EZ Tools

Incident Responders are on the front lines of intrusion investigations. Eric Zimmerman's Tools (EZ Tools) aim to support DFIR analysts in their quest to uncover the truth.

SANS Certified Instructor and former FBI Agent Eric Zimmerman provides several open source command line tools free to the DFIR community. These open source digital forensics tools can be used in a wide variety of investigations, including cross-validation of other tools, providing insight into technical details not exposed by other tools, and more. Over the years, Eric has written and continually improved over a dozen digital forensics tools that investigators all over the world use and rely upon daily.


Resources

Eric Zimmerman's open source tools can be used in a wide variety of investigations, including cross-validation of other tools, providing insight into technical details not exposed by other tools, and more. Eric's first Cheat Sheet covers usage of the tools for lnk files, jump lists, prefetch, and other artifacts related to evidence of execution. Listen to Eric as he walks you through the Cheat Sheet, created to help you maximize the capabilities of his tools.

  Download the Cheat Sheet

Primary Toolkits
AmcacheParser
Version 1.3.3.0

Amcache.hve parser with lots of extra features. Handles locked files

AppCompatCacheParser
Version 1.4.0.0

AppCompatCache aka ShimCache parser. Handles locked files

bstrings
Version 1.5.0.0

Find them strings yo. Built in regex patterns. Handles locked files

EZViewer
Version 0.5.5.0

Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)

Evtx Explorer/EvtxECmd
Version 0.5.0.0

Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!

Hasher
Version 1.9.0.0

Hash all the things

JLECmd
Version 1.3.0.0

Jump List parser

JumpList Explorer
Version 1.3.1.0

GUI based Jump List viewer

LECmd
Version 1.3.2.0

Parse lnk files

MFTECmd
Version 0.4.4.4

$MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser. Handles locked files

PECmd
Version 1.3.4.2

Prefetch parser

RBCmd
Version 0.4.1.0

Recycle Bin artifact (INFO2/$I) parser

RecentFileCacheParser
Version 0.7.0.1

RecentFileCache parser

Registry Explorer/RECmd
Version 1.4.3.0

Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files

SDB Explorer
Version 0.6.1.0

Shim database GUI

ShellBags Explorer
Version 1.3.3.0

GUI for browsing shellbags data. Handles locked files

Timeline Explorer
Version 0.9.2.3

View CSV and Excel files, filter, group, sort, etc. with ease

VSCMount
Version 0.5.3.0

Mount all VSCs on a drive letter to a given mount point

WxTCmd
Version 0.3.2.0

Windows 10 Timeline database parser

Add-on Tools & Other Helpful Files

KAPE
Version NA

Kroll Artifact Parser/Extractor: Flexible, high speed collection of files as well as processing of files. Many many features

iisGeoLocate
Version 1.5.0.0

Geolocate IP addresses found in IIS logs

TimeApp
Version NA

A simple app that shows current time (local and UTC) and optionally, public IP address. Great for testing

XWFIM
Version NA

X-Ways Forensics installation manager

Get-ZimmermanTools
Version NA

PowerShell script to auto discover and update everything above.

nlog.config
Version NA

Place this file in the same directory as the CLI tools to alter the colors they use. Useful for a white background with black font, etc. Do not change anything but the colors.

Change log
Version NA


When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.
