bstrings

Incident Response with EZTools - Strings Search

bstrings is bundled with EZTools. This tool searches for strings in a single file or across a directory, and it is built around regex patterns for quick and reliable searching.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected. 

During an incident, an executable may be launched that causes the system to behave in an odd way. Finding evidence of this execution on the system can help responders pivot the investigation.

JLECmd

Incident Response with EZTools - Document Creation and Opening file Evidence Acquisition

JLECmd is bundled with EZTools. This tool is used to parse Jump Lists.

Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. Jump Lists don’t just show shortcuts to files. Sometimes they also provide quick access to commands for things like composing new email messages or playing music. You can use a Jump List to open items, and you can also pin favorites to a Jump List, so you can quickly get to the items that you use every day.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, a file such as a text file or document might be opened; to acquire these artifacts as evidence, responders must have the right knowledge and tools.

LNK Files and Jump Lists

Jumplist-Part 1

Jumplist-Part 2

LECmd

Incident Response with EZTools - Document Creation and Opening file Evidence Acquisition

LECmd is bundled with EZTools. This tool is used to parse .lnk files.

LNK files are shortcut files that the Windows OS typically creates automatically whenever a user opens a file. The operating system uses them to provide quick access to the target file.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, a file such as a text file or document might be opened; to acquire these artifacts as evidence, responders must have the right knowledge and tools.

LNK Files and Jump Lists

.LNK Files - Part 1

.LNK Files - Part 2

PECmd

Incident Response with EZTools - Evidence of Execution

PECmd is bundled with EZTools. This tool parses Windows Prefetch files.

Prefetch has existed since Windows XP. Windows creates a prefetch file the first time you run an executable. Prefetch is a component of the memory manager that speeds up the Windows boot process and shortens the time it takes to start programs. The prefetch file contains the data the OS needs to speed up the application's load time whenever you run it again.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, an executable may be launched that causes the system to behave in an odd way. Finding evidence of this execution on the system can help the responder pivot the investigation.

Windows Application Compatibility Forensics

Prefetch Files - Part 1

Prefetch Files - Part 2

AppCompatCacheParser

Incident Response with EZTools - Evidence of Execution

AppCompatCacheParser, also known as ShimParser, is bundled with EZTools. This tool parses the ShimCache.

ShimCache is a component of the Application Compatibility Database, which the Windows operating system uses to identify application compatibility issues. The cache contains data related to this Windows feature and is used for quick lookups to determine whether modules require shimming for compatibility. (Source: https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf)

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, an executable may be launched that causes the system to behave in an odd way. Finding evidence of this execution on the system can help the responder pivot the investigation.

Windows Application Compatibility Forensics

AmcacheParser

Incident Response with EZTools - Evidence of Execution

AmcacheParser is bundled with EZTools. This tool parses the Amcache.hve hive and provides a vast amount of information about which files have been executed on the system.

Amcache can provide a timeline of which programs were executed, when each was first run, and when it was last modified. It also provides additional details such as the file path, version, and hash.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, an executable may be launched that causes the system to behave in an odd way. Finding evidence of this execution on the system can help the responder pivot the investigation.

Windows Application Compatibility Forensics