Forensically Unpacking EventTranscript.db: An Investigative Series

Observed in certain Windows 10 instances as early as January 2021, EventTranscript.db was found by Kroll to record, track and maintain a wealth of artifacts and data elements. Of particular interest to Kroll is the forensic value of a number of those artifacts, including unique evidence of execution artifacts, evidence of copying to the Windows clipboard, run time tracking and much more.

Kroll has been conducting extensive research on the depth and breadth of the contents of EventTranscript.db, and we’re pleased to share our initial findings. More exciting is what we are discovering as we continue our deep dive into the meaning and forensic value of the data being captured within this database. Look for regular updates as we share new findings, each focused on a specific aspect of our investigative research and control testing. While Microsoft has released documentation regarding the purpose of EventTranscript.db and third-party research on telemetry files exists, Kroll is hopeful that our DFIR-focused and related perspectives on EventTranscript.db will be meaningful for researchers and actionable for investigators during their DFIR pursuits.

EventTranscript.db At a Glance

• EventTranscript.db is an SQLite database located at: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db
• Contains 7 tables within the SQLite database:

• categories
• event_categories
• event_tags
• events_persisted
• producers
• provider_groups
• tag_descriptions

• Records six (6) different types of events with the following labels:

• Browsing history: Records of the web browsing history when using the capabilities of the application or cloud service, stored in either the service or the application
• Device connectivity and configuration: Data that describes the connections and configuration of the devices connected to the service and the network, including device identifiers (e.g., IP addresses) configuration, setting and performance
• Inking typing and speech utterance: Record of the input data provided by the end user through an interaction method or action such as inking, typing, speech utterance or gesture
• Product and service performance: Data collected about the measurement, performance and operation of the capabilities of the product or service. This data represents information about the capability and its use, with a focus on providing the capabilities of the product or service.
• Product and service usage: Data provided or captured about the end user’s interaction with the service or products by the cloud service provider. Captured data includes the records of the end user’s preferences and settings for capabilities, the capabilities used and commands provided to the capabilities.
• Software setup and inventory: Data that describes the installation, setup and update of software.

• As of this writing, the database records over 2,200 unique events, each of which contains unique JSON payloads that provide the data DFIR examiners can use to leverage in their investigations.
• Various levels of logging can be toggled by the user, but data sampling for Optional Data is triggered only by Microsoft. Research is still ongoing to better understand the logic behind why Microsoft chooses to enable data sampling on any given Windows 10 instance. Optional Data provides a significantly more granular insight into user and system activity.
• Data stored within EventTranscript.db is separate from the traditional event log system and is not erased when event logs are cleared.

EventTranscript.DB History

• EventTranscript.db appears to have been introduced by Microsoft to the Windows 10 operating system on or about the release of version 1709.
• Previously, Windows tracked and recorded similar event data to .rbs files that were hardcoded in filenames such as events00.rbs, events01.rbs, events10.rbs and events11.rbs.
• These files were effectively compressed JSON through version 1703 until version 1709 migrated the data and changed the recording action to store data within the EventTranscript.db file.
• Kroll identified that Microsoft employed the DiagTrack.dll to record telemetry data to the respective *.db or *.rbs files depending on the operating system version. Kroll observed that this reflected an evolutionary process often employed by Microsoft to record event log data, such as when they transitioned from the .evt to .evtx format with Windows Vista. Accordingly, Kroll assessed that the transition from .rbs to EventTranscript.db represented a similar evolution.

Preview of Upcoming Articles

• Enabling EventTranscript.db (GUI)
• Enabling EventTranscript.db (Registry)
• EventTranscript.db and Security Events
• Location and Settings of Services Related to EventTranscript.db
• Forensicating EventTranscript.db Using Diagnostic Data Viewer
• Diagnostic Data Viewer Overview
• More Forensic Quick Wins

This article was written by Andrew Rathbun and Josh Mitchell from Kroll's cyber risk practice.

The entire series will be published here, so bookmark this page and visit often.