OneDriveExplorer
What is OneDriveExplorer?
OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous files. It can load multiple settings, log, and $Recycle.bin files at once, search across all loaded settings files, view OneDrive logs, and more.
Capabilities
- Reconstruct OneDrive folder structure from the <UserCid>.dat and <UserCid>.dat.previous files
- File hash
- File size
- eTag
- Read .odl, .odlgz, .odlsent and .aold log files
- Find deleted files
- Correlate file/folder entries with log activity
___________________________________________________________________________________________________________________________
SEPparser
What is SEPparser?
SEPparser is a command line tool for examining artifacts from Symantec Endpoint Protection (SEP). It can be run against a single file, a directory, a dead-box system (a write-blocked hard drive or a mounted collection), or on a live system for live response.
Capabilities
- Parse settings for log files
- Parse the following log files:
- Security log
- System log
- Firewall Traffic log
- Firewall Packet log
- Application and Device Control log
- AV Management plugin log
- Daily AV logs
- Extract packets from Firewall Packet log
- Parse ccSubSDK database into csv reports
- Extract potential binary blobs from ccSubSDK
- Parse VBN files into csv reports
- Extract quarantined data to a file or as a hex dump
- Perform a hex dump of VBN files for research