CHParser is a tool written in PowerShell that automatically correlates timestamps from the $UsnJrnl with the commands in the consolehost_history.txt file and writes the result to an easily readable CSV file.
The consolehost file on a Windows system contains the last 4096 commands that were run on that local system, in chronological order, which is a great resource during forensics and incident response. However, this file does not contain timestamps. In order to get an accurate timestamp for each specific command, another resource needs to be used: the $UsnJrnl. The $UsnJrnl contains timestamps for when files on an NTFS volume are modified or updated. By matching the most recent $UsnJrnl timestamps for the history file to the order of commands within the consolehost file, you can derive an accurate timestamp for each attempted command.
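The correlation described above, as an added example that is not CHParser's own code: the $UsnJrnl records and the history lines are constructed sample data, and only the `FileName`, `Reason` and `TimeStamp` properties of a record are assumed, not any particular `fsutil` output layout. Because the history file is appended once per command, the newest journal record for the file belongs to the newest history line, so the two sequences are aligned from their ends; commands older than what the (circular) journal still holds are left without a timestamp rather than guessed.

```powershell
# Added example, not part of CHParser. Aligns USN journal records for the
# PSReadLine history file with the lines of ConsoleHost_history.txt.

$historyFileName = 'ConsoleHost_history.txt'

# Constructed USN records. One appended command usually yields more than one
# record (e.g. a data-extend record followed by a close record), hence the
# duplicate 10:15:33 entries below.
$usnRecords = @(
    [pscustomobject]@{ FileName = 'other.log';      Reason = 'Data extend | Close'; TimeStamp = '2024-01-02 10:14:01' }
    [pscustomobject]@{ FileName = $historyFileName; Reason = 'Data extend';         TimeStamp = '2024-01-02 10:15:33' }
    [pscustomobject]@{ FileName = $historyFileName; Reason = 'Data extend | Close'; TimeStamp = '2024-01-02 10:15:33' }
    [pscustomobject]@{ FileName = $historyFileName; Reason = 'Data extend | Close'; TimeStamp = '2024-01-02 10:16:07' }
    [pscustomobject]@{ FileName = $historyFileName; Reason = 'Data extend | Close'; TimeStamp = '2024-01-02 10:18:42' }
)

# Constructed history lines, oldest first, as ConsoleHost_history.txt stores them.
# There are four commands but only three surviving journal writes, so the oldest
# command gets no timestamp.
$commands = @(
    'Get-Process'
    'whoami /all'
    'Get-ChildItem C:\Users'
    'Get-ScheduledTask'
)

function Get-CorrelatedHistory {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $Commands,
        [string] $HistoryFileName = 'ConsoleHost_history.txt'
    )

    # Keep only the final (Close) record of each write to the history file so
    # that exactly one timestamp remains per appended command.
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $writes = @(
        $Records |
            Where-Object { $_.FileName -eq $HistoryFileName -and $_.Reason -match 'Close' } |
            ForEach-Object { [datetime]::ParseExact($_.TimeStamp, 'yyyy-MM-dd HH:mm:ss', $culture) } |
            Sort-Object
    )

    # Walk both sequences from newest to oldest; insert at index 0 so the
    # output stays in the history file's chronological order.
    $results = New-Object System.Collections.Generic.List[object]
    $wIdx = $writes.Count - 1
    for ($cIdx = $Commands.Count - 1; $cIdx -ge 0; $cIdx--) {
        $stamp = if ($wIdx -ge 0) { $writes[$wIdx] } else { $null }
        $results.Insert(0, [pscustomobject]@{
            Timestamp = $stamp
            Command   = $Commands[$cIdx]
        })
        $wIdx--
    }
    return $results
}

$correlated = Get-CorrelatedHistory -Records $usnRecords -Commands $commands -HistoryFileName $historyFileName
$correlated | Format-Table -AutoSize
$correlated | Export-Csv -Path .\chresults.csv -NoTypeInformation
```

With the sample data, `Get-ScheduledTask`, `Get-ChildItem C:\Users` and `whoami /all` receive 10:18:42, 10:16:07 and 10:15:33 respectively, and `Get-Process` is emitted with an empty timestamp. When examining a real system, replace the constructed records with the journal records for the history file, and expect the same ragged start whenever the journal has wrapped since the oldest history lines were written.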
# Arguments
- `-usn` (optional) Path to a text file that already contains saved USN Journal output
- `-vol` Path to the $UsnJrnl volume to correlate timestamps from (if not supplied, defaults to C:)
- `-file` (optional) Path to the consolehost_history.txt file to retrieve commands from; if no path is given, it defaults to C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
- `-out` Path to the CSV output
Cmdline usage examples:

```powershell
.\chparser.ps1 -file <path to consolehost_history.txt> -usn <path to $UsnJrnl> -out <output.csv>

# Example 1 (specifying all args, $UsnJrnl mount on D:)
.\chparser.ps1 -f \evidence\powershell\ConsoleHost_history.txt -usn D -out results/chresults.csv

# Example 2 (only specifying output, script run on an infected machine directly)
.\chparser.ps1 -o results\chresults.csv
```