Windows Forensic

Useful tool for Windows analysis

Forensic analysis on Windows platform can be done with many tools. Eric Zimmerman provide a wide range of them.

Eric Zimmerman's tools

Each tool

Name	Version (.net 4 \| 6)	Purpose
AmcacheParser	1.5.1.0 \| 1.5.1.0	Amcache.hve parser with lots of extra features. Handles locked files
AppCompatCacheParser	1.5.0.0 \| 1.5.0.0	AppCompatCache aka ShimCache parser. Handles locked files
bstrings	1.5.2.0 \| 1.5.2.0	Find them strings yo. Built in regex patterns. Handles locked files
EvtxECmd	1.5.0.0 \| 1.5.0.0	Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!
EZViewer	1.0.0.0 \| 2.0.0.0	Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)
Hasher	2.0.0.0 \| -	Hash all the things
JLECmd	1.5.0.0 \| 1.5.0.0	Jump List parser
JumpList Explorer	1.4.0.0 \| 2.0.0.0	GUI based Jump List viewer
LECmd	1.5.0.0 \| 1.5.0.0	Parse lnk files
MFTECmd	1.2.2.0 \| 1.2.2.0	$MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files
MFTExplorer	0.5.1.0 \| 2.0.0.0	Graphical $MFT viewer
PECmd	1.5.0.0 \| 1.5.0.0	Prefetch parser
RBCmd	1.5.0.0 \| 1.5.0.0	Recycle Bin artifact (INFO2/$I) parser
RecentFileCacheParser	1.5.0.0 \| 1.5.0.0	RecentFileCache parser
RECmd	1.6.0.0 \| 2.0.0.0	Powerful command line Registry tool searching, multi-hive support, plugins, and more
Registry Explorer	1.6.0.0 \| 2.0.0.0	Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files
RLA	2.0.0.0 \| 2.0.0.0	Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs
SDB Explorer	1.0.0.0 \| 2.0.0.0	Shim database GUI
SBECmd	2.0.0.0 \| 2.0.0.0	ShellBags Explorer, command line edition, for exporting shellbag data
ShellBags Explorer	1.4.0.0 \| 2.0.0.0	GUI for browsing shellbags data. Handles locked files
SQLECmd	1.0.0.0 \| 1.0.0.0	Find and process SQLite files according to your needs with maps!
SrumECmd	0.5.1.0 \| 0.5.1.0	Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info!
SumECmd	0.5.2.0 \| 0.5.2.0	Process Microsoft User Access Logs found under 'C:\Windows\System32\LogFiles\SUM'
Timeline Explorer	1.3.0.0 \| 2.0.0.0	View CSV and Excel files, filter, group, sort, etc. with ease
VSCMount	1.5.0.0 \| 1.5.0.0	Mount all VSCs on a drive letter to a given mount point
WxTCmd	1.0.0.0 \| 1.0.0.0	Windows 10 Timeline database parser

Name

Version (.net 4 | 6)

Purpose

AmcacheParser

1.5.1.0 | 1.5.1.0

Amcache.hve parser with lots of extra features. Handles locked files

AppCompatCacheParser

1.5.0.0 | 1.5.0.0

AppCompatCache aka ShimCache parser. Handles locked files

bstrings

1.5.2.0 | 1.5.2.0

Find them strings yo. Built in regex patterns. Handles locked files

EvtxECmd

1.5.0.0 | 1.5.0.0

Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!

EZViewer

1.0.0.0 | 2.0.0.0

Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)

Hasher

2.0.0.0 | -

Hash all the things

JLECmd

1.5.0.0 | 1.5.0.0

Jump List parser

JumpList Explorer

1.4.0.0 | 2.0.0.0

GUI based Jump List viewer

LECmd

1.5.0.0 | 1.5.0.0

Parse lnk files