Forensics investigators and incident responders may lean toward graphical user interface (GUI) tools that present interactive and graphical representations of data, especially if they don’t have years of experience under their belts. But don’t rule out command line interface (CLI) tools just because they seem more complex and require some knowledge of commands.
SANS certified instructor and former FBI agent Eric Zimmerman provides several open source command line tools free to the DFIR community. These tools can be used in a wide variety of investigations, including cross validation of other tools, providing insight into technical details not exposed by other tools, and more. The command-line versions of EZ Tools produce scriptable, scalable, and repeatable results with astonishing speed and accuracy. And to help you get started, SANS has just released the new EZ Tools Command-Line Poster!
Get a copy by registering here
Tune in to our “Fast, Scalable Results with EZ Tools and the New Command-line poster” webinar on March 11th at 3:30 pm ET, where we will do a deep dive into all the tools featured on the poster.
Download EZ Tools
There can be hundreds of Event Log files on a system, some aimed at systemwide events and many others that record information in a much more targeted fashion. All Event Logs are stored in the same format on a Windows computer, but the actual data elements collected vary from log to log, and it is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines. All event records are normalized across all event types and across all Event Log files, giving you a consolidated, big-picture view of all the Windows events happening in your environment. The EvtxECmd parser has standardized CSV, XML, and JSON output. It also has a unique Maps feature that drives the normalized output format. And it helps alleviate the pivot-point scenarios that sometimes take you off track by aggregating events so you can see patterns and better understand what is happening.
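To show what "normalizing" event records with a map actually means, here is an added illustration in Python. It is not EvtxECmd's code and does not use EvtxECmd's real map file format; the map dictionary, the column names, and the four XML event records are constructed for the example. Each map says, for one (Channel, EventID) pair, which provider-specific EventData fields land in which shared column, so records from the Security log, a Sysmon log, and the System log end up in one table with the same columns, and an event with no map is kept rather than dropped.

```python
"""Map-driven normalization of Windows event records.

Added illustration of the idea behind EvtxECmd's Maps feature; the map
format, column names and sample events below are constructed for this
example and are not EvtxECmd's own.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event XML uses a default namespace; ElementTree needs it spelled out.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVT_NS = NS["e"]

# Constructed sample records from three different logs (plus one with no map).
SAMPLE_EVENTS = [
    rf"""<Event xmlns="{EVT_NS}"><System>
      <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
      <TimeCreated SystemTime="2021-03-01T10:15:02Z"/><Channel>Security</Channel>
      <Computer>WS01.example.local</Computer></System>
      <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data>
      <Data Name="IpAddress">10.0.0.5</Data></EventData></Event>""",
    rf"""<Event xmlns="{EVT_NS}"><System>
      <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID>
      <TimeCreated SystemTime="2021-03-01T10:15:03Z"/><Channel>Security</Channel>
      <Computer>WS01.example.local</Computer></System>
      <EventData><Data Name="SubjectUserName">alice</Data></EventData></Event>""",
    rf"""<Event xmlns="{EVT_NS}"><System>
      <Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
      <TimeCreated SystemTime="2021-03-01T10:15:05Z"/>
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>WS01.example.local</Computer></System>
      <EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
      <Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="User">EXAMPLE\alice</Data>
      </EventData></Event>""",
    rf"""<Event xmlns="{EVT_NS}"><System>
      <Provider Name="Service Control Manager"/><EventID>7045</EventID>
      <TimeCreated SystemTime="2021-03-01T10:16:00Z"/><Channel>System</Channel>
      <Computer>WS01.example.local</Computer></System>
      <EventData><Data Name="ServiceName">UpdaterSvc</Data>
      <Data Name="ImagePath">C:\Users\Public\updater.exe</Data></EventData></Event>""",
]

# Constructed maps: (Channel, EventID) -> {normalized column: EventData field name}.
MAPS = {
    ("Security", 4624): {"UserName": "TargetUserName", "RemoteHost": "IpAddress",
                         "PayloadData1": "LogonType"},
    ("Microsoft-Windows-Sysmon/Operational", 1): {"UserName": "User", "ExecutableInfo": "Image",
                                                  "PayloadData1": "CommandLine"},
    ("System", 7045): {"ExecutableInfo": "ImagePath", "PayloadData1": "ServiceName"},
}

NORMALIZED_COLUMNS = ["TimeCreated", "Channel", "EventId", "Computer",
                      "UserName", "RemoteHost", "ExecutableInfo", "PayloadData1"]


def parse_event(xml_text):
    """Pull the common System fields and the per-provider EventData into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "EventId": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "Data": data,
    }


def normalize(event):
    """Apply the map for this event's (Channel, EventID) to produce one shared-schema row."""
    row = {col: "" for col in NORMALIZED_COLUMNS}
    for col in ("TimeCreated", "Channel", "EventId", "Computer"):
        row[col] = event[col]
    mapping = MAPS.get((event["Channel"], event["EventId"]))
    if mapping is None:
        # No map yet: keep the raw fields so the record is not lost, and flag it.
        row["PayloadData1"] = "UNMAPPED " + ";".join(f"{k}={v}" for k, v in event["Data"].items())
        return row
    for col, field in mapping.items():
        row[col] = event["Data"].get(field, "")
    return row


def normalize_all(xml_records):
    """Normalize every record and order the result by time (ISO-8601 UTC sorts lexically)."""
    rows = [normalize(parse_event(x)) for x in xml_records]
    rows.sort(key=lambda r: r["TimeCreated"])
    return rows


def count_by_event(rows):
    """Aggregate normalized rows by (Channel, EventId) to surface patterns quickly."""
    return Counter((r["Channel"], r["EventId"]) for r in rows)


if __name__ == "__main__":
    for r in normalize_all(SAMPLE_EVENTS):
        print(",".join(str(r[c]) for c in NORMALIZED_COLUMNS))
    print(count_by_event(normalize_all(SAMPLE_EVENTS)))
```

Because every row has the same columns regardless of source log, the output can be loaded into one spreadsheet or timeline and filtered on UserName or ExecutableInfo across the Security, Sysmon and System logs at once; the UNMAPPED marker is where an analyst would see that a new map is needed.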
This command-line tool, RECmd, is used to access, search, recover, and export any data found in the Windows registry. It’s an extremely powerful tool that takes a while to get used to. But to understand just how powerful this tool is, think about searching and exporting a registry in a consistent output format. No big deal, until you have to search and export in a consistent format when working across tens, hundreds, or thousands of machines.
This tool parses a number of different files from Windows NT File System (NTFS) formatted drives. At a high level, MFTECmd parses each of these internal NTFS system files, but it also dives deep into NTFS and helps uncover a great deal of data of interest. MFTECmd takes a $MFT, $J, $SDS, $LogFile or $Boot as input, which can be in the form of an exported copy of the file(s) or can be referenced from within a mounted image.
Prefetch is one source of evidence of execution of a particular program. The Prefetch parser, PECmd, is a simple-to-use tool that provides two forms of output. First, extraction and formatting of the contents of the Prefetch file. Second, PECmd takes Prefetch data and puts it into a timeline.
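As an added illustration of the second output form, the timeline, here is a small Python script that is not PECmd's code. It assumes a Prefetch parser has already yielded, per .pf file, the run count and the retained last-run timestamps (Windows 8 and later keep up to eight per file, so the run count can exceed the number of timestamps), and it uses the real .pf naming convention of executable name plus an eight-hex-digit hash. The sample records are constructed. The script flattens one row per retained execution, sorts them into a timeline, summarizes first and last seen per executable, and answers the pivot question of what ran inside a time window.

```python
"""Build an execution timeline from parsed Prefetch metadata.

Added illustration of the idea behind PECmd's timeline output; the input
records are constructed and the code is not PECmd's own.
"""
import re
from datetime import datetime, timezone

# Real .pf naming convention: <EXECUTABLE NAME>-<8 hex digit hash>.pf
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed sample of what a Prefetch parser yields per file. Only the last
# eight run times are retained on disk, so run_count may exceed len(last_runs).
SAMPLE_PREFETCH = [
    {"file": "CMD.EXE-4A81B364.pf", "run_count": 12,
     "last_runs": ["2021-03-01T10:15:05Z", "2021-02-27T08:01:10Z", "2021-02-25T17:44:00Z"]},
    {"file": "POWERSHELL.EXE-022A1004.pf", "run_count": 2,
     "last_runs": ["2021-03-01T10:15:07Z", "2021-02-28T09:30:00Z"]},
    {"file": "NOTEPAD.EXE-D8414F97.pf", "run_count": 1,
     "last_runs": ["2021-03-01T10:14:59Z"]},
]


def parse_pf_name(name):
    """Split a .pf file name into (EXECUTABLE, HASH); both are upper-cased on disk."""
    m = PF_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a prefetch file name: {name!r}")
    return m.group("exe").upper(), m.group("hash").upper()


def parse_utc(ts):
    """Parse the constructed ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records):
    """One row per retained execution, oldest first."""
    entries = []
    for rec in records:
        exe, pf_hash = parse_pf_name(rec["file"])
        for ts in rec["last_runs"]:
            entries.append({"RunTime": parse_utc(ts), "ExecutableName": exe,
                            "PrefetchHash": pf_hash, "SourceFile": rec["file"]})
    entries.sort(key=lambda e: e["RunTime"])
    return entries


def summarize(records):
    """Per executable: first/last retained run, total run count, and runs no longer visible."""
    summary = {}
    for rec in records:
        exe, _ = parse_pf_name(rec["file"])
        times = sorted(parse_utc(t) for t in rec["last_runs"])
        summary[exe] = {
            "first_seen": times[0],
            "last_seen": times[-1],
            "run_count": rec["run_count"],
            # Executions older than the retained timestamps are counted but not timelined.
            "runs_not_in_timeline": max(0, rec["run_count"] - len(times)),
        }
    return summary


def runs_within(timeline, start, end):
    """Executables that ran in [start, end], in order; the usual pivot around an incident time."""
    s, e = parse_utc(start), parse_utc(end)
    return [t["ExecutableName"] for t in timeline if s <= t["RunTime"] <= e]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_PREFETCH)
    for t in tl:
        print(t["RunTime"].isoformat(), t["ExecutableName"], t["SourceFile"])
    print(summarize(SAMPLE_PREFETCH))
    print(runs_within(tl, "2021-03-01T10:15:00Z", "2021-03-01T10:16:00Z"))
```

The runs_not_in_timeline figure is worth keeping beside the timeline: a high run count with few retained timestamps tells you the program was used regularly before the window you can see, which changes how you read its appearance during an incident.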
JLECmd takes Jumplists – which store critical information about files and folders that have been interacted with using various GUI applications in Windows – to indicate what applications were used to open target files and folders and store metadata specific to those target items. Those metadata contain details such as file name and location, dates and times, etc. Parsing the Jumplist data can be difficult and time-consuming because they are stored in a format known as MS OLE Structured Storage files. JLECmd makes parsing these data simple and quick.
The LNK File Explorer, LECmd, is simple to use and takes binary shortcut files, a.k.a. .lnk files, typically created when a user opens a non-executable file by double-clicking, and presents them in a human-readable format. These shortcut files are stored under the user profile that opened the file and contain information relating to the opened target file. This includes information such as the target file dates and times (at the time when the file was opened), file name and path, the drive type, volume serial number, volume label and more.
The EZ Tools Command-Line Poster details several easier-to-use yet powerful command-line tools and is designed to make your job easier and more successful as you investigate and respond to security and cyber events. Register to get your copy, and be sure to join our webinar on March 11.
Mark Hallman has been performing computer-related investigations for over 12 years, leading and assisting investigations involving identification, preservation, research, analysis, and presentation of electronically stored information (ESI).