Basis Technology Autopsy Export CSV, XLSX – The Problem
Basis Technology Autopsy export CSV, XLSX data sheets is available from the analyzed sources. Autopsy is comprehensive tool when it comes to large data sources analysis. The problem appears when you need to export large datasets of more than 60000 rows (like 500000). Good example of such data set would be Windows Events logs that easily could include 500000 events. In this case exporting a report or CSV could take time and eventually crash Autopsy. There are several things you can do in order to make export faster and less painful for datasets that are larger than 10000 rows / events. At the end of this article we also provide the easiest way to sort a table by time in Microsoft Excel.
Affiliate: Experience limitless no-code automation, streamline your workflows, and effortlessly transfer data between apps with Make.com.
Change Paging Options for Table Viewer and Save
By default, each page in the table viewer shows 10000 rows / events. If you click on [Save Table as CSV] it will export only this page of 10000 rows to your default case location (by default: C:\Cases\YourCaseName\Exports\YourCSV.csv). You can disable Paging Options at all to show all the results in one page and then save the table:
1. To disable Paging settings, go to
[Tools] => [Options]
"Options"
[View]
"Global Settings"
Maximum number of Results to show in table: 0
[OK]2. Navigate to the entry data set that you want to export (For example: “Results \ Extracted Content \ Windows Event Logs”).
3. Wait until the table fully loads. It can take time if it has ~500000 results.
4. Around the Right Top corner of the Tree Viewer [Save Table as CSV].
* Return the Paging Options back to 10000 per page the same way.
Exporting Report as Excel File
If you do not want to save each Data set separately, you can save them at once as Excel File. It will take much more time and Autopsy can crash during the export. So, you can wait for several hours and receive an error, which is a time consuming if you are managing an Incident. Though each data set will be on a different Sheet in Excel file.
1. Hit [Generate Report] on top menu panel.
2. Follow these steps:
"Select and Configure Report Modules"
Report Modules: (*) Excel Report
[Next]
"Select which data source(s) to include"
[V] <Select all the Data sources you want>
[Next]
"Configure Report"
(*) All Results
[Finish]The file will be available in Report folder of your Case (by default, “C:\Cases\<YourCaseName>\Reports\<YourCaseName> Excel Report <DATE>\Excel.xlsx”).
If it takes too long and Autopsy crashes, there is last thing you can do to export your results to CSV / Excel.
Export HTML Report and convert to CSV
Yet again we will take “Windows Event Logs” as example.
1. Hit [Generate Report] on top menu panel.
2. Follow these steps:
"Select and Configure Report Modules"
Report Modules: (*) HTML Report
[Next]
"Select which data source(s) to include"
[V] <Select all the Data sources you want>
[Next]
"Configure Report"
(*) All Results
[Finish]The file will be available in Report folder of your Case (by default, “C:\Cases\<YourCaseName>\Reports\<YourCaseName> HTML Report <DATE>\report.html”).
The folder will contain the “report.html” file and the “content” folder.
3. For this step you need to open the “Windows_Event_Logs.html” inside “content” folder with any browser (Which can take time if you have ~500000 rows / events, since the browser wants visually to render the page as it would any other page) or basic HTML Viewer that can show only text without any visuals (much faster). For this I’m using “Lister” application from “Total Commander”:
3.a. Download “Total Commander”.
3.b. Install it and Execute it.
3.c. Navigate to the html file:
C:\Cases\<YourCaseName>\Reports\<YourCaseName> HTML Report <DATE>\contents\Windows_Event_Logs.html
Or any other HTML file for data set that you need.
3.d. Select this file.
3.e. Press [F3 View]. By default, it opens “Lister” application to view the HTML file and show you only the content and not the HTML code.
3.f. [Ctrl]+[A] => [Ctrl]+[C].
4. For the next step you can use any application to “Replace” strings I prefer “Notepad++” (You can Download Notepad++ from their respective site).
Open “Notepad++” and Paste the content [Ctrl]+[V].
5. Remove the first row, it should be the name of the Data set: Windows Event Logs. We don’t need this in the table.
6. Select the first space between the header names (For example: between “Computer Name” and “Event Detail”), the selection should contain something like 3 spaces (” “).
7. [Ctrl]+[F] will open “Find menu”
8. Goto [Replace] tab. “Find what” should be already configured with the 3 spaces and “Replace with” should be a “comma”. No quotes are required for the below example.
Find what: " " Replace with: ,
9. Click [Replace All]. At this point all the “3 spaces” will be replaced with commas, so we can save it as CSV.
10. When the replacement will finish, go to:
[File] => [Save As...]
<Choose your location>
File name: "WindowsEventLogs.csv"
Save as type: [Normal text file]The quotes in the file name also change the extension.
11. Opening this file in Excel should work as expected for CSV now.
Arrange and sort Excel table by Time
While checking logs it is important to understand the timeline of the events. One of the useful things we can do in Excel file is to sort the table by time:
1. Open the CSV / XLSX file with Microsoft Excel.
2. Navigate to “Event Time” column.
3. Above the “Event Time” cell you will see a character, like “G”. Move the mouse over “G” until the arrow pointing down will appear and click left mouse button. This will select the entire column. Follow these steps:
Right Click the column => [Format Cells...]
"Format Cells"
[Number]
[Custom]
Type: yyyy/mm/dd hh:mm:ss.000
[OK]Example of the format above:
yyyy/mm/dd hh:mm:ss.000 2021/06/10 14:25:58.367
“.000” are the milliseconds. Unfortunately, looks like Excel cannot go lower than that on Time formatted cells.
4. Select all the cells from the Top left cell to the bottom right cell of your pasted content (which will include the top row of the headers).
5. Follow the steps:
Go to upper menu => [Insert] => [Table]
"Create Table"
[V] My table has headers
[OK]6. Once the table is ready you can click on the arrow inside “Event Time” cell => [Sort Newest to Oldest] => [OK]. This will sort all the rows by time from the latest events to the oldest. In the same menu you can also remove the dates (full year of events) if you want.
7. Save this file as XLSX file:
[File] => Type: [Excel Workbook (*.xlsx)]