Eric Zimmerman Tools | Windows Forensics

Forensic tools

| Name | Version (.net 4 \| 6) | Purpose |
| --- | --- | --- |
| AmcacheParser | 1.5.1.0 \| 1.5.1.0 | Amcache.hve parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | 1.5.0.0 \| 1.5.0.0 | AppCompatCache aka ShimCache parser. Handles locked files |
| bstrings | 1.5.2.0 \| 1.5.2.0 | Find them strings yo. Built in regex patterns. Handles locked files |
| EvtxECmd | 1.5.0.0 \| 1.5.0.0 | Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! |
| EZViewer | 1.0.0.0 \| 2.0.0.0 | Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!) |
| Hasher | 2.0.0.0 \| - | Hash all the things |
| JLECmd | 1.5.0.0 \| 1.5.0.0 | Jump List parser |
| JumpList Explorer | 1.4.0.0 \| 2.0.0.0 | GUI based Jump List viewer |
| LECmd | 1.5.0.0 \| 1.5.0.0 | Parse lnk files |
| MFTECmd | 1.2.2.0 \| 1.2.2.0 | $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files |
| MFTExplorer | 0.5.1.0 \| 2.0.0.0 | Graphical $MFT viewer |
| PECmd | 1.5.0.0 \| 1.5.0.0 | Prefetch parser |
| RBCmd | 1.5.0.0 \| 1.5.0.0 | Recycle Bin artifact (INFO2/$I) parser |
| RecentFileCacheParser | 1.5.0.0 \| 1.5.0.0 | RecentFileCache parser |
| RECmd | 1.6.0.0 \| 2.0.0.0 | Powerful command line Registry tool searching, multi-hive support, plugins, and more |
| Registry Explorer | 1.6.0.0 \| 2.0.0.0 | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
| RLA | 2.0.0.0 \| 2.0.0.0 | Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs |
| SDB Explorer | 1.0.0.0 \| 2.0.0.0 | Shim database GUI |
| SBECmd | 2.0.0.0 \| 2.0.0.0 | ShellBags Explorer, command line edition, for exporting shellbag data |
| ShellBags Explorer | 1.4.0.0 \| 2.0.0.0 | GUI for browsing shellbags data. Handles locked files |
| SQLECmd | 1.0.0.0 \| 1.0.0.0 | Find and process SQLite files according to your needs with maps! |
| SrumECmd | 0.5.1.0 \| 0.5.1.0 | Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info! |
| SumECmd | 0.5.2.0 \| 0.5.2.0 | Process Microsoft User Access Logs found under ‘C:\Windows\System32\LogFiles\SUM’ |
| Timeline Explorer | 1.3.0.0 \| 2.0.0.0 | View CSV and Excel files, filter, group, sort, etc. with ease |
| VSCMount | 1.5.0.0 \| 1.5.0.0 | Mount all VSCs on a drive letter to a given mount point |
| WxTCmd | 1.0.0.0 \| 1.0.0.0 | Windows 10 Timeline database parser |

Other tools

| Name | Version (.net 4 \| 6) | Purpose |
| --- | --- | --- |
| Get-ZimmermanTools | NA | PowerShell script to auto discover and update everything above. |
| iisGeoLocate | 2.2.0.0 \| 2.2.0.0 | Geolocate IP addresses found in IIS logs, extracts unique IPs, records bad data from logs |
| KAPE | NA | Kroll Artifact Parser/Extractor: Flexible, high speed collection of files as well as processing of files. Many many features |
| TimeApp | NA \| na | A simple app that shows current time (local and UTC) and optionally, public IP address. Great for testing |
| XWFIM | NA \| na | X-Ways Forensics installation manager |

This post is licensed under CC BY 4.0 by the author.