Eric Zimmerman Tools

#forensics
#dfir
#tools
#blue

Setup

Download all tools from the Eric Zimmerman's tools page.

Do NOT extract the archives with the built-in Windows zip extractor; use 7-Zip or WinRAR instead (the built-in extractor keeps the download's Mark-of-the-Web on every extracted file, and Windows then blocks the tools' DLLs from loading).
The newer tools require the .NET 9 runtime; the legacy builds require .NET Framework 4.6.2.



Registry

Registry Explorer

# GUI registry viewer with bookmarks, plugins, search
RegistryExplorer.exe

RECmd

# Command-line registry parser
RECmd.exe -f <hive> --csv <output_dir>
RECmd.exe -f <hive> --kn "Software\Microsoft\Windows\CurrentVersion\Run"

# Batch mode: run a .reb batch file that lists the keys/values to extract
RECmd.exe -f <hive> --csv <output_dir> --bn RECmd\BatchExamples\AllRegExecutablesQuery.reb

ShellBags Explorer

# GUI ShellBags viewer (from registry hives)
ShellBagsExplorer.exe

# CLI version
SBECmd.exe -d <dir_with_hives> --csv <output_dir>

RLA (Registry Log Analyzer)

# Replay LOG1/LOG2 transaction logs into a dirty hive to get an up-to-date hive before parsing it
RLA.exe


File System

MFTECmd

# Parse $MFT
MFTECmd.exe -f <$MFT_file> --csv <output_dir>

# Parse $Boot
MFTECmd.exe -f <$Boot_file> --csv <output_dir>

# Parse $SDS
MFTECmd.exe -f <$SDS_file> --csv <output_dir>

MFTExplorer

# GUI for $MFT / $Boot / $SDS with search and export
MFTExplorer.exe


Execution Artifacts

PECmd (Prefetch)

# Parse single prefetch file
PECmd.exe -f <prefetch_file> --csv <output_dir>

# Parse entire Prefetch directory
PECmd.exe -d C:\Windows\Prefetch --csv <output_dir>

AmcacheParser

AmcacheParser.exe -f <Amcache.hve> --csv <output_dir>

AppCompatCacheParser (ShimCache)

AppCompatCacheParser.exe -f <SYSTEM_hive> --csv <output_dir>

RecentFileCacheParser

RecentFileCacheParser.exe -f <RecentFileCache.bcf> --csv <output_dir>


Event Logs

EvtxECmd

# Parse single evtx
EvtxECmd.exe -f <file.evtx> --csv <output_dir>

# Parse entire directory
EvtxECmd.exe -d <evtx_dir> --csv <output_dir>

# JSON output
EvtxECmd.exe -f <file.evtx> --json <output_dir>


Shortcuts & User Activity

LECmd (LNK parser)

# Parse single lnk file
LECmd.exe -f <file.lnk> --csv <output_dir>

# Parse directory
LECmd.exe -d <dir> --csv <output_dir>

WxTCmd (Windows Timeline)

WxTCmd.exe -f <ActivitiesCache.db> --csv <output_dir>

RBCmd (Recycle Bin)

# Parse single $I file
RBCmd.exe -f <$I_file> --csv <output_dir>

# Parse entire $Recycle.Bin
RBCmd.exe -d <$Recycle.Bin_dir> --csv <output_dir>


SQLite & SRUM

SQLECmd

# Parse SQLite DB with maps
SQLECmd.exe -f <database.db> --csv <output_dir>

# Parse directory of DBs
SQLECmd.exe -d <dir> --csv <output_dir>

SrumECmd

# Parse SRUDB.dat (network, process, energy usage)
SrumECmd.exe -f <SRUDB.dat> -r <SOFTWARE_hive> --csv <output_dir>


Misc

bstrings

# String search: --ls matches a literal string, --lr matches a regular expression
bstrings.exe -f <file> -o <output.txt>
bstrings.exe -f <file> --ls <literal_string>
bstrings.exe -f <file> --lr <regex_pattern>

Timeline Explorer

# High-performance CSV/Excel viewer with filtering & grouping
# Use it to browse ALL CSV outputs from other EZ tools (MFTECmd, PECmd, EvtxECmd, etc.)
TimelineExplorer.exe

EZViewer

# Standalone doc viewer (.doc, .xls, .pdf, etc.)
EZViewer.exe

VSCMount

# Mount all Volume Shadow Copies
VSCMount.exe --dl <drive_letter> --mp <mount_point>

KAPE

# Artifact collection and processing
kape.exe --tsource <source> --tdest <dest> --target <target_name>
kape.exe --msource <source> --mdest <dest> --module <module_name>

iisGeoLocate

# Geolocate IPs in IIS logs
iisGeoLocate.exe -f <iis_log> --csv <output_dir>
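

Batch run

Added example, not code from this page or from Eric Zimmerman's projects: a PowerShell wrapper that unblocks the extracted tools (the DLL-blocking pitfall from Setup) and runs several of the parsers above over one KAPE target collection, writing all CSVs into a single folder for Timeline Explorer. The tool path, the KAPE tdest layout (<tdest>\C mirroring the source drive) and the output folder are assumptions.

```powershell
# Added example (not from the page or Eric Zimmerman's projects): run the cheat-sheet
# parsers over a KAPE target collection and collect every CSV in one folder.
# Assumed layout: tools extracted to $Tools; KAPE's --tdest tree mirrors the source
# drive under <tdest>\C, so $Tdest points at that "C" folder.
param(
    [string]$Tools = 'C:\Tools\EZ',
    [string]$Tdest = 'D:\kape\tdest\C',
    [string]$Out   = 'D:\kape\csv'
)
New-Item -ItemType Directory -Force -Path $Out | Out-Null

# If the tools were extracted with the built-in zip handler, each file still carries
# the Zone.Identifier stream and the DLLs will not load; Unblock-File removes it.
Get-ChildItem -Path $Tools -Recurse -File | Unblock-File

# One row per parser: the exe, its flag from the cheat sheet (-f file / -d directory),
# and the artifact path relative to $Tdest (standard Windows locations).
$jobs = @(
    @{ Exe = 'MFTECmd.exe';              Flag = '-f'; In = '$MFT' }
    @{ Exe = 'PECmd.exe';                Flag = '-d'; In = 'Windows\Prefetch' }
    @{ Exe = 'AmcacheParser.exe';        Flag = '-f'; In = 'Windows\AppCompat\Programs\Amcache.hve' }
    @{ Exe = 'AppCompatCacheParser.exe'; Flag = '-f'; In = 'Windows\System32\config\SYSTEM' }
    @{ Exe = 'EvtxECmd.exe';             Flag = '-d'; In = 'Windows\System32\winevt\Logs' }
    @{ Exe = 'LECmd.exe';                Flag = '-d'; In = 'Users' }
)

$failed = @()
foreach ($j in $jobs) {
    $exe      = Join-Path $Tools $j.Exe
    $artifact = Join-Path $Tdest $j.In
    if (-not (Test-Path -LiteralPath $exe))      { Write-Warning "tool not found: $exe"; continue }
    if (-not (Test-Path -LiteralPath $artifact)) { Write-Warning "artifact missing: $artifact"; continue }

    Write-Host "[*] $($j.Exe) $($j.Flag) $artifact --csv $Out"
    & $exe $j.Flag $artifact --csv $Out
    # Every EZ tool returns a non-zero exit code on failure; record it rather than stop.
    if ($LASTEXITCODE -ne 0) { $failed += $j.Exe }
}

if ($failed.Count) { Write-Warning ("parsers with a non-zero exit code: " + ($failed -join ', ')) }
Write-Host "[+] CSV output in $Out; open the files there with TimelineExplorer.exe"
```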