Skip to content

jwr0218/CuckooSandbox_EVTX_Extract

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
README.md
README.md
 
 
analyzer.py
analyzer.py
 
 
total_pipeline.py
total_pipeline.py
 
 

Repository files navigation

Extract_evtx_pcap

Previous method to extract EVTX have limitation that it only can restore evtx, not extraction. It means that there are some missing data on restored EVTX files.

In This Repository, I can happily address you about how to extract EVTX files from Cuckoo Sandbox's Guest Server.

Logic is that analyzer which will be activated on window Guest server, extract EVTX and send them to Host Sever when analyzing is over.

This repo is first thing to extract intact EVTX files on Cuckoo Sandbox.

Install Cuckoo Sandbox

Install Tools

sudo apt-get update
sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install virtualbox virtualbox-guest-additions-iso virtualbox-dkms
sudo apt-get install libjpeg-dev zlib1g-dev swig

Install MongoDB

sudo apt-get update
sudo apt-get install -y mongodb-org

Cuckoo Sandbox

sudo pip install -U pip setuptools
sudo pip install -U cuckoo

Activate Cuckoo

cuckoo

After Install Cuckoo Sandbox

Replace Analyzer


├──cuckoo/
│  ├── Analyzer
│  │   ├── windows
│  │   │   ├──analyzer.py << (Replace it to this repo's analyzer.py)

you can find EVTX files on 'extracted' folder


├──cuckoo/
....
│  ├── storage
│  │   ├── analyses
│  │   │   ├──{analyzed number}
│  │   │   │  ├──extracted

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages