## **FUNCTIONS, VARS, INIT**

**First of all, let's create two variables we will use later: home_path (the home path of the created environment) and thisnb (the name of the current notebook).**

In [1]:
home_path=!pwd
thisnb=home_path[0]+"/szechuan_kape.ipynb"

## **IMPORTS & INIT**

**To make the notebook work, we load all the needed libraries and imports, including ds4n6_lib, which are defined in the imports.ipynb notebook. We also suppress warnings to keep the output clean. This cell is the same for all the notebooks in the project.**

In [2]:
%run imports.ipynb
warnings.filterwarnings("ignore")

## **READ DATA**

**We download the outputs we obtained by running KAPE on the evidence. We do it via gdown (Google Drive) functions, downloading and extracting all the KAPE .csv files. If you have your own KAPE outputs in csv, you can change the URL ID and download yours.**

In [3]:
url = 'https://drive.google.com/uc?id=1j6AyNWyrgkwGxEPcttYwbuIf7EzQmhto'
of = 'kape.tgz'
gdown.download(url, of, quiet=False)
gdown.extractall("kape.tgz", to="kape/")

Downloading...
From: https://drive.google.com/uc?id=1j6AyNWyrgkwGxEPcttYwbuIf7EzQmhto
To: /home/jovyan/kape.tgz
100%|██████████| 1.27M/1.27M [00:00<00:00, 118MB/s]


['kape/G__szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/G__szechuan_kape_artifacts_F_Users_Administrator_AppData_Local_Microsoft_Windows_UsrClass.dat.csv',
 'kape/20201116033049_UserAssist_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_TypedURLs_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_TimeZoneInfo_G_szechuan_kape_artifacts_F_Windows_system32_config_SYSTEM.csv',
 'kape/20201116033049_TerminalServerClient_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_Services_G_szechuan_kape_artifacts_F_Windows_system32_config_SYSTEM.csv',
 'kape/20201116033049_RECmd_Batch_RECmd_Batch_MC_Output.csv',
 'kape/20201116033049_RecentDocs_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_OpenSavePidlMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_MountedDevices_G_szechuan_kape_artif

**Once the data has been correctly downloaded, let's read it with the xread() function, which comes from ds4n6_lib and allows us to read the output of different tools, creating a harmonized pickle with all the information (you will notice kape.ham.pkl in your home directory). From now on, this .pkl file is the one used to read the data very quickly. You can learn more about .pkl files __[here](https://towardsdatascience.com/why-turn-into-a-pickle-b45163007dac)__**

In [4]:
%%time

d4.debug = 0

# Read raw data
xread(tool="kape", rootpath=home_path[0]+"/kape", folder_parsing_mode="single_host_with_categories", path_prefix="G__szechuan_kape_artifacts", pluginisdfname=True, notebook_file=thisnb)

- Searching notebook for saved input file / folder (_kaped)
  + Found: /home/jovyan/kape

- Reading file(s):
  + Reading csv file 20201116033049_KnownNetworks_G_szechuan_kape_artifacts_F_Windows_system32_config_SOFTWARE.csv                  into dataframe ->  KnownNetworks-F_Windows_system32_config_SOFTWARE                                                     
  + Reading csv file 20201116033049_TerminalServerClient_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv             into dataframe ->  TerminalServerClient-F_Users_Administrator_ntuser.dat                                                
  + Reading csv file 20201116033046_AutomaticDestinations.csv                                                                       into dataframe ->  AutomaticDestinations                                                                                
  + Reading csv file 20201116033049_CIDSizeMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv                       

**This output is generated by the framework to show you which input files are being read.**
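To see how a plain "Plugin-hivepath" key like the ones printed above can be derived from a KAPE/RECmd csv filename, here is an added example (my own code, not ds4n6_lib's xread, which I assume follows the filename layout `<timestamp>_<Plugin>_<path_prefix>_<hive path>.csv` for the timestamped per-plugin files). It loads the csv files into one dict and persists it as a pickle, mirroring what kape.ham.pkl stores; the sample rows are constructed.

```python
"""Added example, not ds4n6_lib's own code: derive the 'Plugin-hivepath'
dataframe names xread printed from KAPE/RECmd csv filenames, load the csv
files into one dict and pickle it, the way kape.ham.pkl is produced.
Assumptions (mine): single host, and timestamped per-plugin filenames laid
out as <timestamp>_<Plugin>_<path_prefix>_<hive path>.csv."""
import csv
import pickle
import re
import tempfile
from pathlib import Path

PATH_PREFIX = "G_szechuan_kape_artifacts"   # as seen in the filenames above

def kape_df_name(filename, path_prefix=PATH_PREFIX):
    """Map a KAPE csv filename to the key xread reported for its dataframe."""
    stem = Path(filename).stem                   # strips only the .csv suffix
    stem = re.sub(r"^\d{14}_", "", stem)         # drop the run timestamp
    marker = f"_{path_prefix}_"
    if marker in stem:                           # per-hive plugin output
        plugin, hive = stem.split(marker, 1)
        return f"{plugin}-{hive}"
    return stem                                  # prefix-less outputs

def load_kape_csvs(rootpath, path_prefix=PATH_PREFIX):
    """Read every csv under rootpath into {df_name: list of row dicts}."""
    dfs = {}
    for p in sorted(Path(rootpath).rglob("*.csv")):
        with p.open(newline="", encoding="utf-8-sig") as fh:  # tolerate BOM
            dfs[kape_df_name(p.name, path_prefix)] = list(csv.DictReader(fh))
    return dfs

def save_ham_pickle(dfs, out):
    """Persist the harmonized dict so later runs can skip re-parsing the csvs."""
    with open(out, "wb") as fh:
        pickle.dump(dfs, fh)
    return out

def demo():
    """Build a constructed two-file tree, load it and round-trip the pickle."""
    root = Path(tempfile.mkdtemp())
    # constructed rows; the filenames are copied from the xread output above
    (root / "20201116033049_KnownNetworks_G_szechuan_kape_artifacts_F_Windows_system32_config_SOFTWARE.csv").write_text(
        "KeyPath,ValueName,ValueData\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles,ProfileName,CorpWiFi\n")
    (root / "20201116033046_AutomaticDestinations.csv").write_text(
        "SourceFile,AppId\nconstructed.automaticDestinations-ms,0000000000000000\n")
    pkl = save_ham_pickle(load_kape_csvs(root), root / "kape.ham.pkl")
    with open(pkl, "rb") as fh:
        return pickle.load(fh)
```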

In [5]:
kpdfs = d4.out

In [6]:
# Automatically created - DO NOT EDIT OR REMOVE unless you want to change the file to read (in that case, remove this cell)
# 2021-04-06 15:36:22.410739
# _kaped_f2read = "/home/jovyan/kape"

## **ANALYSIS**

### **GENERIC**

**xdisplay is used to configure the settings of the default dataframe display used in the next cell. The display.max_rows field does not apply to the next cell, which has its own max_rows option.**

In [7]:
xdisplay()

#### Pandas options

IntText(value=60, description='display.max_rows: ', style=DescriptionStyle(description_width='initial'))

IntText(value=10, description='display.min_rows: ', style=DescriptionStyle(description_width='initial'))

IntText(value=20, description='display.max_columns: ', style=DescriptionStyle(description_width='initial'))

Dropdown(description='display.colheader_justify: ', options=('right', 'left'), style=DescriptionStyle(descript…

Checkbox(value=True, description='display.expand_frame_repr', indent=False, style=DescriptionStyle(description…

**In the xmenu, we will be able to display the data we have already read. These are the settings we can use:**

- Select DataFrame: there is one dataframe per KAPE artifact output. xmenu will display the information of the selected dataframe.
- Select grid: how we want the information to be displayed. There are three options:
  - default: default dataframe view. In this case, if we select 20 rows to be displayed, the first 10 and the last 10 rows will be shown.
  - aggrid: uses the ag-grid plugin to display the dataframe.
  - qgrid: uses the qgrid plugin to display the dataframe.
- Simple output: if checked, only the relevant columns of the dataframe are displayed.
- Select max_rows: number of rows displayed in the dataframe. With aggrid and qgrid, this is used for pagination/scrolling.

In [8]:
xmenu(kpdfs)

**DataFrame visualization menu:**

Box(children=(Dropdown(description='Select DataFrame', layout=Layout(width='550px'), options=('Select DataFram…

HBox(children=(Label(value='Selected dataframe: '),))

HBox(children=(HTML(value="<div style='color: orange; font-weight: bold;'>Data Loading. Please Wait…</div>"),)…

Output(layout=Layout(overflow='auto', width='99%'))

Output(layout=Layout(overflow='auto', width='99%'))

<ds4n6_lib.gui.dfs_explorer at 0x7fcf74463190>