EZ Tools

EZ Tools
Incident Responders are on the front lines of intrusion investigations. Eric Zimmerman's Tools (EZ Tools) aim to support DFIR analysts in their quest to uncover the truth.

SANS Certified Instructor and Former FBI Agent Eric Zimmerman provides several open source command line tools free to the DFIR Community. These open source digital forensics tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. Over the years, Eric has written and continually improve over a dozen digital forensics tools that investigators all over the world use and rely upon daily.


Resources

Eric Zimmerman's open source tools can be used in a wide variety of investigations including cross-validation of tools, providing insight into technical details not exposed by other tools, and more. Eric's first Cheat Sheet contains usage for tools for lnk files, jump lists, prefetch, and other artifacts related to evidence of execution. Listen to Eric as he walks you through a Cheat Sheet created to help you maximize the capabilities of his tools.

  Download the Cheat Sheet

Forensic tools

Name Version Purpose
AmcacheParser 1.3.3.0 Amcache.hve parser with lots of extra features. Handles locked files
AppCompatCacheParser 1.4.0.0 AppCompatCache aka ShimCache parser. Handles locked files
bstrings 1.5.0.0 Find them strings yo. Built in regex patterns. Handles locked files
EZViewer 0.5.6.0 Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)
Evtx Explorer/EvtxECmd 0.5.2.0 Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!
Hasher 1.9.0.0 Hash all the things
JLECmd 1.3.0.0 Jump List parser
JumpList Explorer 1.3.1.0 GUI based Jump List viewer
LECmd 1.3.2.0 Parse lnk files
MFTECmd 0.4.4.6 $MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser. Handles locked files
MFTExplorer 0.5.0.1 Graphical $MFT viewer
PECmd 1.3.4.3 Prefetch parser
RBCmd 0.4.1.0 Recycle Bin artifact (INFO2/$I) parser
RecentFileCacheParser 0.7.0.1 RecentFileCache parser
Registry Explorer/RECmd 1.5.0.0 Registy viewer with searching, multi-hive support, plugins, and more. Handles locked files
SDB Explorer 0.6.1.0 Shim database GUI
ShellBags Explorer 1.3.3.0 GUI for browsing shellbags data. Handles locked files
Timeline Explorer 0.9.2.3 View CSV and Excel files, filter, group, sort, etc. with ease
VSCMount 0.5.3.0 Mount all VSCs on a drive letter to a given mount point
WxTCmd 0.3.2.0 Windows 10 Timeline database parser

Other tools

Name Version Purpose
KAPE NA Kroll Artifact Parser/Extractor: Flexible, high speed collection of files as well as processing of files. Many many features
iisGeoLocate 1.5.0.0 Geolocate IP addresses found in IIS logs
TimeApp NA A simple app that shows current time (local and UTC) and optionally, public IP address. Great for testing
XWFIM NA X-Ways Forensics installation manager
Get-ZimmermanTools NA PowerShell script to auto discover and update everything above.

Other files

Name Version Purpose
nlog.config NA Place this in same directory as CLI tools and you can alter the colors used. Good for white background with black font, etc. Do not change anything but the colors.
Change log NA

Requirements and troubleshooting

  • All software requires at least Microsoft .net 4.6 or newer! You will get errors running these without at least 4.6. When in doubt, install it!
  • DO NOT RUN ANYTHING FOUND HERE FROM 'C:\PROGRAM FILES' DIRECTORY (unless you run them as administrator)!
  • DO NOT USE WINDOWS TO EXTRACT THINGS. Use 7-Zip or Winrar as Windows will block the DLLs!
  • All software is digitally signed. Once you verify the signature as coming from me, any anti-virus hits are false positives. When in doubt, download the files directly from here!
  • If you get DPI scaling issues, make a shortcut (or directly against the exe), edit the properties, then click Compatibility. Under Change high DPI settings, check Override high DPI scaling behavior at bottom and choose System, then click OK out of the dialog


When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.