EventTranscriptDB
Windowsv1.2
Author: Andrew Rathbun and Josh Mitchell
description
EventTranscript.db (and other files related to Telemetry and Diagnostic Data)
paths
3 paths
SystemEventsEventTranscript.db
C:\ProgramData\Microsoft\Diagnosis\EventTranscriptEventTranscript.db*SystemEventsEventTranscript.db
C:\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscriptEventTranscript.db*SystemEventsMicrosoft Office Diagnostic Logs
C:\Users\%User%\AppData\Local\Temp\Diagnostics› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: EventTranscriptDB
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. EventTranscript.db
Collect-Artifact -SourcePath "C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*" -FolderName "EventTranscript_db"
# 2. EventTranscript.db
Collect-Artifact -SourcePath "C:\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*" -FolderName "EventTranscript_db"
# 3. Microsoft Office Diagnostic Logs
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Local\Temp\Diagnostics\*" -FolderName "Microsoft_Office_Diagnostic_Logs"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1