AKA Output Explained - davepo/AKA GitHub Wiki
AKA will create a folder in the designated output path or the case exports folder when using EnCase.
AKA_Exports-{YYMMDDHHMM}
That folder will contain a set of folders and two text files.
01-Script_logs - Contains the logs from all of AKA's scripts.
02-AV_scans_results - Contains the results of the AV scans against the mounted source.
03-Filter_results - Contains the results of AKA's artifact filters.
04-Autoruns_results - Contains the results of Autoruns against the mounted source.
evidencePaths.txt - Contains a list of all of the evidence sources targeted.
exportsPaths.txt - Contains a list of all exported artifacts and their location in the folder.
Note: the paths in exportsPaths.txt will contain "AKA_Export" rather than the final folder name, because the timestamp is appended to the export folder name last, after the log has been written. Substitute the actual AKA_Exports-{YYMMDDHHMM} folder name when following those paths.
In addition, there will be a folder named for each individual evidence source. In the case of a volume source, this will just be a folder named "mounted_volumes".
- Each evidence source folder will contain a sub-folder for each volume, labeled with whatever drive letter the volume mounted as locally.
- Each volume folder will contain sub-folders breaking out the extracted artifacts into their respective categories.
- Where an artifact is per-user, the artifacts will be broken out into folders named after the user profile folder they were extracted from.
- Each of those user folders will in turn contain sub-folders breaking out the extracted artifacts into their respective categories.
Note: exportsPaths.txt may list folders that do not exist on disk. This happens when the target artifact either did not exist on the source or could not be extracted: the resulting empty folders are removed at the end of the run, but their entries remain in the log.
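The two notes above matter when you script against an export: the logged paths carry the pre-rename "AKA_Export" prefix, and some of them point at folders that were cleaned up as empty. The following is an added example (my own code, not part of AKA or this wiki) that rewrites each logged path under the real timestamped folder and reports which artifact folders are actually present. The exportsPaths.txt content, the folder name AKA_Exports-2403141530, the user name jdoe and the on-disk tree are all constructed for the demo.

```python
import tempfile
from pathlib import Path

# Name that appears in exportsPaths.txt before the timestamp is appended to the
# real export folder name (AKA_Exports-{YYMMDDHHMM}).
LOG_PLACEHOLDER = "AKA_Export"

# Constructed sample exportsPaths.txt content (not taken from a real AKA run).
SAMPLE_EXPORTS_PATHS = """\
AKA_Export\\mounted_volumes\\C\\Event_Logs
AKA_Export\\mounted_volumes\\C\\MFT
AKA_Export\\mounted_volumes\\C\\Prefetch
AKA_Export\\mounted_volumes\\C\\User_LNK_Files\\jdoe
"""


def resolve_export_paths(log_text, export_root):
    """Map each path logged in exportsPaths.txt onto the real export folder.

    The first path component is dropped when it starts with the pre-rename
    placeholder (which also matches the final timestamped name, should a
    log ever record that instead), and the rest is joined under export_root.
    """
    export_root = Path(export_root)
    resolved = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p for p in line.replace("\\", "/").split("/") if p]
        if parts and parts[0].startswith(LOG_PLACEHOLDER):
            parts = parts[1:]
        resolved.append(export_root.joinpath(*parts))
    return resolved


def check_exports(log_text, export_root):
    """Split logged artifact folders into those present on disk and those
    that were removed because the artifact was absent or extraction failed."""
    present, missing = [], []
    for path in resolve_export_paths(log_text, export_root):
        (present if path.exists() else missing).append(path)
    return present, missing


def build_demo_export(base_dir):
    """Constructed export tree: Prefetch and the jdoe LNK folder were cleaned
    up as empty, so they exist only in the log."""
    root = Path(base_dir) / "AKA_Exports-2403141530"
    (root / "mounted_volumes" / "C" / "Event_Logs").mkdir(parents=True)
    (root / "mounted_volumes" / "C" / "MFT").mkdir(parents=True)
    (root / "mounted_volumes" / "C" / "Event_Logs" / "System.evtx").write_bytes(b"ElfFile\x00")
    return root


def demo():
    """Run the check against the constructed tree; returns relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_export(tmp)
        present, missing = check_exports(SAMPLE_EXPORTS_PATHS, root)

        def rel(paths):
            return [p.relative_to(root).as_posix() for p in paths]

        return rel(present), rel(missing)


if __name__ == "__main__":
    present, missing = demo()
    print("present:", *present, sep="\n  ")
    print("missing (artifact absent or not extracted):", *missing, sep="\n  ")
```

Point `check_exports` at a real exportsPaths.txt and the matching AKA_Exports-{YYMMDDHHMM} folder to get the same present/missing split for an actual run; the missing list is the set of artifacts you should not expect to find parsed CSVs for.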
These are the folder names that could appear under the evidence source folder.
AV_Logs
Event_Logs
MFT
Prefetch
Registry_Files
Thumbcache_Files
USB
User_Jumplist_Files
User_LNK_Files
UsnJournal
WBEM_Repository
Event logs, MFTs, UsnJrnls, prefetch files, jumplist files, and LNK files will all be parsed into CSVs, which will be located in the same folders as the artifacts.
Registry files will be ripped by RegRipper, with the output written to the same folders as the artifacts.
AKA will run ClamAV, using the definitions that were current when AKA was set up, against each evidence target. AKA's ClamAV is currently configured with the following settings:
- Exclude the Windows, Program Files, and Program Files (x86) directories.
- File size limit of 5 megabytes.
- Recursive limit of 7 directories.
It is configured in this manner to speed up the scan and hit high-value assets. I can reconfigure it once I get more feedback.
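The practical consequence of those settings is that the AV results only cover part of the volume: anything under Windows or either Program Files directory, anything over 5 MB, and anything buried deeper than the recursion limit is never scanned, so a clean result there is not evidence of absence. The following is an added example (my own code, not part of AKA or this wiki) that walks a mounted volume with the same three limits and lists which files the scan would leave out and why. The sample volume, file names and sizes are constructed, and the way the recursion limit is counted (directory levels below the volume root) is my assumption rather than a statement of ClamAV's exact semantics.

```python
import os
import tempfile
from pathlib import Path

# AKA's ClamAV settings as described on this page.
EXCLUDED_DIRS = frozenset({"Windows", "Program Files", "Program Files (x86)"})
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB
MAX_DIR_RECURSION = 7


def skip_reason(rel_path, size, excluded_dirs=EXCLUDED_DIRS,
                max_file_size=MAX_FILE_SIZE, max_depth=MAX_DIR_RECURSION):
    """Return why a file would be left out of the scan, or None if it is scanned.

    Assumption (mine, not taken from the page or the ClamAV manual): the
    exclusions match the top-level directory name on the volume, and the
    recursion limit counts directory levels below the volume root, so a file
    whose parent directory is more than max_depth levels deep is not reached.
    """
    parts = Path(rel_path).parts
    if parts[0] in excluded_dirs:
        return "excluded directory"
    if len(parts) - 1 > max_depth:
        return "beyond recursion limit"
    if size > max_file_size:
        return "over size limit"
    return None


def scan_coverage(mount_root, **limits):
    """Walk a mounted volume and split its files into scanned and skipped."""
    mount_root = Path(mount_root)
    scanned, skipped = [], {}
    for dirpath, _dirnames, filenames in os.walk(mount_root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(mount_root).as_posix()
            reason = skip_reason(rel, full.stat().st_size, **limits)
            if reason is None:
                scanned.append(rel)
            else:
                skipped[rel] = reason
    return sorted(scanned), skipped


def build_demo_volume(base):
    """Constructed stand-in for a mounted volume (not real evidence)."""
    root = Path(base) / "C"
    files = {
        "Windows/System32/drivers/etc/hosts": 200,
        "Program Files (x86)/Vendor/app.exe": 4096,
        "Users/jdoe/Downloads/invoice.exe": 1024,
        "Users/jdoe/Downloads/big.iso": MAX_FILE_SIZE + 1,
        "Users/jdoe/AppData/Local/Temp/a/b/ok.dll": 512,       # 7 levels deep
        "Users/jdoe/AppData/Local/Temp/a/b/c/deep.dll": 512,   # 8 levels deep
    }
    for rel, size in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # sparse file; st_size still reports the logical size
    return root


def audit_demo():
    """Build the constructed volume and return (scanned, skipped)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_coverage(build_demo_volume(tmp))


if __name__ == "__main__":
    scanned, skipped = audit_demo()
    print(f"scanned: {len(scanned)} file(s)")
    for rel, reason in sorted(skipped.items()):
        print(f"skipped ({reason}): {rel}")
```

Run `scan_coverage` against the drive letter a volume mounted as to get the list of paths that the 02-AV_scans_results output says nothing about; those are the locations to cover with another tool, or to rescan after loosening the limits, when a case calls for it.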