# **CASE VARIABLES** 

## **IMPORTS & INIT**

In [1]:
# Standard python imports
import calendar
import datetime
import glob
import hashlib
import importlib
import logging
import os.path
import pickle
import re
import tarfile
import time
import warnings
from time import sleep

# Data Science Imports
import numpy as np
import pandas as pd
from IPython.display import display, Markdown
import nbformat as nbf
import xmltodict
import untangle

# Visualization
import matplotlib.pyplot as plt
import seaborn as sns
import pandas_bokeh
from bokeh.io import output_notebook, show
from bokeh.plotting import figure, output_file, show

# Data Save/Restore
# NOTE: dill/pickle deserialisation executes code from the file - only load
# files this notebook produced itself, never evidence or downloaded material.
import dill
import gdown

# DFIR Imports
from timesketch_api_client import client
from timesketch_api_client import config
import timesketch_api_client

# DS4N6
from ds4n6_lib.common import analysis
from ds4n6_lib.common import anl
from ds4n6_lib.common import whatis
from ds4n6_lib.unx    import xgrep
from ds4n6_lib.gui    import read_data_gui
from ds4n6_lib.gui    import xmenu
from ds4n6_lib.gui    import xdisplay

import ds4n6_lib.d4          as d4
import ds4n6_lib.common      as d4com
import ds4n6_lib.autoruns    as d4atrs
import ds4n6_lib.fstl        as d4fstl
import ds4n6_lib.plaso       as d4pl
import ds4n6_lib.kansa       as d4ksa
import ds4n6_lib.kape        as d4kp
import ds4n6_lib.evtx        as d4evtx
import ds4n6_lib.unx         as d4unx
import ds4n6_lib.utils       as d4utl
import ds4n6_lib.volatility  as d4vol
import ds4n6_lib.gui         as d4gui

warnings.filterwarnings("ignore",category=DeprecationWarning)
warnings.filterwarnings("ignore",category=UserWarning)

## **VARIABLES**

In [2]:
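# Case root folder. Kept as a one-element list so the later cells that index
# home_path[0] keep working. os.getcwd() replaces the `!pwd` shell capture so the
# cell also runs outside IPython (nbconvert/papermill) and needs no shell; the only
# difference is that getcwd() returns the physical path if the cwd is a symlink.
home_path = [os.getcwd()]
# Path of this notebook, passed to read_data_gui(notebook_file=...); the auto-created
# "_kaped_f2read" cell further down suggests it is written back to - verify.
thisnb = home_path[0] + "/szechuan_kape.ipynb"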

## **FUNCTIONS**

In [3]:
def now():
    """Print the current local wall-clock time; returns nothing."""
    current = datetime.datetime.now()
    print(str(current))

## **READ DATA**

In [4]:
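# Fetch the KAPE csv bundle from the hard-coded Google Drive id and unpack it
# into kape/. The cell is idempotent: an archive already on disk is reused, so a
# Restart & Run All does not re-download it.
url = 'https://drive.google.com/uc?id=1j6AyNWyrgkwGxEPcttYwbuIf7EzQmhto'
of = 'kape.tgz'
# TODO: pin the SHA-256 of kape.tgz once it has been recorded; None skips the check.
EXPECTED_SHA256 = None

if not os.path.exists(of):
    gdown.download(url, of, quiet=False)
if not os.path.exists(of):
    raise RuntimeError("download of %s did not produce %s" % (url, of))

# Integrity: print the digest so it can be recorded in the case notes, and stop
# before extraction if it does not match the pinned value.
with open(of, "rb") as fh:
    actual_sha256 = hashlib.sha256(fh.read()).hexdigest()
print("sha256(%s) = %s" % (of, actual_sha256))
if EXPECTED_SHA256 is not None and actual_sha256 != EXPECTED_SHA256:
    raise ValueError("%s digest mismatch - refusing to extract" % of)

# The archive comes from outside the case; refuse members whose path would land
# outside the target folder (absolute names or '..' components).
with tarfile.open(of) as tar:
    unsafe = [m.name for m in tar.getmembers()
              if os.path.isabs(m.name) or ".." in m.name.split("/")]
if unsafe:
    raise ValueError("%s contains unsafe member paths: %s" % (of, unsafe[:5]))

# Last expression: the list of extracted files is the cell output
gdown.extractall(of, to="kape/")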

Downloading...
From: https://drive.google.com/uc?id=1j6AyNWyrgkwGxEPcttYwbuIf7EzQmhto
To: /home/jovyan/kape.tgz
100%|██████████| 1.27M/1.27M [00:00<00:00, 112MB/s]


['kape/G__szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/G__szechuan_kape_artifacts_F_Users_Administrator_AppData_Local_Microsoft_Windows_UsrClass.dat.csv',
 'kape/20201116033049_UserAssist_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_TypedURLs_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_TimeZoneInfo_G_szechuan_kape_artifacts_F_Windows_system32_config_SYSTEM.csv',
 'kape/20201116033049_TerminalServerClient_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_Services_G_szechuan_kape_artifacts_F_Windows_system32_config_SYSTEM.csv',
 'kape/20201116033049_RECmd_Batch_RECmd_Batch_MC_Output.csv',
 'kape/20201116033049_RecentDocs_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_OpenSavePidlMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv',
 'kape/20201116033049_MountedDevices_G_szechuan_kape_artif

In [5]:
%%time

# Keep ds4n6 quiet while loading
d4.debug = 0

# Read raw data: the KAPE csv exports under <case root>/kape. The dataframes are
# presumably left in d4.out, which the next cell picks up - verify against ds4n6.
kape_root = home_path[0] + "/kape"
read_data_gui(
    tool="kape",
    rootpath=kape_root,
    folder_parsing_mode="single_host_with_categories",
    path_prefix="G__szechuan_kape_artifacts",
    pluginisdfname=True,
    notebook_file=thisnb,
)

- Searching notebook for saved input file / folder (_kaped)
  + Found: /home/jovyan/kape

- Reading file(s):
  + Reading csv file 20201116033008_Windows81_Windows2012R2_SYSTEM_AppCompatCache.csv                                               into dataframe ->  Windows81_Windows2012R2_SYSTEM_AppCompatCache                                                        
  + Reading csv file 20201116033049_CIDSizeMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv                       into dataframe ->  CIDSizeMRU-F_Users_Administrator_ntuser.dat                                                          
  + Reading csv file 20201116033049_OpenSavePidlMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv                  into dataframe ->  OpenSavePidlMRU-F_Users_Administrator_ntuser.dat                                                     
  + Reading csv file G__szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv                                                

  read_selected_file(dummy, compname=compname, f2read=f2read, nbsave_prefix=nbsave_prefix, **kwargs)


  + Reading csv file 20201116033049_LastVisitedPidlMRU_G_szechuan_kape_artifacts_F_Users_Administrator_ntuser.dat.csv               into dataframe ->  LastVisitedPidlMRU-F_Users_Administrator_ntuser.dat                                                  
  + Reading csv file 20201116033046_CustomDestinations.csv                                                                          into dataframe ->  CustomDestinations                                                                                   
  + Reading csv file 20201116033049_Services_G_szechuan_kape_artifacts_F_Windows_system32_config_SYSTEM.csv                         into dataframe ->  Services-F_Windows_system32_config_SYSTEM                                                            
  + Reading csv file 20201116033005_Amcache_UnassociatedFileEntries.csv                                                             into dataframe ->  Amcache_UnassociatedFileEntries                                                           

In [6]:
# Bind the dataframes left in d4.out by the read_data_gui() call above to a short
# name for the analysis cells; re-running read_data_gui() replaces d4.out, so this
# cell must be re-run after it as well.
kpdfs = d4.out

In [7]:
# Automatically created - DO NOT EDIT OR REMOVE unless you want to change the file to read (in that case, remove this cell)
# 2021-04-06 15:36:22.410739
# _kaped_f2read = "/home/jovyan/kape"

## **ANALYSIS**

### **GENERIC**

In [8]:
# Interactive widgets for the pandas display.* options (max_rows, max_columns, ...).
# Widget state is not reproducible from code; set any option that matters for a
# saved result explicitly with pd.set_option() instead.
xdisplay()

#### Pandas options

IntText(value=60, description='display.max_rows: ', style=DescriptionStyle(description_width='initial'))

IntText(value=10, description='display.min_rows: ', style=DescriptionStyle(description_width='initial'))

IntText(value=20, description='display.max_columns: ', style=DescriptionStyle(description_width='initial'))

Dropdown(description='display.colheader_justify: ', options=('right', 'left'), style=DescriptionStyle(descript…

Checkbox(value=True, description='display.expand_frame_repr', indent=False, style=DescriptionStyle(description…

In [9]:
# Interactive dataframe explorer over the loaded KAPE dataframes (a dfs_explorer
# widget). Anything selected here is not recorded in the notebook; findings worth
# keeping should be reproduced in a code cell below.
xmenu(kpdfs)

**DataFrame visualization menu:**

Box(children=(Dropdown(description='Select DataFrame', layout=Layout(width='550px'), options=('Select DataFram…

HBox(children=(Label(value='Selected dataframe: '),))

HBox(children=(HTML(value="<div style='color: orange; font-weight: bold;'>Data Loading. Please Wait…</div>"),)…

Output(layout=Layout(overflow='auto', width='99%'))

Output(layout=Layout(overflow='auto', width='99%'))

<ds4n6_lib.gui.dfs_explorer at 0x7fa8796bf990>