Ericzimmerman Tools | Windows Forensics

100 Days of Cybersecurity - Day 9

Forensic tools

| Name | Version (.NET 4) | Version (.NET 6) | Purpose |
|---|---|---|---|
| AmcacheParser | 1.5.1.0 | | Amcache parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | 1.5.0.0 | | AppCompatCache (aka ShimCache) parser. Handles locked files |
| bstrings | 1.5.2.0 | | Find them strings yo. Built-in regex patterns. Handles locked files |
| EvtxECmd | 1.5.0.0 | | Event log (evtx) parser with standardized CSV, XML, and JSON output. Custom maps, locked file support, and more |
| EZViewer | 1.0.0.0 | | Zero-dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter) |
| Hasher | 2.0.0.0 | | Hash all the things |
| JLECmd | 1.5.0.0 | | Jump List parser |
| JumpList Explorer | 1.4.0.0 | | GUI-based Jump List viewer |
| LECmd | 1.5.0.0 | | lnk file parser |
| MFTECmd | 1.2.2.0 | | $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files |
| MFTExplorer | 0.5.1.0 | | $MFT viewer |
| PECmd | 1.5.0.0 | | Prefetch parser |
| RBCmd | 1.5.0.0 | | Recycle Bin artifact (INFO2/$I) parser |
| RecentFileCacheParser | 1.5.0.0 | | RecentFileCache parser |
| RECmd | 1.6.0.0 | | Command line Registry tool with searching, multi-hive support, plugins, and more |
| Registry Explorer | 1.6.0.0 | | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
| RLA | 2.0.0.0 | | Replays transaction logs and updates Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs |
| SDB Explorer | 1.0.0.0 | | Shim database GUI |
| SBECmd | 2.0.0.0 | | ShellBags Explorer, command line edition, for exporting shellbag data |
| ShellBags Explorer | 1.4.0.0 | | GUI for browsing shellbags data. Handles locked files |
| SQLECmd | 1.0.0.0 | | Find and process SQLite files according to your needs with maps |
| SrumECmd | 0.5.1.0 | | Parses SRUDB.dat and (optionally) the SOFTWARE hive for network, process, and energy info |
| SumECmd | 0.5.2.0 | | Parses Microsoft User Access Logs found under 'C:\Windows\System32\LogFiles\SUM' |
| Timeline Explorer | 1.3.0.0 | | View CSV and Excel files; filter, group, sort, etc. with ease |
| VSCMount | 1.5.0.0 | | Mounts all VSCs on a drive letter to a given mount point |
| WxTCmd | 1.0.0.0 | | Windows 10 Timeline database parser |

Other tools

| Name | Version (.NET 4) | Version (.NET 6) | Purpose |
|---|---|---|---|
| Get-ZimmermanTools | NA | | PowerShell script to auto-discover and update everything above |
| iisGeoLocate | 2.2.0.0 | | Geolocates IP addresses found in IIS logs, extracts unique IPs, records bad data from logs |
| KAPE | NA | | Kroll Artifact Parser/Extractor: flexible, high-speed collection of files as well as processing of files. Many, many features |
| TimeApp | NA | na | A simple app that shows the current time (local and UTC) and, optionally, the public IP address. Great for testing |
| XWFIM | NA | na | X-Ways Forensics installation manager |

This post is licensed under CC BY 4.0 by the author.
