# EventTranscript DB

## Overview

**Evidence:** EventTranscript DB\
**Description:** Collect EventTranscript DB\
**Category:** System\
**Platform:** windows\
**Short Name:** evnttrscdb\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

EventTranscript.db is a SQLite database maintained by Windows for diagnostic data and telemetry. It contains detailed information about application inventory, browser history, WiFi connections, device installations, and other system events.

This database provides unique forensic artifacts not available in other Windows logs, including granular application usage data, WiFi access point history, and detailed system inventory information.

## Data Collected

This collector gathers structured data from EventTranscript.db, organized into the record types listed below. The `SID` and `Username` fields that open most record types identify the user account the record belongs to.

### EventTranscript DB Data

**Browser history**

| Field        | Description              | Example                   |
| ------------ | ------------------------ | ------------------------- |
| `SID`        | User security identifier | S-1-5-21-...              |
| `Username`   | Username                 | DOMAIN\user               |
| `AccessTime` | URL access timestamp     | 2023-10-15T14:30:00       |
| `URL`        | Visited URL              | <https://www.example.com> |

**Application inventory**

| Field         | Description                | Example                        |
| ------------- | -------------------------- | ------------------------------ |
| `SID`         | User security identifier   | S-1-5-21-...                   |
| `Username`    | Username                   | DOMAIN\user                    |
| `ProgramName` | Application name           | Google Chrome                  |
| `InstallPath` | Installation path          | C:\Program Files\Google\Chrome |
| `OSVersion`   | OS version at install time | 10.0.19041                     |
| `InstallDate` | Installation timestamp     | 2023-10-01T10:00:00            |
| `Version`     | Application version        | 118.0.5993.89                  |

**WiFi scan history**

| Field        | Description              | Example             |
| ------------ | ------------------------ | ------------------- |
| `SID`        | User security identifier | S-1-5-21-...        |
| `Username`   | Username                 | DOMAIN\user         |
| `AccessTime` | Scan timestamp           | 2023-10-15T14:30:00 |
| `SSID`       | WiFi network name        | Corporate-WiFi      |
| `MACAddress` | Access point MAC address | 00:11:22:33:44:55   |

**Device configuration and disk information**

| Field            | Description                | Example                |
| ---------------- | -------------------------- | ---------------------- |
| `SID`            | User security identifier   | S-1-5-21-...           |
| `Username`       | Username                   | DOMAIN\user            |
| `DeviceMake`     | Device manufacturer        | Dell Inc.              |
| `DeviceModel`    | Device model               | Latitude 7490          |
| `TimeZone`       | User time zone             | America/New_York       |
| `DefaultBrowser` | Default browser ProgID     | ChromeHTML             |
| `DefaultApp`     | Default app for file types |                        |
| `DeviceId`       | Device identifier          | `\\.\PHYSICALDRIVE0`   |
| `SerialNumber`   | Disk serial number         | S4BXNX0N123456         |
| `Size`           | Disk size in bytes         | 512110190592           |
| `NumPartitions`  | Number of partitions       | 4                      |
| `BytesPerSector` | Bytes per sector           | 512                    |
| `MediaType`      | Media type                 | SSD                    |

**Network interface and WiFi connection**

| Field                  | Description              | Example                                |
| ---------------------- | ------------------------ | -------------------------------------- |
| `SID`                  | User security identifier | S-1-5-21-...                           |
| `Username`             | Username                 | DOMAIN\user                            |
| `InterfaceGuid`        | Network interface GUID   | {12345678-1234-1234-1234-123456789ABC} |
| `InterfaceType`        | Interface type           | 71                                     |
| `InterfaceDescription` | Interface description    | Intel(R) Wireless-AC 9560              |
| `SSID`                 | Connected WiFi network   | Corporate-WiFi                         |
| `AuthAlg`              | Authentication algorithm | WPA2PSK                                |
| `BSSID`                | Access point MAC address | 00:11:22:33:44:55                      |
| `Manufacturer`         | AP manufacturer          | Cisco                                  |
| `ModelName`            | AP model name            | AIR-AP2802I                            |
| `ModelNumber`          | AP model number          | AP2802I                                |

**Device installation**

| Field              | Description              | Example                 |
| ------------------ | ------------------------ | ----------------------- |
| `SID`              | User security identifier | S-1-5-21-...            |
| `Username`         | Username                 | DOMAIN\user             |
| `ObjectID`         | Device object identifier | `PCI\VEN_8086&DEV_9D60` |
| `Service`          | Associated service       | nvme                    |
| `FirstInstallDate` | First installation       | 2023-01-15T10:00:00     |
| `InstallDate`      | Last installation        | 2023-10-01T14:00:00     |
| `Model`            | Device model             | Samsung SSD 970 EVO     |
| `Manufacturer`     | Device manufacturer      | Samsung                 |

**Raw events (exported by tag)**

| Field                       | Description              | Example                                                   |
| --------------------------- | ------------------------ | --------------------------------------------------------- |
| `SID`                       | User security identifier | S-1-5-21-...                                              |
| `UserName`                  | Username                 | DOMAIN\user                                               |
| `TimeStamp`                 | Event timestamp          | 2023-10-15T14:30:00.123Z                                  |
| `ProducerId`                | Producer ID              | 123                                                       |
| `Producer`                  | Producer name            | Microsoft-Windows-Kernel-General                          |
| `ProviderGroupId`           | Provider group ID        | 45                                                        |
| `ProviderGroupGUID`         | Provider group GUID      | {A68CA8B7-004F-D7B6...}                                   |
| `LocaleName`                | Locale name              | en-US                                                     |
| `TagName`                   | Event tag name           | BrowserHistory                                            |
| `TagId`                     | Event tag ID             | 1                                                         |
| `FullEventName`             | Complete event name      | Microsoft.Windows.Shell.SystemSettings.AppDefaultsUpdated |
| `LoggingBinaryName`         | Logging binary           | SystemSettings.exe                                        |
| `FriendlyLoggingBinaryName` | Friendly binary name     | System Settings                                           |
| `FullEventNameHash`         | Event name hash          | 12345678901234567890                                      |
| `Keywords`                  | Event keywords           | 0x8000000000000000                                        |
| `IsCore`                    | Is core event            | true                                                      |
| `CompressedSize`            | Compressed payload size  | 1024                                                      |
| `Payload`                   | JSON payload data        | `{"AppId":"MSEdge","Url":"https://..."}`                  |

## Collection Method

This collector:

* Collects the EventTranscript database from `ProgramData\Microsoft\Diagnosis\EventTranscript`
* Opens the SQLite database
* Queries specific event types using SQL
* Parses JSON payloads from event records
* Extracts and structures data into separate tables
* Also exports raw event data organized by tags to CSV files
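The open, query, parse and group-by-tag steps above, as an added Python example that is not the collector's own code. It builds a constructed in-memory SQLite database whose table and column names are an assumption modelled on the field list above (the real EventTranscript.db layout may differ), stores timestamps as Windows FILETIME ticks (also an assumption), and shows how a non-JSON payload is retained rather than silently dropped.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed mini schema modelled on the field list above (an assumption; the real file's
# tables may differ). Timestamps are Windows FILETIME ticks (100 ns since 1601-01-01 UTC).
SCHEMA = """
CREATE TABLE events_persisted (sid TEXT, timestamp INTEGER, payload TEXT,
  full_event_name TEXT, full_event_name_hash INTEGER, logging_binary_name TEXT);
CREATE TABLE event_tags (full_event_name_hash INTEGER, tag_id INTEGER);
CREATE TABLE tag_descriptions (tag_id INTEGER, locale_name TEXT, tag_name TEXT);
"""
# Constructed sample rows: a browser-history event, an app-inventory event, and a broken one.
ROWS = [
    ("S-1-5-21-1000", 133418538000000000, '{"AppId":"MSEdge","Url":"https://www.example.com"}',
     "Microsoft.WebBrowser.HistoryJournal.HJ_HistoryAddUrl", 111, "msedge.exe"),
    ("S-1-5-21-1000", 133406280000000000, '{"ProgramName":"Google Chrome","Version":"118.0.5993.89"}',
     "Microsoft.Windows.Inventory.Core.InventoryApplicationAdd", 222, "svchost.exe"),
    ("S-1-5-21-1000", 133406280000000000, "not json", "Constructed.Broken.Event", 333, "x.exe"),
]
QUERY = """
SELECT e.sid, e.timestamp, t.tag_name, e.full_event_name, e.logging_binary_name, e.payload
FROM events_persisted e
JOIN event_tags et ON et.full_event_name_hash = e.full_event_name_hash
JOIN tag_descriptions t ON t.tag_id = et.tag_id AND t.locale_name = 'en-US'
ORDER BY e.timestamp
"""
def filetime_to_iso(ft: int) -> str:
    """Convert a Windows FILETIME tick count to an ISO-8601 UTC timestamp."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def build_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO events_persisted VALUES (?,?,?,?,?,?)", ROWS)
    con.executemany("INSERT INTO event_tags VALUES (?,?)", [(111, 1), (222, 2), (333, 2)])
    con.executemany("INSERT INTO tag_descriptions VALUES (?,?,?)",
                    [(1, "en-US", "BrowserHistory"), (2, "en-US", "SoftwareSetup")])
    return con
def events_by_tag(con: sqlite3.Connection) -> dict:
    """Run the join, decode each JSON payload, and group flattened records by tag name."""
    grouped = {}
    for sid, ts, tag, name, binary, payload in con.execute(QUERY):
        try:
            fields = json.loads(payload)
        except json.JSONDecodeError:
            fields = {"_raw": payload}  # keep undecodable payloads rather than dropping them
        grouped.setdefault(tag, []).append({"SID": sid, "TimeStamp": filetime_to_iso(ts),
            "FullEventName": name, "LoggingBinaryName": binary, **fields})
    return grouped
```

Each list in the returned dict maps directly onto one per-tag CSV file, with the decoded payload keys becoming columns.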

## Forensic Value

EventTranscript provides unique telemetry data not available in traditional Windows logs. Investigators use this for historical browser activity tracking, application installation timelines, WiFi network history and geolocation, device installation tracking, user behavior patterns, and system configuration analysis.
