How to add Hostname to the results #1010
-
Hi,
Replies: 2 comments 4 replies
-
If the hostname is recorded in an artifact it'll be there in the output, such as EvtxECmd output where the hostname is tracked in each event. The hostname is not recorded in every artifact. The registry output (DFIRBatch) contains the hostname as well under the Computer name ValueName in the System Info category. Remember, forensic artifacts serve a primary purpose to run Windows and their forensic usefulness was determined through research by the community. These artifacts were not put in place for examiners, but to make the end user experience better, and we as examiners take what we can get from each artifact to prove user activity. Does this answer your question? Generally speaking, it's a bad idea to assume a hostname if it's not being recorded by an artifact, so for a tool developer to make assumptions on data that isn't already being recorded would be irresponsible.
-
Or make a PowerShell-based module to pull it.
https://github.com/EricZimmerman/KapeFiles/blob/master/Modules%2FWindows%2FWindows_SystemInfo.mkape
You could use this Module to grab the hostname from a live system, unless you're looking for a different solution. If you craft something that adds a column to a CSV that isn't already there, you'll not be able to leverage TLE plugins for that tool's output as the column headers will be different than what the plugin is looking for.
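The two points made in this thread (use the hostname only where an artifact records it, and do not add columns to a tool's CSV), as an added example that is not part of the original discussion or of KAPE/RECmd. It assumes the registry batch CSV has `Category`, `ValueName` and `ValueData` columns; the sample rows and the hostname are constructed.

```python
import csv
import io

# Assumed column names for the registry batch CSV (not confirmed by the thread).
CATEGORY_COL, NAME_COL, DATA_COL = "Category", "ValueName", "ValueData"

def _norm(text):
    """Lower-case and drop whitespace so 'Computer name' matches 'ComputerName'."""
    return "".join((text or "").split()).lower()

def recorded_hostnames(csv_text):
    """Return the distinct hostnames the CSV itself records, in order seen."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if _norm(row.get(CATEGORY_COL)) != "systeminfo":
            continue
        if _norm(row.get(NAME_COL)) != "computername":
            continue
        value = (row.get(DATA_COL) or "").strip()
        if value and value not in found:  # same value from several control sets
            found.append(value)
    return found

def sidecar_rows(outputs):
    """Map each output file to a hostname in a separate table.

    The tool CSVs are left untouched, so their column headers stay as the
    TLE plugins expect. Nothing is guessed when no hostname is recorded.
    """
    rows = []
    for name, text in outputs.items():
        hosts = recorded_hostnames(text)
        status = "recorded" if len(hosts) == 1 else "conflict" if hosts else "not recorded"
        rows.append((name, ";".join(hosts), status))
    return rows

# Constructed sample data, not real tool output.
SAMPLE_REGISTRY = (
    "HivePath,Category,KeyPath,ValueName,ValueData\n"
    "SYSTEM,System Info,ControlSet001\\Control\\ComputerName\\ComputerName,ComputerName,WKSTN-EXAMPLE01\n"
    "SYSTEM,System Info,ControlSet002\\Control\\ComputerName\\ComputerName,ComputerName,WKSTN-EXAMPLE01\n"
    "SYSTEM,System Info,ControlSet001\\Control\\TimeZoneInformation,TimeZoneKeyName,UTC\n"
)
SAMPLE_NO_HOST = "SourceFile,Size\nexample.pf,1024\n"

if __name__ == "__main__":
    for row in sidecar_rows({"registry.csv": SAMPLE_REGISTRY, "other.csv": SAMPLE_NO_HOST}):
        print(",".join(row))
```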