+/W/5Q3Aeel++cBx3WpHjOzOVGZPEGbu6iqxdeayKV8+inYB3C5pBWS\nTktle0XEunT/P4G9OlCPmVnPRIOJ0PppnH3bOXvg1yNiraQ9gWWS7shvjIiQtNXbkP4xnAaw//77\nd6AZZmbdUzMRWgrWlRZz9n05XUJErE2364GLgSOBRyTtDZBu1zd43pkRsTQilo6OjrbbDDOzrqpO\nhJZfvCSviVUJa0/Q9kMaR9IOknas3geOAW4BLgHekXZ7B/C9duoxM+u1/ERoDUfjNJHHqU3jdKyJ\nM2o3jbMXcLGy/0wjwDcj4oeSbgAulHQqsAZ4S5v1mJn1VJClcLKcfZvTJfTbOPuIuA84vEH5Y8Br\n23ltM7MyqURMpXGqF1W1eoI2NxrHV9CamZVIBFuncVqd4tizXpqZlVPDlao6sHiJ+uEErZnZfBER\nk0Mvq734mgXHC75OpW7YTl+MxjEzmy/yJ2in4vVU4K4P4tOZqPsK0G9z45iZDbTK5BW006xU1cTr\n5PXTdAlmZgOv0eIlreTs66dC9glaM7MSabR4SX40TtHpEurTOH0zXYKZ2XwwdYJWDdM4RfM4Ez5B\na2ZWXtVx9vmLqjoyGsc9ezOz8shG4wimuaiq/sTrdOrTOHPUsXewNzMropIbZz8Zr1s5QVs/9NJp\nHDOz8sincRqtVFU8jVP72GkcM7MSifxEaDFVlt9ehEfjmJmV2NQ4+3zOPre94Ot4ugQzsxILmFyD\nttFFVS0PvXTP3sysPCIizY0zlbJpZQ3ardI47tmbmZVHJdj6oqr89krj5231Ou7Zm5mVVxBT89lX\nJgtz24upnxzTs16amZVI4xO0LYzGqYv2XrzEzKxEsnH2qrmoqhNTHJd+NI6k/SRdKek2S
bdKen8q\n/5iktZJWpZ83dK65Zma9kaVx6i6qauEK2l6Nxhlp47njwB9HxEpJOwIrJC1L2z4XEZ9tv3lmZuUQ\nsfVKVa0sON6ri6paDvYRsQ5Yl+5vlHQ7sE+nGmZmVibVlaryOfvqCJ2IrU+8Tvs6/XxRlaTFwEuA\n61PReyWtlnSOpF2nec5pkpZLWj42NtaJZpiZdU22eElK4+Ry9tVx8q2mcYb6ZTSOpEXARcAHIuIp\n4CvAQcASsp7/GY2eFxFnRsTSiFg6OjrabjPMzLoqG41TuwYtZBdaZfeKRfuthl72Q89e0gKyQP+N\niPguQEQ8EhETEVEBzgKObL+ZZma9Ux1WObl4SW6lKjXZs99qNE7ZL6pSdoRnA7dHxN/nyvfO7XY8\ncEvrzTMz671qfJ5ccDxdVBVM9cyLDr3cOo1T8hO0wK8BJwM3S1qVyj4CnCRpCdmxPwC8u60Wmpn1\nWDU8D0nphGy1Zx+TPfOWpzieozROO6NxriX7VlPv0tabY2ZWPpWaNA65oZfNLyvY16NxzMwGWT6N\nk7+oqpIbjTPbGrTX3D3G+ESlf0fjmJkNumpwn5wILbdS1eRonBli/Yo1Gzj57J9xxrK7+m+6BDOz\n+aK2Z1+bny8yzv7pzRMArFzzeINZLx3szcxKoRrIh7Zag3ZqNM1MSZznx7PhO08+u6UmjVMd3TMX\nHOzNzGax9QnaqSmOp9I404f7jZu3AFmwz6dx5iqFAw72ZmazqobnqXH2UxdVFRlnv/G5cQCeeKa2\nZz9XY+zBwd6sa+5/9Gm+ft2aXjfDOqDaa6+mcfJz40xdQTtDzz4F+2e3TLBlYmr9QvfszQbAd1Y8\nyF/8yy1sHp/odVOsTfmTqrWzXsbk0MmZTtA+9dyWyftrH3928v4cduwd7M26ZVPqzVVHYlgfmxyN\no60uqhoqkMZ56tnxyfsP5YO90zhm/W/j5uwPvBr0rX9Vx9kP1V1URT5nP0O035jr2T/69PMAbDM8\nNGfDLsHB3qxrqkG+OhLD+le1Jy+ovagqLVVYvT+djc+Ns8eibQB4bNNmAEaG5Zy92SDY5J592z7+\nr7fysUtu7XUzpqY4lmouqiq6eMnG57aw/24LAXg0BfsFw0NzmsZpZ9ZLM5vBZLDf7GDfqp/c89ic\npjqmMzXrZf0atFNXwM429PKg0UVst2CIRzdlaZwF7tmbDYZqj97BvnVjmzbz+DPP97oZUxdC1a1U\nVYkoPPRyx+1G2HXhNpPj7EeGnLM3GwjVE7QbncZpyfPjFTY8/Twbnn6+8FzxXVOXs4/IgnsEDBcY\nernxuS3suN0Cdl24zWTZghHN2YyX4GBv1jXu2benmtvePF7h2S29Hb6aX7wkn6OvGXo5TbSfqARP\nPz/BjtuNsNsOuWA/PDRnC5eAg71ZV4xPTAUon6BtzdjGzZP3H3+mtyOaJufG0dRiJZWsez+Vxpnm\nueuezMbV77FoG3ZZuGCyfMHQkHP2Zv0ufyGVe/atWZ8P9k/3Nm8fuTTOyHAWoJ+fqKSefe0+9a6/\nbwMARxywW23PfkS+qMqs3+XH1jtn35p8z35Dr4N9uh2S2G/XbAjlmseeqR16CVx91xhLPnF5TXt/\ncu9j7LpwAYe+YMeanP2we/Zm/S8f4PNXT1px6zc+N3m/1yNyKrmrqg4c3QGA+8aeJojcFbTBj+8a\n44lntrDqwccB+OCFq7ho5UO8/MDdGRoS2y7IQu7vvnRfhjUg0yVIer2kOyXdI+nD3ajjtoef4rgv\n/Qf3rN/UjZc3a1k+deM0TmseeWozC1LKpNdpnCoBL9wjC/b3jm2iUplaQ/avf3A7/3bzOgC+dOW9\nnP6NlXx35VoO2H0hpx/9i0AW5P/ktw7hU2/+ZYakyZE8c6ErVUkaBr4EHAscBpwk6bBO17PHjttw\n89on+faKBzv90qXw6KbNfPmqexws+lD1pOwuCxf49
9eCSiW4+q4xjnzhbkiwoccnaPMrVS3cZoRf\n2Hk77hvbVDMaB+DhJ7NvIyvWPM4PUuC/4LRX8OJ9dgZgr5224/Sjf5FtRrKrZ+cyjdOtK2iPBO6J\niPsAJH0LeBNwWycr2XPH7XjNoXty0YqH2GvH7Tr50qXw/dUPs/LnT/Cz+zfw6oNHe90ca8Jt654C\n4AU7bcfDTzzLOdfe3+MW9ZdHNj7H2iee5U+PPZRbH36K6+57rKfvYTWNVI3NB+25iBU/f5znxyvs\nnjvpmrfz9gs44Yh9ecHOjWPTsOb2BG23gv0+QL67/RDwsvwOkk4DTgPYf//9W67o5JcfwLLbHuET\n3+/o/5FSWDAsjjlsL5bd/ghX3TnW6+ZYkxZtO8IrD9qDc/7j/oH8fHbbXjttyzGH7cU3rlvD9fdv\n4Gf3b+hpeyQmA/cRB+zKNXc/CsAxh72Aa+95lCMX78bPHtjAyS8/gK9ft4af/tlrWLjN9CH2wNEd\neG5LZdrtnaZuXJkm6QTg9RHxB+nxycDLIuK9jfZfunRpLF++vOX6nt48zvhEj6+w64IFI9lXxk2b\nx5kYwOMbdNsuGGLbkSGeem585olTrKHttxlmm5EhxicqpVgTYGRY7LBtFrwjYvL3utP2I5MLj0ca\ndx+58ffdJGlFRCwtsm+3evZrgf1yj/dNZV1R/QUMqkUDfnyDbuftF8y+k01rZHiInReWa+CgpJrf\nazWuVwP8XAT6ZnXrHbwBOFjSCyVtA5wIXNKluszMbBZd6TJGxLik9wKXAcPAORHR+0mpzczmqa7l\nByLiUuDSbr2+mZkVV65EmJmZdYWDvZnZPOBgb2Y2DzjYm5nNA125qKrpRkhjwBPAkw027wFsmWbb\nzh0sXwA82uU68uV7pPqm279Tdc/0/nWqjnx59bhm278Tdc/2Hnay7vrjavV1ij4nX183j6/V97DV\nuhv9nXWr7nbew2bfv27WkVf/OTwkInacZt9a2TqKvf8BzpymfPkM2zpWDizvdh31xzXT/p2qe6b3\nrxvHV/8+drPu2d7DDtfdkc9H0efk6+vm8bX6HrZad6P3sVt1t/MeNvv+dbOO6epr9HimnzKlcf61\nhW3dLh/0uueijkGpu5OvU8bjc93lr7stpUjjzETS8ig490M/1DPX9Q3qcQ1yXXNZ36Ae11zV1ev3\nr5n6y9Szn86ZA1bPXNc3qMc1yHXNZX2DelxzVVev37/C9Ze+Z29mZu3rh569mZm1ycHezGweKEWw\nl3ScpJB0aJdePyT9/9zjEUljkr7fjfpy9cz5Suiz1SnpKkktn1Dq9u+qQX0flXSrpNWSVkl62ezP\narmufSV9T9Ldku6V9A9piu7p9v+ApIUt1BOSzsg9/pCkj7XY7JnqmUjv2a2SbpL0x5Lm5G9+Lj77\nueOr/iyeYd+jWvl770Xs6NbfWCmCPXAScG26LSwtbF7E08CLJW2fHv8mXVxMZcC19LtqhaRXAG8E\nXhoRvwK8jtrlLjtZl4DvAv8SEQcDLwIWAZ+c4WkfAJoO9sBm4M2S9mjhuc14NiKWRMQvkX3mjwX+\nqst1zqXq8VV/HuhCHW3HDknNzi7clXjY82AvaRHw68CpZIucVP8LXy3pB5LulPTVao9E0iZJZ0i6\nCXhFE1VdCvx2un8ScH6uDUdK+qmkGyX9RNIhqfxqSUty+10r6fAmj6+mRyHpi5JOSfcfkPRxSSsl\n3dyp/+Qz1dnm6073u5ru+N4g6Q5JKyR9voXe0N7AoxGxGSAiHo2IhyUdIenH6XUvk7R3qu+q1Btf\nJekWSUc2UddrgOci4p9SXRPAHwHvlLSDpM+m11wt6X2S/hD4BeBKSVc2eVzjZKMo/qh+g6TFkv49\n1XOFpP0l7SxpTe5vYAdJD0oqvARWRKwnW/P5vcoMS/qMpBtSXe/OteFP0+fxJkl/2+Sx5Y9lUTqG\n6uf7TbljvF3SW
elbx+W5YNqWmY4L2KlRTCmgldhxiqRLJP07cEUT7e9aPOx5sAfeBPwwIu4CHpN0\nRCo/EngfcBhwEPDmVL4DcH1EHB4R1zZRz7eAEyVtB/wKcH1u2x3AqyLiJcBfAn+Tys8GTgGQ9CJg\nu4i4qcnjm82jEfFS4CvAhzr82p023e9qK+l9/hpwbEQcAYy2UN/lwH6S7pL0ZUm/kQLcF4AT0uue\nQ23ve2FELAH+d9pW1C8BK/IFEfEU8HPgD4DFwJL0DeMbEfF54GHg6Ig4uoVj+xLwNkk715V/ATiv\nWg/w+Yh4ElgF/Eba543AZRGxpZkKI+I+ssWE9iQLJk9GxK8Cvwq8S9nKcseS/Z5fFhGHA59u4diq\nngOOT5/vo4EzpMn1+g4GvpS+dTwB/G4Lr7+9plI4F6eyhseVtk0XU2bTSuwAeCnZ5/Q3KK5r8bAM\nwf4ksjeTdFv96vKziLgv9bDOJ/tvBzABXNRsJRGxmuwP9iS2XlRlZ+Dbkm4BPkf2hw/wbeCNKcC8\nEzi32XoL+G66XZHaV2bT/a4aORS4LyLuT4/Pn2HfhiJiE3AEWY90DLgAeDfwYmCZpFXAn5OtcVx1\nfnru1WQ9uV2arbeBo4CvRcR4eu0N7b5g+kfyz8Af1m16BfDNdP/rTH3uLwDemu6fmB634xjg7ek9\nvB7YnSwAvw74p4h4JrWznWMV8DeSVgM/AvYB9krb7o+IVel+q5/9fBrn+FQ23XHB9DFlRi3GDoBl\nLbx/XYuHPV3JWtJuZF+ff1lSkPU6AvhBus2rPn4uHXArLgE+S/bHu3uu/P8CV0bE8cpO8lwFEBHP\nSFpG9t/2LWSBp1nj1P5T3a5u++Z0O0Hnfh+z1dm0GX5X3+t0XXnpd30VcJWkm4HTgVsjYrqvrNN9\nbmZzG3BCvkDSTsD+wANF29uk/wesBP6pwL6XkAXO3cg+h//ebGWSDiT7nK0nC8Tvi4jL6vb5rWZf\ndwZvI/tGd0REbJH0AFOfj825/SaAjqRxmP64jqL1zwY0GTuSp5t4/a7Hw1737E8Avh4RB0TE4ojY\nD7gfeBVwZPpaOUTWo2kmZTOdc4CPR8TNdeU7M3XS5ZS6bf8IfB64ISIeb6HONcBhkrZNvczXtvAa\nZahzut/V0DR13QkcqKkREm+tf8HZSDpE0sG5oiXA7cCospO3SFogKd+bemsq/3Wyr/PTzR5Y7wpg\noaS3p+cPA2eQfZu7DHi30om29EcJsBEoNuNgA6nXdyFZ6qHqJ6RcLVmwvCbtuwm4AfgH4PvNdngk\njQJfBb4Y2ZWUlwH/q5r3l/QiSTsAy4DfVxpllDvWVuwMrE+B/mjggDZeq6jpjgvaiymtxI5mdTUe\n9jrYnwRcXFd2USq/Afgi2R/3/Q32a1pEPJRyrfU+DXxK0o3U9a4jYgXwFMV6X5NSYNgcEQ+S/UHf\nkm5vbKXtJahzut/ViY3qioi31y6wAAAE50lEQVRnyfLmP5S0giwwFg28VYuA8yTdllIBh5HlRU8A\n/i6dlFoFvDL3nOfS7/Gr1AbRGaUAeDzwe5LuBu4iyzl/hOwf/s+B1anO/5GedmY6vmZP0OadQTZt\nbdX7yILtauBk4P25bRcA/5PiKZxqTvtWsjTK5cDH07Z/JPs2szKlIL4GjETED8l6sctTKqTp80jV\nzyHZOYel6RvZ28ny293W8LjStpZjSiuxowVdjYelnC4hfeX6UES8sQRt+QWyr2aHRkSliecdDpwV\nEc2MCGlLL+qciaRFEbEpnZT7EnB3RHyui/VdRfa5Wd6tOmx2Zfsc9rtOxcNe9+xLLX2lvx74aJOB\n/j1kJ1H+vFttK0OdBbwr9Q5vJfu6+7Uet8e6rKSfQ6OkPXszM+ss9+zNzOYBB3sza5mk/SRdmU6i\n3yrp/al8N0nLlM0ztEzSrqn8UGVXnG6W9KG613q/squUb5X0gV4czyBzsDezdow
DfxwRhwEvB06X\ndBjwYeCKNM/QFekxwAayC8k+m38RSS8G3kV2pejhZBcz/uLcHML84GBvZi2LiHURsTLd30g2NHAf\nsgsRz0u7nQccl/ZZHxE3APVTPfw3ssv+n0lXKv+Y4tMZWAEO9mbWEekCupeQjWDbKyLWpU3/ydQ0\nCdO5BXiVpN3TBV1vAPbrUlPnpZ5Ol2Bmg0HZbI0XAR+IiKc0Od9ZdsFauvx/WhFxu6S/I7vw62my\ni+VanRbFGnDP3szakqYmuIhsNtDqxH6PaGrq6b3J5uOZUUScHRFHRMSrgcfJrmK2DnGwN7OWpauj\nzwZuj4i/z226BHhHuv8OsgnzZnutPdPt/mT5+m/O/Axrhi+qMrOWpQnnrgFuBqpXmX+ELG9/Idms\noWuAt0TEBkkvAJYDO6X9NwGHpdTPNWQzSm4BPhgRhRf9sNk52JuZzQNO45iZzQMO9mZm84CDvZnZ\nPOBgb2Y2DzjYm5nNAw72NrAkfax+ZsW67celSbtme52a/SR9QtLrOtVOs7ngYG/z2XFk69o2tV9E\n/GVE/KhrrTLrAgd7GyiSPirpLknXAoeksndJukHSTZIukrRQ0iuB3wE+kxblPij9/FDSCknXpLnX\nG+13rqQT0ms/IOlTadtySS+VdJmke9MSfdV2/Ulqw2pJH2/QdLOu8kRoNjAkHQGcCCwh+2yvBFYA\n342Is9I+fw2cGhFfkHQJ8P2I+E7adgXwnoi4W9LLgC9HxGsa7Fdf9c8jYomkzwHnAr8GbEc2k+NX\nJR0DHEw2V7uASyS9OiKu7tqbYVbHwd4GyauAiyPiGYAUpAFenIL8LsAi4LL6J6ZZG18JfDsXzLct\nWG+1npuBRWle941pNaZdgGPSz41pv0Vkwd/B3uaMg73NB+cCx0XETZJOAY5qsM8Q8ERELGnh9Ten\n20rufvXxCFlv/lMR8bUWXtusI5yzt0FyNXCcpO0l7Qj891S+I7AuTcX7ttz+G9M2IuIp4H5JvwfZ\nbI6SDq/fr0WXAe9M3x6QtE91hkezueJgbwMjLY93AXAT8G/ADWnTX5DNwvgfwB25p3wL+BNJN0o6\niOwfwamSbgJuJVtar9F+zbbrcrLpen8q6WbgO7T3z8OsaZ710sxsHnDP3sxsHnCwNzObBxzszczm\nAQd7M7N5wMHezGwecLA3M5sHHOzNzOaB/wJaATXysKXs2wAAAABJRU5ErkJggg==\n", + "image/png": 
"iVBORw0KGgoAAAANSUhEUgAAAXoAAAEVCAYAAADuAi4fAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz\nAAALEgAACxIB0t1+/AAAADl0RVh0U29mdHdhcmUAbWF0cGxvdGxpYiB2ZXJzaW9uIDIuMi40LCBo\ndHRwOi8vbWF0cGxvdGxpYi5vcmcv7US4rQAAIABJREFUeJzt3XuYZFV57/Hvr3qG6wzXaQhyyQAO\nGDQ6ygSTHFFAY4TjiZh4kHl8ElEieiJGTUyO0RhNjuZiQE/UoIGAYCK3iERUBAlykaMiPVyGQYY7\nA4MD0zPg3C/dXe/5Y+9dtbu6qrvr1r2r5vd5nn6qau1de63qrn5r1bvXXksRgZmZ9a/SbDfAzMy6\ny4HezKzPOdCbmfU5B3ozsz7nQG9m1ucc6M3M+pwDvZlZn3OgNzPrcw70ZmZ9bs5sNwBgwYIFsXDh\nwtluhplZT1m2bNm6iBicar9CBPqFCxcyNDQ0280wM+spklZNZ78pUzeSLpG0VtKKXNlVku5Nf56U\ndG9avlDStty2r7T+EszMrBOm06O/FPgS8LWsICLent2XdD6wIbf/YxGxuFMNNDOz9kwZ6CPidkkL\n622TJOAM4JTONsvMzDql3VE3JwLPRcQjubIjJd0j6TZJJzZ6oqRzJA1JGhoeHm6zGWZm1ki7gX4p\ncEXu8RrgiIh4JfAnwOWS9qn3xIi4MCKWRMSSwcEpTxqbmVmLWg70kuYAvwtclZVFxI6IWJ/eXwY8\nBhzTbiPNzKx17fTo3wCsjIjVWYGkQUkD6f2jgEXA4+010cys/5TLM7e633SGV14B/Bg4VtJqSWen\nm85kfNoG4LXA8nS45TeA90XE851ssJlZr3v6+a0c+4nv8dCzm2akvumMulnaoPysOmXXANe03ywz\ns/61dtN2RsaCn2/YxrG/NL/r9XmuGzOzGRZZ1maGsjcO9GZmM6wa52cm0jvQm5nNsOxEbLk8M/U5\n0JuZzbAZztw40JuZzbQsRx/h1I2ZWV/KAvxMDaV3oDczm2FR5143OdCbmc2waupmZupzoDczm2HZ\nsEqfjDUz61NZbr7sk7FmZv0pOxnr1I2ZWZ/yOHozs37ncfRmZv2t7NSNmVl/qwyv9Dh6M7P+VMnR\nu0dvZtafPOrGzKzPeRy9mVnf85WxZmZ9rXBLCUq6RNJaSStyZZ+S9Iyke9Of03Lb/kLSo5IekvTb\n3Wq4mVmvKmLq5lLgTXXKPx8Ri9Of6wEkHQecCbw0fc4FkgY61Vgzs35QuEnNIuJ24PlpHu8twJUR\nsSMingAeBU5oo31mZn2nl6YpPlfS8jS1s39adijwdG6f1WnZBJLOkTQkaWh4eLiNZpiZ9ZZqir44\nqZt6vgwcDSwG1gDnN3uAiLgwIpZExJLBwcEWm2Fm1nt6YinBiHguIsYiogxcRDU98wxweG7Xw9Iy\nMzNLxQxfGttSoJd0SO7hW4FsRM51wJmSdpd0JLAI+Gl7TTQz613rN+9grKbrXriTsZKuAH4MHCtp\ntaSzgc9Kul/ScuBk4MMAEfEAcDXwM+AG4P0RMda11puZFdgLW3Zy/Kf/i8/esHJc+UyfjJ0z1Q4R\nsbRO8cWT7P8Z4DPtNMrMrB9s3D4CwPdWPMtfnPYrlfIijqM3M7MWDJQEwOhYeVy5JzUzM+sTc0pJ\niB2dkKMff9ttDvRmZl2ipEM/IdB7KUEzsz6RxfHa1I2XEjQz6xNZQJ84vDK7dY/ezKynZWF8Qo6+\nh+a6MTOzSZTTAD/xZGzBLpgyM7P21KZuPI7ezKxPNAzkPhlrZtYfGsb5mW2GA72ZWbc0CuhZ7r48\nQ/MUO9CbmXVJo9SNr4w1M+sTU6TonaM3M+t1jaY48AVTZmZ9olEY74mlBM3MbGoNc/S9sJSgmZlN\nrfHwSl8Za2bWF6bq0ftkrJlZj2sUyD0FgplZn+iZ1I2kSyStl
bQiV/aPklZKWi7pWkn7peULJW2T\ndG/685VuNt7MrMgaDZ8sYurmUuBNNWU3AS+LiJcDDwN/kdv2WEQsTn/e15lmmpn1nqmGTxZmHH1E\n3A48X1P2/YgYTR/+BDisC20zM+tpjS6Yyua4KVKPfirvBr6Xe3ykpHsk3SbpxEZPknSOpCFJQ8PD\nwx1ohplZseR79PmgH3XKuqmtQC/p48Ao8PW0aA1wRES8EvgT4HJJ+9R7bkRcGBFLImLJ4OBgO80w\nMyuoaiDPLz5SxBx9XZLOAt4MvCPSj6WI2BER69P7y4DHgGM60E4zs56T79GPjOV79D0wBYKkNwF/\nDvxORGzNlQ9KGkjvHwUsAh7vREPNzHpNvse+c6xcuZ8F+Jk6GTtnqh0kXQGcBCyQtBr4JMkom92B\nmyQB/CQdYfNa4G8kjQBl4H0R8XzdA5uZ9bn8BVEjuUA/00sJThnoI2JpneKLG+x7DXBNu40yM+sH\nMS51Uw30XkrQzKxP5EfVjIxW75cr0xT3wKgbMzNrLB/GR8q5Hn2vjLoxM7PJNcrRe4UpM7M+MS5H\nP9qD4+jNzGxy+R59fnillxI0M+sT43L0dUfdOHVjZtbTolGOfobH0TvQm5l1ST6Qj445R29m1nem\nmgLB4+jNzHpc4+GVBVtK0MzMWtPwZKxTN2Zm/aHRFAiV7R51Y2bW2xrn6D3qxsysL4xbSjBXXk3d\nuEdvZtbT8qmZ8WvG+mSsmVlfyPfoy7kH1eGVM9MOB3ozsy7J9+LHpXGcujEz6w/5OD7+4iinbszM\n+sL4HD0T7zt1Y2bW23KLSo3r0RdyKUFJl0haK2lFruwASTdJeiS93T8tl6QvSHpU0nJJr+pW483M\niiwfxsdiYu++aOPoLwXeVFP2UeDmiFgE3Jw+BjgVWJT+nAN8uf1mmpn1nnKd4A4FXUowIm4Hnq8p\nfgtwWXr/MuD0XPnXIvETYD9Jh3SisWZmPaXB8Mqi9ujrOTgi1qT3nwUOTu8fCjyd2291WjaOpHMk\nDUkaGh4ebqMZZmbFVG44vLIHlxKMpNVNNTkiLoyIJRGxZHBwsBPNMDMrlHxQHJfGqbtH97QT6J/L\nUjLp7dq0/Bng8Nx+h6VlZma7lPE5+on3eyF1cx3wzvT+O4Fv5cr/IB198+vAhlyKx8xslzH+gqlc\nec1tt82Zzk6SrgBOAhZIWg18Evh74GpJZwOrgDPS3a8HTgMeBbYC7+pwm83MekLUGTuf3J9Y1k3T\nCvQRsbTBptfX2TeA97fTKDOzfjA+R58r76HUjZmZTWL8kMqJp2A9142ZWY9rNOom2+DZK83Mely5\nwclYLyVoZtYnGp2MrVwZ2wPj6M3MbBJZQB8oqWauG/fozcz6QhbQB0pirO5Sgu7Rm5n1tCygzymp\nfurGPXozs95WSd1INROYeSlBM7O+UEndDKhmrpvKDjPCgd7MrEvG9+gLvpSgmZk1L+vFD5Q0q5Oa\nOdCbmXVJOTe8sv7JWPfozcx6WuNx9ONvu82B3sysS8rjUjcTJzjrqaUEzcxsoiyO1w6vrI66cerG\nzKynRQQSSLVrxnocvZlZX4iAkkRJ9cfR+8pYM7MeV45ApDn68vjy/G23OdCbmXVJkPToJc91Y2bW\nl8oRIChNyNGPv+22aS0OXo+kY4GrckVHAX8F7Ae8BxhOyz8WEde33EIzs14VSZAvTRh1E+Nuu63l\nQB8RDwGLASQNAM8A1wLvAj4fEed1pIVmZj0qydFrYo++R1M3rwcei4hVHTqemVnPi7RHr9oefeW2\nt07GnglckXt8rqTlki6RtH+9J0g6R9KQpKHh4eF6u5iZ9bRyJEG+JGqGV/bYUoKSdgN+B/iPtOjL\nwNEkaZ01wPn1nhcRF0bEkohYMjg42G4zzMwKJ0gumCpNmKY4u20+0t/84HN85rs/a+o5nejRnwrc\nHRHPAUTEcxExFhFl4CLgh
A7UYWbWc9JBN0mgz42jb2fUzQ9WruXqodVNPacTgX4pubSNpENy294K\nrOhAHWZmPSciKJU0YQqE6tnY5o9ZjqDc5GxoLY+6AZC0N/BbwHtzxZ+VtJjkJTxZs83MbJdRzvXo\nx8qdGUc/Vg7Gmkz5tBXoI2ILcGBN2e+3c0wzs34RRDLXTQlGxjqzlOBYmXEfGtPhK2PNzLokGXUz\n8WRsO+PoyxGUI9g+Mjbt5zjQm5l1SRLIVefK2PS2heTNWDkYKwcfu/b+aT/Hgd7MrEsiIp0CoWYc\nfWV788ccKwfloKkTsg70ZmZdEuNSN/ny1i+YyvLzIw70ZmazrxxRmaZ43KibSo6+hdRN+pyR0fIU\ne1Y50JuZdUmQDa/s3FKCWcpmZMyB3sxs1kVlrhtR73qploZXZj36MaduzMxmXbY4eKlEzVw37efo\nd7pHb2Y2+xouJVhz24xyOHVjZlYY5ajOXjmu997GBVNjztGbmRVHsvDIxBWmqqmb1i6YAhgZdY7e\nzGzWJUsJ1hlHX3PbDPfozcwKJEgumKqdpri9cfTJrU/GmpkVQDLqRgzUDq/swDj6nb5gysxs9mWL\ng09YSrCc3baRo3eP3sxs9iU5ek0YR59pb3ilT8aamc26bFIzNZjUrJVI7wumzMwKpFyZAqHBNMUt\nHHPMOXozsyKJSo4+P3tlW0sJtvCcttaMBZD0JLAJGANGI2KJpAOAq4CFJAuEnxERL7Rbl5lZLxm/\nlGC1vJ2lBJtdLxY616M/OSIWR8SS9PFHgZsjYhFwc/rYzGyXEpX56GunKc5umw/arYzU6Vbq5i3A\nZen9y4DTu1SPmVlhlYPKlbH1piluqUffwpM6EegD+L6kZZLOScsOjog16f1ngYM7UI+ZWU9Jroyd\nONdNe0sJNv+ctnP0wGsi4hlJBwE3SVqZ3xgRIWnCy0k/FM4BOOKIIzrQDDOzYqnMR99wmuIWUjez\n0aOPiGfS27XAtcAJwHOSDgFIb9fWed6FEbEkIpYMDg622wwzs8LJZq9sNI6+J07GStpb0vzsPvBG\nYAVwHfDOdLd3At9qpx4zs15Unb1y/Dj6LFa3NLyyhUDfburmYOBaSdmxLo+IGyTdBVwt6WxgFXBG\nm/WYmfWcrEc/UGrQo2/hmDMe6CPiceAVdcrXA69v59hmZr2uHMmwm4ZLCfbQqBszM6sjIJe6qT/H\nTbNz0hdpHL2Z2S4vu2CqlKS3Kz34eouQTJd79GZmBZLNXllK4nx1rdj8Pk0dL1pK9zjQm5l1Sbky\nBYLSx0l5tJi6aeVELDjQm5l1TbZmbKkS6LMe/cQTs9Mx6kBvZlYskZuPHvLTE1f3aWYsfSvj7sGB\n3sysa6JywdT41M34UTfTP55TN2ZmBRMkJ2I14WRsVMqaUW5hQjNwoDcz65pyRJq6SYdXpoE6AgZq\nhlxORytDK8GB3sysa5IpECYOryxHUCqNP0E7HU7dmJkVTBKXk7luksfVcfRZ8G8mdPtkrJlZwSRX\nxlJ3HH31aln36M3Melb1ythqUM8C+0DtSJxpcKA3MyuYIJvrJnlcjurJ11ILuRsHejOzginHxCtj\ns1BdjfNNpG6cozczK5ZIh1fmx9FnqZvaGS2no5UpisGB3sysa9J1R8YF9XJN6qap4ZXu0ZuZFUsy\njFKU0kg7Vo5KqqZywVQTx3OO3sysYJIrY2ty9FmPPsvRN5W6aa0dDvRmZl2SjZevHUcP1dRNoU/G\nSjpc0i2SfibpAUkfTMs/JekZSfemP6e1WoeZWS8rV2avTB5HRCUnn10t29zsla116ee09KzEKPCn\nEXG3pPnAMkk3pds+HxHntXFsM7OeV52Pvtqjr6ZuWgn0rbWj5UAfEWuANen9TZIeBA5t9XhmZv0m\nKjn65HF+HL1aGUc/mydjJS0EXgncmRadK2m5pEsk7d/gOedIGpI0NDw83IlmmJkVSjZ52fi
TsTWj\nbpo5GTtbwyslzQOuAT4UERuBLwNHA4tJevzn13teRFwYEUsiYsng4GC7zTAzK5wkR6+64+hrZ7Sc\njlnp0UuaSxLkvx4R3wSIiOciYiwiysBFwAnt1GFm1qsioFSiMo6+HFEZOK9eWHhESSsvBh6MiM/l\nyg/J7fZWYEWrdZiZ9bJsPvr88MosJ5/l7Zs6Xos9+nZG3fw34PeB+yXdm5Z9DFgqaTHJ59aTwHvb\nqMPMrIc1vmCqleGVozMd6CPiDpJpHGpd3+oxzcz6SblmKcH8OPp88J/28TwFgplZsUTNydhyNUU/\n7aUEN2wbYdmqFwBPamZmVjhZj74yTXE56lwwNXnw/uCV9/B7X/4Rm3eMelIzM7Oiyeajz4L6WFRn\nr6xOUzz5MVau2QTAU+u3Tpg+Yboc6M3MumTimrHVk6/ZBVNTJW/233s3AFat31KZAmHugAO9mVkh\nBKQ5+uTxuGmK0+g7Vdp9/73mAvDk+q2Vk7FzS82Fbgd6M7MuiYg0R19vHP30Fh7JhlSuWr+lcjJ2\n7hwHerNCuXroaVY+u3G2m2GzoLo4ePY4mp4CYeO2EQCeXL+lEvSdujErmL/8zxVcfudTs90MmwVB\nUJJyF0c1vzj4hjTQr8qnbgbcozcrjO0jY+wcLVd6ZbZrKSdJ+uo4+nJ+PvrkdqpAn7131mzYzo7R\nMQB2c+rGrDg2bR8dd2u7mMpSgsnDfJqmmqNvHOlHxsps2TnGwfvsDsD6zTsB2M09erPi2LR9JL11\noN8VVZcSrJ6MbWYpwex9c+SCvQFYu2kH4NSNWaFsTP9RN2536qZbNm0f4ZTzbmXoyednuykTJAuP\naNxVsM0sJZjl549cMA+AtZu2Az4Za1Yo7tF33xPrtvD4ui3c+/QvZrspE5QnLCVIU0sJZoH+qKxH\nv9E9erPC2bgt7dH7ZGzXPLsh6eWuS/PXRZItDq5x0xRPP3WzsdKjH5+68clYswLJevSbd462PMWs\nTe65jUmgf37LjlluyXhZQE9y9EnZuHH005imOOvRH3HgXswpqfJ4jue6MSuOLDcfAZt2OH3TDc+m\ngX59wXr0+Vz8+Hx8+gEwjStjs/fPfnvOrcx5M1CSJzUzK5J8bn6TT8h2xbMbkp78ui3FCvRZTz0/\nqdnYuGmKk9vJUjerX9jGQEnsu9dcDswCffrB0Uywd6A366J8bj7L11tnFTZ1k96WBHPSUTI7RsuV\n8vzVso388JFhjv/l/dl9zgAHzksCfanUfK/egd6si9yj776ipm6qPXpx8D57sPucEo8Pb64uJViq\npm7ufuoFfvWTN7L6ha2V5w9v2sGKZzbyumMGAThg7+Siqd0GSpRKyk1zPDUHerMu2rh9tDKMzkMs\nu+O5DduRYOvOMbbtHJvt5lRkHXUp6YG/+KB5PLx2c93Uza0PDbNpxyg/eTy5FuCHjwxz6j/dDlAJ\n9FnP/w9PPIqBoqRuJL1J0kOSHpX00cn2fWx4MztHy91qitms2bh9hIPn71G5b521eccom3aMcuSB\nyfDD9QVK31QCPUlAPubg+Tzy3KYJC4988Mp7uO2htQB8+76f8+ffuI/zbnwISXz4Dcfw0hftA8AH\nTlnEJ958HB845cUMlKpz3E9HVwK9pAHgn4FTgeOApZKOa7T/1p1j3PDAs91oSiFFBP/+k1XcV8AL\nPKyzNm0f5dD996zct866YUUSN05+yUFAsdI31Xnnk8eLDp7Hmg3bK0Mks9TNmg3buW/1BgBue3iY\nq4dWc9/qDbznxCP54BsWVUbnHPtL8zn7NUdWliZspkc/p1MvqsYJwKMR8TiApCuBtwA/q7fzbgMl\nLrjlUdZtKs6ncTc9vm4z//6Tp5i/xxz++JRFTQ+Vst7x7IZtnLhokGWrXuC2h4dbXtzZ6rvip0/x\n4oPmcdqvHsLFdzzB1UNPs2zVC7PdLAB2puv+Zam7Yw6
aD8DlP02mrN5Rk8VYMG931m3ewSuP2I+5\nAyXOWHJ4w2MPlJpbN7Zbgf5Q4Onc49XAq/M7SDoHOAdgwWFHsvLZTfzNd+p+DvSl337pwSxfvYHP\nXP/gbDfFuuwlh8xn+eq9+MHKtfxg5drZbk7f+ezvvZyFB+7FnnMH+HoB5/1/0X7JN7qXH7Yve8wt\n8e37fs5ASbz6yAO4/M6neO/rjuJrP1rFR954DJ/+7oN87ozFlSthGzlywTyOHtzKsmm2QZMN7WmV\npLcBb4qIP0wf/z7w6og4t97+S5YsiVvu+DHlXSVNL9h3z7mMjJXZuqM4J4+sC9K/9c7RcqFOFPaL\nUgnm75Gsqbp9ZIwdI8UKIvn2QbWNc+eIvXabQ7kclEqacDtdkpZFxJKp9utWj/4ZIP+947C0rKH8\nL2NXMXegxL57eeDTrmC3OaWm5yex5uwxd4A95g7MdjMmVdvGLKjX3nZat955dwGLJB0paTfgTOC6\nLtVlZmaT6EqPPiJGJZ0L3AgMAJdExAPdqMvMzCbXrdQNEXE9cH23jm9mZtPjpKGZWZ9zoDcz63MO\n9GZmfc6B3sysz3XlgqmmGyFtAh6qKd4X2NDgKVNtmwusa+F59bY185wFuXrbaX8z2xYAIzNUV+22\n/Oud6nmdfs3rOnzMqZ5T77W2U9d0t9XWO5Pvq1Z/x0X5322mjTP9vzud+qZzvGMjYn6DfaoiXax2\nNn+AoTplF06y/6Tb6h2v1WM285x8ve20v5ltwNBM1VW7rZm/W6dfczde2xTPqfuemunf8Uy+r7r0\ne5yx/91m2jjT/7vTqa/V/8F6P0VO3Xy7INuK0o7JthWlHZNtK0o7Jts22XMmU5Q2FmVbUdox2bai\ntGOyba0eb4KipG6GYhrzNczW8Ypc72y91tmse1f6Pbve/qy3U/VN9zhF6dFfWPDjFbne2Xqts1n3\nrvR7dr39WW+n6pvWcQrRozczs+4pSo/ezMy6xIHezKzP9VyglxSS/j33eI6kYUnfmcE2bJ6pupqt\nW9KtkjpyUknS6env+yWdOF4T9X5c0gOSlku6V9Krp35WR+o9TNK3JD0i6TFJ/5ROs91o/w9J2qvN\nOkPS+bnHH5H0qXaOOY06x9Lf6wOS7pP0p5JmNBbM9P9Q7jVnPwsn2fekduJJEWJUrZ4L9MAW4GWS\n9kwf/xZTLGpiLVsK3JHezghJvwG8GXhVRLwceAPjl6XsVr0Cvgn8Z0QsAo4B5gGfmeRpHwLaCvTA\nDuB3JS1o8zjN2BYRiyPipST/P6cCn5zB+mdD9pqznye7WFfbMUpSR2cW7sVAD8n0x/89vb8UuCLb\nIOkEST+WdI+kH0k6Ni2/XdLi3H53SHpFqw2o/dSX9CVJZ6X3n5T015LulnR/p3vEk9XdwTrmAa8B\nziZZOGaq13yapJWSlkn6Qhu9l0OAdRGxAyAi1kXEzyUdL+m29Pg3SjokrffWtOd9r6QVkk5osd5T\ngO0R8dW03jHgw8C7Je0t6bz0+MslfUDSHwMvAm6RdEuLdQKMkoyc+HDtBkkLJf0grfNmSUdI2lfS\nqqwHnrbtaUktLdEWEWtJ1m4+V4kBSf8o6a603vfm2vO/0/fzfZL+vrWXO+71zUtfV/Z/8pbc635Q\n0kXpt47v54Jmx0z2WoF9JH1X0kOSvtLCN55WYtRZkq6T9APg5nZeW61eDfRXAmdK2gN4OXBnbttK\n4MSIeCXwV8DfpuUXA2cBSDoG2CMi7utiG9dFxKuALwMf6WI93fIW4IaIeBhYL+n4Rjumf4d/AU6N\niOOBwTbq/T5wuKSHJV0g6XVpEPsi8Lb0+Jcwvqe9V0QsBv4o3daKl8L4tZYjYiPwFPCHwEJgcfot\n4+sR8QXg58DJEXFyi3Vm/hl4h6R9a8q/CFyW1Ql8ISI2APcCr0v3eTNwY0SMtFp5RDxOskDQQSQf\n7Bsi4teAXwPeo2S
luFNJ3hOvjohXAJ9ttb6c7cBb0/+Tk4Hz029WAIuAf06/dfwC+L0269pT1bTN\ntWlZ3deabjsB+ABwHHA08LtN1tdKjAJ4Fcn7/HV0UNcWHummiFiuJMe2lImLm+wLXCZpERAkc2cA\n/AfwCUl/BrwbuLTLzfxmeruM5t8kRbAU+Kf0/pXp40a99JcAj0fEE+njK0h6iU2LiM3ph8qJJP/8\nVwGfBl4G3JTGgQFgTe5pV6TPvV3SPpL2i4hftFJ/AycBF0TEaFrP8x08NhGxUdLXgD8GtuU2/QbV\n986/UQ2uVwFvB24h+bZ1QQeb80bg5ZLelj7elyTovgH4akRsTdvcid+BgL+V9FqgDBwKHJxueyIi\n7k3vLyP5oG3HtrQzkNfote4Efpp+ACLpCpJvt9+YbmUtxiiAmzr9/oIeDfSp64DzSP4JD8yV/x/g\nloh4a/qLvhUgIrZKuomkV3IG0LCHOk2jjP9GtEfN9h3p7Rid/z1PVXdbJB1Aksr4VUlBElgD+FY3\n682kaZNbgVsl3Q+8H3ggIn6j0VOmeDwdPwPeli+QtA9wBPBkC8dr1v8F7ga+Oo19ryMJkAeQvI9/\n0E7Fko4ieZ+uJQm+H4iIG2v2+e126mjgHSTf/o6PiBFJT1J9T+3I7TcGdDx1Q+PXehKdeU81FaNS\nW1qoZ0q9mrqB5Cv6X0fE/TXl+1I98XFWzbZ/Bb4A3BURL7RZ/yrgOEm7S9oPeH2bxytS3W8D/i0i\nfjkiFkbE4cATJO+XevU+BByl6kiGt7dasaRj055OZjHwIDCo5EQtkuZKemlun7en5a8h+SreaMa/\nydwM7CXpD9JjDQDnk3zzuxF4r9ITZGmABdgETD1z4DSkvbirSdIJmR+Rnh8hCYo/TPfdDNxF8o3r\nO+kHY0skDQJfAb4UydWTNwL/K8v5SzpG0t7ATcC7lI4yyv0O2rEvsDYN8icDv9yBYzaj0WsFOCFN\nWZVI3l93tHD8VmJUV/Rsjz4iVpME7VqfJfla9JfAd2ues0zSRqbXa6or/WffERFPS7oaWEESBO9p\n9ZgFrHsp8A81ZdeQBJ0J9UbENkl/BNwgaQtJEGrVPOCL6QfJKPAoSRroQuALaR57DkkPOFtwfruk\ne0i+Ar+7lUojIiS9FbhA0idIPtSuBz5G0qM8BlguaQS4CPhS2qYbJP28A3l6SD5Yzs09/gDw1TTd\nOAy8K7ftKpJ05Ekt1LOnpHtJfl+jJGmhz6Xb/pUkTXJ3mi8fBk6PiBuUDGYYkrST6u+madn7mOS8\nw7fTb21DJLnrmVT3tabb7iL5G7+YJEV2bb0DTKaVGNUtu9QUCJJeRPI16SURUW7xGK8ALoqIVkd3\ntGw2656KpHlpfl0kJxcfiYjoqR4PAAAEE0lEQVTPz0C9twIfiYihbtdlnVHk93G/6uXUTVPSr+R3\nAh9vI8i/j+TE3192sm1Fr3ua3pP2Eh8g+Wr6L7PcHiugHngf96VdqkdvZrYr2mV69GZmuyoHejPr\nGkmHS7pF0s+UXOX6wbT8AEk3KZlX6CZJ+6flL1Fy1egOSR+pOdYHlVyd/ICkD83G6+lVDvRm1k2j\nwJ9GxHHArwPvl3Qc8FHg5nReoZvTxwDPk1w4dl7+IJJeBryH5IrVVwBvlvTimXkJvc+B3sy6JiLW\nRMTd6f1NJNdEHEpy4eJl6W6XkQ5rjIi1EXEXUDulw68Ad0bE1vQK5dvozSvOZ4UDvZnNiPSCuleS\njH47OCKyaSyepTr1QSMrgBMlHZhetHUacHiXmtp3evaCKTPrHUpmQ70G+FA6t09lW3qx2qTD/yLi\nQUn/QDLp3RaSid1aviJ4V+MevZl1VTrFwDUks35mk/09p+pU04eQzLMzqYi4OCKOj4jXAi8AD3er\nzf3Ggd7Muia9Uvpi4MGI+Fxu03XAO9P77ySZMG+qYx2U3h5Bkp+/vLOt7V++YMrMu
iadaO6HwP0k\nUxFDMkfOnSTzJh1BMknfGRHxvKRfIpn3Zp90/83AcWm654cks0COAH8SER1dnKOfOdCbmfU5p27M\nzPqcA72ZWZ9zoDcz63MO9GZmfc6B3syszznQW9+S9KnaGRBrtp+eTrA11XHG7SfpbyS9oVPtNOs2\nB3rblZ0OTBnoa/eLiL+KiP/qWqvMOsyB3vqKpI9LeljSHcCxadl7JN0l6T5J10jaS9JvAr8D/KOk\neyUdnf7cIGmZpB+mc6PX2+9SSW9Lj/2kpL9Ltw1JepWkGyU9li6bl7Xrz9I2LJf017Pwq7FdmCc1\ns74h6XjgTGAxyXv7bmAZ8M2IuCjd59PA2RHxRUnXAd+JiG+k224G3hcRj0h6NXBBRJxSZ7/aqp+K\niMWSPg9cCvw3YA+SGRe/IumNwCKSudQFXCfptRFxe9d+GWY5DvTWT04Ero2IrQBpgAZ4WRrg9wPm\nATfWPjGdXfE3gf/IBfLdp1lvVs/9wLx03vVN6SpJ+wFvTH/uSfebRxL4HehtRjjQ267gUuD0iLhP\n0lnASXX2KQG/iIjFLRx/R3pbzt3PHs8h6cX/XUT8SwvHNmubc/TWT24HTpe0p6T5wP9Iy+cDa9Lp\nct+R239Tuo2I2Ag8Iel/QjLroqRX1O7XohuBd6ffGpB0aDYTo9lMcKC3vpEuWXcVcB/wPeCudNMn\nSGZL/H/AytxTrgT+TNI9ko4m+RA4W9J9wAMky93V26/Zdn2fZErdH0u6H/gG7X1wmDXFs1eamfU5\n9+jNzPqcA72ZWZ9zoDcz63MO9GZmfc6B3syszznQm5n1OQd6M7M+9/8BNyPuxB3IAqUAAAAASUVO\nRK5CYII=\n", "text/plain": [ "
" ] @@ -3694,15 +3744,18 @@ "metadata": { "id": "y-hGtMtYyrt6", "colab_type": "code", - "outputId": "563e3970-164d-445c-d516-ae548e6fa7db", + "outputId": "c349f903-6fc4-44ae-f722-0ef6865de6f4", "colab": { "base_uri": "https://localhost:8080/", - "height": 3020 + "height": 2974 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('TeamViewer', return_fields='datetime,timestamp_desc,data_type,filename,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'TeamViewer', \n", + " return_fields='datetime,timestamp_desc,data_type,filename,message', \n", + " as_pandas=True)\n", "ts_results = ts_results.set_index('datetime')\n", "ts_results['2019-02-20':][['timestamp_desc','data_type','filename','message']]" ], 
@@ -3745,210 +3798,210 @@ " \n", " \n", " \n", - " 2019-02-25 18:28:14\n", + " 2019-02-25 18:28:14+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/PICKERHOST.EXE-93018817.pf\n", " Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW...\n", " \n", " \n", - " 2019-02-25 20:39:27\n", + " 2019-02-25 20:39:27+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/CHROME.EXE-5FE9909D.pf\n", " Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI...\n", " \n", " \n", - " 2019-02-25 20:39:41\n", + " 2019-02-25 20:39:41+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&...\n", " \n", " \n", - " 2019-02-25 20:39:41\n", + " 2019-02-25 20:39:41+00:00\n", " Last Visited Time\n", " chrome:history:page_visited\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6...\n", " \n", " \n", - " 2019-02-25 20:39:46\n", + " 2019-02-25 20:39:46+00:00\n", " Last Visited Time\n", " chrome:history:page_visited\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T...\n", " \n", " \n", - " 2019-02-25 20:39:46\n", + " 2019-02-25 20:39:46+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://static.teamviewer.com/resources/2018/10/logo...\n", " \n", " \n", - " 2019-02-25 20:39:54\n", + " 2019-02-25 20:39:54+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://www.teamviewer.com/en-us/teamviewer-automati...\n", " \n", " \n", - " 
2019-02-25 20:39:55\n", + " 2019-02-25 20:39:55+00:00\n", " Last Visited Time\n", " chrome:history:page_visited\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T...\n", " \n", " \n", - " 2019-02-25 20:39:59\n", + " 2019-02-25 20:39:59+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://tracking.g2crowd.com/attribution_tracking/co...\n", " \n", " \n", - " 2019-02-25 20:40:00\n", + " 2019-02-25 20:40:00+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4...\n", " \n", " \n", - " 2019-02-25 20:40:00\n", + " 2019-02-25 20:40:00+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=...\n", " \n", " \n", - " 2019-02-25 20:40:10\n", + " 2019-02-25 20:40:10+00:00\n", " Last Visited Time\n", " chrome:cache:entry\n", " /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...\n", " Original URL: https://static.teamviewer.com/resources/2018/10/team...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Content Modification Time\n", " fs:stat\n", " /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/tvinfo.ini\n", " TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Creation Time\n", " fs:stat\n", " 
/Users/Administrator/AppData/Local/Temp/TeamViewer\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Creation Time\n", " fs:stat\n", " /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Metadata Modification Time\n", " fs:stat\n", " /Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exe\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_...\n", " \n", " \n", - " 2019-02-25 20:40:47\n", + " 2019-02-25 20:40:47+00:00\n", " Content Modification Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/tvinfo.ini\n", " TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file\n", " \n", " \n", - " 2019-02-25 20:40:49\n", + " 2019-02-25 20:40:49+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pf\n", " Prefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS...\n", " \n", " \n", - " 2019-02-25 20:41:04\n", + " 2019-02-25 20:41:04+00:00\n", " Creation Time\n", " fs:stat\n", " /Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.log\n", " TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer\n", " TSK:/Program Files (x86)/TeamViewer Type: directory\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Content Modification Time\n", " 
windows:shell_item:file_entry\n", " /Users/Public/Desktop/TeamViewer 14.lnk\n", " Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Content Modification Time\n", " windows:shell_item:file_entry\n", " /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk\n", " Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " /Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team...\n", " Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk\n", " Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " /Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer...\n", " Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " /Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV...\n", " Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...\n", " \n", " \n", - " 2019-02-25 20:41:06\n", + " 2019-02-25 20:41:06+00:00\n", " Creation Time\n", " windows:shell_item:file_entry\n", " /Users/Public/Desktop/TeamViewer 14.lnk\n", " Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...\n", " \n", " \n", - " 2019-02-25 20:41:11\n", + " 2019-02-25 20:41:11+00:00\n", " Creation Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/License.txt\n", 
@@ -3962,210 +4015,210 @@ " ...\n", " \n", " \n", - " 2019-03-20 21:04:58\n", + " 2019-03-20 21:04:58+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Note.exe\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file\n", " \n", " \n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/uninstall.exe\n", " TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file\n", " \n", " \n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:04:59\n", + " 2019-03-20 21:04:59+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:00\n", + " 2019-03-20 21:05:00+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:00\n", + " 2019-03-20 21:05:00+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll\n", " TSK:/Program Files 
(x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:01\n", + " 2019-03-20 21:05:01+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:02\n", + " 2019-03-20 21:05:02+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:02\n", + " 2019-03-20 21:05:02+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll\n", " TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...\n", " \n", " \n", - " 2019-03-20 21:05:19\n", + " 2019-03-20 21:05:19+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " /Windows/appcompat/Programs/Amcache.hve\n", " [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...\n", " \n", " \n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/x64\n", " TSK:/Program Files (x86)/TeamViewer/x64 Type: directory\n", " \n", " \n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/Printer\n", " TSK:/Program Files 
(x86)/TeamViewer/Printer Type: directory\n", " \n", " \n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/Printer/x64\n", " TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory\n", " \n", " \n", - " 2019-03-20 21:05:20\n", + " 2019-03-20 21:05:20+00:00\n", " Last Access Time\n", " fs:stat\n", " /Program Files (x86)/TeamViewer/outlook\n", " TSK:/Program Files (x86)/TeamViewer/outlook Type: directory\n", " \n", " \n", - " 2019-03-20 21:05:24\n", + " 2019-03-20 21:05:24+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pf\n", " Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...\n", " \n", " \n", - " 2019-03-20 21:05:43\n", + " 2019-03-20 21:05:43+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " /Windows/System32/config/SYSTEM\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...\n", " \n", " \n", - " 2019-03-20 21:05:59\n", + " 2019-03-20 21:05:59+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", - " 2019-03-20 21:06:00\n", + " 2019-03-20 21:06:00+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...\n", " \n", " \n", - " 2019-03-20 21:08:32\n", + " 2019-03-20 21:08:32+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-95989D99.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", - " 2019-03-20 21:10:56\n", + " 2019-03-20 21:10:56+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " 
/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", - " 2019-03-20 21:15:21\n", + " 2019-03-20 21:15:21+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-95989D99.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", - " 2019-03-20 21:15:28\n", + " 2019-03-20 21:15:28+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-95989D99.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", - " 2019-03-20 21:15:36\n", + " 2019-03-20 21:15:36+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-95989D99.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...\n", " \n", " \n", - " 2019-03-20 21:15:59\n", + " 2019-03-20 21:15:59+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf\n", " Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...\n", " \n", " \n", - " 2019-03-20 21:16:00\n", + " 2019-03-20 21:16:00+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf\n", " Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...\n", " \n", " \n", - " 2019-03-20 21:26:28\n", + " 2019-03-20 21:26:28+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " /Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pf\n", 
@@ -4177,261 +4230,261 @@ "" ], "text/plain": [ - " timestamp_desc \\\n", - "datetime \n", - "2019-02-25 18:28:14 Previous Last Time Executed \n", - "2019-02-25 20:39:27 Previous Last Time Executed \n", - "2019-02-25 20:39:41 Last Visited Time \n", - "2019-02-25 20:39:41 Last Visited Time \n", - "2019-02-25 20:39:46 Last Visited Time \n", - "2019-02-25 20:39:46 Last Visited Time \n", - "2019-02-25 20:39:54 Last Visited Time \n", - "2019-02-25 20:39:55 Last Visited Time \n", - "2019-02-25 20:39:59 Last Visited Time \n", - "2019-02-25 20:40:00 Last Visited Time \n", - "2019-02-25 20:40:00 Last Visited Time \n", - "2019-02-25 20:40:10 Last Visited Time \n", - "2019-02-25 20:40:47 Content Modification Time \n", - "2019-02-25 20:40:47 Metadata Modification Time \n", - "2019-02-25 20:40:47 Creation Time \n", - "2019-02-25 20:40:47 Creation Time \n", - "2019-02-25 20:40:47 Metadata Modification Time \n", - "2019-02-25 20:40:47 Metadata Modification Time \n", - "2019-02-25 20:40:47 Content Modification Time \n", - "2019-02-25 20:40:49 Last Time Executed \n", - "2019-02-25 20:41:04 Creation Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:06 Content Modification Time \n", - "2019-02-25 20:41:06 Content Modification Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:06 Creation Time \n", - "2019-02-25 20:41:11 Creation Time \n", - "... ... 
\n", - "2019-03-20 21:04:58 Last Access Time \n", - "2019-03-20 21:04:59 Last Access Time \n", - "2019-03-20 21:04:59 Last Access Time \n", - "2019-03-20 21:04:59 Last Access Time \n", - "2019-03-20 21:04:59 Last Access Time \n", - "2019-03-20 21:05:00 Last Access Time \n", - "2019-03-20 21:05:00 Last Access Time \n", - "2019-03-20 21:05:01 Last Access Time \n", - "2019-03-20 21:05:01 Last Access Time \n", - "2019-03-20 21:05:01 Last Access Time \n", - "2019-03-20 21:05:01 Last Access Time \n", - "2019-03-20 21:05:02 Last Access Time \n", - "2019-03-20 21:05:02 Last Access Time \n", - "2019-03-20 21:05:19 Content Modification Time \n", - "2019-03-20 21:05:20 Last Access Time \n", - "2019-03-20 21:05:20 Last Access Time \n", - "2019-03-20 21:05:20 Last Access Time \n", - "2019-03-20 21:05:20 Last Access Time \n", - "2019-03-20 21:05:24 Last Time Executed \n", - "2019-03-20 21:05:43 Content Modification Time \n", - "2019-03-20 21:05:59 Previous Last Time Executed \n", - "2019-03-20 21:06:00 Previous Last Time Executed \n", - "2019-03-20 21:08:32 Previous Last Time Executed \n", - "2019-03-20 21:10:56 Previous Last Time Executed \n", - "2019-03-20 21:15:21 Previous Last Time Executed \n", - "2019-03-20 21:15:28 Previous Last Time Executed \n", - "2019-03-20 21:15:36 Last Time Executed \n", - "2019-03-20 21:15:59 Last Time Executed \n", - "2019-03-20 21:16:00 Last Time Executed \n", - "2019-03-20 21:26:28 Last Time Executed \n", + " timestamp_desc \\\n", + "datetime \n", + "2019-02-25 18:28:14+00:00 Previous Last Time Executed \n", + "2019-02-25 20:39:27+00:00 Previous Last Time Executed \n", + "2019-02-25 20:39:41+00:00 Last Visited Time \n", + "2019-02-25 20:39:41+00:00 Last Visited Time \n", + "2019-02-25 20:39:46+00:00 Last Visited Time \n", + "2019-02-25 20:39:46+00:00 Last Visited Time \n", + "2019-02-25 20:39:54+00:00 Last Visited Time \n", + "2019-02-25 20:39:55+00:00 Last Visited Time \n", + "2019-02-25 20:39:59+00:00 Last Visited Time \n", + "2019-02-25 
20:40:00+00:00 Last Visited Time \n", + "2019-02-25 20:40:00+00:00 Last Visited Time \n", + "2019-02-25 20:40:10+00:00 Last Visited Time \n", + "2019-02-25 20:40:47+00:00 Content Modification Time \n", + "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", + "2019-02-25 20:40:47+00:00 Creation Time \n", + "2019-02-25 20:40:47+00:00 Creation Time \n", + "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", + "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", + "2019-02-25 20:40:47+00:00 Content Modification Time \n", + "2019-02-25 20:40:49+00:00 Last Time Executed \n", + "2019-02-25 20:41:04+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Content Modification Time \n", + "2019-02-25 20:41:06+00:00 Content Modification Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:06+00:00 Creation Time \n", + "2019-02-25 20:41:11+00:00 Creation Time \n", + "... ... 
\n", + "2019-03-20 21:04:58+00:00 Last Access Time \n", + "2019-03-20 21:04:59+00:00 Last Access Time \n", + "2019-03-20 21:04:59+00:00 Last Access Time \n", + "2019-03-20 21:04:59+00:00 Last Access Time \n", + "2019-03-20 21:04:59+00:00 Last Access Time \n", + "2019-03-20 21:05:00+00:00 Last Access Time \n", + "2019-03-20 21:05:00+00:00 Last Access Time \n", + "2019-03-20 21:05:01+00:00 Last Access Time \n", + "2019-03-20 21:05:01+00:00 Last Access Time \n", + "2019-03-20 21:05:01+00:00 Last Access Time \n", + "2019-03-20 21:05:01+00:00 Last Access Time \n", + "2019-03-20 21:05:02+00:00 Last Access Time \n", + "2019-03-20 21:05:02+00:00 Last Access Time \n", + "2019-03-20 21:05:19+00:00 Content Modification Time \n", + "2019-03-20 21:05:20+00:00 Last Access Time \n", + "2019-03-20 21:05:20+00:00 Last Access Time \n", + "2019-03-20 21:05:20+00:00 Last Access Time \n", + "2019-03-20 21:05:20+00:00 Last Access Time \n", + "2019-03-20 21:05:24+00:00 Last Time Executed \n", + "2019-03-20 21:05:43+00:00 Content Modification Time \n", + "2019-03-20 21:05:59+00:00 Previous Last Time Executed \n", + "2019-03-20 21:06:00+00:00 Previous Last Time Executed \n", + "2019-03-20 21:08:32+00:00 Previous Last Time Executed \n", + "2019-03-20 21:10:56+00:00 Previous Last Time Executed \n", + "2019-03-20 21:15:21+00:00 Previous Last Time Executed \n", + "2019-03-20 21:15:28+00:00 Previous Last Time Executed \n", + "2019-03-20 21:15:36+00:00 Last Time Executed \n", + "2019-03-20 21:15:59+00:00 Last Time Executed \n", + "2019-03-20 21:16:00+00:00 Last Time Executed \n", + "2019-03-20 21:26:28+00:00 Last Time Executed \n", "\n", - " data_type \\\n", - "datetime \n", - "2019-02-25 18:28:14 windows:prefetch:execution \n", - "2019-02-25 20:39:27 windows:prefetch:execution \n", - "2019-02-25 20:39:41 chrome:cache:entry \n", - "2019-02-25 20:39:41 chrome:history:page_visited \n", - "2019-02-25 20:39:46 chrome:history:page_visited \n", - "2019-02-25 20:39:46 chrome:cache:entry \n", - 
"2019-02-25 20:39:54 chrome:cache:entry \n", - "2019-02-25 20:39:55 chrome:history:page_visited \n", - "2019-02-25 20:39:59 chrome:cache:entry \n", - "2019-02-25 20:40:00 chrome:cache:entry \n", - "2019-02-25 20:40:00 chrome:cache:entry \n", - "2019-02-25 20:40:10 chrome:cache:entry \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:47 fs:stat \n", - "2019-02-25 20:40:49 windows:prefetch:execution \n", - "2019-02-25 20:41:04 fs:stat \n", - "2019-02-25 20:41:06 fs:stat \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06 windows:shell_item:file_entry \n", - "2019-02-25 20:41:11 fs:stat \n", - "... ... 
\n", - "2019-03-20 21:04:58 fs:stat \n", - "2019-03-20 21:04:59 fs:stat \n", - "2019-03-20 21:04:59 fs:stat \n", - "2019-03-20 21:04:59 fs:stat \n", - "2019-03-20 21:04:59 fs:stat \n", - "2019-03-20 21:05:00 fs:stat \n", - "2019-03-20 21:05:00 fs:stat \n", - "2019-03-20 21:05:01 fs:stat \n", - "2019-03-20 21:05:01 fs:stat \n", - "2019-03-20 21:05:01 fs:stat \n", - "2019-03-20 21:05:01 fs:stat \n", - "2019-03-20 21:05:02 fs:stat \n", - "2019-03-20 21:05:02 fs:stat \n", - "2019-03-20 21:05:19 windows:registry:key_value \n", - "2019-03-20 21:05:20 fs:stat \n", - "2019-03-20 21:05:20 fs:stat \n", - "2019-03-20 21:05:20 fs:stat \n", - "2019-03-20 21:05:20 fs:stat \n", - "2019-03-20 21:05:24 windows:prefetch:execution \n", - "2019-03-20 21:05:43 windows:registry:key_value \n", - "2019-03-20 21:05:59 windows:prefetch:execution \n", - "2019-03-20 21:06:00 windows:prefetch:execution \n", - "2019-03-20 21:08:32 windows:prefetch:execution \n", - "2019-03-20 21:10:56 windows:prefetch:execution \n", - "2019-03-20 21:15:21 windows:prefetch:execution \n", - "2019-03-20 21:15:28 windows:prefetch:execution \n", - "2019-03-20 21:15:36 windows:prefetch:execution \n", - "2019-03-20 21:15:59 windows:prefetch:execution \n", - "2019-03-20 21:16:00 windows:prefetch:execution \n", - "2019-03-20 21:26:28 windows:prefetch:execution \n", + " data_type \\\n", + "datetime \n", + "2019-02-25 18:28:14+00:00 windows:prefetch:execution \n", + "2019-02-25 20:39:27+00:00 windows:prefetch:execution \n", + "2019-02-25 20:39:41+00:00 chrome:cache:entry \n", + "2019-02-25 20:39:41+00:00 chrome:history:page_visited \n", + "2019-02-25 20:39:46+00:00 chrome:history:page_visited \n", + "2019-02-25 20:39:46+00:00 chrome:cache:entry \n", + "2019-02-25 20:39:54+00:00 chrome:cache:entry \n", + "2019-02-25 20:39:55+00:00 chrome:history:page_visited \n", + "2019-02-25 20:39:59+00:00 chrome:cache:entry \n", + "2019-02-25 20:40:00+00:00 chrome:cache:entry \n", + "2019-02-25 20:40:00+00:00 chrome:cache:entry \n", + 
"2019-02-25 20:40:10+00:00 chrome:cache:entry \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:47+00:00 fs:stat \n", + "2019-02-25 20:40:49+00:00 windows:prefetch:execution \n", + "2019-02-25 20:41:04+00:00 fs:stat \n", + "2019-02-25 20:41:06+00:00 fs:stat \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", + "2019-02-25 20:41:11+00:00 fs:stat \n", + "... ... \n", + "2019-03-20 21:04:58+00:00 fs:stat \n", + "2019-03-20 21:04:59+00:00 fs:stat \n", + "2019-03-20 21:04:59+00:00 fs:stat \n", + "2019-03-20 21:04:59+00:00 fs:stat \n", + "2019-03-20 21:04:59+00:00 fs:stat \n", + "2019-03-20 21:05:00+00:00 fs:stat \n", + "2019-03-20 21:05:00+00:00 fs:stat \n", + "2019-03-20 21:05:01+00:00 fs:stat \n", + "2019-03-20 21:05:01+00:00 fs:stat \n", + "2019-03-20 21:05:01+00:00 fs:stat \n", + "2019-03-20 21:05:01+00:00 fs:stat \n", + "2019-03-20 21:05:02+00:00 fs:stat \n", + "2019-03-20 21:05:02+00:00 fs:stat \n", + "2019-03-20 21:05:19+00:00 windows:registry:key_value \n", + "2019-03-20 21:05:20+00:00 fs:stat \n", + "2019-03-20 21:05:20+00:00 fs:stat \n", + "2019-03-20 21:05:20+00:00 fs:stat \n", + "2019-03-20 21:05:20+00:00 fs:stat \n", + "2019-03-20 21:05:24+00:00 windows:prefetch:execution \n", + "2019-03-20 21:05:43+00:00 windows:registry:key_value \n", + "2019-03-20 21:05:59+00:00 windows:prefetch:execution \n", + "2019-03-20 21:06:00+00:00 
windows:prefetch:execution \n", + "2019-03-20 21:08:32+00:00 windows:prefetch:execution \n", + "2019-03-20 21:10:56+00:00 windows:prefetch:execution \n", + "2019-03-20 21:15:21+00:00 windows:prefetch:execution \n", + "2019-03-20 21:15:28+00:00 windows:prefetch:execution \n", + "2019-03-20 21:15:36+00:00 windows:prefetch:execution \n", + "2019-03-20 21:15:59+00:00 windows:prefetch:execution \n", + "2019-03-20 21:16:00+00:00 windows:prefetch:execution \n", + "2019-03-20 21:26:28+00:00 windows:prefetch:execution \n", "\n", - " filename \\\n", - "datetime \n", - "2019-02-25 18:28:14 /Windows/Prefetch/PICKERHOST.EXE-93018817.pf \n", - "2019-02-25 20:39:27 /Windows/Prefetch/CHROME.EXE-5FE9909D.pf \n", - "2019-02-25 20:39:41 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:41 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:46 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:46 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:54 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:55 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:59 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:10 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... 
\n", - "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47 /Program Files (x86)/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer \n", - "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47 /Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exe \n", - "2019-02-25 20:40:47 /Program Files (x86)/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:49 /Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pf \n", - "2019-02-25 20:41:04 /Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.log \n", - "2019-02-25 20:41:06 /Program Files (x86)/TeamViewer \n", - "2019-02-25 20:41:06 /Users/Public/Desktop/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06 /Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team... \n", - "2019-02-25 20:41:06 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06 /Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer... \n", - "2019-02-25 20:41:06 /Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV... \n", - "2019-02-25 20:41:06 /Users/Public/Desktop/TeamViewer 14.lnk \n", - "2019-02-25 20:41:11 /Program Files (x86)/TeamViewer/License.txt \n", - "... ... 
\n", - "2019-03-20 21:04:58 /Program Files (x86)/TeamViewer/TeamViewer_Note.exe \n", - "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/uninstall.exe \n", - "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll \n", - "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll \n", - "2019-03-20 21:04:59 /Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll \n", - "2019-03-20 21:05:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll \n", - "2019-03-20 21:05:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll \n", - "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll \n", - "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll \n", - "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll \n", - "2019-03-20 21:05:01 /Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll \n", - "2019-03-20 21:05:02 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll \n", - "2019-03-20 21:05:02 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll \n", - "2019-03-20 21:05:19 /Windows/appcompat/Programs/Amcache.hve \n", - "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/x64 \n", - "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/Printer \n", - "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/Printer/x64 \n", - "2019-03-20 21:05:20 /Program Files (x86)/TeamViewer/outlook \n", - "2019-03-20 21:05:24 /Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pf \n", - "2019-03-20 21:05:43 /Windows/System32/config/SYSTEM \n", - "2019-03-20 21:05:59 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:06:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", - "2019-03-20 21:08:32 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:10:56 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:15:21 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:28 
/Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:36 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:59 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:16:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", - "2019-03-20 21:26:28 /Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pf \n", + " filename \\\n", + "datetime \n", + "2019-02-25 18:28:14+00:00 /Windows/Prefetch/PICKERHOST.EXE-93018817.pf \n", + "2019-02-25 20:39:27+00:00 /Windows/Prefetch/CHROME.EXE-5FE9909D.pf \n", + "2019-02-25 20:39:41+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:41+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:46+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:46+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:54+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:55+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:39:59+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:00+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:00+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", + "2019-02-25 20:40:10+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... 
\n", + "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47+00:00 /Program Files (x86)/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer \n", + "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exe \n", + "2019-02-25 20:40:47+00:00 /Program Files (x86)/TeamViewer/tvinfo.ini \n", + "2019-02-25 20:40:49+00:00 /Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pf \n", + "2019-02-25 20:41:04+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.log \n", + "2019-02-25 20:41:06+00:00 /Program Files (x86)/TeamViewer \n", + "2019-02-25 20:41:06+00:00 /Users/Public/Desktop/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06+00:00 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06+00:00 /Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team... \n", + "2019-02-25 20:41:06+00:00 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", + "2019-02-25 20:41:06+00:00 /Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer... \n", + "2019-02-25 20:41:06+00:00 /Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV... \n", + "2019-02-25 20:41:06+00:00 /Users/Public/Desktop/TeamViewer 14.lnk \n", + "2019-02-25 20:41:11+00:00 /Program Files (x86)/TeamViewer/License.txt \n", + "... ... 
\n", + "2019-03-20 21:04:58+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Note.exe \n", + "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/uninstall.exe \n", + "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll \n", + "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll \n", + "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll \n", + "2019-03-20 21:05:00+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll \n", + "2019-03-20 21:05:00+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll \n", + "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll \n", + "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll \n", + "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll \n", + "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll \n", + "2019-03-20 21:05:02+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll \n", + "2019-03-20 21:05:02+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll \n", + "2019-03-20 21:05:19+00:00 /Windows/appcompat/Programs/Amcache.hve \n", + "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/x64 \n", + "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/Printer \n", + "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/Printer/x64 \n", + "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/outlook \n", + "2019-03-20 21:05:24+00:00 /Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pf \n", + "2019-03-20 21:05:43+00:00 /Windows/System32/config/SYSTEM \n", + "2019-03-20 21:05:59+00:00 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:06:00+00:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", + "2019-03-20 21:08:32+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:10:56+00:00 
/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:15:21+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:28+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:36+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", + "2019-03-20 21:15:59+00:00 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", + "2019-03-20 21:16:00+00:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", + "2019-03-20 21:26:28+00:00 /Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pf \n", "\n", - " message \n", - "datetime \n", - "2019-02-25 18:28:14 Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW... \n", - "2019-02-25 20:39:27 Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI... \n", - "2019-02-25 20:39:41 Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&... \n", - "2019-02-25 20:39:41 https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6... \n", - "2019-02-25 20:39:46 https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T... \n", - "2019-02-25 20:39:46 Original URL: https://static.teamviewer.com/resources/2018/10/logo... \n", - "2019-02-25 20:39:54 Original URL: https://www.teamviewer.com/en-us/teamviewer-automati... \n", - "2019-02-25 20:39:55 https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T... \n", - "2019-02-25 20:39:59 Original URL: https://tracking.g2crowd.com/attribution_tracking/co... \n", - "2019-02-25 20:40:00 Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4... \n", - "2019-02-25 20:40:00 Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=... \n", - "2019-02-25 20:40:10 Original URL: https://static.teamviewer.com/resources/2018/10/team... \n", - "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... 
\n", - "2019-02-25 20:40:47 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", - "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc... \n", - "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", - "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", - "2019-02-25 20:40:47 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_... \n", - "2019-02-25 20:40:47 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", - "2019-02-25 20:40:49 Prefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS... \n", - "2019-02-25 20:41:04 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install... \n", - "2019-02-25 20:41:06 TSK:/Program Files (x86)/TeamViewer Type: directory \n", - "2019-02-25 20:41:06 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "2019-02-25 20:41:06 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:11 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", - "... ... \n", - "2019-03-20 21:04:58 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", - "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", - "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... 
\n", - "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", - "2019-03-20 21:04:59 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", - "2019-03-20 21:05:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... \n", - "2019-03-20 21:05:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", - "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", - "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", - "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", - "2019-03-20 21:05:01 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", - "2019-03-20 21:05:02 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", - "2019-03-20 21:05:02 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", - "2019-03-20 21:05:19 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... \n", - "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", - "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", - "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", - "2019-03-20 21:05:20 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", - "2019-03-20 21:05:24 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... \n", - "2019-03-20 21:05:43 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", - "2019-03-20 21:05:59 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:06:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "2019-03-20 21:08:32 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... 
\n", - "2019-03-20 21:10:56 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:15:21 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:28 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:36 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:59 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:16:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "2019-03-20 21:26:28 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", + " message \n", + "datetime \n", + "2019-02-25 18:28:14+00:00 Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW... \n", + "2019-02-25 20:39:27+00:00 Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI... \n", + "2019-02-25 20:39:41+00:00 Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&... \n", + "2019-02-25 20:39:41+00:00 https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6... \n", + "2019-02-25 20:39:46+00:00 https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T... \n", + "2019-02-25 20:39:46+00:00 Original URL: https://static.teamviewer.com/resources/2018/10/logo... \n", + "2019-02-25 20:39:54+00:00 Original URL: https://www.teamviewer.com/en-us/teamviewer-automati... \n", + "2019-02-25 20:39:55+00:00 https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T... \n", + "2019-02-25 20:39:59+00:00 Original URL: https://tracking.g2crowd.com/attribution_tracking/co... \n", + "2019-02-25 20:40:00+00:00 Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4... \n", + "2019-02-25 20:40:00+00:00 Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=... \n", + "2019-02-25 20:40:10+00:00 Original URL: https://static.teamviewer.com/resources/2018/10/team... 
\n", + "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", + "2019-02-25 20:40:47+00:00 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", + "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc... \n", + "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", + "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", + "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_... \n", + "2019-02-25 20:40:47+00:00 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", + "2019-02-25 20:40:49+00:00 Prefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS... \n", + "2019-02-25 20:41:04+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install... \n", + "2019-02-25 20:41:06+00:00 TSK:/Program Files (x86)/TeamViewer Type: directory \n", + "2019-02-25 20:41:06+00:00 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "2019-02-25 20:41:06+00:00 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", + "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", + "2019-02-25 20:41:11+00:00 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", + "... ... 
\n", + "2019-03-20 21:04:58+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", + "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", + "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... \n", + "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", + "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", + "2019-03-20 21:05:00+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... \n", + "2019-03-20 21:05:00+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", + "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", + "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", + "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", + "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", + "2019-03-20 21:05:02+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", + "2019-03-20 21:05:02+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", + "2019-03-20 21:05:19+00:00 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... \n", + "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", + "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", + "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", + "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", + "2019-03-20 21:05:24+00:00 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... 
\n", + "2019-03-20 21:05:43+00:00 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", + "2019-03-20 21:05:59+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:06:00+00:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "2019-03-20 21:08:32+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:10:56+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:15:21+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:15:28+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:15:36+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", + "2019-03-20 21:15:59+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", + "2019-03-20 21:16:00+00:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", + "2019-03-20 21:26:28+00:00 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", "\n", "[632 rows x 4 columns]" ] 
@@ -4484,15 +4537,18 @@ "metadata": { "id": "v2ZjHcsv_Voj", "colab_type": "code", - "outputId": "18a2f000-a6ec-4ee3-9466-f3b7e3ec98e4", + "outputId": "af260df5-3132-48fe-f0e7-469dc0535105", "colab": { "base_uri": "https://localhost:8080/", - "height": 142 + "height": 138 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', return_fields='datetime,timestamp_desc,data_type,executable,run_count,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', \n", + " return_fields='datetime,timestamp_desc,data_type,executable,run_count,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','message']]" ], "execution_count": 18, @@ -4530,7 +4586,7 @@ " \n", " \n", " 0\n", - " 2019-03-18 17:59:21\n", + " 2019-03-18 17:59:21+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", @@ -4539,7 +4595,7 @@ " \n", " \n", " 1\n", - " 2019-03-18 18:34:19\n", + " 2019-03-18 18:34:19+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", @@ -4548,7 +4604,7 @@ " \n", " \n", " 2\n", - " 2019-03-18 18:36:49\n", + " 2019-03-18 18:36:49+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", 
@@ -4560,10 +4616,10 @@ "" ], "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2019-03-18 17:59:21 Previous Last Time Executed \n", - "1 2019-03-18 18:34:19 Previous Last Time Executed \n", - "2 2019-03-18 18:36:49 Last Time Executed \n", + " datetime timestamp_desc \\\n", + "0 2019-03-18 17:59:21+00:00 Previous Last Time Executed \n", + "1 2019-03-18 18:34:19+00:00 Previous Last Time Executed \n", + "2 2019-03-18 18:36:49+00:00 Last Time Executed \n", "\n", " data_type executable run_count \\\n", "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", @@ -4609,15 +4665,18 @@ "metadata": { "id": "Y1jC_-hMBLUG", "colab_type": "code", - "outputId": "0b77b7ce-841e-4f50-8a1a-9608229be5bb", + "outputId": "73b93cf8-4e5e-4fbd-d5ba-5e81c213eca5", "colab": { "base_uri": "https://localhost:8080/", - "height": 142 + "height": 138 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', return_fields='datetime,timestamp_desc,data_type,executable,run_count,path', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:prefetch:execution\" AND teamviewer_desktop.exe', \n", + " return_fields='datetime,timestamp_desc,data_type,executable,run_count,path', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','path']]" ], "execution_count": 19, @@ -4655,7 +4714,7 @@ " \n", " \n", " 0\n", - " 2019-03-18 17:59:21\n", + " 2019-03-18 17:59:21+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", @@ -4664,7 +4723,7 @@ " \n", " \n", " 1\n", - " 2019-03-18 18:34:19\n", + " 2019-03-18 18:34:19+00:00\n", " Previous Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", 
@@ -4673,7 +4732,7 @@ " \n", " \n", " 2\n", - " 2019-03-18 18:36:49\n", + " 2019-03-18 18:36:49+00:00\n", " Last Time Executed\n", " windows:prefetch:execution\n", " TEAMVIEWER_DESKTOP.EXE\n", @@ -4685,10 +4744,10 @@ "" ], "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2019-03-18 17:59:21 Previous Last Time Executed \n", - "1 2019-03-18 18:34:19 Previous Last Time Executed \n", - "2 2019-03-18 18:36:49 Last Time Executed \n", + " datetime timestamp_desc \\\n", + "0 2019-03-18 17:59:21+00:00 Previous Last Time Executed \n", + "1 2019-03-18 18:34:19+00:00 Previous Last Time Executed \n", + "2 2019-03-18 18:36:49+00:00 Last Time Executed \n", "\n", " data_type executable run_count \\\n", "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", @@ -4733,16 +4792,19 @@ "metadata": { "id": "qbT0cf4dB_aJ", "colab_type": "code", - "outputId": "e47fa09b-9d42-4775-e744-284f3004fc23", + "outputId": "665acf8d-0728-4b5d-ec63-9aee1c4d0a77", "colab": { "base_uri": "https://localhost:8080/", - "height": 80 + "height": 78 } }, "cell_type": "code", "source": [ "# Escaping fun: We need to esacpe the slashes in the key_path once for Timesketch and once for Python, so we'll have triple slashes (\\\\\\)\n", - "ts_results = ctf.explore('data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\Select\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\Select\"', \n", + " return_fields='datetime,timestamp_desc,data_type,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], "execution_count": 20, 
@@ -4778,7 +4840,7 @@ " \n", " \n", " 0\n", - " 2018-04-11 23:38:44\n", + " 2018-04-11 23:38:44+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau...\n", @@ -4788,8 +4850,11 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2018-04-11 23:38:44 Content Modification Time windows:registry:key_value \n", + " datetime timestamp_desc \\\n", + "0 2018-04-11 23:38:44+00:00 Content Modification Time \n", + "\n", + " data_type \\\n", + "0 windows:registry:key_value \n", "\n", " message \n", "0 [HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau... " @@ -4836,15 +4901,18 @@ "metadata": { "id": "f8CE4NYEFzWu", "colab_type": "code", - "outputId": "91fbcb06-fa73-49dd-a17c-76689ed304be", + "outputId": "73033525-4826-48e4-9acc-2694ccd54522", "colab": { "base_uri": "https://localhost:8080/", - "height": 80 + "height": 78 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\ControlSet001\\\\\\Control\\\\\\TimeZoneInformation\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:registry:key_value\" AND key_path:\"HKEY_LOCAL_MACHINE\\\\\\System\\\\\\ControlSet001\\\\\\Control\\\\\\TimeZoneInformation\"', \n", + " return_fields='datetime,timestamp_desc,data_type,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], "execution_count": 21, @@ -4880,7 +4948,7 @@ " \n", " \n", " 0\n", - " 2019-03-10 10:00:00\n", + " 2019-03-10 10:00:00+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati...\n", 
@@ -4890,8 +4958,11 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-03-10 10:00:00 Content Modification Time windows:registry:key_value \n", + " datetime timestamp_desc \\\n", + "0 2019-03-10 10:00:00+00:00 Content Modification Time \n", + "\n", + " data_type \\\n", + "0 windows:registry:key_value \n", "\n", " message \n", "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati... " @@ -4918,17 +4989,17 @@ "metadata": { "id": "s8UMrq0tb3u6", "colab_type": "code", + "outputId": "31e99d39-5d7a-4b76-b7aa-28b428fac200", "colab": { "base_uri": "https://localhost:8080/", - "height": 54 - }, - "outputId": "2664c305-2f12-4b73-947c-cc7c46d2d399" + "height": 55 + } }, "cell_type": "code", "source": [ "set(ts_results.message)" ], - "execution_count": 30, + "execution_count": 22, "outputs": [ { "output_type": "execute_result", @@ -4940,7 +5011,7 @@ "metadata": { "tags": [] }, - "execution_count": 30 + "execution_count": 22 } ] }, @@ -4958,10 +5029,10 @@ "metadata": { "id": "5R57xnzQGzEB", "colab_type": "code", - "outputId": "483426e3-ab26-4832-c7d2-8a669aaa16d8", + "outputId": "5cf3049b-7856-46d3-de99-29a0a0cc9d37", "colab": { "base_uri": "https://localhost:8080/", - "height": 34 + "height": 35 } }, "cell_type": "code", @@ -4969,7 +5040,7 @@ "# The ActiveTimeBias is in minutes, so divide by -60 (I don't know why it's stored negative): \n", "420 / -60" ], - "execution_count": 166, + "execution_count": 23, "outputs": [ { "output_type": "execute_result", @@ -4981,7 +5052,7 @@ "metadata": { "tags": [] }, - "execution_count": 166 + "execution_count": 23 } ] }, 
@@ -5009,18 +5080,21 @@ "metadata": { "id": "_DTNDAiAMSgz", "colab_type": "code", - "outputId": "88c0f22e-d14b-4bf5-f400-c30e46e40202", + "outputId": "fc505133-a8a6-4944-d7ab-4fbba126be77", "colab": { "base_uri": "https://localhost:8080/", - "height": 111 + "height": 108 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:registry:installation\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:registry:installation\"', \n", + " return_fields='datetime,timestamp_desc,data_type,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 167, + "execution_count": 24, "outputs": [ { "output_type": "execute_result", @@ -5053,14 +5127,14 @@ " \n", " \n", " 0\n", - " 1970-01-01 00:00:00\n", + " 1970-01-01 00:00:00+00:00\n", " Installation Time\n", " windows:registry:installation\n", " Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...\n", " \n", " \n", " 1\n", - " 2018-07-28 07:27:53\n", + " 2018-07-28 07:27:53+00:00\n", " Installation Time\n", " windows:registry:installation\n", " Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...\n", @@ -5070,9 +5144,9 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 1970-01-01 00:00:00 Installation Time windows:registry:installation \n", - "1 2018-07-28 07:27:53 Installation Time windows:registry:installation \n", + " datetime timestamp_desc data_type \\\n", + "0 1970-01-01 00:00:00+00:00 Installation Time windows:registry:installation \n", + "1 2018-07-28 07:27:53+00:00 Installation Time windows:registry:installation \n", "\n", " message \n", "0 Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\... \n", @@ -5082,7 +5156,7 @@ "metadata": { "tags": [] }, - "execution_count": 167 + "execution_count": 24 } ] }, 
@@ -5110,18 +5184,21 @@ "metadata": { "id": "angYvM_3RfA1", "colab_type": "code", - "outputId": "2fcd221d-d877-4e00-cefb-0f57f0ff8fad", + "outputId": "4c908f3a-3133-4c39-a237-f76bc594f5da", "colab": { "base_uri": "https://localhost:8080/", - "height": 173 + "height": 168 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('key_path:\"System\\\\\\ControlSet001\\\\\\Services\\\\\\Tcpip\\\\\\Parameters\\\\\\Interfaces\"', return_fields='datetime,timestamp_desc,data_type,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'key_path:\"System\\\\\\ControlSet001\\\\\\Services\\\\\\Tcpip\\\\\\Parameters\\\\\\Interfaces\"', \n", + " return_fields='datetime,timestamp_desc,data_type,message', \n", + " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 168, + "execution_count": 25, "outputs": [ { "output_type": "execute_result", @@ -5154,28 +5231,28 @@ " \n", " \n", " 0\n", - " 2018-07-28 07:24:53\n", + " 2018-07-28 07:24:53+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...\n", " \n", " \n", " 1\n", - " 2018-07-28 07:25:03\n", + " 2018-07-28 07:25:03+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...\n", " \n", " \n", " 2\n", - " 2018-07-28 07:36:43\n", + " 2018-07-28 07:36:43+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...\n", " \n", " \n", " 3\n", - " 2019-03-20 20:55:53\n", + " 2019-03-20 20:55:53+00:00\n", " Content Modification Time\n", " windows:registry:key_value\n", " [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...\n", 
@@ -5185,11 +5262,17 @@ "" ], "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2018-07-28 07:24:53 Content Modification Time windows:registry:key_value \n", - "1 2018-07-28 07:25:03 Content Modification Time windows:registry:key_value \n", - "2 2018-07-28 07:36:43 Content Modification Time windows:registry:key_value \n", - "3 2019-03-20 20:55:53 Content Modification Time windows:registry:key_value \n", + " datetime timestamp_desc \\\n", + "0 2018-07-28 07:24:53+00:00 Content Modification Time \n", + "1 2018-07-28 07:25:03+00:00 Content Modification Time \n", + "2 2018-07-28 07:36:43+00:00 Content Modification Time \n", + "3 2019-03-20 20:55:53+00:00 Content Modification Time \n", + "\n", + " data_type \\\n", + "0 windows:registry:key_value \n", + "1 windows:registry:key_value \n", + "2 windows:registry:key_value \n", + "3 windows:registry:key_value \n", "\n", " message \n", "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", @@ -5201,7 +5284,7 @@ "metadata": { "tags": [] }, - "execution_count": 168 + "execution_count": 25 } ] }, @@ -5219,17 +5302,17 @@ "metadata": { "id": "55kVv0nOcVKf", "colab_type": "code", + "outputId": "963f38c6-87c3-466a-ae5b-b42bf3ebabf1", "colab": { "base_uri": "https://localhost:8080/", - "height": 105 - }, - "outputId": "5d8e9766-e50c-449a-d7a9-97912fa1144d" + "height": 106 + } }, "cell_type": "code", "source": [ "set(ts_results.message)" ], - "execution_count": 169, + "execution_count": 26, "outputs": [ { "output_type": "execute_result", @@ -5244,7 +5327,7 @@ "metadata": { "tags": [] }, - "execution_count": 169 + "execution_count": 26 } ] }, 
@@ -5272,19 +5355,22 @@ "metadata": { "id": "6dq7IoM_U7Qo", "colab_type": "code", - "outputId": "12b401cf-92b2-4f5d-d5aa-2e80668b888f", + "outputId": "fb428b62-f3e0-4a92-841f-0f7c63486326", "colab": { "base_uri": "https://localhost:8080/", - "height": 142 + "height": 138 } }, "cell_type": "code", "source": [ - "ts_results = ctf.explore('data_type:\"windows:evtx:record\" AND filename:\"System.evtx\" AND 1074', return_fields='datetime,timestamp_desc,data_type,username,message', as_pandas=True)\n", + "ts_results = ctf.explore(\n", + " 'data_type:\"windows:evtx:record\" AND filename:\"System.evtx\" AND 1074', \n", + " return_fields='datetime,timestamp_desc,data_type,username,message', \n", + " as_pandas=True)\n", "ts_results = ts_results.set_index('datetime')\n", "ts_results['2019-02-25':'2019-02-26'][['timestamp_desc','data_type','username','message']]" ], - "execution_count": 170, + "execution_count": 27, "outputs": [ { "output_type": "execute_result", @@ -5323,14 +5409,14 @@ " \n", " \n", " \n", - " 2019-02-25 20:04:42\n", + " 2019-02-25 20:04:42+00:00\n", " Content Modification Time\n", " windows:evtx:record\n", " Administrator\n", " [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32...\n", " \n", " \n", - " 2019-02-25 20:13:53\n", + " 2019-02-25 20:13:53+00:00\n", " Content Modification Time\n", " windows:evtx:record\n", " Administrator\n", 
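Review bot: in `'data_type:\"windows:evtx:record\" AND filename:\"System.evtx\" AND 1074'` the bare `1074` is an unfielded term, so it matches any indexed field containing 1074 (a record number, a process id, a path fragment), not only event ID 1074; `event_identifier:1074` is the field plaso populates for EVTX records and narrows the query to the intended shutdown events. The date slice `ts_results['2019-02-25':'2019-02-26']` also depends on the `datetime` index being a DatetimeIndex; with the values now carrying `+00:00`, convert explicitly (`ts_results['datetime'] = pd.to_datetime(ts_results.datetime)` before `set_index`) so the slice is a time-range slice rather than a string comparison that happens to work. Finally, the displayed messages stop at `Strings: ['C:\Windows\System32...`, which hides the initiating process and shutdown reason that a 1074 question usually asks for; add the `strings` field to `return_fields` or raise `pd.options.display.max_colwidth` for this cell.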
@@ -5341,26 +5427,26 @@ "" ], "text/plain": [ - " timestamp_desc data_type \\\n", - "datetime \n", - "2019-02-25 20:04:42 Content Modification Time windows:evtx:record \n", - "2019-02-25 20:13:53 Content Modification Time windows:evtx:record \n", + " timestamp_desc data_type \\\n", + "datetime \n", + "2019-02-25 20:04:42+00:00 Content Modification Time windows:evtx:record \n", + "2019-02-25 20:13:53+00:00 Content Modification Time windows:evtx:record \n", "\n", - " username \\\n", - "datetime \n", - "2019-02-25 20:04:42 Administrator \n", - "2019-02-25 20:13:53 Administrator \n", + " username \\\n", + "datetime \n", + "2019-02-25 20:04:42+00:00 Administrator \n", + "2019-02-25 20:13:53+00:00 Administrator \n", "\n", - " message \n", - "datetime \n", - "2019-02-25 20:04:42 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... \n", - "2019-02-25 20:13:53 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... " + " message \n", + "datetime \n", + "2019-02-25 20:04:42+00:00 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... \n", + "2019-02-25 20:13:53+00:00 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... " ] }, "metadata": { "tags": [] }, - "execution_count": 170 + "execution_count": 27 } ] }, @@ -5371,7 +5457,16 @@ }, "cell_type": "markdown", "source": [ - "# Wrap Up\n", + "# Wrap Up" + ] + }, + { + "metadata": { + "id": "BbHOAd3X9Sq-", + "colab_type": "text" + }, + "cell_type": "markdown", + "source": [ "That's it! Thanks for reading and I hope you found this useful. This walkthrough covered most of the questions from the 'Basic - Desktop' category; I may do other sections as well if there is time/interest. If you found this useful, check out Kristinn's demonstration of [Timesketch and Colab](https://colab.research.google.com/github/google/timesketch/blob/master/notebooks/colab-timesketch-demo.ipynb).\n", "\n", "You can get the free, open source tools I used to solve the CTF:\n", 
From ba00a957fb09c3911b0784e643e83270350457fa Mon Sep 17 00:00:00 2001 From: Ryan Benson Date: Mon, 22 Apr 2019 20:49:45 -0700 Subject: [PATCH 3/6] Created using Colaboratory --- notebooks/MUS2019_CTF.ipynb | 4509 +---------------------------------- 1 file changed, 75 insertions(+), 4434 deletions(-) diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb index a8c9e42cd8..d747a39169 100644 --- a/notebooks/MUS2019_CTF.ipynb +++ b/notebooks/MUS2019_CTF.ipynb @@ -101,11 +101,7 @@ "metadata": { "id": "h35lMbAxIeYE", "colab_type": "code", - "outputId": "df0b6ffe-164a-4651-85b9-1b2ee6519531", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 138 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -117,22 +113,8 @@ "import pandas as pd\n", "pd.options.display.max_colwidth = 60" ], - "execution_count": 1, - "outputs": [ - { - "output_type": "stream", - "text": [ - "Requirement already satisfied: timesketch-api-client in /usr/local/lib/python2.7/dist-packages (20190124)\n", - "Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (2.18.4)\n", - "Requirement already satisfied: beautifulsoup4 in /usr/local/lib/python2.7/dist-packages (from timesketch-api-client) (4.6.3)\n", - "Requirement already satisfied: idna<2.7,>=2.5 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2.6)\n", - "Requirement already satisfied: urllib3<1.23,>=1.21.1 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (1.22)\n", - "Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (2019.3.9)\n", - "Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/dist-packages (from requests->timesketch-api-client) (3.0.4)\n" - ], - "name": "stdout" - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
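Review bot: dropping the `pip install` output in the `h35lMbAxIeYE` cell also drops the only record of what the notebook was run against: the deleted lines show `timesketch-api-client` at version `20190124` under `python2.7`. Since the rest of the notebook depends on that client's `explore(..., return_fields=..., as_pandas=True)` interface, pin the version in the install cell (`timesketch-api-client==20190124`) or state it in the markdown, so stripping outputs for size does not lose reproducibility.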
@@ -189,11 +171,7 @@ "metadata": { "id": "vsEZI45porba", "colab_type": "code", - "outputId": "f9c554b0-2916-41fd-b4ce-0307f00538fd", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 86 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -201,19 +179,8 @@ "for i, sketch in enumerate(sketches):\n", " print('[{0:d}] {1:s}'.format(i, sketch.name))" ], - "execution_count": 3, - "outputs": [ - { - "output_type": "stream", - "text": [ - "[0] MUSCTF 2019\n", - "[1] The Greendale incident - 2019\n", - "[2] test1Untitled sketch\n", - "[3] The Greendale investigation\n" - ], - "name": "stdout" - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -322,11 +289,7 @@ "metadata": { "id": "0n6k7v-ioy4_", "colab_type": "code", - "outputId": "6c496957-ae08-4742-a2e3-e9bd9635c525", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 198 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -336,111 +299,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','inode','filename']]" ], - "execution_count": 5, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typeinodefilename
02016-04-03 20:18:47+00:00Creation Timepe:compilation:compilation_time102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
12019-02-25 20:40:00+00:00Creation Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
22019-02-25 20:40:30+00:00Content Modification Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
32019-02-25 20:40:45+00:00Metadata Modification Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
42019-02-25 20:41:36+00:00Last Access Timefs:stat102698/Users/Administrator/Downloads/TeamViewer_Setup.exe
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2016-04-03 20:18:47+00:00 Creation Time \n", - "1 2019-02-25 20:40:00+00:00 Creation Time \n", - "2 2019-02-25 20:40:30+00:00 Content Modification Time \n", - "3 2019-02-25 20:40:45+00:00 Metadata Modification Time \n", - "4 2019-02-25 20:41:36+00:00 Last Access Time \n", - "\n", - " data_type inode \\\n", - "0 pe:compilation:compilation_time 102698 \n", - "1 fs:stat 102698 \n", - "2 fs:stat 102698 \n", - "3 fs:stat 102698 \n", - "4 fs:stat 102698 \n", - "\n", - " filename \n", - "0 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", - "1 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", - "2 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", - "3 /Users/Administrator/Downloads/TeamViewer_Setup.exe \n", - "4 /Users/Administrator/Downloads/TeamViewer_Setup.exe " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 5 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -476,11 +336,7 @@ "metadata": { "id": "idzQZADYj8LF", "colab_type": "code", - "outputId": "da03446f-d2a3-4e12-d3fa-8bf1834f7a52", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 708 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -490,298 +346,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','filename','message']]" ], - "execution_count": 6, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typefilenamemessage
02019-02-26 23:59:41+00:00Content Modification Timewindows:evtx:record/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O...[2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A...
12019-03-13 18:16:00+00:00Metadata Modification Timefs:ntfs:usn_changeenergy-report-2019-02-19.xmlenergy-report-2019-02-19.xml File reference: 60725-9 Par...
22019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
32019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
42019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
52019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
62019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_changeutc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
72019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_changeutc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
82019-03-13 18:53:16+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
92019-03-13 18:53:17+00:00Metadata Modification Timefs:ntfs:usn_changetelemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
102019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_changeTELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
112019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_changeTELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
122019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
132019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
142019-03-13 19:23:17+00:00Creation Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
152019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
162019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
172019-03-13 19:23:18+00:00Last Access Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
182019-03-13 19:23:18+00:00Content Modification Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
192019-03-13 19:23:18+00:00Metadata Modification Timefs:stat/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
202019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
212019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_changeutc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-02-26 23:59:41+00:00 Content Modification Time windows:evtx:record \n", - "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "14 2019-03-13 19:23:17+00:00 Creation Time fs:stat \n", - "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "17 2019-03-13 19:23:18+00:00 Last Access Time fs:stat \n", - "18 2019-03-13 19:23:18+00:00 Content Modification Time fs:stat \n", - "19 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:stat \n", - "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "\n", - " filename \\\n", - "0 /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O... 
\n", - "1 energy-report-2019-02-19.xml \n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "6 utc.app.json.new \n", - "7 utc.app.json.new \n", - "8 telemetry.ASM-WindowsDefault.json.new \n", - "9 telemetry.ASM-WindowsDefault.json.new \n", - "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "12 utc.privacy.json.new \n", - "13 utc.privacy.json.new \n", - "14 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "15 utc.privacy.json.new \n", - "16 utc.privacy.json \n", - "17 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "18 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "19 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "20 utc.privacy.json.new \n", - "21 utc.privacy.json \n", - "\n", - " message \n", - "0 [2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A... \n", - "1 energy-report-2019-02-19.xml File reference: 60725-9 Par... \n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "6 utc.app.json.new File reference: 60725-12 Parent file re... \n", - "7 utc.app.json.new File reference: 60725-12 Parent file re... \n", - "8 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", - "9 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", - "10 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", - "11 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", - "12 utc.privacy.json.new File reference: 60725-15 Parent fil... 
\n", - "13 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "14 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "15 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "16 utc.privacy.json File reference: 60725-15 Parent file re... \n", - "17 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "18 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "19 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "20 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "21 utc.privacy.json File reference: 60725-15 Parent file re... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 6 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -797,111 +363,14 @@ "metadata": { "id": "iPCYySiEVB6P", "colab_type": "code", - "outputId": "adcdddab-1419-4641-b7b4-96ef2e494f14", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 177 - } + "colab": {} }, "cell_type": "code", "source": [ "ts_results[ts_results.message.str.contains('60725-10')]" ], - "execution_count": 7, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
_id_index_source_typedata_typedatetimefilenamelabelmessagetimestamp_desc
2AWowcLcHTGJyHzo5vZNF51f20fbeff6b4a7ca2dd3f76c1a41598MUSCTF-2019plaso_eventfs:ntfs:usn_change2019-03-13 18:23:16+00:00telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...[]telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...Metadata Modification Time
4AWowcLcHTGJyHzo5vZNG51f20fbeff6b4a7ca2dd3f76c1a41598MUSCTF-2019plaso_eventfs:ntfs:usn_change2019-03-13 18:23:16+00:00telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...[]telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...Metadata Modification Time
\n", - "
" - ], - "text/plain": [ - " _id _index _source \\\n", - "2 AWowcLcHTGJyHzo5vZNF 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", - "4 AWowcLcHTGJyHzo5vZNG 51f20fbeff6b4a7ca2dd3f76c1a41598 MUSCTF-2019 \n", - "\n", - " _type data_type datetime \\\n", - "2 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16+00:00 \n", - "4 plaso_event fs:ntfs:usn_change 2019-03-13 18:23:16+00:00 \n", - "\n", - " filename label \\\n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... [] \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... [] \n", - "\n", - " message \\\n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "\n", - " timestamp_desc \n", - "2 Metadata Modification Time \n", - "4 Metadata Modification Time " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 7 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -917,31 +386,14 @@ "metadata": { "id": "7xRO5-FFV_KN", "colab_type": "code", - "outputId": "0c00d9e6-c162-4116-d176-7fd5dd2b5838", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 35 - } + "colab": {} }, "cell_type": "code", "source": [ "set(ts_results[ts_results.message.str.contains('60725-10')].filename)" ], - "execution_count": 8, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "{u'telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new'}" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 8 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -959,11 +411,7 @@ "metadata": { "id": "qzemkUIAl-dX", "colab_type": "code", - "outputId": "4b59ee77-2750-486e-81f9-2163b5764808", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 708 - } + "colab": {} }, "cell_type": "code", "source": [ 
@@ -973,345 +421,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename','message']]" ], - "execution_count": 9, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typefile_referencefilenamemessage
02019-02-26 23:59:41+00:00Content Modification Timewindows:evtx:recordNaN/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O...[2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A...
12019-03-13 18:16:00+00:00Metadata Modification Timefs:ntfs:usn_change2.533275e+15energy-report-2019-02-19.xmlenergy-report-2019-02-19.xml File reference: 60725-9 Par...
22019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change2.814750e+15telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
32019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change3.096225e+15telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
42019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change2.814750e+15telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be...
52019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change3.096225e+15telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce...
62019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_change3.377700e+15utc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
72019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_change3.377700e+15utc.app.json.newutc.app.json.new File reference: 60725-12 Parent file re...
82019-03-13 18:53:16+00:00Metadata Modification Timefs:ntfs:usn_change3.659175e+15telemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
92019-03-13 18:53:17+00:00Metadata Modification Timefs:ntfs:usn_change3.659175e+15telemetry.ASM-WindowsDefault.json.newtelemetry.ASM-WindowsDefault.json.new File reference: 60...
102019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_change3.940650e+15TELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
112019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_change3.940650e+15TELEMETRY.ASM-WINDOWSSQ.json.newTELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1...
122019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
132019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
142019-03-13 19:23:17+00:00Creation Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
152019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
162019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
172019-03-13 19:23:18+00:00Last Access Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
182019-03-13 19:23:18+00:00Content Modification Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
192019-03-13 19:23:18+00:00Metadata Modification Timefs:statNaN/ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc....TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/...
202019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.json.newutc.privacy.json.new File reference: 60725-15 Parent fil...
212019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change4.222125e+15utc.privacy.jsonutc.privacy.json File reference: 60725-15 Parent file re...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-02-26 23:59:41+00:00 Content Modification Time windows:evtx:record \n", - "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "14 2019-03-13 19:23:17+00:00 Creation Time fs:stat \n", - "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "17 2019-03-13 19:23:18+00:00 Last Access Time fs:stat \n", - "18 2019-03-13 19:23:18+00:00 Content Modification Time fs:stat \n", - "19 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:stat \n", - "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "\n", - " file_reference \\\n", - "0 NaN \n", - "1 2.533275e+15 \n", - "2 2.814750e+15 \n", - "3 3.096225e+15 \n", - "4 2.814750e+15 \n", - "5 3.096225e+15 \n", - "6 3.377700e+15 
\n", - "7 3.377700e+15 \n", - "8 3.659175e+15 \n", - "9 3.659175e+15 \n", - "10 3.940650e+15 \n", - "11 3.940650e+15 \n", - "12 4.222125e+15 \n", - "13 4.222125e+15 \n", - "14 NaN \n", - "15 4.222125e+15 \n", - "16 4.222125e+15 \n", - "17 NaN \n", - "18 NaN \n", - "19 NaN \n", - "20 4.222125e+15 \n", - "21 4.222125e+15 \n", - "\n", - " filename \\\n", - "0 /Windows/System32/winevt/Logs/Microsoft-Windows-Store%4O... \n", - "1 energy-report-2019-02-19.xml \n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "6 utc.app.json.new \n", - "7 utc.app.json.new \n", - "8 telemetry.ASM-WindowsDefault.json.new \n", - "9 telemetry.ASM-WindowsDefault.json.new \n", - "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "12 utc.privacy.json.new \n", - "13 utc.privacy.json.new \n", - "14 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "15 utc.privacy.json.new \n", - "16 utc.privacy.json \n", - "17 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "18 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "19 /ProgramData/Microsoft/Diagnosis/DownloadedSettings/utc.... \n", - "20 utc.privacy.json.new \n", - "21 utc.privacy.json \n", - "\n", - " message \n", - "0 [2006 / 0x07d6] Source Name: Microsoft-Windows-Install-A... \n", - "1 energy-report-2019-02-19.xml File reference: 60725-9 Par... \n", - "2 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64be... \n", - "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdce... \n", - "6 utc.app.json.new File reference: 60725-12 Parent file re... 
\n", - "7 utc.app.json.new File reference: 60725-12 Parent file re... \n", - "8 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", - "9 telemetry.ASM-WindowsDefault.json.new File reference: 60... \n", - "10 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", - "11 TELEMETRY.ASM-WINDOWSSQ.json.new File reference: 60725-1... \n", - "12 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "13 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "14 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "15 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "16 utc.privacy.json File reference: 60725-15 Parent file re... \n", - "17 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "18 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "19 TSK:/ProgramData/Microsoft/Diagnosis/DownloadedSettings/... \n", - "20 utc.privacy.json.new File reference: 60725-15 Parent fil... \n", - "21 utc.privacy.json File reference: 60725-15 Parent file re... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 9 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -1327,11 +438,7 @@ "metadata": { "id": "qM4QlMgqmQRk", "colab_type": "code", - "outputId": "1f7f6f47-dd61-48d5-94a4-d8abe8f122c6", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 558 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -1347,243 +454,8 @@ " lambda x: '{0:d}-{1:d}'.format(int(x) & 0xffffffffffff, int(x) >> 48))\n", "ts_results[['datetime','timestamp_desc','data_type','file_reference','filename']]" ], - "execution_count": 10, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typefile_referencefilename
12019-03-13 18:16:00+00:00Metadata Modification Timefs:ntfs:usn_change60725-9energy-report-2019-02-19.xml
22019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-10telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new
32019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-11telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new
42019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-10telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new
52019-03-13 18:23:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-11telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new
62019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-12utc.app.json.new
72019-03-13 18:38:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-12utc.app.json.new
82019-03-13 18:53:16+00:00Metadata Modification Timefs:ntfs:usn_change60725-13telemetry.ASM-WindowsDefault.json.new
92019-03-13 18:53:17+00:00Metadata Modification Timefs:ntfs:usn_change60725-13telemetry.ASM-WindowsDefault.json.new
102019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_change60725-14TELEMETRY.ASM-WINDOWSSQ.json.new
112019-03-13 19:08:17+00:00Metadata Modification Timefs:ntfs:usn_change60725-14TELEMETRY.ASM-WINDOWSSQ.json.new
122019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
132019-03-13 19:23:17+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
152019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
162019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json
202019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json.new
212019-03-13 19:23:18+00:00Metadata Modification Timefs:ntfs:usn_change60725-15utc.privacy.json
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "1 2019-03-13 18:16:00+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "2 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "3 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "4 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "5 2019-03-13 18:23:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "6 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "7 2019-03-13 18:38:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "8 2019-03-13 18:53:16+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "9 2019-03-13 18:53:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "10 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "11 2019-03-13 19:08:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "12 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "13 2019-03-13 19:23:17+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "15 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "16 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "20 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "21 2019-03-13 19:23:18+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "\n", - " file_reference \\\n", - "1 60725-9 \n", - "2 60725-10 \n", - "3 60725-11 \n", - "4 60725-10 \n", - "5 60725-11 \n", - "6 60725-12 \n", - "7 60725-12 \n", - "8 60725-13 \n", - "9 60725-13 \n", - "10 60725-14 \n", - "11 60725-14 \n", - "12 60725-15 \n", - "13 60725-15 \n", - "15 60725-15 \n", - "16 60725-15 \n", - "20 60725-15 \n", - "21 60725-15 \n", - "\n", - " filename \n", - "1 energy-report-2019-02-19.xml \n", - "2 
telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new \n", - "3 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new \n", - "4 telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new \n", - "5 telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json.new \n", - "6 utc.app.json.new \n", - "7 utc.app.json.new \n", - "8 telemetry.ASM-WindowsDefault.json.new \n", - "9 telemetry.ASM-WindowsDefault.json.new \n", - "10 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "11 TELEMETRY.ASM-WINDOWSSQ.json.new \n", - "12 utc.privacy.json.new \n", - "13 utc.privacy.json.new \n", - "15 utc.privacy.json.new \n", - "16 utc.privacy.json \n", - "20 utc.privacy.json.new \n", - "21 utc.privacy.json " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 10 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -1619,11 +491,7 @@ "metadata": { "id": "lPObip1NrOtn", "colab_type": "code", - "outputId": "9eef9344-be16-4dd8-e6bf-549029a4699b", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 78 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -1633,64 +501,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','update_sequence_number','filename']]" ], - "execution_count": 11, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typeupdate_sequence_numberfilename
02019-03-16 20:05:37+00:00Metadata Modification Timefs:ntfs:usn_change546416480TransportSecurity~RF134e6674.TMP
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2019-03-16 20:05:37+00:00 Metadata Modification Time fs:ntfs:usn_change \n", - "\n", - " update_sequence_number filename \n", - "0 546416480 TransportSecurity~RF134e6674.TMP " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 11 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -1716,11 +528,7 @@ "metadata": { "id": "lvxp9ltq0plT", "colab_type": "code", - "outputId": "d8540630-c61c-427f-d6b6-1d20a1187e2d", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 648 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -1730,276 +538,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','inode','message']]" ], - "execution_count": 12, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typeinodemessage
02012-08-23 20:54:54+00:00Creation Timepe:compilation:compilation_time99916PE Type: Executable (EXE) Import hash: 5d1d1d8cdc2296dfc99d791c9f2fdcb1
12016-04-13 22:33:42+00:00Content Modification Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
22018-07-28 08:21:07+00:00Creation Timewindows:volume:creation977\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origin: FTK IMAGER.EXE-C7E9245B.pf
32019-03-20 13:42:25+00:00Metadata Modification Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
42019-03-20 21:26:49+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
52019-03-20 21:26:49+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_EXTEN...
62019-03-20 21:26:49+00:00Last Access Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
72019-03-20 21:26:49+00:00Creation Timefs:stat99916TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file
82019-03-20 21:26:49+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
92019-03-20 21:26:49+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_FILE_CREATE
102019-03-20 21:26:49+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW...
112019-03-20 21:27:02+00:00Last Time Executedwindows:prefetch:execution977Prefetch [FTK IMAGER.EXE] was executed - run count 1 path: \\USERS\\ADMINISTRATOR\\DESKTOP\\FTK_IMAGER_LITE_3....
122019-03-20 21:27:12+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
132019-03-20 21:27:12+00:00Creation Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
142019-03-20 21:27:12+00:00Last Access Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
152019-03-20 21:27:12+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
162019-03-20 21:27:12+00:00Metadata Modification Timefs:ntfs:usn_change83366FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_...
172019-03-20 21:27:12+00:00Metadata Modification Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
182019-03-20 21:27:12+00:00Content Modification Timefs:stat977TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file
192019-03-20 21:28:47+00:00Content Modification Timewindows:evtx:record83669[4798 / 0x12be] Source Name: Microsoft-Windows-Security-Auditing Strings: ['Administrator', 'DESKTOP-0QT80...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2012-08-23 20:54:54+00:00 Creation Time \n", - "1 2016-04-13 22:33:42+00:00 Content Modification Time \n", - "2 2018-07-28 08:21:07+00:00 Creation Time \n", - "3 2019-03-20 13:42:25+00:00 Metadata Modification Time \n", - "4 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", - "5 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", - "6 2019-03-20 21:26:49+00:00 Last Access Time \n", - "7 2019-03-20 21:26:49+00:00 Creation Time \n", - "8 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", - "9 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", - "10 2019-03-20 21:26:49+00:00 Metadata Modification Time \n", - "11 2019-03-20 21:27:02+00:00 Last Time Executed \n", - "12 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", - "13 2019-03-20 21:27:12+00:00 Creation Time \n", - "14 2019-03-20 21:27:12+00:00 Last Access Time \n", - "15 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", - "16 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", - "17 2019-03-20 21:27:12+00:00 Metadata Modification Time \n", - "18 2019-03-20 21:27:12+00:00 Content Modification Time \n", - "19 2019-03-20 21:28:47+00:00 Content Modification Time \n", - "\n", - " data_type inode \\\n", - "0 pe:compilation:compilation_time 99916 \n", - "1 fs:stat 99916 \n", - "2 windows:volume:creation 977 \n", - "3 fs:stat 99916 \n", - "4 fs:ntfs:usn_change 83366 \n", - "5 fs:ntfs:usn_change 83366 \n", - "6 fs:stat 99916 \n", - "7 fs:stat 99916 \n", - "8 fs:ntfs:usn_change 83366 \n", - "9 fs:ntfs:usn_change 83366 \n", - "10 fs:ntfs:usn_change 83366 \n", - "11 windows:prefetch:execution 977 \n", - "12 fs:ntfs:usn_change 83366 \n", - "13 fs:stat 977 \n", - "14 fs:stat 977 \n", - "15 fs:ntfs:usn_change 83366 \n", - "16 fs:ntfs:usn_change 83366 \n", - "17 fs:stat 977 \n", - "18 fs:stat 977 \n", - "19 windows:evtx:record 83669 \n", - "\n", - " message \n", - "0 PE Type: Executable (EXE) Import hash: 
5d1d1d8cdc2296dfc99d791c9f2fdcb1 \n", - "1 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", - "2 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origin: FTK IMAGER.EXE-C7E9245B.pf \n", - "3 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", - "4 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", - "5 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_EXTEN... \n", - "6 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", - "7 TSK:/Users/Administrator/Desktop/FTK_Imager_Lite_3.1.1/FTK Imager.exe Type: file \n", - "8 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", - "9 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_FILE_CREATE \n", - "10 FTK Imager.exe File reference: 99916-4 Parent file reference: 99832-7 Update reason: USN_REASON_DATA_OVERW... \n", - "11 Prefetch [FTK IMAGER.EXE] was executed - run count 1 path: \\USERS\\ADMINISTRATOR\\DESKTOP\\FTK_IMAGER_LITE_3.... \n", - "12 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", - "13 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", - "14 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", - "15 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", - "16 FTK IMAGER.EXE-C7E9245B.pf File reference: 977-5 Parent file reference: 83667-1 Update reason: USN_REASON_... \n", - "17 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", - "18 TSK:/Windows/Prefetch/FTK IMAGER.EXE-C7E9245B.pf Type: file \n", - "19 [4798 / 0x12be] Source Name: Microsoft-Windows-Security-Auditing Strings: ['Administrator', 'DESKTOP-0QT80... 
" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 12 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -2037,11 +577,7 @@ "metadata": { "id": "1gt8_VMxsQ77", "colab_type": "code", - "outputId": "79526ff9-8c73-46a9-f38d-02400fe75226", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 1907 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -2052,854 +588,8 @@ "pd.options.display.max_colwidth = 70\n", "ts_results[['datetime','timestamp_desc','data_type','device_path','hostname','serial_number','message']]" ], - "execution_count": 13, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " 
\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " 
\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typedevice_pathhostnameserial_numbermessage
02018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
12018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
22018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
32018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
42018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
52018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
62018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
72018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
82018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
92018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
102018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
112018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
122018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
132018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
142018-07-28 08:21:07+00:00Creation Timewindows:volume:creation\\VOLUME{01d4264bee777579-ccee841b}DESKTOP-0QT80173438183451\\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 15  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 16  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 17  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 18  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 19  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 20  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 21  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 22  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 23  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 24  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 25  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 26  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 27  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 28  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 29  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
 ..  ...                        ...             ...                      ...                                  ...              ...            ...
180  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
181  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
182  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
183  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
184  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
185  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
186  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
187  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
188  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
189  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
190  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
191  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
192  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
193  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
194  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
195  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
196  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
197  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
198  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
199  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
200  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
201  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
202  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
203  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
204  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
205  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
206  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
207  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
208  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...
209  2018-07-28 08:21:07+00:00  Creation Time   windows:volume:creation  \\VOLUME{01d4264bee777579-ccee841b}  DESKTOP-0QT8017  3438183451     \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi...

210 rows × 7 columns
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "1 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "2 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "3 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "4 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "5 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "6 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "7 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "8 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "9 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "10 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "11 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "12 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "13 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "14 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "15 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "16 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "17 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "18 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "19 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "20 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "21 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "22 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "23 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "24 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "25 2018-07-28 08:21:07+00:00 Creation Time 
windows:volume:creation \n", - "26 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "27 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "28 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "29 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - ".. ... ... ... \n", - "180 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "181 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "182 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "183 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "184 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "185 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "186 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "187 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "188 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "189 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "190 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "191 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "192 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "193 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "194 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "195 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "196 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "197 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "198 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "199 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "200 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "201 2018-07-28 08:21:07+00:00 Creation Time 
windows:volume:creation \n", - "202 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "203 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "204 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "205 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "206 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "207 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "208 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "209 2018-07-28 08:21:07+00:00 Creation Time windows:volume:creation \n", - "\n", - " device_path hostname serial_number \\\n", - "0 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "1 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "2 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "3 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "4 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "5 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "6 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "7 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "8 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "9 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "10 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "11 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "12 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "13 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "14 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "15 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "16 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "17 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 
3438183451 \n", - "18 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "19 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "20 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "21 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "22 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "23 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "24 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "25 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "26 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "27 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "28 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "29 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - ".. ... ... ... \n", - "180 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "181 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "182 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "183 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "184 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "185 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "186 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "187 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "188 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "189 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "190 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "191 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "192 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "193 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "194 
\\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "195 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "196 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "197 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "198 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "199 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "200 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "201 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "202 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "203 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "204 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "205 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "206 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "207 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "208 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "209 \\VOLUME{01d4264bee777579-ccee841b} DESKTOP-0QT8017 3438183451 \n", - "\n", - " message \n", - "0 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "1 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "2 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "3 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "4 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "5 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "6 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "7 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "8 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", - "9 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "10 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "11 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "12 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "13 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "14 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "15 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "16 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "17 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "18 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "19 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "20 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "21 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "22 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "23 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "24 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "25 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "26 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "27 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "28 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "29 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - ".. ... \n", - "180 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "181 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "182 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", - "183 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "184 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "185 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "186 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "187 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "188 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "189 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "190 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "191 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "192 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "193 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "194 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "195 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "196 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "197 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "198 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "199 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "200 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "201 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "202 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "203 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "204 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "205 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "206 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... 
\n", - "207 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "208 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "209 \\VOLUME{01d4264bee777579-ccee841b} Serial number: 0xCCEE841B Origi... \n", - "\n", - "[210 rows x 7 columns]" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 13 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -2917,31 +607,14 @@ "metadata": { "id": "CVcrtsTfvF6T", "colab_type": "code", - "outputId": "9fcf423c-f458-4cbc-ac04-99bca2db5dae", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 35 - } + "colab": {} }, "cell_type": "code", "source": [ "'{0:08X}'.format(3438183451)" ], - "execution_count": 14, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "'CCEE841B'" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 14 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -2978,11 +651,7 @@ "metadata": { "id": "Hs2NyOf0IUS2", "colab_type": "code", - "outputId": "aac1659f-9b7a-4b0b-855c-ec2791c9806c", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 1907 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -2992,668 +661,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 15, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
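Review bot: in the `@@ -2917,31 +607,14 @@` hunk the cleared cell is written with `"execution_count": 0` rather than `null`; both validate against nbformat 4, but `null` is the conventional value for a cell that has not been run and is what `jupyter nbconvert --clear-output` and nbstripout emit, so a later output-stripping pass will rewrite these lines again. Also, the removed `'CCEE841B'` output was the only place the notebook showed the result of `'{0:08X}'.format(3438183451)` (the hex form of the volume serial that the `windows:volume:creation` rows report as `Serial number: 0xCCEE841B`); if the markdown around that cell relies on the reader seeing that value, state it there, since the committed notebook now carries no outputs at all.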
     datetime                   timestamp_desc               data_type                        message
  0  1970-01-01 00:00:00+00:00  Last Time Executed           windows:registry:userassist      [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explo...
  1  2007-12-13 09:22:09+00:00  Creation Time                pe:compilation:compilation_time  PE Type: Driver (SYS) Import hash: fcbe966aa9c0053fe3d2d7f07dbdd41d
  2  2016-04-03 20:18:56+00:00  Creation Time                pe:compilation:compilation_time  PE Type: Executable (EXE) Import hash: 4ea4df5d94204fc550be1874e1b...
  3  2016-04-03 20:19:02+00:00  Creation Time                pe:compilation:compilation_time  PE Type: Executable (EXE) Import hash: e2a592076b17ef8bfb48b7e0396...
  4  2017-05-12 08:54:01+00:00  Creation Time                pe:compilation:compilation_time  PE Type: Driver (SYS) Import hash: bd2fee8a544a1c6656edb847a80a08c5
  5  2018-04-11 23:38:22+00:00  Creation Time                windows:shell_item:file_entry    Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
  6  2018-04-11 23:38:22+00:00  Creation Time                windows:shell_item:file_entry    Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
  7  2018-06-13 07:24:30+00:00  Creation Time                pe:compilation:compilation_time  PE Type: Dynamic Link Library (DLL) Import hash: 0d898c31e89da04c1...
  8  2018-10-17 12:41:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/License.txt Type: file
  9  2018-10-17 12:41:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/CopyRights.txt Type: file
 10  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.cat Type: file
 11  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.inf Type: file
 12  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
 13  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
 14  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/teamviewer_xpsdriverfi...
 15  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.sy_ Type: file
 16  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.inf Type: file
 17  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.sy_ Type: file
 18  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
 19  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi...
 20  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.cat Type: file
 21  2018-10-17 12:45:49+00:00  Content Modification Time    fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/x64/TeamViewer_XPSDriv...
 22  2019-01-15 20:13:48+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...
 23  2019-01-15 20:15:41+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path...
 24  2019-01-16 15:40:57+00:00  Content Modification Time    windows:lnk:link                 [Empty description] File size: 47153304 File attribute flags: 0x00...
 25  2019-01-16 15:40:57+00:00  Content Modification Time    windows:lnk:link                 [Empty description] File size: 47153304 File attribute flags: 0x00...
 26  2019-01-16 15:40:57+00:00  Content Modification Time    windows:lnk:link                 [Empty description] File size: 47153304 File attribute flags: 0x00...
 27  2019-01-16 15:40:58+00:00  Content Modification Time    windows:shell_item:file_entry    Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
 28  2019-01-16 15:40:58+00:00  Content Modification Time    windows:shell_item:file_entry    Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
 29  2019-01-16 15:40:58+00:00  Content Modification Time    windows:shell_item:file_entry    Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ...
 ..  ...                        ...                          ...                              ...
636  2019-03-20 21:04:58+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file
637  2019-03-20 21:04:59+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file
638  2019-03-20 21:04:59+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...
639  2019-03-20 21:04:59+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...
640  2019-03-20 21:04:59+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...
641  2019-03-20 21:05:00+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...
642  2019-03-20 21:05:00+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...
643  2019-03-20 21:05:01+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...
644  2019-03-20 21:05:01+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...
645  2019-03-20 21:05:01+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ...
646  2019-03-20 21:05:01+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...
647  2019-03-20 21:05:02+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...
648  2019-03-20 21:05:02+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...
649  2019-03-20 21:05:19+00:00  Content Modification Time    windows:registry:key_value       [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...
650  2019-03-20 21:05:20+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/x64 Type: directory
651  2019-03-20 21:05:20+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer Type: directory
652  2019-03-20 21:05:20+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory
653  2019-03-20 21:05:20+00:00  Last Access Time             fs:stat                          TSK:/Program Files (x86)/TeamViewer/outlook Type: directory
654  2019-03-20 21:05:24+00:00  Last Time Executed           windows:prefetch:execution       Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...
655  2019-03-20 21:05:43+00:00  Content Modification Time    windows:registry:key_value       [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...
656  2019-03-20 21:05:59+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
657  2019-03-20 21:06:00+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
658  2019-03-20 21:08:32+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
659  2019-03-20 21:10:56+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
660  2019-03-20 21:15:21+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
661  2019-03-20 21:15:28+00:00  Previous Last Time Executed  windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
662  2019-03-20 21:15:36+00:00  Last Time Executed           windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
663  2019-03-20 21:15:59+00:00  Last Time Executed           windows:prefetch:execution       Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
664  2019-03-20 21:16:00+00:00  Last Time Executed           windows:prefetch:execution       Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
665  2019-03-20 21:26:28+00:00  Last Time Executed           windows:prefetch:execution       Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\...
\n", - "

666 rows × 4 columns

\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 1970-01-01 00:00:00+00:00 Last Time Executed \n", - "1 2007-12-13 09:22:09+00:00 Creation Time \n", - "2 2016-04-03 20:18:56+00:00 Creation Time \n", - "3 2016-04-03 20:19:02+00:00 Creation Time \n", - "4 2017-05-12 08:54:01+00:00 Creation Time \n", - "5 2018-04-11 23:38:22+00:00 Creation Time \n", - "6 2018-04-11 23:38:22+00:00 Creation Time \n", - "7 2018-06-13 07:24:30+00:00 Creation Time \n", - "8 2018-10-17 12:41:49+00:00 Content Modification Time \n", - "9 2018-10-17 12:41:49+00:00 Content Modification Time \n", - "10 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "11 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "12 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "13 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "14 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "15 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "16 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "17 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "18 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "19 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "20 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "21 2018-10-17 12:45:49+00:00 Content Modification Time \n", - "22 2019-01-15 20:13:48+00:00 Previous Last Time Executed \n", - "23 2019-01-15 20:15:41+00:00 Previous Last Time Executed \n", - "24 2019-01-16 15:40:57+00:00 Content Modification Time \n", - "25 2019-01-16 15:40:57+00:00 Content Modification Time \n", - "26 2019-01-16 15:40:57+00:00 Content Modification Time \n", - "27 2019-01-16 15:40:58+00:00 Content Modification Time \n", - "28 2019-01-16 15:40:58+00:00 Content Modification Time \n", - "29 2019-01-16 15:40:58+00:00 Content Modification Time \n", - ".. ... ... 
\n", - "636 2019-03-20 21:04:58+00:00 Last Access Time \n", - "637 2019-03-20 21:04:59+00:00 Last Access Time \n", - "638 2019-03-20 21:04:59+00:00 Last Access Time \n", - "639 2019-03-20 21:04:59+00:00 Last Access Time \n", - "640 2019-03-20 21:04:59+00:00 Last Access Time \n", - "641 2019-03-20 21:05:00+00:00 Last Access Time \n", - "642 2019-03-20 21:05:00+00:00 Last Access Time \n", - "643 2019-03-20 21:05:01+00:00 Last Access Time \n", - "644 2019-03-20 21:05:01+00:00 Last Access Time \n", - "645 2019-03-20 21:05:01+00:00 Last Access Time \n", - "646 2019-03-20 21:05:01+00:00 Last Access Time \n", - "647 2019-03-20 21:05:02+00:00 Last Access Time \n", - "648 2019-03-20 21:05:02+00:00 Last Access Time \n", - "649 2019-03-20 21:05:19+00:00 Content Modification Time \n", - "650 2019-03-20 21:05:20+00:00 Last Access Time \n", - "651 2019-03-20 21:05:20+00:00 Last Access Time \n", - "652 2019-03-20 21:05:20+00:00 Last Access Time \n", - "653 2019-03-20 21:05:20+00:00 Last Access Time \n", - "654 2019-03-20 21:05:24+00:00 Last Time Executed \n", - "655 2019-03-20 21:05:43+00:00 Content Modification Time \n", - "656 2019-03-20 21:05:59+00:00 Previous Last Time Executed \n", - "657 2019-03-20 21:06:00+00:00 Previous Last Time Executed \n", - "658 2019-03-20 21:08:32+00:00 Previous Last Time Executed \n", - "659 2019-03-20 21:10:56+00:00 Previous Last Time Executed \n", - "660 2019-03-20 21:15:21+00:00 Previous Last Time Executed \n", - "661 2019-03-20 21:15:28+00:00 Previous Last Time Executed \n", - "662 2019-03-20 21:15:36+00:00 Last Time Executed \n", - "663 2019-03-20 21:15:59+00:00 Last Time Executed \n", - "664 2019-03-20 21:16:00+00:00 Last Time Executed \n", - "665 2019-03-20 21:26:28+00:00 Last Time Executed \n", - "\n", - " data_type \\\n", - "0 windows:registry:userassist \n", - "1 pe:compilation:compilation_time \n", - "2 pe:compilation:compilation_time \n", - "3 pe:compilation:compilation_time \n", - "4 pe:compilation:compilation_time \n", - "5 
windows:shell_item:file_entry \n", - "6 windows:shell_item:file_entry \n", - "7 pe:compilation:compilation_time \n", - "8 fs:stat \n", - "9 fs:stat \n", - "10 fs:stat \n", - "11 fs:stat \n", - "12 fs:stat \n", - "13 fs:stat \n", - "14 fs:stat \n", - "15 fs:stat \n", - "16 fs:stat \n", - "17 fs:stat \n", - "18 fs:stat \n", - "19 fs:stat \n", - "20 fs:stat \n", - "21 fs:stat \n", - "22 windows:prefetch:execution \n", - "23 windows:prefetch:execution \n", - "24 windows:lnk:link \n", - "25 windows:lnk:link \n", - "26 windows:lnk:link \n", - "27 windows:shell_item:file_entry \n", - "28 windows:shell_item:file_entry \n", - "29 windows:shell_item:file_entry \n", - ".. ... \n", - "636 fs:stat \n", - "637 fs:stat \n", - "638 fs:stat \n", - "639 fs:stat \n", - "640 fs:stat \n", - "641 fs:stat \n", - "642 fs:stat \n", - "643 fs:stat \n", - "644 fs:stat \n", - "645 fs:stat \n", - "646 fs:stat \n", - "647 fs:stat \n", - "648 fs:stat \n", - "649 windows:registry:key_value \n", - "650 fs:stat \n", - "651 fs:stat \n", - "652 fs:stat \n", - "653 fs:stat \n", - "654 windows:prefetch:execution \n", - "655 windows:registry:key_value \n", - "656 windows:prefetch:execution \n", - "657 windows:prefetch:execution \n", - "658 windows:prefetch:execution \n", - "659 windows:prefetch:execution \n", - "660 windows:prefetch:execution \n", - "661 windows:prefetch:execution \n", - "662 windows:prefetch:execution \n", - "663 windows:prefetch:execution \n", - "664 windows:prefetch:execution \n", - "665 windows:prefetch:execution \n", - "\n", - " message \n", - "0 [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explo... \n", - "1 PE Type: Driver (SYS) Import hash: fcbe966aa9c0053fe3d2d7f07dbdd41d \n", - "2 PE Type: Executable (EXE) Import hash: 4ea4df5d94204fc550be1874e1b... \n", - "3 PE Type: Executable (EXE) Import hash: e2a592076b17ef8bfb48b7e0396... 
\n", - "4 PE Type: Driver (SYS) Import hash: bd2fee8a544a1c6656edb847a80a08c5 \n", - "5 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "6 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "7 PE Type: Dynamic Link Library (DLL) Import hash: 0d898c31e89da04c1... \n", - "8 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", - "9 TSK:/Program Files (x86)/TeamViewer/CopyRights.txt Type: file \n", - "10 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.cat Type: file \n", - "11 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.inf Type: file \n", - "12 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", - "13 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", - "14 TSK:/Program Files (x86)/TeamViewer/Printer/teamviewer_xpsdriverfi... \n", - "15 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.sy_ Type: file \n", - "16 TSK:/Program Files (x86)/TeamViewer/x64/TeamViewerVPN.inf Type: file \n", - "17 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.sy_ Type: file \n", - "18 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", - "19 TSK:/Program Files (x86)/TeamViewer/Printer/TeamViewer_XPSDriverFi... \n", - "20 TSK:/Program Files (x86)/TeamViewer/x64/TVMonitor.cat Type: file \n", - "21 TSK:/Program Files (x86)/TeamViewer/Printer/x64/TeamViewer_XPSDriv... \n", - "22 Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path... \n", - "23 Prefetch [BITLOCKERWIZARDELEV.EXE] was executed - run count 6 path... \n", - "24 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", - "25 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", - "26 [Empty description] File size: 47153304 File attribute flags: 0x00... \n", - "27 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... \n", - "28 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... 
\n", - "29 Name: TEAMVI~1.EXE Long name: TeamViewer.exe NTFS file reference: ... \n", - ".. ... \n", - "636 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", - "637 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", - "638 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... \n", - "639 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", - "640 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", - "641 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... \n", - "642 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", - "643 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", - "644 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", - "645 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", - "646 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", - "647 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", - "648 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", - "649 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... \n", - "650 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", - "651 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", - "652 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", - "653 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", - "654 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... \n", - "655 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", - "656 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "657 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "658 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... 
\n", - "659 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "660 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "661 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "662 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "663 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "664 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "665 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", - "\n", - "[666 rows x 4 columns]" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 15 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
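Review bot: cell outputs should be cleared before the notebook is committed rather than removed in a later revision, as this hunk does by replacing `"execution_count": 15` and the 666-row `text/html`/`text/plain` timeline table with `"execution_count": 0` and `"outputs": []`; a pre-commit hook such as nbstripout would keep rendered DataFrame HTML out of the diff and leave only the notebook's code changes to review. Since the removed table was the only rendered record of those timeline rows, the markdown cells should state the findings explicitly so the stripped notebook still reads without re-executing the cell.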
@@ -3683,52 +692,15 @@ "metadata": { "id": "fxJN_YxSScJu", "colab_type": "code", - "outputId": "a165a854-993f-47f9-ac7d-9d41d1caa63d", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 346 - } + "colab": {} }, "cell_type": "code", "source": [ "ts_results = ts_results.set_index('datetime')\n", "ts_results['2018':].message.resample('D').count().plot()" ], - "execution_count": 16, - "outputs": [ - { - "output_type": "stream", - "text": [ - "/usr/local/lib/python2.7/dist-packages/pandas/core/arrays/datetimes.py:1172: UserWarning: Converting to PeriodArray/Index representation will drop timezone information.\n", - " \"will drop timezone information.\", UserWarning)\n" - ], - "name": "stderr" - }, - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 16 - }, - { - "output_type": "display_data", - "data": { - "image/png": "iVBORw0KGgoAAAANSUhEUgAAAXoAAAEVCAYAAADuAi4fAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz\nAAALEgAACxIB0t1+/AAAADl0RVh0U29mdHdhcmUAbWF0cGxvdGxpYiB2ZXJzaW9uIDIuMi40LCBo\ndHRwOi8vbWF0cGxvdGxpYi5vcmcv7US4rQAAIABJREFUeJzt3XuYZFV57/Hvr3qG6wzXaQhyyQAO\nGDQ6ygSTHFFAY4TjiZh4kHl8ElEieiJGTUyO0RhNjuZiQE/UoIGAYCK3iERUBAlykaMiPVyGQYY7\nA4MD0zPg3C/dXe/5Y+9dtbu6qrvr1r2r5vd5nn6qau1de63qrn5r1bvXXksRgZmZ9a/SbDfAzMy6\ny4HezKzPOdCbmfU5B3ozsz7nQG9m1ucc6M3M+pwDvZlZn3OgNzPrcw70ZmZ9bs5sNwBgwYIFsXDh\nwtluhplZT1m2bNm6iBicar9CBPqFCxcyNDQ0280wM+spklZNZ78pUzeSLpG0VtKKXNlVku5Nf56U\ndG9avlDStty2r7T+EszMrBOm06O/FPgS8LWsICLent2XdD6wIbf/YxGxuFMNNDOz9kwZ6CPidkkL\n622TJOAM4JTONsvMzDql3VE3JwLPRcQjubIjJd0j6TZJJzZ6oqRzJA1JGhoeHm6zGWZm1ki7gX4p\ncEXu8RrgiIh4JfAnwOWS9qn3xIi4MCKWRMSSwcEpTxqbmVmLWg70kuYAvwtclZVFxI6IWJ/eXwY8\nBhzTbiPNzKx17fTo3wCsjIjVWYGkQUkD6f2jgEXA4+010cys/5TLM7e633SGV14B/Bg4VtJqSWen\nm85kfNoG4LXA8nS45TeA90XE851ssJlZr3v6+a0c+4nv8dCzm2akvumMulnaoPysOmXXANe03ywz\ns/61dtN2RsaCn2/YxrG/NL/r9XmuGzOzGRZZ1maGsjcO9GZmM6wa52cm0jvQm5nNsOxEbLk8M/U5\n0JuZzbAZztw40JuZzbQsRx/h1I2ZWV/KAvxMDaV3oDczm2FR5143OdCbmc
9p\n9ZgFrHsp8A81ZdeQBJ0J9UbENkl/BNwgaQtJEGrVPOCL6QfJKPAoSRroQuALaR57DkkPOFtwfruk\ne0i+Ar+7lUojIiS9FbhA0idIPtSuBz5G0qM8BlguaQS4CPhS2qYbJP28A3l6SD5Yzs09/gDw1TTd\nOAy8K7ftKpJ05Ekt1LOnpHtJfl+jJGmhz6Xb/pUkTXJ3mi8fBk6PiBuUDGYYkrST6u+madn7mOS8\nw7fTb21DJLnrmVT3tabb7iL5G7+YJEV2bb0DTKaVGNUtu9QUCJJeRPI16SURUW7xGK8ALoqIVkd3\ntGw2656KpHlpfl0kJxcfiYjoqR4PAAAEE0lEQVTPz0C9twIfiYihbtdlnVHk93G/6uXUTVPSr+R3\nAh9vI8i/j+TE3192sm1Fr3ua3pP2Eh8g+Wr6L7PcHiugHngf96VdqkdvZrYr2mV69GZmuyoHejPr\nGkmHS7pF0s+UXOX6wbT8AEk3KZlX6CZJ+6flL1Fy1egOSR+pOdYHlVyd/ICkD83G6+lVDvRm1k2j\nwJ9GxHHArwPvl3Qc8FHg5nReoZvTxwDPk1w4dl7+IJJeBryH5IrVVwBvlvTimXkJvc+B3sy6JiLW\nRMTd6f1NJNdEHEpy4eJl6W6XkQ5rjIi1EXEXUDulw68Ad0bE1vQK5dvozSvOZ4UDvZnNiPSCuleS\njH47OCKyaSyepTr1QSMrgBMlHZhetHUacHiXmtp3evaCKTPrHUpmQ70G+FA6t09lW3qx2qTD/yLi\nQUn/QDLp3RaSid1aviJ4V+MevZl1VTrFwDUks35mk/09p+pU04eQzLMzqYi4OCKOj4jXAi8AD3er\nzf3Ggd7Muia9Uvpi4MGI+Fxu03XAO9P77ySZMG+qYx2U3h5Bkp+/vLOt7V++YMrMuiadaO6HwP0k\nUxFDMkfOnSTzJh1BMknfGRHxvKRfIpn3Zp90/83AcWm654cks0COAH8SER1dnKOfOdCbmfU5p27M\nzPqcA72ZWZ9zoDcz63MO9GZmfc6B3syszznQW9+S9KnaGRBrtp+eTrA11XHG7SfpbyS9oVPtNOs2\nB3rblZ0OTBnoa/eLiL+KiP/qWqvMOsyB3vqKpI9LeljSHcCxadl7JN0l6T5J10jaS9JvAr8D/KOk\neyUdnf7cIGmZpB+mc6PX2+9SSW9Lj/2kpL9Ltw1JepWkGyU9li6bl7Xrz9I2LJf017Pwq7FdmCc1\ns74h6XjgTGAxyXv7bmAZ8M2IuCjd59PA2RHxRUnXAd+JiG+k224G3hcRj0h6NXBBRJxSZ7/aqp+K\niMWSPg9cCvw3YA+SGRe/IumNwCKSudQFXCfptRFxe9d+GWY5DvTWT04Ero2IrQBpgAZ4WRrg9wPm\nATfWPjGdXfE3gf/IBfLdp1lvVs/9wLx03vVN6SpJ+wFvTH/uSfebRxL4HehtRjjQ267gUuD0iLhP\n0lnASXX2KQG/iIjFLRx/R3pbzt3PHs8h6cX/XUT8SwvHNmubc/TWT24HTpe0p6T5wP9Iy+cDa9Lp\nct+R239Tuo2I2Ag8Iel/QjLroqRX1O7XohuBd6ffGpB0aDYTo9lMcKC3vpEuWXcVcB/wPeCudNMn\nSGZL/H/AytxTrgT+TNI9ko4m+RA4W9J9wAMky93V26/Zdn2fZErdH0u6H/gG7X1wmDXFs1eamfU5\n9+jNzPqcA72ZWZ9zoDcz63MO9GZmfc6B3syszznQm5n1OQd6M7M+9/8BNyPuxB3IAqUAAAAASUVO\nRK5CYII=\n", - "text/plain": [ - "
" - ] - }, - "metadata": { - "tags": [] - } - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -3744,11 +716,7 @@ "metadata": { "id": "y-hGtMtYyrt6", "colab_type": "code", - "outputId": "c349f903-6fc4-44ae-f722-0ef6865de6f4", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 2974 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -3759,742 +727,8 @@ "ts_results = ts_results.set_index('datetime')\n", "ts_results['2019-02-20':][['timestamp_desc','data_type','filename','message']]" ], - "execution_count": 17, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
datetime                   timestamp_desc               data_type                    filename                                                               message
2019-02-25 18:28:14+00:00  Previous Last Time Executed  windows:prefetch:execution   /Windows/Prefetch/PICKERHOST.EXE-93018817.pf                           Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW...
2019-02-25 20:39:27+00:00  Previous Last Time Executed  windows:prefetch:execution   /Windows/Prefetch/CHROME.EXE-5FE9909D.pf                               Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI...
2019-02-25 20:39:41+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&...
2019-02-25 20:39:41+00:00  Last Visited Time            chrome:history:page_visited  /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6...
2019-02-25 20:39:46+00:00  Last Visited Time            chrome:history:page_visited  /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T...
2019-02-25 20:39:46+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://static.teamviewer.com/resources/2018/10/logo...
2019-02-25 20:39:54+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://www.teamviewer.com/en-us/teamviewer-automati...
2019-02-25 20:39:55+00:00  Last Visited Time            chrome:history:page_visited  /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T...
2019-02-25 20:39:59+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://tracking.g2crowd.com/attribution_tracking/co...
2019-02-25 20:40:00+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4...
2019-02-25 20:40:00+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=...
2019-02-25 20:40:10+00:00  Last Visited Time            chrome:cache:entry           /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default...  Original URL: https://static.teamviewer.com/resources/2018/10/team...
2019-02-25 20:40:47+00:00  Content Modification Time    fs:stat                      /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini          TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47+00:00  Metadata Modification Time   fs:stat                      /Program Files (x86)/TeamViewer/tvinfo.ini                             TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file
2019-02-25 20:40:47+00:00  Creation Time                fs:stat                      /Users/Administrator/AppData/Local/Temp/TeamViewer                     TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc...
2019-02-25 20:40:47+00:00  Creation Time                fs:stat                      /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini          TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47+00:00Metadata Modification Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.iniTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ...
2019-02-25 20:40:47+00:00Metadata Modification Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exeTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_...
2019-02-25 20:40:47+00:00Content Modification Timefs:stat/Program Files (x86)/TeamViewer/tvinfo.iniTSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file
2019-02-25 20:40:49+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pfPrefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS...
2019-02-25 20:41:04+00:00Creation Timefs:stat/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.logTSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install...
2019-02-25 20:41:06+00:00Creation Timefs:stat/Program Files (x86)/TeamViewerTSK:/Program Files (x86)/TeamViewer Type: directory
2019-02-25 20:41:06+00:00Content Modification Timewindows:shell_item:file_entry/Users/Public/Desktop/TeamViewer 14.lnkName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
2019-02-25 20:41:06+00:00Content Modification Timewindows:shell_item:file_entry/ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnkName: PROGRA~2 Long name: Program Files (x86) Localized name: @she...
2019-02-25 20:41:06+00:00Creation Timewindows:shell_item:file_entry/Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06+00:00Creation Timewindows:shell_item:file_entry/ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnkName: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06+00:00Creation Timewindows:shell_item:file_entry/Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06+00:00Creation Timewindows:shell_item:file_entry/Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV...Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:06+00:00Creation Timewindows:shell_item:file_entry/Users/Public/Desktop/TeamViewer 14.lnkName: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ...
2019-02-25 20:41:11+00:00Creation Timefs:stat/Program Files (x86)/TeamViewer/License.txtTSK:/Program Files (x86)/TeamViewer/License.txt Type: file
...............
2019-03-20 21:04:58+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Note.exeTSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file
2019-03-20 21:04:59+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/uninstall.exeTSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file
2019-03-20 21:04:59+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ...
2019-03-20 21:04:59+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ...
2019-03-20 21:04:59+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ...
2019-03-20 21:05:00+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ...
2019-03-20 21:05:00+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ...
2019-03-20 21:05:01+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ...
2019-03-20 21:05:01+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ...
2019-03-20 21:05:01+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ...
2019-03-20 21:05:01+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ...
2019-03-20 21:05:02+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ...
2019-03-20 21:05:02+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dllTSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ...
2019-03-20 21:05:19+00:00Content Modification Timewindows:registry:key_value/Windows/appcompat/Programs/Amcache.hve[\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300...
2019-03-20 21:05:20+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/x64TSK:/Program Files (x86)/TeamViewer/x64 Type: directory
2019-03-20 21:05:20+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/PrinterTSK:/Program Files (x86)/TeamViewer/Printer Type: directory
2019-03-20 21:05:20+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/Printer/x64TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory
2019-03-20 21:05:20+00:00Last Access Timefs:stat/Program Files (x86)/TeamViewer/outlookTSK:/Program Files (x86)/TeamViewer/outlook Type: directory
2019-03-20 21:05:24+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pfPrefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS...
2019-03-20 21:05:43+00:00Content Modification Timewindows:registry:key_value/Windows/System32/config/SYSTEM[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par...
2019-03-20 21:05:59+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:06:00+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-79BA10F2.pfPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
2019-03-20 21:08:32+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:10:56+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:15:21+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:28+00:00Previous Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:36+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-95989D99.pfPrefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S...
2019-03-20 21:15:59+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pfPrefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO...
2019-03-20 21:16:00+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/DLLHOST.EXE-79BA10F2.pfPrefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\...
2019-03-20 21:26:28+00:00Last Time Executedwindows:prefetch:execution/Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pfPrefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\...
\n", - "

632 rows × 4 columns

\n", - "
" - ], - "text/plain": [ - " timestamp_desc \\\n", - "datetime \n", - "2019-02-25 18:28:14+00:00 Previous Last Time Executed \n", - "2019-02-25 20:39:27+00:00 Previous Last Time Executed \n", - "2019-02-25 20:39:41+00:00 Last Visited Time \n", - "2019-02-25 20:39:41+00:00 Last Visited Time \n", - "2019-02-25 20:39:46+00:00 Last Visited Time \n", - "2019-02-25 20:39:46+00:00 Last Visited Time \n", - "2019-02-25 20:39:54+00:00 Last Visited Time \n", - "2019-02-25 20:39:55+00:00 Last Visited Time \n", - "2019-02-25 20:39:59+00:00 Last Visited Time \n", - "2019-02-25 20:40:00+00:00 Last Visited Time \n", - "2019-02-25 20:40:00+00:00 Last Visited Time \n", - "2019-02-25 20:40:10+00:00 Last Visited Time \n", - "2019-02-25 20:40:47+00:00 Content Modification Time \n", - "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", - "2019-02-25 20:40:47+00:00 Creation Time \n", - "2019-02-25 20:40:47+00:00 Creation Time \n", - "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", - "2019-02-25 20:40:47+00:00 Metadata Modification Time \n", - "2019-02-25 20:40:47+00:00 Content Modification Time \n", - "2019-02-25 20:40:49+00:00 Last Time Executed \n", - "2019-02-25 20:41:04+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Content Modification Time \n", - "2019-02-25 20:41:06+00:00 Content Modification Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:06+00:00 Creation Time \n", - "2019-02-25 20:41:11+00:00 Creation Time \n", - "... ... 
\n", - "2019-03-20 21:04:58+00:00 Last Access Time \n", - "2019-03-20 21:04:59+00:00 Last Access Time \n", - "2019-03-20 21:04:59+00:00 Last Access Time \n", - "2019-03-20 21:04:59+00:00 Last Access Time \n", - "2019-03-20 21:04:59+00:00 Last Access Time \n", - "2019-03-20 21:05:00+00:00 Last Access Time \n", - "2019-03-20 21:05:00+00:00 Last Access Time \n", - "2019-03-20 21:05:01+00:00 Last Access Time \n", - "2019-03-20 21:05:01+00:00 Last Access Time \n", - "2019-03-20 21:05:01+00:00 Last Access Time \n", - "2019-03-20 21:05:01+00:00 Last Access Time \n", - "2019-03-20 21:05:02+00:00 Last Access Time \n", - "2019-03-20 21:05:02+00:00 Last Access Time \n", - "2019-03-20 21:05:19+00:00 Content Modification Time \n", - "2019-03-20 21:05:20+00:00 Last Access Time \n", - "2019-03-20 21:05:20+00:00 Last Access Time \n", - "2019-03-20 21:05:20+00:00 Last Access Time \n", - "2019-03-20 21:05:20+00:00 Last Access Time \n", - "2019-03-20 21:05:24+00:00 Last Time Executed \n", - "2019-03-20 21:05:43+00:00 Content Modification Time \n", - "2019-03-20 21:05:59+00:00 Previous Last Time Executed \n", - "2019-03-20 21:06:00+00:00 Previous Last Time Executed \n", - "2019-03-20 21:08:32+00:00 Previous Last Time Executed \n", - "2019-03-20 21:10:56+00:00 Previous Last Time Executed \n", - "2019-03-20 21:15:21+00:00 Previous Last Time Executed \n", - "2019-03-20 21:15:28+00:00 Previous Last Time Executed \n", - "2019-03-20 21:15:36+00:00 Last Time Executed \n", - "2019-03-20 21:15:59+00:00 Last Time Executed \n", - "2019-03-20 21:16:00+00:00 Last Time Executed \n", - "2019-03-20 21:26:28+00:00 Last Time Executed \n", - "\n", - " data_type \\\n", - "datetime \n", - "2019-02-25 18:28:14+00:00 windows:prefetch:execution \n", - "2019-02-25 20:39:27+00:00 windows:prefetch:execution \n", - "2019-02-25 20:39:41+00:00 chrome:cache:entry \n", - "2019-02-25 20:39:41+00:00 chrome:history:page_visited \n", - "2019-02-25 20:39:46+00:00 chrome:history:page_visited \n", - "2019-02-25 
20:39:46+00:00 chrome:cache:entry \n", - "2019-02-25 20:39:54+00:00 chrome:cache:entry \n", - "2019-02-25 20:39:55+00:00 chrome:history:page_visited \n", - "2019-02-25 20:39:59+00:00 chrome:cache:entry \n", - "2019-02-25 20:40:00+00:00 chrome:cache:entry \n", - "2019-02-25 20:40:00+00:00 chrome:cache:entry \n", - "2019-02-25 20:40:10+00:00 chrome:cache:entry \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:47+00:00 fs:stat \n", - "2019-02-25 20:40:49+00:00 windows:prefetch:execution \n", - "2019-02-25 20:41:04+00:00 fs:stat \n", - "2019-02-25 20:41:06+00:00 fs:stat \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:06+00:00 windows:shell_item:file_entry \n", - "2019-02-25 20:41:11+00:00 fs:stat \n", - "... ... 
\n", - "2019-03-20 21:04:58+00:00 fs:stat \n", - "2019-03-20 21:04:59+00:00 fs:stat \n", - "2019-03-20 21:04:59+00:00 fs:stat \n", - "2019-03-20 21:04:59+00:00 fs:stat \n", - "2019-03-20 21:04:59+00:00 fs:stat \n", - "2019-03-20 21:05:00+00:00 fs:stat \n", - "2019-03-20 21:05:00+00:00 fs:stat \n", - "2019-03-20 21:05:01+00:00 fs:stat \n", - "2019-03-20 21:05:01+00:00 fs:stat \n", - "2019-03-20 21:05:01+00:00 fs:stat \n", - "2019-03-20 21:05:01+00:00 fs:stat \n", - "2019-03-20 21:05:02+00:00 fs:stat \n", - "2019-03-20 21:05:02+00:00 fs:stat \n", - "2019-03-20 21:05:19+00:00 windows:registry:key_value \n", - "2019-03-20 21:05:20+00:00 fs:stat \n", - "2019-03-20 21:05:20+00:00 fs:stat \n", - "2019-03-20 21:05:20+00:00 fs:stat \n", - "2019-03-20 21:05:20+00:00 fs:stat \n", - "2019-03-20 21:05:24+00:00 windows:prefetch:execution \n", - "2019-03-20 21:05:43+00:00 windows:registry:key_value \n", - "2019-03-20 21:05:59+00:00 windows:prefetch:execution \n", - "2019-03-20 21:06:00+00:00 windows:prefetch:execution \n", - "2019-03-20 21:08:32+00:00 windows:prefetch:execution \n", - "2019-03-20 21:10:56+00:00 windows:prefetch:execution \n", - "2019-03-20 21:15:21+00:00 windows:prefetch:execution \n", - "2019-03-20 21:15:28+00:00 windows:prefetch:execution \n", - "2019-03-20 21:15:36+00:00 windows:prefetch:execution \n", - "2019-03-20 21:15:59+00:00 windows:prefetch:execution \n", - "2019-03-20 21:16:00+00:00 windows:prefetch:execution \n", - "2019-03-20 21:26:28+00:00 windows:prefetch:execution \n", - "\n", - " filename \\\n", - "datetime \n", - "2019-02-25 18:28:14+00:00 /Windows/Prefetch/PICKERHOST.EXE-93018817.pf \n", - "2019-02-25 20:39:27+00:00 /Windows/Prefetch/CHROME.EXE-5FE9909D.pf \n", - "2019-02-25 20:39:41+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:41+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... 
\n", - "2019-02-25 20:39:46+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:46+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:54+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:55+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:39:59+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:00+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:00+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:10+00:00 /Users/Administrator/AppData/Local/Google/Chrome/User Data/Default... \n", - "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47+00:00 /Program Files (x86)/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer \n", - "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:47+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_.exe \n", - "2019-02-25 20:40:47+00:00 /Program Files (x86)/TeamViewer/tvinfo.ini \n", - "2019-02-25 20:40:49+00:00 /Windows/Prefetch/TEAMVIEWER_.EXE-70DEDD02.pf \n", - "2019-02-25 20:41:04+00:00 /Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install.log \n", - "2019-02-25 20:41:06+00:00 /Program Files (x86)/TeamViewer \n", - "2019-02-25 20:41:06+00:00 /Users/Public/Desktop/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06+00:00 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06+00:00 /Users/Administrator/AppData/Roaming/Microsoft/Windows/SendTo/Team... 
\n", - "2019-02-25 20:41:06+00:00 /ProgramData/Microsoft/Windows/Start Menu/Programs/TeamViewer 14.lnk \n", - "2019-02-25 20:41:06+00:00 /Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/TeamViewer... \n", - "2019-02-25 20:41:06+00:00 /Users/SelmaBouvier/AppData/Roaming/Microsoft/Windows/SendTo/TeamV... \n", - "2019-02-25 20:41:06+00:00 /Users/Public/Desktop/TeamViewer 14.lnk \n", - "2019-02-25 20:41:11+00:00 /Program Files (x86)/TeamViewer/License.txt \n", - "... ... \n", - "2019-03-20 21:04:58+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Note.exe \n", - "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/uninstall.exe \n", - "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll \n", - "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll \n", - "2019-03-20 21:04:59+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll \n", - "2019-03-20 21:05:00+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll \n", - "2019-03-20 21:05:00+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll \n", - "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll \n", - "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll \n", - "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll \n", - "2019-03-20 21:05:01+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll \n", - "2019-03-20 21:05:02+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll \n", - "2019-03-20 21:05:02+00:00 /Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll \n", - "2019-03-20 21:05:19+00:00 /Windows/appcompat/Programs/Amcache.hve \n", - "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/x64 \n", - "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/Printer \n", - "2019-03-20 21:05:20+00:00 /Program Files (x86)/TeamViewer/Printer/x64 \n", - "2019-03-20 21:05:20+00:00 
/Program Files (x86)/TeamViewer/outlook \n", - "2019-03-20 21:05:24+00:00 /Windows/Prefetch/RUNDLL32.EXE-F52D40E6.pf \n", - "2019-03-20 21:05:43+00:00 /Windows/System32/config/SYSTEM \n", - "2019-03-20 21:05:59+00:00 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:06:00+00:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", - "2019-03-20 21:08:32+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:10:56+00:00 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:15:21+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:28+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:36+00:00 /Windows/Prefetch/DLLHOST.EXE-95989D99.pf \n", - "2019-03-20 21:15:59+00:00 /Windows/Prefetch/TASKHOSTW.EXE-4DB99E1B.pf \n", - "2019-03-20 21:16:00+00:00 /Windows/Prefetch/DLLHOST.EXE-79BA10F2.pf \n", - "2019-03-20 21:26:28+00:00 /Windows/Prefetch/RUNDLL32.EXE-A7B4E4F7.pf \n", - "\n", - " message \n", - "datetime \n", - "2019-02-25 18:28:14+00:00 Prefetch [PICKERHOST.EXE] was executed - run count 4 path: \\WINDOW... \n", - "2019-02-25 20:39:27+00:00 Prefetch [CHROME.EXE] was executed - run count 3 path: \\PROGRAM FI... \n", - "2019-02-25 20:39:41+00:00 Original URL: https://www.google.com/search?q=teamviewer&oq=teamv&... \n", - "2019-02-25 20:39:41+00:00 https://www.google.com/search?q=teamviewer&oq=teamv&aqs=chrome.1.6... \n", - "2019-02-25 20:39:46+00:00 https://www.teamviewer.com/en-us/ (Home - TeamViewer) [count: 0] T... \n", - "2019-02-25 20:39:46+00:00 Original URL: https://static.teamviewer.com/resources/2018/10/logo... \n", - "2019-02-25 20:39:54+00:00 Original URL: https://www.teamviewer.com/en-us/teamviewer-automati... \n", - "2019-02-25 20:39:55+00:00 https://www.teamviewer.com/en-us/teamviewer-automatic-download/ (T... \n", - "2019-02-25 20:39:59+00:00 Original URL: https://tracking.g2crowd.com/attribution_tracking/co... 
\n", - "2019-02-25 20:40:00+00:00 Original URL: https://bat.bing.com/action/0?ti=5712416&Ver=2&mid=4... \n", - "2019-02-25 20:40:00+00:00 Original URL: https://bat.bing.com/action/0?ti=26037780&Ver=2&mid=... \n", - "2019-02-25 20:40:10+00:00 Original URL: https://static.teamviewer.com/resources/2018/10/team... \n", - "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", - "2019-02-25 20:40:47+00:00 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", - "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer Type: direc... \n", - "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", - "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/tvinfo.ini ... \n", - "2019-02-25 20:40:47+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TeamViewer_... \n", - "2019-02-25 20:40:47+00:00 TSK:/Program Files (x86)/TeamViewer/tvinfo.ini Type: file \n", - "2019-02-25 20:40:49+00:00 Prefetch [TEAMVIEWER_.EXE] was executed - run count 1 path: \\USERS... \n", - "2019-02-25 20:41:04+00:00 TSK:/Users/Administrator/AppData/Local/Temp/TeamViewer/TV14Install... \n", - "2019-02-25 20:41:06+00:00 TSK:/Program Files (x86)/TeamViewer Type: directory \n", - "2019-02-25 20:41:06+00:00 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "2019-02-25 20:41:06+00:00 Name: PROGRA~2 Long name: Program Files (x86) Localized name: @she... \n", - "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... 
\n", - "2019-02-25 20:41:06+00:00 Name: TEAMVI~1 Long name: TeamViewer NTFS file reference: 96164-5 ... \n", - "2019-02-25 20:41:11+00:00 TSK:/Program Files (x86)/TeamViewer/License.txt Type: file \n", - "... ... \n", - "2019-03-20 21:04:58+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Note.exe Type: file \n", - "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/uninstall.exe Type: file \n", - "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_cs.dll Typ... \n", - "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_ar.dll Typ... \n", - "2019-03-20 21:04:59+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_bg.dll Typ... \n", - "2019-03-20 21:05:00+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_el.dll Typ... \n", - "2019-03-20 21:05:00+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_da.dll Typ... \n", - "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fi.dll Typ... \n", - "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_fr.dll Typ... \n", - "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_he.dll Typ... \n", - "2019-03-20 21:05:01+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_es.dll Typ... \n", - "2019-03-20 21:05:02+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hr.dll Typ... \n", - "2019-03-20 21:05:02+00:00 TSK:/Program Files (x86)/TeamViewer/TeamViewer_Resource_hu.dll Typ... \n", - "2019-03-20 21:05:19+00:00 [\\Root\\InventoryApplication\\0000981a481f34fc4fa5d251dda6e3fe712300... 
\n", - "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/x64 Type: directory \n", - "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/Printer Type: directory \n", - "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/Printer/x64 Type: directory \n", - "2019-03-20 21:05:20+00:00 TSK:/Program Files (x86)/TeamViewer/outlook Type: directory \n", - "2019-03-20 21:05:24+00:00 Prefetch [RUNDLL32.EXE] was executed - run count 36 path: \\WINDOWS... \n", - "2019-03-20 21:05:43+00:00 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Par... \n", - "2019-03-20 21:05:59+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:06:00+00:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "2019-03-20 21:08:32+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:10:56+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:15:21+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:28+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:36+00:00 Prefetch [DLLHOST.EXE] was executed - run count 5 path: \\WINDOWS\\S... \n", - "2019-03-20 21:15:59+00:00 Prefetch [TASKHOSTW.EXE] was executed - run count 937 path: \\WINDO... \n", - "2019-03-20 21:16:00+00:00 Prefetch [DLLHOST.EXE] was executed - run count 25 path: \\WINDOWS\\... \n", - "2019-03-20 21:26:28+00:00 Prefetch [RUNDLL32.EXE] was executed - run count 3 path: \\WINDOWS\\... \n", - "\n", - "[632 rows x 4 columns]" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 17 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
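Review bot: stripping the recorded output of this Timesketch query (the `- "execution_count": 17` cell, whose 632-row DataFrame is deleted here in both its `text/html` and `text/plain` renderings) means a reader can only see the TeamViewer timeline by re-running the cell against a live Timesketch instance, which this repository does not ship; consider keeping a trimmed result such as `ts_results[...].head(10)`, or quoting the handful of rows the write-up relies on (for instance the 2019-02-25 20:40:47 `tvinfo.ini` creation and the 20:40:49 `TEAMVIEWER_.EXE` prefetch entry) in the surrounding markdown so the notebook stays self-contained. The replacement `+ "execution_count": 0` is what Colab emits on upload, but nbformat conventionally uses `null` for a cell with no recorded execution, and leaving `0` in the committed file means the count will keep flipping between `0` and a real number each time the notebook is re-saved from Colab; normalising to `null` (or running `jupyter nbconvert --clear-output` before committing) keeps future diffs to the actual source changes.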
@@ -4537,11 +771,7 @@ "metadata": { "id": "v2ZjHcsv_Voj", "colab_type": "code", - "outputId": "af260df5-3132-48fe-f0e7-469dc0535105", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 138 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -4551,93 +781,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','message']]" ], - "execution_count": 18, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typeexecutablerun_countmessage
02019-03-18 17:59:21+00:00Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
12019-03-18 18:34:19+00:00Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
22019-03-18 18:36:49+00:00Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2019-03-18 17:59:21+00:00 Previous Last Time Executed \n", - "1 2019-03-18 18:34:19+00:00 Previous Last Time Executed \n", - "2 2019-03-18 18:36:49+00:00 Last Time Executed \n", - "\n", - " data_type executable run_count \\\n", - "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "1 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "2 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "\n", - " message \n", - "0 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... \n", - "1 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... \n", - "2 Prefetch [TEAMVIEWER_DESKTOP.EXE] was executed - run count 3 path:... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 18 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -4665,11 +810,7 @@ "metadata": { "id": "Y1jC_-hMBLUG", "colab_type": "code", - "outputId": "73b93cf8-4e5e-4fbd-d5ba-5e81c213eca5", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 138 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -4679,93 +820,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','executable','run_count','path']]" ], - "execution_count": 19, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typeexecutablerun_countpath
02019-03-18 17:59:21+00:00Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
12019-03-18 18:34:19+00:00Previous Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
22019-03-18 18:36:49+00:00Last Time Executedwindows:prefetch:executionTEAMVIEWER_DESKTOP.EXE3\\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2019-03-18 17:59:21+00:00 Previous Last Time Executed \n", - "1 2019-03-18 18:34:19+00:00 Previous Last Time Executed \n", - "2 2019-03-18 18:36:49+00:00 Last Time Executed \n", - "\n", - " data_type executable run_count \\\n", - "0 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "1 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "2 windows:prefetch:execution TEAMVIEWER_DESKTOP.EXE 3 \n", - "\n", - " path \n", - "0 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE \n", - "1 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE \n", - "2 \\PROGRAM FILES (X86)\\TEAMVIEWER\\TEAMVIEWER_DESKTOP.EXE " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 19 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -4792,11 +848,7 @@ "metadata": { "id": "qbT0cf4dB_aJ", "colab_type": "code", - "outputId": "665acf8d-0728-4b5d-ec63-9aee1c4d0a77", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 78 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -4807,65 +859,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 20, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typemessage
02018-04-11 23:38:44+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2018-04-11 23:38:44+00:00 Content Modification Time \n", - "\n", - " data_type \\\n", - "0 windows:registry:key_value \n", - "\n", - " message \n", - "0 [HKEY_LOCAL_MACHINE\\System\\Select] Current: [REG_DWORD_LE] 1 Defau... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 20 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -4901,11 +896,7 @@ "metadata": { "id": "f8CE4NYEFzWu", "colab_type": "code", - "outputId": "73033525-4826-48e4-9acc-2694ccd54522", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 78 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -4915,65 +906,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 21, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
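Review bot: the Select-key result in this hunk is cut off at `Current: [REG_DWORD_LE] 1 Defau...`, so the cell as written only lets the reader confirm the `Current` value and nothing after it. As the later TimeZoneInformation cell does, follow the query with `set(ts_results.message)`, or raise `pandas.options.display.max_colwidth`, so the full key_value message is visible before relying on `ControlSet001` in the next queries.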
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typemessage
02019-03-10 10:00:00+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2019-03-10 10:00:00+00:00 Content Modification Time \n", - "\n", - " data_type \\\n", - "0 windows:registry:key_value \n", - "\n", - " message \n", - "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\TimeZoneInformati... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 21 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -4989,31 +923,14 @@ "metadata": { "id": "s8UMrq0tb3u6", "colab_type": "code", - "outputId": "31e99d39-5d7a-4b76-b7aa-28b428fac200", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 55 - } + "colab": {} }, "cell_type": "code", "source": [ "set(ts_results.message)" ], - "execution_count": 22, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "{u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Control\\\\TimeZoneInformation] ActiveTimeBias: 420 Bias: 480 DaylightBias: -60 DaylightName: @tzres.dll,-211 DynamicDaylightTimeDisabled: 0 StandardBias: 0 StandardName: @tzres.dll,-212 TimeZoneKeyName: Pacific Standard Time'}" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 22 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -5029,32 +946,15 @@ "metadata": { "id": "5R57xnzQGzEB", "colab_type": "code", - "outputId": "5cf3049b-7856-46d3-de99-29a0a0cc9d37", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 35 - } + "colab": {} }, "cell_type": "code", "source": [ "# The ActiveTimeBias is in minutes, so divide by -60 (I don't know why it's stored negative): \n", "420 / -60" ], - "execution_count": 23, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "-7" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 23 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
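Review bot: the `420 / -60` cell hard-codes a value read off the previous cell's output, and this hunk deletes that output, so a reader of the stripped notebook no longer sees where 420 came from; parsing it from the query result instead (e.g. `re.search(r'ActiveTimeBias: (-?\d+)', next(iter(ts_results.message)))`) keeps the cell self-explanatory. The comment "I don't know why it's stored negative" also has the sign backwards: the registry value is positive (420). Windows defines the bias so that UTC = local time + Bias, which is why zones west of UTC store a positive number and dividing by -60 yields the familiar UTC-7 offset.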
@@ -5080,11 +980,7 @@ "metadata": { "id": "_DTNDAiAMSgz", "colab_type": "code", - "outputId": "fc505133-a8a6-4944-d7ab-4fbba126be77", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 108 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -5094,71 +990,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 24, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typemessage
01970-01-01 00:00:00+00:00Installation Timewindows:registry:installationWindows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...
12018-07-28 07:27:53+00:00Installation Timewindows:registry:installationWindows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc data_type \\\n", - "0 1970-01-01 00:00:00+00:00 Installation Time windows:registry:installation \n", - "1 2018-07-28 07:27:53+00:00 Installation Time windows:registry:installation \n", - "\n", - " message \n", - "0 Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\... \n", - "1 Windows 10 Enterprise 6.3 Owner: owner Origin: HKEY_LOCAL_MACHINE\\... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 24 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { @@ -5184,11 +1017,7 @@ "metadata": { "id": "angYvM_3RfA1", "colab_type": "code", - "outputId": "4c908f3a-3133-4c39-a237-f76bc594f5da", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 168 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -5198,95 +1027,8 @@ " as_pandas=True)\n", "ts_results[['datetime','timestamp_desc','data_type','message']]" ], - "execution_count": 25, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
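Review bot: the installation query returns two rows and one of them is `1970-01-01 00:00:00+00:00`, a zero-valued timestamp rather than a real install time. Either drop epoch-zero rows in the cell (e.g. `ts_results[ts_results.datetime > '1971']`) or say in the surrounding text that 2018-07-28 07:27:53 is the row that matters, because once this hunk strips the output nothing in the notebook explains the duplicate.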
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
datetimetimestamp_descdata_typemessage
02018-07-28 07:24:53+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
12018-07-28 07:25:03+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
22018-07-28 07:36:43+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
32019-03-20 20:55:53+00:00Content Modification Timewindows:registry:key_value[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters...
\n", - "
" - ], - "text/plain": [ - " datetime timestamp_desc \\\n", - "0 2018-07-28 07:24:53+00:00 Content Modification Time \n", - "1 2018-07-28 07:25:03+00:00 Content Modification Time \n", - "2 2018-07-28 07:36:43+00:00 Content Modification Time \n", - "3 2019-03-20 20:55:53+00:00 Content Modification Time \n", - "\n", - " data_type \\\n", - "0 windows:registry:key_value \n", - "1 windows:registry:key_value \n", - "2 windows:registry:key_value \n", - "3 windows:registry:key_value \n", - "\n", - " message \n", - "0 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", - "1 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", - "2 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... \n", - "3 [HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 25 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
@@ -5302,34 +1044,14 @@ "metadata": { "id": "55kVv0nOcVKf", "colab_type": "code", - "outputId": "963f38c6-87c3-466a-ae5b-b42bf3ebabf1", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 106 - } + "colab": {} }, "cell_type": "code", "source": [ "set(ts_results.message)" ], - "execution_count": 26, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/plain": [ - "{u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{237df97c-14eb-4ba8-af9e-a99d8dd8b936}] AddressType: [REG_DWORD_LE] 0 DhcpConnForceBroadcastFlag: [REG_DWORD_LE] 0 DhcpDefaultGateway: [REG_MULTI_SZ] 64.44.141.1 DhcpGatewayHardware: [REG_BINARY] DhcpGatewayHardwareCount: [REG_DWORD_LE] 1 DhcpIPAddress: [REG_SZ] 64.44.141.76 DhcpInterfaceOptions: [REG_BINARY] DhcpNameServer: [REG_SZ] 8.8.8.8 8.8.4.4 DhcpServer: [REG_SZ] 167.88.4.2 DhcpSubnetMask: [REG_SZ] 255.255.255.0 DhcpSubnetMaskOpt: [REG_MULTI_SZ] 255.255.255.0 Domain: [REG_SZ] EnableDHCP: [REG_DWORD_LE] 1 IsServerNapAware: [REG_DWORD_LE] 0 Lease: [REG_DWORD_LE] 21600000 LeaseObtainedTime: [REG_DWORD_LE] 28 LeaseTerminatesTime: [REG_DWORD_LE] 21600028 NameServer: [REG_SZ] T1: [REG_DWORD_LE] 10800028 T2: [REG_DWORD_LE] 18900028',\n", - " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{33b71fd7-9aaa-4528-a0e5-006a2123864a}] Domain: [REG_SZ] EnableDHCP: [REG_DWORD_LE] 1 NameServer: [REG_SZ] ',\n", - " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces\\\\{ac3af346-923f-11e8-87fa-806e6f6e6963}] Value: No values stored in key.',\n", - " u'[HKEY_LOCAL_MACHINE\\\\System\\\\ControlSet001\\\\Services\\\\Tcpip\\\\Parameters\\\\Interfaces] Value: No values stored in key.'}" - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 26 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { 
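Review bot: this hunk removes the only place the DHCP lease details appear (DhcpIPAddress 64.44.141.76, DhcpDefaultGateway 64.44.141.1, DhcpServer 167.88.4.2, DhcpNameServer 8.8.8.8 8.8.4.4), and `set(ts_results.message)` dumps all four interface keys, two of which report "No values stored in key." Filtering to rows whose message contains `DhcpIPAddress` would isolate the interface of interest, and keeping the answer in the adjacent markdown cell means the stripped notebook still reads on its own.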
@@ -5355,11 +1077,7 @@ "metadata": { "id": "6dq7IoM_U7Qo", "colab_type": "code", - "outputId": "fb428b62-f3e0-4a92-841f-0f7c63486326", - "colab": { - "base_uri": "https://localhost:8080/", - "height": 138 - } + "colab": {} }, "cell_type": "code", "source": [ @@ -5370,85 +1088,8 @@ "ts_results = ts_results.set_index('datetime')\n", "ts_results['2019-02-25':'2019-02-26'][['timestamp_desc','data_type','username','message']]" ], - "execution_count": 27, - "outputs": [ - { - "output_type": "execute_result", - "data": { - "text/html": [ - "
\n", - "\n", - "\n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - " \n", - "
timestamp_descdata_typeusernamemessage
datetime
2019-02-25 20:04:42+00:00Content Modification Timewindows:evtx:recordAdministrator[1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32...
2019-02-25 20:13:53+00:00Content Modification Timewindows:evtx:recordAdministrator[1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32...
\n", - "
" - ], - "text/plain": [ - " timestamp_desc data_type \\\n", - "datetime \n", - "2019-02-25 20:04:42+00:00 Content Modification Time windows:evtx:record \n", - "2019-02-25 20:13:53+00:00 Content Modification Time windows:evtx:record \n", - "\n", - " username \\\n", - "datetime \n", - "2019-02-25 20:04:42+00:00 Administrator \n", - "2019-02-25 20:13:53+00:00 Administrator \n", - "\n", - " message \n", - "datetime \n", - "2019-02-25 20:04:42+00:00 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... \n", - "2019-02-25 20:13:53+00:00 [1074 / 0x0432] Source Name: User32 Strings: ['C:\\Windows\\System32... " - ] - }, - "metadata": { - "tags": [] - }, - "execution_count": 27 - } - ] + "execution_count": 0, + "outputs": [] }, { "metadata": { From 4fa5e16670da31cc4dde3639aa0da4483bb0620b Mon Sep 17 00:00:00 2001 From: Ryan Benson Date: Wed, 24 Apr 2019 09:04:19 -0700 Subject: [PATCH 4/6] Update MUS2019_CTF.ipynb --- notebooks/MUS2019_CTF.ipynb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb index d747a39169..61dd18a89e 100644 --- a/notebooks/MUS2019_CTF.ipynb +++ b/notebooks/MUS2019_CTF.ipynb @@ -69,7 +69,7 @@ "\n", "\n", "```\n", - "ryan:~$ log2timeline.py MUS2019-CTF.plaso MUS-CTF-19-DESKTOP-001.E01\n", + "log2timeline.py MUS2019-CTF.plaso MUS-CTF-19-DESKTOP-001.E01\n", "```\n", "\n", "Once that finished, I went to [Timesketch](https://github.com/google/timesketch), made a new sketch, and uploaded the MUS2019-CTF.plaso file I just made. The *.plaso* file is a database containing the results of my log2timeline run; Timesketch can read it and provide a nice, collaborative interface for reviewing and exploring that data.\n", @@ -1117,4 +1117,4 @@ ] } ] -} \ No newline at end of file +} From 297d53ee9357726e244713f97f179c9a9ad7a566 Mon Sep 17 00:00:00 2001 
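Review bot: in the event-log hunk the message column is truncated at `Strings: ['C:\Windows\System32...`, so the reason string carried by the 1074 event was not readable even before this hunk strips the output; selecting `message` on its own or raising the pandas column width fixes that. Also, `ts_results['2019-02-25':'2019-02-26']` only works because `set_index('datetime')` produced a DatetimeIndex, which depends on the `as_pandas=True` result already having a datetime dtype; an explicit `pd.to_datetime` before `set_index` would make the date slice robust.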
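Review bot: dropping the `ryan:~$` prompt from the log2timeline command makes it copy-pasteable, which is an improvement; the fence is still untagged (```` ``` ````), so consider ```` ```bash ````. The second hunk only adds the missing newline at end of file, which is worth stating in a commit message more specific than "Update MUS2019_CTF.ipynb".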
From: Ryan Benson Date: Wed, 24 Apr 2019 09:09:02 -0700 Subject: [PATCH 5/6] Update MUS2019_CTF.ipynb --- notebooks/MUS2019_CTF.ipynb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb index 61dd18a89e..29f6e230c2 100644 --- a/notebooks/MUS2019_CTF.ipynb +++ b/notebooks/MUS2019_CTF.ipynb @@ -189,7 +189,7 @@ }, "cell_type": "markdown", "source": [ - "Then we'll select the MUS2019-CTF sketch:" + "Then we'll select the MUS2019-CTF sketch (shown as sketch 0 above; you can change the number below to select a different sketch):" ] }, { From a9ced369b39a652fce80fc6175db5ec76b7ca7df Mon Sep 17 00:00:00 2001 From: Ryan Benson Date: Wed, 24 Apr 2019 09:18:16 -0700 Subject: [PATCH 6/6] Update MUS2019_CTF.ipynb --- notebooks/MUS2019_CTF.ipynb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/notebooks/MUS2019_CTF.ipynb b/notebooks/MUS2019_CTF.ipynb index 29f6e230c2..f2f9145124 100644 --- a/notebooks/MUS2019_CTF.ipynb +++ b/notebooks/MUS2019_CTF.ipynb @@ -21,7 +21,7 @@ "colab_type": "text" }, "source": [ - "\"Open" + "\"Open" ] }, {
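Review bot: the reworded sentence hard-codes "sketch 0" and tells the reader to change a number; selecting the sketch by its name (MUS2019-CTF) would survive reordering of the sketch list, and the commit message should say why the text changed rather than the generic "Update MUS2019_CTF.ipynb".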
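Review bot: the before and after lines of the badge hunk read identically as shown here (`"Open`), so the change to the Colab badge cell cannot be reviewed from this diff; please spell out what changed in the commit message, which is currently just "Update MUS2019_CTF.ipynb".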