Registry Explorer

Incident Response with EZTools - Registry Forensics

Registry Explorer is bundled with EZTools. This tool is a Registry viewer with searching, multi-hive support, plugins, and more.

The Windows Registry can provide a wide array of information about executables, systems, users, applications, and more on Windows systems.

A Registry hive is a logical group of keys, subkeys, and values inside the Registry that has a set of supporting files loaded into memory when the operating system starts or a user logs in.

During an incident, the Windows Registry can provide a lot of evidence and breadcrumbs for the investigation; being able to acquire this evidence with the right skills and tools helps the responder resolve the incident quickly.


Exploring Registry Explorer

Introduction to Windows Forensics

Registry Explorer - Part 1

Registry Explorer - Part 2

RECmd

Incident Response with EZTools - Registry Forensics

RECmd is bundled with EZTools. This tool is a command-line Registry searching tool that supports multiple hives, plugins, and more.

The Windows Registry can provide a wide array of information about executables, systems, users, applications, and more on Windows systems.

A Registry hive is a logical group of keys, subkeys, and values inside the Registry that has a set of supporting files loaded into memory when the operating system starts or a user logs in.

During an incident, the Windows Registry can provide a lot of evidence and breadcrumbs for the investigation; being able to acquire this evidence with the right skills and tools helps the responder resolve the incident quickly.

RecentFileCache Parser

Incident Response with EZTools - Evidence of Execution Acquisition

RecentFileCacheParser is bundled with EZTools. This tool is used to parse recently executed program entries from files in the .bcf format.

Amcache can provide a timeline of which programs were executed, when each was first run, and when it was last modified. It also provides additional detail such as the file path, version, and hash.

RecentFileCache.bcf contains recently executed programs on Windows 7 systems.

During an incident, an executable may be launched that causes the system to behave oddly. Obtaining evidence of this execution on the system can help the responder pivot the investigation.

Windows Application Compatibility Forensics

RBCmd

Incident Response with EZTools - Recycle Bin Artifact Parser

RBCmd is bundled with EZTools. This tool is a Recycle Bin artifact parser for INFO2 and $I files.

INFO2 contains an index of all the files that have been deleted, along with some metadata about the recycled files. The INFO2 file contains the original path, the file size, and when each file was deleted.

$I: this file contains the metadata for one specific deleted file (unlike the INFO2 file, which contains the metadata for every file in the Recycle Bin). The $I file contains the original filename, path, file size, and when the file was deleted.

During an incident, a file might have been deleted from disk; being able to acquire and parse this artifact can help the responder during the investigation.

Recycle Bin Forensics

MFTExplorer

Incident Response with EZTools - $MFT Parser

MFTExplorer is bundled with EZTools. This tool is a graphical $MFT viewer.

$MFT: All information about a file, including its size, time and date values, permissions, and data content, is stored either in $MFT entries or in space outside the $MFT that is described by $MFT entries. $MFT can be considered one of the most important files in the NTFS file system.

$Boot: Also known as the Volume Boot Record, Volume Boot Sector, or Partition Boot Sector. It stores information about the size of the partition, the location of the $MFT for the partition, and the location of the $MFT mirror for the partition. $Boot is the first file in a volume.

$I30: The NTFS file system maintains an index of all files and directories called the $I30 attribute. Every directory in the file system contains an $I30 attribute that must be maintained whenever the directory's content changes. When files or folders are removed from the directory, the $I30 index records are re-arranged accordingly. $I30 can be used in forensic analysis to identify files that may have existed on the drive, and it also gives evidence of deleted and overwritten files.


Introduction to MFTECmd: NTFS MFT AND JOURNAL FORENSICS

MFTECmd

Incident Response with EZTools - $MFT Parser

MFTECmd is bundled with EZTools. This tool is used to parse $MFT, $Boot, $J, $SDS, and $I30.

$MFT: All information about a file, including its size, time and date values, permissions, and data content, is stored either in $MFT entries or in space outside the $MFT that is described by $MFT entries. $MFT can be considered one of the most important files in the NTFS file system.

$Boot: Also known as the Volume Boot Record, Volume Boot Sector, or Partition Boot Sector. It stores information about the size of the partition, the location of the $MFT for the partition, and the location of the $MFT mirror for the partition. $Boot is the first file in a volume.

$I30: The NTFS file system maintains an index of all files and directories called the $I30 attribute. Every directory in the file system contains an $I30 attribute that must be maintained whenever the directory's content changes. When files or folders are removed from the directory, the $I30 index records are re-arranged accordingly. $I30 can be used in forensic analysis to identify files that may have existed on the drive, and it also gives evidence of deleted and overwritten files.


Introduction to MFTECmd: NTFS MFT AND JOURNAL FORENSICS

Jumplist Explorer

Incident Response with EZTools - Document Creation and Opening File Evidence Acquisition

JumpList Explorer is bundled with EZTools. This tool is a GUI-based jump list viewer.

Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. Jump Lists don’t just show shortcuts to files. Sometimes they also provide quick access to commands for things like composing new email messages or playing music. You can use a Jump List to open items, and you can also pin favorites to a Jump List, so you can quickly get to the items that you use every day.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, a file such as a text file or a document might be opened. To acquire these artifacts as evidence, responders must have the right knowledge and tools.


LNK Files and Jump Lists

Jumplist-Part 1

Jumplist-Part 2

Hasher

Incident Response with EZTools - Hash All Things

Hasher is bundled with EZTools. This tool can hash anything from a single file to an entire directory.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, the attacker may leave breadcrumbs of the actions performed. These actions may be the reason the system behaves oddly. Being able to inspect the hashes of these breadcrumbs gives the responder a quick look and analysis that can help during an investigation.

To see this tool in action and its capabilities, drag a file or select a folder inside Hasher and it will automatically generate MD5 and SHA1 hashes of those files.


EZViewer

Incident Response with EZTools - Document Dependency Viewer

EZViewer is bundled with EZTools. This tool is a standalone, zero-dependency viewer for .doc, .docx, .xls, .xlsx, .text, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf files.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, a document may be used that causes the system to behave oddly. Being able to inspect the data inside this evidence on the system can help responders pivot the investigation.


Comparing EZViewer to Other Free File Viewers

EvtxECmd

Incident Response with EZTools - Event Logs Parsing

EvtxECmd is bundled with EZTools. Its name is short for Event Log Parser.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected. 

During an incident, an action may be performed that causes the system to behave oddly. Obtaining evidence of these actions from the event logs helps responders follow the breadcrumbs needed to build a timeline of the event.

Introduction to EvtxECmd