EZ Tools

EZ Tools
Incident Responders are on the front lines of intrusion investigations. Eric Zimmerman's Tools (EZ Tools) aim to support DFIR analysts in their quest to uncover the truth.

SANS Certified Instructor and Former FBI Agent Eric Zimmerman provides several open source command line tools free to the DFIR Community. These open source digital forensics tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. Over the years, Eric has written and continually improve over a dozen digital forensics tools that investigators all over the world use and rely upon daily.

Learn how to use EZ Tools & the New Command Line Poster by watching this video.

The NEW EZ Tools Command-Line Poster has been released! Download your copy here.

Forensics the EZ Way! With the wealth of data stored on Windows computers it is often difficult to know where to start. If you encounter a sizable hard drive, it could be hours or even days before you’re ready to even start your investigation, much less report the results. EZ Tools enables you to provide scriptable, scalable, and repeatable results with astonishing speed and accuracy. Go from one investigation a week to several per day. This type of performance is common with the command-line versions of EZ Tools, and this poster will show you how to use them.


Eric Zimmerman's open source tools can be used in a wide variety of investigations including cross-validation of tools, providing insight into technical details not exposed by other tools, and more. Eric's first Cheat Sheet contains usage for tools for lnk files, jump lists, prefetch, and other artifacts related to evidence of execution. Listen to Eric as he walks you through a Cheat Sheet created to help you maximize the capabilities of his tools.

  Download the Cheat Sheet

Forensic Tools

Name Version Purpose
AmcacheParser Amcache.hve parser with lots of extra features. Handles locked files
AppCompatCacheParser AppCompatCache aka ShimCache parser. Handles locked files
bstrings Find them strings yo. Built in regex patterns. Handles locked files
EZViewer Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)
Evtx Explorer/EvtxECmd Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!
Hasher Hash all the things
JLECmd Jump List parser
JumpList Explorer GUI based Jump List viewer
LECmd Parse lnk files
MFTECmd $MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser. Handles locked files
MFTExplorer Graphical $MFT viewer
PECmd Prefetch parser
RBCmd Recycle Bin artifact (INFO2/$I) parser
RecentFileCacheParser RecentFileCache parser
Registry Explorer/RECmd Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files
SDB Explorer Shim database GUI
ShellBags Explorer GUI for browsing shellbags data. Handles locked files
SQLECmd Find and process SQLite files according to your needs with maps!
SumECmd Process Microsoft User Access Logs found under 'C:\Windows\System32\LogFiles\SUM'
SrumECmd Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info!
Timeline Explorer View CSV and Excel files, filter, group, sort, etc. with ease
VSCMount Mount all VSCs on a drive letter to a given mount point
WxTCmd Windows 10 Timeline database parser

Other tools

Name Version Purpose
KAPE NA Kroll Artifact Parser/Extractor: Flexible, high speed collection of files as well as processing of files. Many many features
iisGeoLocate Geolocate IP addresses found in IIS logs
TimeApp NA A simple app that shows current time (local and UTC) and optionally, public IP address. Great for testing
XWFIM NA X-Ways Forensics installation manager
Get-ZimmermanTools NA PowerShell script to auto discover and update everything above.

Other files

Name Version Purpose
nlog.config NA Place this in same directory as CLI tools and you can alter the colors used. Good for white background with black font, etc. Do not change anything but the colors.
Change log NA

Requirements and troubleshooting

  • All software requires at least Microsoft .net 4.6.2 or newer! You will get errors running these without at least 4.6.2. When in doubt, install it!
  • DO NOT RUN ANYTHING FOUND HERE FROM 'C:\PROGRAM FILES' DIRECTORY (unless you run them as administrator)!
  • DO NOT USE WINDOWS TO EXTRACT THINGS. Use 7-Zip or Winrar as Windows will block the DLLs!
  • All software is digitally signed. Once you verify the signature as coming from me, any anti-virus hits are false positives. When in doubt, download the files directly from here!
  • If you get DPI scaling issues, make a shortcut (or directly against the exe), edit the properties, then click Compatibility. Under Change high DPI settings, check Override high DPI scaling behavior at bottom and choose System, then click OK out of the dialog

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.