Eric Zimmerman Tools
ISBN 978-1-959497-02-8
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.
Contents
Introduction to EZ Tools  2
  What are EZ Tools?  2
  Download EZ Tools  2
  CLI vs GUI  3
  .NET 4 vs .NET 6 EZ Tools  3
  What is this book?  3
  Mastering EZ Tools  3
  Content by Eric Zimmerman  4
  Content by the DFIR Community about EZ Tools  4
EZ Tools - CLI  11
AmcacheParser  13
  AmcacheParser Introduction  13
  AmcacheParser Switches  14
  AmcacheParser Command Examples  17
  AmcacheParser Output  17
  AmcacheParser Key Takeaways  18
  AmcacheParser References  19
AppCompatCacheParser  20
  AppCompatCacheParser Introduction  20
  AppCompatCacheParser Switches  21
  AppCompatCacheParser Command Examples  24
  AppCompatCacheParser Output  24
  AppCompatCacheParser Key Takeaways  25
  AppCompatCacheParser References  26
bstrings  28
  bstrings Introduction  28
  bstrings Switches  29
  bstrings Command Examples  38
  bstrings References  40
EvtxECmd  41
  EvtxECmd Introduction  41
  EvtxECmd Switches  42
  EvtxECmd Command Examples  47
  EvtxECmd Output  48
  EvtxECmd Key Takeaways  50
  EvtxECmd References  51
IISGeoLocate  52
  IISGeoLocate Introduction  52
  IISGeoLocate Switches  53
  IISGeoLocate Output  54
  IISGeoLocate References  54
JLECmd  55
  JLECmd Introduction  55
  JLECmd Switches  56
  JLECmd Command Examples  63
  JLECmd Output  64
  JLECmd Sample Output  71
  JLECmd Key Takeaways  76
  JLECmd References  77
LECmd  78
  LECmd Introduction  78
  LECmd Switches  79
  LECmd Command Examples  82
  LECmd Sample Output  84
  LECmd Output  85
  LECmd Key Takeaways  93
  LECmd References  95
MFTECmd  96
  MFTECmd Introduction  96
  File Types Parsed by MFTECmd  96
  MFTECmd Switches  98
  MFTECmd Command Examples  106
  MFTECmd Output  108
PECmd  113
  PECmd Introduction  113
  PECmd Switches  114
  PECmd Command Examples  118
  PECmd Output  119
  PECmd Key Takeaways  120
  PECmd References  121
RBCmd  122
  RBCmd Introduction  122
  RBCmd Switches  123
  RBCmd Command Examples  124
  RBCmd Output  125
  RBCmd Key Takeaways  125
  RBCmd References  126
RecentFileCacheParser  127
  RecentFileCacheParser Introduction  127
  RecentFileCacheParser Switches  128
  RecentFileCacheParser Command Examples  129
  RecentFileCacheParser Output  130
  RecentFileCacheParser References  132
RECmd  133
  RECmd Introduction  133
  RECmd Switches  134
  RECmd Command Examples  141
  RECmd Output  142
  RECmd References  143
RLA  145
  RLA Introduction  145
  RLA Switches  146
  RLA Command Examples  147
  RLA References  147
SBECmd  148
  SBECmd Introduction  148
  SBECmd Switches  149
  SBECmd Command Examples  152
  SBECmd Output  153
  SBECmd Key Takeaways  153
SQLECmd  155
  SQLECmd Introduction  155
  SQLECmd Switches  156
  SQLECmd Command Examples  158
  SQLECmd References  159
SrumECmd  160
  SrumECmd Introduction  160
  SrumECmd Switches  161
  SrumECmd Command Examples  163
  SrumECmd Output  164
  SrumECmd Sample Data  165
  SrumECmd References  166
SumECmd  167
  SumECmd Introduction  167
  SumECmd Switches  168
  SumECmd Command Examples  169
  SumECmd Output  170
  SumECmd References  171
VSCMount  172
  VSCMount Introduction  172
  VSCMount Switches  173
  VSCMount Command Examples  176
  VSCMount References  176
WxTCmd  177
  WxTCmd Introduction  177
  WxTCmd Switches  178
  WxTCmd Command Examples  179
  WxTCmd Output  179
  WxTCmd Key Takeaways  180
  WxTCmd References  181
EZViewer  183
  EZViewer Introduction  183
  EZViewer Screenshot  184
  EZViewer Key Takeaways  184
  EZViewer References  186
Hasher  187
  Hasher Introduction  187
  Hasher Screenshot  187
  Hasher Features  188
  Hasher References  192
TimeApp  336
  TimeApp Introduction  336
  TimeApp Screenshots  336
  TimeApp References  337
XWFIM  368
  Using XWFIM  369
  XWFIM References  379
Errata  380
  Reporting Errata  380
Enabling Update Notifications on Leanpub
Please, before you go any further in reading this book, enable update notifications for this book (and any others) so you’re notified when this book is updated! This can be done in your Leanpub library¹. This book is a live document and will constantly be updated as time goes on. You don’t want to miss out!
Update Notifications
¹https://leanpub.com/user_dashboard/library
Introduction to EZ Tools
What are EZ Tools?
EZ Tools are free and open-source digital forensics tools written by Eric Zimmerman².
Download EZ Tools
Eric Zimmerman’s Tools can be downloaded here³. Run the Get-ZimmermanTools.ps1 PowerShell script to download EZ Tools.
²https://www.sans.org/profiles/eric-zimmerman/
³https://ericzimmerman.github.io/#!index.md
CLI vs GUI
EZ Tools comprise CLI (Command Line Interface) and GUI (Graphical User Interface) tools. The CLI tools will be covered first, followed by the GUI tools. Generally speaking, the CLI tools are updated more often and are the preferable method of parsing the respective artifact each tool is designed to parse.
Mastering EZ Tools
The best way to master EZ Tools, or any tools for that matter, is to use them. Use the tools against sample images found on CFReDS¹⁰, Digital Corpora¹¹, or AboutDFIR¹². Additionally, the DFIRArtifactMuseum¹³ will be referenced often throughout this manual, as it holds multiple samples of the raw artifacts that each EZ Tool is designed to parse.
⁴https://ericzimmerman.github.io/#!benchmarks.md
⁵https://dotnet.microsoft.com/en-us/download/dotnet/6.0
⁶https://ericzimmerman.github.io/KapeDocs/#!index.md
⁷https://github.com/EZToolsManuals/EZToolsManuals
⁸https://github.com/EZToolsManuals/EZToolsManuals/issues
⁹https://github.com/EZToolsManuals/EZToolsManuals/pulls
¹⁰https://cfreds.nist.gov/
¹¹https://digitalcorpora.org/
¹²https://aboutdfir.com/resources/tool-testing/
¹³https://github.com/AndrewRathbun/DFIRArtifactMuseum
EZ Tools - Common Switches
Common Switches
While each of the EZ Tools provides unique functionality based on the artifact it was developed specifically to parse, most EZ Tools share common switches. Those are covered here so they are not repeated in each EZ Tool’s respective Switches section.
-f
Examples
.\JLECmd.exe -f D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\573770283dc3d854.automa
ms
.\LECmd.exe -f C:\temp\test.lnk
.\MFTECmd.exe -f 'C:\temp\webinar6152022\tout\C\$MFT'
-d
Use -d to point to a directory for the tool (LECmd in this example) to parse. Please note, this switch does work recursively.
Examples
.\LECmd.exe -d C:\temp
--csv
This switch will instruct the tool to output parsed data into a CSV file in the specified directory.
Examples
--csvf
This switch will instruct the tool to output parsed data into a CSV file at the specified location and name it using the value specified for this switch.
Examples
--xml
This switch will instruct the tool to output parsed data into XML at the specified location. Please note, for LECmd this will output one XML file for each .LNK file parsed.
Examples
--html
This switch will instruct the tool to output parsed data into HTML at the specified location.
Examples
--json
This switch will instruct the tool to output parsed data into JSON at the specified location. Please note, for LECmd this will output a single JSON file regardless of the number of .LNK files parsed.
Examples
--pretty
This switch will instruct the tool to output parsed data into pretty-printed JSON at the specified location.
Examples
--dt
This switch will instruct the tool to display timestamps in a specified format. The options for the timestamp format can be found here: https://docs.microsoft.com/en-us/dotnet/standard/base-types/custom-date-and-time-format-strings?redirectedfrom=MSDN
--dedupe
This switch informs the tool to deduplicate the results it parses. That way, your output won’t include multiple identical rows, giving the leanest output possible.
--vss
This switch informs the tool to mount the Volume Shadow Copies of the drive letter specified with the -f or -d switch and parse the artifacts present within them as well (for PECmd, the Prefetch files).
Examples (screenshots of RECmd and PECmd runs)
-q
This switch hides the processing details when running a command. This means potentially faster generated output, since your computer doesn’t have to spend time writing output to the console window during processing.
Example: RECmd.exe -d C:\Windows\system32\config --bn BatchExamples\Kroll_Batch.reb --nl false --csv C:\temp -q
--debug
This switch will provide log messages that are helpful for debugging code. --debug can be added to
any command for more verbose messaging.
--trace
This switch will provide log messages that are helpful for tracing the execution of code. --trace can
be added to any command for more verbose messaging.
--version
This switch will display the current version of the EZ Tool binary.
--help
This switch will print the same help information as executing the EZ Tool from the command line
without any switches.
EZ Tools - PowerShell vs CMD
There are some important scenarios to consider when using PowerShell vs Command Prompt.
Common Scenarios
When using MFTECmd, the -f switch will require you to point to a file that has a dollar sign ($) in the filename, such as $MFT, $J, etc. If you are running MFTECmd from PowerShell, you will need to use single quotes (or escape the dollar sign with a backtick) instead of double quotation marks around your file path.
For those not familiar with PowerShell, variables are assigned using dollar signs. For instance, $variable can be assigned any value, which can then be used throughout a script without having to retype that value repeatedly.
Here’s an example of this:
$filePath = 'C:\User\TestUser\Desktop\Folder\AnotherFolder\LongPath\LongerPath\filename.exe'
We are assigning that very long file path to the $filePath variable. Therefore, in a script, we could simply use $filePath every time we want to inject that file path into our script. Additionally, it allows us to declare the file path once in the script, so a corrected file path is reflected wherever that variable is used.
How this relates to MFTECmd’s usage: when pointing to a $MFT file, if you use double quotation marks, PowerShell will expect a value to have been assigned to $MFT or $J and will expand it. When running a one-liner command with MFTECmd, we are not declaring variables called $MFT or $J; rather, we’re pointing to files that have those specific names.
Here is an example of a bad command using PowerShell:
.\MFTECmd.exe -f "C:\temp\$someMFT" --csv C:\temp
Only when you run the command with the dollar sign protected, by single quotes or a backtick escape, will you have output generated by MFTECmd.
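The quoting behaviour described above, as an added PowerShell example that is not from the book. It assumes MFTECmd.exe is in the current directory and that C:\temp\$MFT is an exported $MFT file:

```powershell
# Added example, not from the book: how PowerShell treats $MFT under each kind of quoting.
# Assumes MFTECmd.exe sits in the current directory and C:\temp\$MFT is an exported $MFT file.

$mftDir = 'C:\temp'

# Double quotes: PowerShell expands $MFT as a variable. Nothing has assigned it, so it
# becomes an empty string and the tool is handed C:\temp\ (a directory) instead of the file.
$bad = "$mftDir\$MFT"
Write-Host "Double-quoted   : [$bad]"

# Single quotes: no expansion at all, so the dollar sign is kept literally.
$good = 'C:\temp\$MFT'
Write-Host "Single-quoted   : [$good]"

# Double quotes with a backtick before the dollar sign: the escape keeps $MFT literal
# while other variables in the same string, such as $mftDir, still expand.
$escaped = "$mftDir\`$MFT"
Write-Host "Backtick-escaped: [$escaped]"

# Strict mode turns the silent empty expansion into an error, a cheap safety net for
# scripts that build long command lines from variables.
Set-StrictMode -Version Latest
try   { $null = "$mftDir\$MFT" }
catch { Write-Warning "Strict mode caught the undefined variable: $($_.Exception.Message)" }
Set-StrictMode -Off

# Confirm each candidate actually resolves to a file before handing it to MFTECmd.
foreach ($candidate in @($bad, $good, $escaped)) {
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        Write-Host "file found : $candidate"
    } else {
        Write-Host "not a file : $candidate  (MFTECmd would fail here)"
    }
}

# The working invocation, with the dollar sign protected:
# .\MFTECmd.exe -f 'C:\temp\$MFT' --csv 'C:\temp'
```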
EZ Tools - CLI
AmcacheParser
AmcacheParser Introduction
AmcacheParser is a tool created by Eric Zimmerman used to parse Amcache.hve files, commonly
found at C:\Windows\appcompat\Programs\Amcache.hve.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the Amcache.hve artifact, which can help provide insight as to which programs were installed on a computer. Additionally, the artifact can provide hardware information, which may be useful context to have for the purpose of evidence identification.
Private Sector
For those in the Private Sector, this tool is useful for parsing the Amcache.hve artifact, which can help provide evidence of program execution. Unassociated entries will often be where malicious applications can be found, along with the associated SHA-1 hash value, which can then be looked up in a resource like VirusTotal to learn more about the application.
AmcacheParser Switches
In a PowerShell window, running .\AmcacheParser.exe will provide the following options when running AmcacheParser:

Description:
  AmcacheParser version 1.5.1.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Usage:
  AmcacheParser [options]

Options:
  -f <f> (REQUIRED)       Amcache.hve file to parse
  -i                      Include file entries for Programs entries [default: False]
  -w <w>                  Path to file containing SHA-1 hashes to *exclude* from the results. Blacklisting overrides whitelisting
  -b <b>                  Path to file containing SHA-1 hashes to *include* from the results. Blacklisting overrides whitelisting
  --csv <csv> (REQUIRED)  Directory to save CSV formatted results to. Be sure to include the full path in double quotes
  --csvf <csvf>           File name to save CSV formatted results to. When present, overrides default name
  --dt <dt>               The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --mp                    Display higher precision for time stamps [default: False]
  --nl                    When true, ignore transaction log files for dirty hives. Default is FALSE [default: False]
  --debug                 Show debug information during processing [default: False]
  --trace                 Show trace information during processing [default: False]
  --version               Show version information
  -?, -h, --help          Show help and usage information
Switch Descriptions
-i
-w
This switch will instruct AmcacheParser to read a specified file containing SHA-1 hashes to exclude from the results. This means that hashes specified in this file will NOT be included in the CSV output.
Example: .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.h --csv D:\Amcache -w D:\Amcache\Hashes.txt
-b
This switch will instruct AmcacheParser to read a specified file containing SHA-1 hashes to include in the results. This means that hashes specified in this file will be the ONLY results included in the CSV output.
Example: .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.h --csv D:\Amcache -b D:\Amcache\Hashes.txt
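An added PowerShell example, not from the book, that builds the one-hash-per-line SHA-1 file -w and -b expect from a trusted reference directory and then runs AmcacheParser with it. C:\GoldImage\Program Files is a placeholder for that reference tree; D:\Amcache\Amcache.hve and D:\Amcache\Hashes.txt follow the paths used in the switch examples:

```powershell
# Added example, not from the book: build the SHA-1 list file that -w and -b expect, then run
# AmcacheParser with it. C:\GoldImage\Program Files is a placeholder for a trusted reference
# tree; the D:\Amcache paths follow the examples in the switch descriptions.

$referenceDir = 'C:\GoldImage\Program Files'
$outputDir    = 'D:\Amcache'
$hashFile     = Join-Path $outputDir 'Hashes.txt'
$amcacheHive  = Join-Path $outputDir 'Amcache.hve'

New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

# Amcache records SHA-1 values for PE files, so hash only executables, DLLs and drivers.
# Caveat: Amcache hashes only the first 31 MB of a file, so very large binaries will not match.
$hashes = Get-ChildItem -LiteralPath $referenceDir -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower() } |
    Sort-Object -Unique

# One hash per line, plain ASCII. Lowercase is an assumption: compare against the SHA1 column
# of a CSV you have already produced and match its case if the filter appears to miss.
$hashes | Set-Content -LiteralPath $hashFile -Encoding ascii
Write-Host ("Wrote {0} SHA-1 hashes to {1}" -f @($hashes).Count, $hashFile)

# -w drops rows whose hash is listed, removing known-good noise. Swapping -w for -b would keep
# only the listed hashes; per the help text, an exclusion list wins when both are supplied.
.\AmcacheParser.exe -f $amcacheHive --csv $outputDir -w $hashFile
```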
--mp
This switch will instruct AmcacheParser to provide more verbose timestamps. For instance, running
.\AmcacheParser.exe -f "D:\Amcache\Amcache.hve" --csv D:\Amcache resulted in the following:
--nl
This switch will instruct AmcacheParser to ignore transaction logs (*.LOG files).
Example: .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.h --csv D:\Amcache --nl
Parse an Amcache.hve file and Output to CSV While Only Including Results That Match Specified Hashes
AmcacheParser Output
AmcacheParser References
Blog Posts
Download AmcacheParser
AmcacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
AppCompatCacheParser
AppCompatCacheParser Introduction
Law Enforcement
For those in Law Enforcement, this tool is useful for providing evidence of file knowledge. Artifacts seen in the AppCompatCache, depending on the version of Windows, may provide indicators of an executable existing on the file system at a given point in time.
Private Sector
For those in the Private Sector, this tool is useful for providing evidence of file knowledge. Artifacts seen in the AppCompatCache, depending on the version of Windows, may provide indicators of an executable existing on the file system at a given point in time. Additionally, previous versions of Windows had indicators of program execution, but that same information can more reliably be found in Prefetch, UserAssist, etc.
AppCompatCacheParser Switches
In a PowerShell window, running .\AppCompatCacheParser.exe will provide the following options when running AppCompatCacheParser:

Description:
  AppCompatCache Parser version 1.5.0.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Usage:
  AppCompatCacheParser [options]

Options:
  -f <f>                  Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used
  --csv <csv> (REQUIRED)  Directory to save CSV formatted results to. Be sure to include the full path in double quotes
  --csvf <csvf>           File name to save CSV formatted results to. When present, overrides default name
  --c <c>                 The ControlSet to parse. Default is to extract all control sets [default: -1]
  -t                      Sorts last modified timestamps in descending order [default: False]
  --dt <dt>               The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --nl                    When true, ignore transaction log files for dirty hives [default: False]
  --debug                 Show debug information during processing [default: False]
  --trace                 Show trace information during processing [default: False]
  --version               Show version information
  -?, -h, --help          Show help and usage information
Switch Descriptions
--c
This switch informs the tool to parse a specific ControlSet. The default is to parse all ControlSets present within the Registry hive.
Example: .\AppCompatCacheParser.exe -f "C:\temp\System" --csv C:\temp\appcompatcachetest --c 1
The above command will display the following message in the console window:
-t
This switch will inform the tool to sort the last modified timestamps in descending order.
Example: .\AppCompatCacheParser.exe -f "D:\temp\SYSTEM" --nl false --csv "D:\temp" -t
--nl
This switch informs the tool whether to replay transaction logs or not: --nl false replays them, --nl true ignores them.
Below is an example of replaying transaction logs:
Example: .\AppCompatCacheParser.exe -f "D:\temp\SYSTEM" --nl false --csv "D:\temp"
When processing transaction logs, you will see a message similar to this:
Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...
Sequence numbers do not match! Hive is dirty and the transaction logs should be reviewed for relevant data!
Found 1,024 cache entries for Windows10Creators in ControlSet001
Parse the AppCompatCache from the SYSTEM Registry hive and output to a specified location while outputting a CSV named results.csv
AppCompatCacheParser Output
According to AppCompatCacheParser’s code³⁶, the following versions can replace the XXXXXX:
• WindowsXP
• WindowsVistaWin2k3Win2k8
• Windows7x86
• Windows7x64_Windows2008R2
• Windows80_Windows2012
• Windows81_Windows2012R2
• Windows10
• Windows10Creators
• Unknown
³⁶https://github.com/EricZimmerman/AppCompatCacheParser/blob/95d4e1e084fdf8289175fdb47a15747753ec8e77/AppCompatCache/AppCompatCache.cs#L56
AppCompatCacheParser References
Blog Posts
• Introducing AppCompatCacheParser³⁷
• AppCompatCacheParser v0.0.5.1 released³⁸
• AppCompatCacheParser v0.0.5.2 released³⁹
• AppCompatCacheParser v0.9.0.0 released and some AppCompatCache/shimcache parser testing⁴⁰
• Windows 10 Creators update vs shimcache parsers: Fight!!⁴¹
• Updates to the left of me, updates to the right of me, version 1 releases are here (for the most part)⁴²
• Everything gets an update, Sept 2018 edition⁴³
• Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags Explorer (and SBECmd), and Registry Explorer (and RECmd)⁴⁴
Community Resources
Download AppCompatCacheParser
AppCompatCacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for searching through files for keywords or regular
expressions of interest, including but not limited to: credit cards, Social Security numbers, phone
numbers, email addresses, cryptocurrency wallets, and many more.
Private Sector
For those in the Private Sector, this tool is useful for searching through files for keywords or regular
expressions of interest, including but not limited to: IPv4 addresses, IPv6 addresses, SID numbers,
cryptocurrency wallets, and many more.
bstrings Switches
In a PowerShell window, running .\bstrings.exe will provide the following options when running bstrings:
Description:
bstrings version 1.5.2.0
Usage:
bstrings [options]
Options:
-f <f> File to search. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is required
-o <o> File to save results to
-a If set, look for ASCII strings. Use -a false to disable [default: True]
-u If set, look for Unicode strings. Use -u false to disable [default: True]
-m <m> Minimum string length [default: 3]
-b <b> Chunk size in MB. Valid range is 1 to 1024. Default is 512 [default: 512]
-q Quiet mode (Do not show header or total number of hits) [default: False]
-s Really Quiet mode (Do not display hits to console. Speeds up processing when
Switch Descriptions
-o
This switch informs the tool to save the results of a search to a specified location.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt"
Please note that if you run multiple searches with the -o switch, which outputs to a file with a
specified filename, subsequent searches after the initial search will append the results to that output
file with each search if the output filename is the same for each search.
-a
This switch informs the tool to look for ASCII⁴⁸ strings. Default is true, so if you want to disable it,
use -a false.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -a false
-u
This switch informs the tool to look for Unicode⁴⁹ strings. Default is true, so if you want to disable
it, use -u false.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -u false
-m
This switch informs the tool to look for strings that are a minimum length of the specified value.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -m 12
-b
This switch informs the tool to search a specified chunk size. The default is 512 but the valid range
is 1 to 1024.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows\Pagefile\" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -b 10
Running the above command will result in console messages similar to the below:
⁴⁸https://en.wikipedia.org/wiki/ASCII
⁴⁹https://en.wikipedia.org/wiki/Unicode
Chunk 14 of 23 finished. Total strings so far: 423,846 Elapsed time: 0.510 seconds. Average strings/sec: 831,394
Chunk 15 of 23 finished. Total strings so far: 450,770 Elapsed time: 0.536 seconds. Average strings/sec: 840,528
Chunk 16 of 23 finished. Total strings so far: 477,418 Elapsed time: 0.560 seconds. Average strings/sec: 851,896
Chunk 17 of 23 finished. Total strings so far: 503,561 Elapsed time: 0.623 seconds. Average strings/sec: 808,210
Chunk 18 of 23 finished. Total strings so far: 529,823 Elapsed time: 0.664 seconds. Average strings/sec: 798,020
Chunk 19 of 23 finished. Total strings so far: 555,164 Elapsed time: 0.691 seconds. Average strings/sec: 803,042
Chunk 20 of 23 finished. Total strings so far: 580,462 Elapsed time: 0.714 seconds. Average strings/sec: 812,530
Chunk 21 of 23 finished. Total strings so far: 605,518 Elapsed time: 0.776 seconds. Average strings/sec: 780,189
Chunk 22 of 23 finished. Total strings so far: 624,488 Elapsed time: 0.821 seconds. Average strings/sec: 760,773
Chunk 23 of 23 finished. Total strings so far: 624,488 Elapsed time: 0.824 seconds. Average strings/sec: 757,961
Primary search complete. Looking for strings across chunk boundaries...
Search complete.
-q
This switch informs the tool to run in quiet mode, where the header and footer won’t display as
results are being displayed in the console window.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -a false -q
-x
This switch informs the tool to search for strings with a maximum length of a specified value.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o "D:\DFIRArtifactMuseum\Windows\results.txt" -x 15
-p
This switch informs the tool to display the list of regular expressions built in to the tool.
Example: .\bstrings.exe -p
This command will display the following information:
Name Description
aeon Finds Aeon wallet addresses
b64 Finds valid formatted base 64 strings
bitcoin Finds BitCoin wallet addresses
bitlocker Finds Bitlocker recovery keys
bytecoin Finds ByteCoin wallet addresses
cc Finds credit card numbers
dashcoin Finds DashCoin wallet addresses (D*)
dashcoin2 Finds DashCoin wallet addresses (7|X)*
email Finds embedded email addresses
fantomcoin Finds Fantomcoin wallet addresses
guid Finds GUIDs
ipv4 Finds IP version 4 addresses
ipv6 Finds IP version 6 addresses
mac Finds MAC addresses
monero Finds Monero wallet addresses
reg_path Finds paths related to Registry hives
sid Finds Microsoft Security Identifiers (SID)
ssn Finds US Social Security Numbers
sumokoin Finds SumoKoin wallet addresses
unc Finds UNC paths
url3986 Finds URLs according to RFC 3986
urlUser Finds usernames in URLs
usPhone Finds US phone numbers
var_set Finds environment variables being set (OS=Windows_NT)
win_path Finds Windows style paths (C:\folder1\folder2\file.txt)
xml Finds XML/HTML tags
zip Finds zip codes

To use a built in pattern, supply the Name to the --lr switch
--ls
--lr
This switch informs the tool to search for a specified built-in regular expression.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4
--fs
This switch informs the tool to use a specified list of search terms within a specified file.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --fs C:\temp\searchterms.txt
--ar
This switch informs the tool to search using a specified range to search for in “code page” strings.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr C:\temp\results.txt --ar [\x20-\x37] -q
--ur
This switch informs the tool to search using a specified range to search for in Unicode strings.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr C:\temp\results.txt --ur [\u0020-\u007E] -q
--cp
This switch informs the tool to use a specified code page. The default is 1252. Check out this link⁵⁰
for information on other code pages available.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr C:\temp\results.txt --ur [\u0020-\u007E] -q --cp 1256
--mask
This switch informs the tool to search a specified file mask. For instance, to search through all .exe
files, one would specify --mask *.exe.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr C:\temp\results.txt --mask *.txt
The above command would search through all .txt files using the IPv4 regular expression as a search
term.
--ms
This switch informs the tool of the maximum size file (in bytes) to process when using the -d switch.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr C:\temp\results.txt --mask *.txt --ms 10
--ro
This switch informs the tool to list the string matched as the search is running.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 -o C:\temp\results.txt --ro -q
Try the above command with and without the --ro and see the difference. --ro will list each IPv4
address hit and running the command without --ro will list the files where hits are being located.
--off
This switch informs the tool to show the offset of the hit and code page for each hit.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 -o C:\temp\results.txt --off -q
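As an added example (not bstrings' own code), the following Python sketch reproduces the mechanics the switches above describe: ASCII (-a) and UTF-16LE Unicode (-u) runs, minimum (-m) and maximum (-x) string length, byte offsets (--off), chunked processing (-b) followed by the second pass across chunk boundaries that the console output reports, and a search by built-in pattern name (--lr). The pattern regexes, the tiny chunk size and the sample buffer are this example's own assumptions, chosen so that strings straddle chunk boundaries.

```python
"""bstrings-style string carver: ASCII and UTF-16LE runs, min/max length,
chunked processing with a boundary pass, and named-pattern search.
Added example; not bstrings' code."""
import re
from typing import Dict, List, Optional, Set, Tuple

Hit = Tuple[int, str, str]  # (byte offset, "ascii" | "unicode", text)

# Named patterns in the spirit of the bstrings -p list. The regexes are this
# example's own (assumed), not copied from the tool.
BUILTIN_PATTERNS: Dict[str, str] = {
    "ipv4": r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)",
    "guid": r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}",
}


def extract_strings(data: bytes, ascii_: bool = True, unicode_: bool = True,
                    min_len: int = 3, max_len: Optional[int] = None) -> List[Hit]:
    """Printable runs in one buffer, like -a/-u/-m/-x applied to a single chunk."""
    hits: List[Hit] = []
    if ascii_:
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
            text = m.group().decode("ascii")
            if max_len is None or len(text) <= max_len:
                hits.append((m.start(), "ascii", text))
    if unicode_:
        # UTF-16LE text in the printable ASCII range: each char is <byte> 0x00
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            text = m.group().decode("utf-16le")
            if max_len is None or len(text) <= max_len:
                hits.append((m.start(), "unicode", text))
    return sorted(hits)


def carve(data: bytes, chunk_size: int, ascii_: bool = True, unicode_: bool = True,
          min_len: int = 3, max_len: Optional[int] = None) -> List[Hit]:
    """Chunked carve (like -b) followed by a pass over the chunk boundaries.

    A run that straddles a boundary shows up as two fragments in the first
    pass; the second pass replaces those fragments with the whole run."""
    hits: Set[Hit] = set()
    for start in range(0, len(data), chunk_size):
        for off, enc, text in extract_strings(data[start:start + chunk_size],
                                              ascii_, unicode_, min_len, max_len):
            hits.add((start + off, enc, text))

    # Window either side of each boundary. With a maximum length the straddling
    # run fits in 2*max_len bytes (UTF-16LE is two bytes per char); otherwise a
    # fixed window is used and runs longer than it are left as fragments.
    window = 2 * max_len if max_len else 4096
    for boundary in range(chunk_size, len(data), chunk_size):
        lo, hi = max(0, boundary - window), min(len(data), boundary + window)
        for off, enc, text in extract_strings(data[lo:hi], ascii_, unicode_, min_len, None):
            abs_off = lo + off
            end = abs_off + len(text) * (2 if enc == "unicode" else 1)
            touches_edge = (abs_off == lo and lo > 0) or (end == hi and hi < len(data))
            if abs_off < boundary < end and not touches_edge:
                # Drop the fragments of this run, then record the whole run.
                hits = {h for h in hits if not (h[1] == enc and abs_off <= h[0] < end)}
                if max_len is None or len(text) <= max_len:
                    hits.add((abs_off, enc, text))
    return sorted(hits)


def search_pattern(hits: List[Hit], name: str) -> List[Hit]:
    """Like --lr <name>: keep the part of each string that the pattern matches."""
    pattern = re.compile(BUILTIN_PATTERNS[name])
    out: List[Hit] = []
    for off, enc, text in hits:
        m = pattern.search(text)
        if m:
            out.append((off, enc, m.group()))
    return out


# Constructed sample buffer (not real evidence): an ASCII string, a UTF-16LE
# string and an IPv4 address, separated by non-printable bytes.
SAMPLE = (b"\x00\x01" + b"hello world" + b"\x00\xff"
          + "hi there".encode("utf-16le") + b"\x00\x00" + b"192.168.1.10" + b"\x00")

if __name__ == "__main__":
    for off, enc, text in carve(SAMPLE, chunk_size=8):   # 8-byte chunks force boundary splits
        print(f"0x{off:04x} {enc:7} {text}")
    print(search_pattern(carve(SAMPLE, chunk_size=8), "ipv4"))
```

With an 8-byte chunk size every string in the sample crosses a boundary, so the first pass alone would report fragments such as "hello " and "world"; the boundary pass is what turns them back into one hit at one offset, which is the same point bstrings' "Looking for strings across chunk boundaries..." message marks. A real chunk size is measured in megabytes, so in practice only a handful of strings per file are affected, but those are exactly the ones a keyword search would otherwise miss.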
--sa
--sl
Search a specified file using a file with specified search strings and a file with specified regular expressions
Search a specified directory for all files with the .dll file extension
Search a specified file for credit cards using regular expressions and sort the results alphabetically
Search a specified file using the credit card regular expression, sorting the results alphabetically, with a minimum string length of 15, and a maximum string length of 22
Search a specified file for the string mui and sort the results by length
bstrings References
Blog Posts
Community Resources
Download bstrings
bstrings can be downloaded from https://ericzimmerman.github.io/#!index.md
⁵¹https://binaryforay.blogspot.com/2015/07/introducing-bstrings-better-strings.html
⁵²https://binaryforay.blogspot.com/2015/07/bstrings-0900-released.html
⁵³https://binaryforay.blogspot.com/2015/07/bstrings-0950-released.html
⁵⁴https://binaryforay.blogspot.com/2015/08/a-few-updates.html
⁵⁵https://binaryforay.blogspot.com/2015/11/bstrings-0970-released.html
⁵⁶https://binaryforay.blogspot.com/2015/12/bstrings-0980-released.html
⁵⁷https://binaryforay.blogspot.com/2016/02/bstrings-0990-released.html
⁵⁸https://binaryforay.blogspot.com/2016/02/bstrings-10-released.html
⁵⁹https://binaryforay.blogspot.com/2016/04/bstrings-v11-released.html
⁶⁰https://leahycenterblog.champlain.edu/2020/05/01/data-recovery-blog-2-2/
EvtxECmd
EvtxECmd Introduction
EvtxECmd is a tool created by Eric Zimmerman used to parse event logs from Windows. Versions of
Windows from Vista and beyond have utilized the .evtx format, which incorporates XML payloads
within the .evtx files. EvtxECmd only parses .evtx files, so if you’re dealing with .evt files, EvtxECmd
will not parse those particular files.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing event logs which can provide useful
program execution artifacts, NTFS file system artifacts, evidence of USB device connections, and
much more.
Private Sector
For those in the Private Sector, this tool is useful for parsing event logs which can provide useful
artifacts relating to RDP sessions, account lockouts, failed logons, and much more.
EvtxECmd Maps
https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
If you are looking for guidance on how to create EvtxECmd Maps, look no further than the following
resources:
Additionally, please check out Andrew Rathbun’s 2021 SANS DFIR Summit presentation on EZ
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here⁶³ for a
timestamped link to the section of the presentation that relates to EvtxECmd Maps.
EvtxECmd Switches
In a PowerShell window, running .\EvtxECmd.exe will provide the following options when running
EvtxECmd:
Description:
EvtxECmd version 1.0.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
EvtxECmd [options]
⁶¹https://github.com/EricZimmerman/evtx/blob/master/evtx/Maps/!Channel-Name_Provider-Name_EventID.guide
⁶²https://github.com/EricZimmerman/evtx/blob/master/evtx/Maps/!Channel-Name_Provider-Name_EventID.template
⁶³https://youtu.be/mIb1GQP3ciE?t=860
Options:
-f <f> File to process. This or -d is required
-d <d> Directory to process that contains evtx files. This or -f is required
--csv <csv> Directory to save CSV formatted results to
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--json <json> Directory to save JSON formatted results to
--jsonf <jsonf> File name to save JSON formatted results to. When present, overrides default name
--xml <xml> Directory to save XML formatted results to
--xmlf <xmlf> File name to save XML formatted results to. When present, overrides default name
--dt <dt> The custom date/time format to use when displaying time stamps [default: yyyy-MM-dd HH:mm:ss.fffffff]
--inc <inc> List of Event IDs to process. All others are ignored. Overrides --exc Format is 4624,4625,5410
--exc <exc> List of Event IDs to IGNORE. All others are included. Format is 4624,4625,5410
--sd <sd> Start date for including events (UTC). Anything OLDER than this is dropped. Format should match --dt
--ed <ed> End date for including events (UTC). Anything NEWER than this is dropped. Format should match --dt
--fj When true, export all available data when using --json [default: False]
--tdt <tdt> The number of seconds to use for time discrepancy detection [default: 1]
--met When true, show metrics about processed event log [default: True]
--maps <maps> The path where event maps are located. Defaults to 'Maps' folder where program was executed [default: C:\Users\CFUser\OneDrive - Kroll\Desktop\EZ Tools\net6\EvtxeCmd\Maps]
--vss Process all Volume Shadow Copies that exist on drive specified by -f or -d [default: False]
--dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found wins [default: True]
--sync If true, the latest maps from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps are downloaded and local maps updated [default: False]
--debug Show debug information during processing [default: False]
--trace Show trace information during processing [default: False]
--version Show version information
-?, -h, --help Show help and usage information
-f or -d is required. Exiting
Switch Descriptions
--inc
This switch tells EvtxECmd which event ID(s) to process.
Example: .\EvtxECmd.exe -d C:\Windows\System32\winevt\Logs --inc 4624,4625
The above command WILL process 4624 and 4625 events, but will NOT process anything else.
--exc
This switch tells EvtxECmd which event ID(s) to ignore during processing.
Example: .\EvtxECmd.exe -d C:\Windows\System32\winevt\Logs --exc 4624,4625
The above command will NOT process 4624 and 4625 events, but will process every other event.
--sd
This switch will provide a starting date for which EvtxECmd will process all events that have
occurred AFTER that date.
Example: .\EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evt
--csv D:\ --sd "2022-07-29 00:00:00.0000000"
--ed
This switch will provide an ending date: EvtxECmd will process only the events that have occurred BEFORE that date.
Example: .\EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evt
--csv D:\ --ed "2022-07-27 00:00:00.0000000"
--fj
This switch will include full details when using the common --json switch.
Example: .\EvtxECmd.exe -d "C:\Users\CFUser\Downloads\EventLogs\logs" --json
"C:\Users\CFUser\Downloads\EventLogs\logs\json" --fj
--tdt
This switch sets the number of seconds the tool uses for time discrepancy detection.
Example: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --tdt 5
--met
This switch informs the tool as to whether or not to provide statistics, with the default being true.
Example: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --met false
With --met false, the following statistics will NOT be displayed after each .evtx file that is parsed
by EvtxECmd:
By default, the above statistics will be displayed after each .evtx file is parsed by EvtxECmd.
--maps
This switch will inform the tool to look for EvtxECmd Maps at a specified location other than
.\EvtxECmd\Maps.
--vss
This switch informs the tool to mount Volume Shadow Copies from the drive letter specified using the -f or -d switch and parse the event log files present within.
Example: .\EvtxECmd.exe -d "D:\evtx" --csv "D:\evtx" --vss
--sync
This switch will inform the tool to download all EvtxECmd Maps from GitHub⁶⁴ and update the
local Maps stored in .\EvtxECmd\Maps.
Example: .\EvtxECmd.exe --sync
⁶⁴https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
EvtxECmd Output
{
"ChunkNumber": 0,
"Computer": "HostnameGoesHere",
"Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"param1\",\"#text\":\"86400\"},{\"@Name\":\"param2\",\"#text\":\"SuppressDuplicateDuration\"},{\"@Name\":\"param3\",\"#text\":\"Software\\\\Microsoft\\\\EventSystem\\\\EventLog\"}]}}",
"Channel": "Application",
"Provider": "Microsoft-Windows-EventSystem",
"EventId": 4625,
"EventRecordId": "1",
"ProcessId": 0,
"ThreadId": 0,
"Level": "Info",
"Keywords": "0x80000000000000",
"SourceFile": "C:\\temp\\evtx\\Application.evtx",
"ExtraDataOffset": 0,
"HiddenRecord": false,
"TimeCreated": "2022-05-19T15:34:34.9710202+00:00",
"RecordNumber": 1
},
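Two things about the JSON record above trip up scripted triage: Payload is itself a JSON document serialised as a string, and TimeCreated carries seven fractional digits, one more than Python keeps. As an added example (not EvtxECmd's code), the Python below reads --json output one record per line, flattens Payload into EventData name/value pairs, and filters the records the way --inc, --exc, --sd and --ed do. The sample records are constructed; the first is modelled on the record shown above, the other two are invented to exercise the filters.

```python
"""Post-process EvtxECmd --json output: flatten Payload, filter by event ID
and time with --inc/--exc/--sd/--ed semantics. Added example; not EvtxECmd's code."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def parse_ts(value: str) -> datetime:
    """Parse TimeCreated (ISO 8601, seven fractional digits) and --sd/--ed values
    (yyyy-MM-dd HH:mm:ss.fffffff, UTC). Python keeps microseconds, so the
    seventh digit is truncated; a missing offset is taken as UTC."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    date, clock, frac, tz = m.groups()
    micro = int((frac or "")[:6].ljust(6, "0"))
    dt = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(microsecond=micro)
    if tz in (None, "Z"):
        return dt.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(sign * offset))


def payload_to_dict(payload: str) -> Dict[str, str]:
    """Flatten the Payload string ({"EventData":{"Data":[{"@Name":..,"#text":..},..]}})."""
    doc = json.loads(payload)
    data = doc.get("EventData", {}).get("Data", [])
    if isinstance(data, dict):  # defensive: a single Data element may arrive as an object
        data = [data]
    out: Dict[str, str] = {}
    for i, item in enumerate(data):
        if isinstance(item, dict):
            out[item.get("@Name", f"Data{i}")] = item.get("#text", "")
        else:
            out[f"Data{i}"] = str(item)
    return out


def load_records(jsonl: str) -> List[Dict]:
    """Parse one JSON object per line and attach a flattened EventData dict."""
    records = []
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["EventData"] = payload_to_dict(rec.get("Payload", "{}"))
            records.append(rec)
    return records


def parse_id_list(spec: str) -> Set[int]:
    """'4624,4625,5410' -> {4624, 4625, 5410}, the --inc/--exc format."""
    return {int(x) for x in spec.split(",") if x.strip()}


def filter_events(records: List[Dict], inc: Optional[Set[int]] = None,
                  exc: Optional[Set[int]] = None, sd: Optional[str] = None,
                  ed: Optional[str] = None) -> List[Dict]:
    """--inc overrides --exc; events OLDER than --sd or NEWER than --ed are dropped."""
    start = parse_ts(sd) if sd else None
    end = parse_ts(ed) if ed else None
    kept = []
    for rec in records:
        eid = int(rec["EventId"])
        if inc:
            if eid not in inc:
                continue
        elif exc and eid in exc:
            continue
        when = parse_ts(rec["TimeCreated"])
        if (start and when < start) or (end and when > end):
            continue
        kept.append(rec)
    return kept


def _payload(pairs) -> str:
    """Build a Payload string in the shape EvtxECmd emits (sample construction only)."""
    return json.dumps({"EventData": {"Data": [{"@Name": k, "#text": v} for k, v in pairs]}})


# Constructed sample output: one line per record, as --json writes it.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Channel": "Application", "Provider": "Microsoft-Windows-EventSystem", "EventId": 4625,
     "TimeCreated": "2022-05-19T15:34:34.9710202+00:00", "Computer": "HostnameGoesHere",
     "Payload": _payload([("param1", "86400"), ("param2", "SuppressDuplicateDuration"),
                          ("param3", r"Software\Microsoft\EventSystem\EventLog")])},
    {"Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing", "EventId": 4624,
     "TimeCreated": "2022-05-20T08:00:00.0000000+00:00", "Computer": "HostnameGoesHere",
     "Payload": _payload([("TargetUserName", "analyst"), ("LogonType", "10")])},
    {"Channel": "System", "Provider": "Service Control Manager", "EventId": 7045,
     "TimeCreated": "2022-05-21T23:59:59.9999999+00:00", "Computer": "HostnameGoesHere",
     "Payload": _payload([("ServiceName", "ExampleSvc"), ("ImagePath", r"C:\example\svc.exe")])},
])

if __name__ == "__main__":
    recs = load_records(SAMPLE_JSONL)
    for r in filter_events(recs, inc=parse_id_list("4624,7045"), sd="2022-05-20 00:00:00.0000000"):
        print(r["EventId"], r["TimeCreated"], r["EventData"])
```

Note the Application 4625 in the sample is an EventSystem event, not the Security-log failed-logon 4625; event IDs are only unique per provider and channel, which is why the filters here are a first cut and the Channel/Provider fields should be checked before a number is treated as meaning anything.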
<Event>
<System>
<Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
<EventID Qualifiers="16384">4625</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-05-19 15:34:34.9710202" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>CFL-HostnameGoesHere</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">86400</Data>
<Data Name="param2">SuppressDuplicateDuration</Data>
<Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
</EventData>
</Event>
This is the preferred way to do research for creating new EvtxECmd Maps. EvtxECmd Maps use
XPath queries which would require XML output to develop a working XPath query.
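Before a map is committed, it is worth checking that each XPath expression in it actually selects the intended node of the XML record. As an added example (not EvtxECmd's code), the Python below runs map-style XPath expressions against the record shown above using the standard library's ElementTree. The MAP dict is a simplified stand-in for the project's map format, assumed for illustration only, and the evaluator covers just the subset ElementTree supports: a leading /Event is rewritten to a relative path and a trailing /@attribute is resolved by hand.

```python
"""Check map-style XPath expressions against an EvtxECmd XML record.
Added example; not EvtxECmd's code. MAP is an assumed, simplified shape."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# The XML record shown above, embedded as sample input.
SAMPLE_XML = r"""<Event>
  <System>
    <Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
    <EventID Qualifiers="16384">4625</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-05-19 15:34:34.9710202" />
    <EventRecordID>1</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>CFL-HostnameGoesHere</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">86400</Data>
    <Data Name="param2">SuppressDuplicateDuration</Data>
    <Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
  </EventData>
</Event>"""

# Assumed, simplified map: header fields the record must match, then the
# properties to extract, each as a map-style absolute XPath.
MAP = {
    "EventId": 4625,
    "Channel": "Application",
    "Provider": "Microsoft-Windows-EventSystem",
    "Properties": {
        "SuppressDuration": '/Event/EventData/Data[@Name="param1"]',
        "RegistryPath": '/Event/EventData/Data[@Name="param3"]',
        "ProviderGuid": "/Event/System/Provider/@Guid",
    },
}


def eval_xpath(root: ET.Element, xpath: str) -> Optional[str]:
    """Evaluate a map-style XPath against the <Event> root.

    ElementTree only takes relative paths and cannot select attributes, so a
    leading /Event becomes '.' and a trailing /@attr is resolved here."""
    if xpath.startswith("/Event"):
        xpath = "." + xpath[len("/Event"):]
    attr = None
    if "/@" in xpath:
        xpath, attr = xpath.rsplit("/@", 1)
    elem = root.find(xpath)
    if elem is None:
        return None
    return elem.get(attr) if attr else (elem.text or "")


def lookup(xml_text: str, xpath: str) -> Optional[str]:
    """Parse a record and evaluate one expression; None when nothing is selected."""
    return eval_xpath(ET.fromstring(xml_text), xpath)


def map_matches(root: ET.Element, mapping: Dict) -> bool:
    """A map applies only when EventID, Channel and Provider all match."""
    eid = int(root.findtext("./System/EventID", "-1"))
    channel = root.findtext("./System/Channel", "")
    provider = root.find("./System/Provider")
    name = provider.get("Name", "") if provider is not None else ""
    return (eid, channel, name) == (mapping["EventId"], mapping["Channel"], mapping["Provider"])


def apply_map(xml_text: str, mapping: Dict) -> Optional[Dict[str, Optional[str]]]:
    """Return {property: value} for a matching record, or None if the map does not apply."""
    root = ET.fromstring(xml_text)
    if root.tag != "Event" or not map_matches(root, mapping):
        return None
    return {name: eval_xpath(root, xp) for name, xp in mapping["Properties"].items()}


if __name__ == "__main__":
    for prop, value in (apply_map(SAMPLE_XML, MAP) or {}).items():
        print(f"{prop:17} = {value!r}")
```

A property that comes back as None is the signal to look at: either the Data element's Name attribute differs between Windows versions, or the expression is wrong, and the XML output is where that is settled rather than the CSV.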
EvtxECmd References
Blog Posts
• Introducing EvtxECmd!!⁶⁵
Community Resources
Download EvtxECmd
EvtxECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool may not prove to be immediately useful, but should there
be a case where IIS logs are relevant, this tool can parse them!
Private Sector
For those in the Private Sector, this tool is useful for parsing IIS logs and helping to identify unique
IPs that can be geolocated and ran through useful resources like VirusTotal for IOC development.
Additionally, this tool can convert the IIS logs from flat text to CSV format for better ingestion into
Timeline Explorer.
IISGeoLocate Switches
In a PowerShell window, running .\IISGeoLocate.exe will provide the following options when
running IISGeoLocate:
Description:
iisgeolocate version 2.2.0.0
Usage:
iisGeolocate [options]
Options:
-d <d> (REQUIRED) The directory that contains IIS logs. This will be recursively searched for *.log files
--csv <csv> (REQUIRED) The directory to write results to
--sbl When true, do NOT show bad lines to console (they are still logged to a file) [default: False]
--nul When true, do NOT create updated CSV files in --csv directory [default: False]
--version Show version information
-?, -h, --help Show help and usage information
Switch Descriptions
--sbl
This switch will instruct IISGeoLocate to not display bad lines to the console. These lines will still
be written to the file being written to the location specified with the --csv switch.
Example: .\iisgeolocate.exe -d C:\inetpub\logs\LogFiles --csv C:\temp --sbl
--nul
This switch will instruct IISGeoLocate to not update the CSV file at the location specified with the
--csv switch.
IISGeoLocate Output
IISGeoLocate References
Download IISGeoLocate
IISGeoLocate can be downloaded from https://ericzimmerman.github.io/#!index.md
JLECmd
JLECmd Introduction
Description
JLECmd is a tool created by Eric Zimmerman used to parse JumpList files. JumpLists are native to
the Windows operating system and are common indicators of file access.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing JumpLists which can provide useful
evidence of file access that can be attributed to a specific user account. JumpLists can provide insight
as to when a file was last opened.
Private Sector
For those in the Private Sector, this tool is useful for parsing JumpLists which can provide useful
evidence of file access that can be attributed to a specific user account. Often, these can be used
along with Shellbags and LNK files to determine which files and folders were accessed by a threat
actor during a period of unauthorized access.
JLECmd Switches
In a PowerShell window, running .\JLECmd.exe will provide the following options when running
JLECmd:
Description:
JLECmd version 1.5.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
JLECmd [options]
Options:
-f <f> File to process. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is required
--all Process all files in directory vs. only files matching *.automaticDestinations-ms or *.customDestinations-ms [default: False]
--csv <csv> Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--json <json> Directory to save json representation to. Use --pretty for a more human readable layout
--html <html> Directory to save xhtml formatted results to. Be sure to include the full path in double quotes
While there are explanations for each switch, let’s walk through each one of the switches unique to
JLECmd in further detail.
Switch Descriptions
--all
This switch will instruct JLECmd to attempt to parse every file in the directory specified, regardless
of file extension. Output will be generated only for those files identified to be .LNK files.
Example: .\JLECmd.exe -d D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM --all
-q
This switch will instruct JLECmd to output only what files were processed rather than the parsed
data from each JumpList.
For instance, running .\JLECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\"
resulted in the following: Processed 15 out of 20 files in 0.6428 seconds
Running .\JLECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\" -q
resulted in the following: Processed 15 out of 20 files in 0.1246 seconds
--ld
This switch will instruct JLECmd to include more details about .LNK files. Specifically, JLECmd will
include the following information for each JumpList:
--fd
This switch will instruct JLECmd to include the full details of the .LNK files. An example of the
additional information included can be seen below:
>> Property store data block (Format: GUID\ID Description ==> Value)
9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3\7 App User Model Is DestList Link ==> True
--appIds
This switch will instruct JLECmd to use an AppIDs.txt file specified by the user. Default is using the built-in AppIDs.txt file included within JLECmd, which can be found here: https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt
Example: .\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win7\1b4dd67f29cb1962.automaticDestinations-ms" --appIds "C:\temp\AppIDs.txt"
--dumpTo
This switch will instruct JLECmd to dump the .LNK files associated with the JumpList to the specified
location.
Example: .\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win7\1b4dd67f29cb1962.automaticDestinations-ms" --dumpTo "D:\DFIRArtifactMuseum\testJL"
--mp
This switch will instruct JLECmd to provide more verbose timestamps. For instance, running
.\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win7\1b4dd67f29cb1962.automaticDestinations
resulted in the following:
--withDir
This switch will instruct JLECmd to list directories not accounted for in the DestList entries.
For example, running .\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b
--withDir resulted in the following extra data:
Directory: b
Parse a single JumpList and view the results within the console
JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55d32a.automaticDestinations-ms"
Parse a single JumpList and output the results to CSV at specified location
JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55d32a.automaticDestinations-ms" --csv C:\Temp
JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55d32a.automaticDestinations-ms" --json "D:\jsonOutput" --pretty
Parse a single JumpList and view the results within the console with higher precision timestamps
JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55d32a.automaticDestinations-ms" --mp
JLECmd Output
{
"Directory": [
{
"ClassId": "00450020006e00747200790000000000",
"UserFlags": 0,
"ModifiedTime": "\/Date(1646941766733)\/",
"FirstDirectorySectorId": 3,
"DirectorySize": 576,
"PreviousDirectoryId": -1,
"NextDirectoryId": -1,
"SubDirectoryId": 1,
"DirectoryName": "Root Entry",
"DirectoryType": "RootStorage",
"NodeColor": "Red"
},
{
"ClassId": "00000000000000000000000000000000",
"UserFlags": 0,
"FirstDirectorySectorId": 0,
"DirectorySize": 309,
"PreviousDirectoryId": -1,
"NextDirectoryId": 2,
"SubDirectoryId": -1,
"DirectoryName": "1",
"DirectoryType": "Stream",
"NodeColor": "Black"
},
{
"ClassId": "0069004c007300740000000000000000",
"UserFlags": 0,
"FirstDirectorySectorId": 5,
"DirectorySize": 216,
"PreviousDirectoryId": -1,
"NextDirectoryId": -1,
"SubDirectoryId": -1,
"DirectoryName": "DestList",
"DirectoryType": "Stream",
"NodeColor": "Red"
}
],
"AppId": {
"AppId": "573770283dc3d854",
"Description": "Windows Defender"
},
"DestListCount": 1,
"PinnedDestListCount": 0,
"LastUsedEntryNumber": 1,
"DestListVersion": 4,
"SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\JumpLists\\Win10\\APTSimulatorVM\\573770283dc3d854.automaticDestinations-ms",
"DestListEntries": [
{
"Hostname": "",
"VolumeDroid": "00000000000000000000000000000000",
"VolumeBirthDroid": "00000000000000000000000000000000",
"FileDroid": "00000000000000000000000000000000",
"FileBirthDroid": "00000000000000000000000000000000",
"EntryNumber": 1,
"MRUPosition": 0,
"InteractionCount": 1,
"CreatedOn": "\/Date(-12219292800000)\/",
"LastModified": "\/Date(1646941766733)\/",
"Pinned": false,
"Path": "windowsdefender://threat/",
"MacAddress": "00:00:00:00:00:00",
"Lnk": {
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X1F, Lnk",
"PropertyStore": {
"Sheets": [
]
},
"FriendlyName": "Root folder: GUID",
"Value": "Internet Explorer (Homepage)",
"ExtensionBlocks": [
]
},
{
},
"LocationFlags": 0
}
}
]
}
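The JSON above carries its timestamps in .NET's "/Date(milliseconds)/" form (milliseconds since the Unix epoch, UTC), and the CreatedOn value of -12219292800000 decodes to 1582-10-15, which is a placeholder rather than a real time. As an added example (not JLECmd's code), the Python below loads a JumpList record in this shape, converts the timestamps, treats anything before the Windows FILETIME epoch of 1601-01-01 as unset (this example's own rule, not documented JLECmd behaviour), checks DestListCount against the entries actually present, and lists entries in MRU order. The sample is a trimmed, constructed version of the record above with a second, invented entry added so the ordering is visible.

```python
"""Work with JLECmd --json output: decode .NET "/Date(ms)/" timestamps, treat
the pre-1601 placeholder as unset, and list DestList entries in MRU order.
Added example; not JLECmd's code."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

_DOTNET_DATE = re.compile(r"^/Date\((-?\d+)\)/$")
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def dotnet_date(value: str) -> Optional[datetime]:
    """'/Date(1646941766733)/' -> aware UTC datetime; None for pre-1601 placeholders."""
    m = _DOTNET_DATE.match(value)
    if not m:
        raise ValueError(f"not a .NET JSON date: {value!r}")
    when = _UNIX_EPOCH + timedelta(milliseconds=int(m.group(1)))
    return None if when < _FILETIME_EPOCH else when


def load_jumplist(text: str) -> Dict:
    """Parse one JLECmd JSON record and convert its DestList timestamps in place."""
    doc = json.loads(text)
    for entry in doc.get("DestListEntries", []):
        for key in ("CreatedOn", "LastModified"):
            if isinstance(entry.get(key), str):
                entry[key] = dotnet_date(entry[key])
    return doc


def entry_count_ok(doc: Dict) -> bool:
    """DestListCount should equal the number of entries parsed out of the stream."""
    return doc.get("DestListCount") == len(doc.get("DestListEntries", []))


def mru_order(doc: Dict) -> List[Dict]:
    """Entries most recently used first: MRUPosition 0 is the most recent."""
    return sorted(doc.get("DestListEntries", []), key=lambda e: e["MRUPosition"])


def summarize(doc: Dict) -> List[str]:
    """One line per entry in MRU order: position, entry number, last modified, path."""
    lines = []
    for e in mru_order(doc):
        lm = e["LastModified"].strftime("%Y-%m-%d %H:%M:%S") if e["LastModified"] else "(unset)"
        flag = " [pinned]" if e.get("Pinned") else ""
        lines.append(f"MRU {e['MRUPosition']:>2} entry {e['EntryNumber']:>3} {lm} {e['Path']}{flag}")
    return lines


# Constructed sample: trimmed from the record above, plus an invented second entry.
SAMPLE_JSON = r"""{
  "AppId": {"AppId": "573770283dc3d854", "Description": "Windows Defender"},
  "DestListCount": 2,
  "PinnedDestListCount": 0,
  "LastUsedEntryNumber": 2,
  "DestListVersion": 4,
  "SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\JumpLists\\Win10\\APTSimulatorVM\\573770283dc3d854.automaticDestinations-ms",
  "DestListEntries": [
    {"Hostname": "", "EntryNumber": 1, "MRUPosition": 1, "InteractionCount": 1,
     "CreatedOn": "\/Date(-12219292800000)\/", "LastModified": "\/Date(1646941766733)\/",
     "Pinned": false, "Path": "windowsdefender://threat/", "MacAddress": "00:00:00:00:00:00"},
    {"Hostname": "desktop-tmku40h", "EntryNumber": 2, "MRUPosition": 0, "InteractionCount": 3,
     "CreatedOn": "\/Date(1646930109000)\/", "LastModified": "\/Date(1646941774000)\/",
     "Pinned": true, "Path": "C:\\Users\\TestUser\\Downloads\\Sysmon", "MacAddress": "ec:63:d7:72:83:36"}
  ]
}"""

if __name__ == "__main__":
    jl = load_jumplist(SAMPLE_JSON)
    print(jl["AppId"]["Description"], "count ok:", entry_count_ok(jl))
    print("\n".join(summarize(jl)))
```

A DestListCount that disagrees with the number of entries recovered, or a LastModified that converts to the placeholder, is worth noting in the report rather than silently sorting past: the first points at a truncated or partially overwritten stream, the second at a value the application never set.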
Processing D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55d32a.automaticDestinations-ms
Entry #: 1
MRU: 1
Path: knownfolder:{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5} ==> ThisPCDesktopFolder
Pinned: True
Created on: 2022-03-10 19:33:36
Entry #: 10
MRU: 2
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt\dist
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:34
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 1
Entry #: 9
MRU: 3
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt\APTSimulator
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:34
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 1
Entry #: 8
MRU: 4
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt
Pinned: False
Created on: 2022-03-10 16:35:09
Entry #: 7
MRU: 5
Path: C:\Users\TestUser\Downloads\Sysmon
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:07
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 1
Entry #: 6
MRU: 6
Path: knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC} ==> Videos
Pinned: False
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 3
Entry #: 5
MRU: 7
Path: knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43} ==> Music
Pinned: False
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 3
Entry #: 3
MRU: 8
Path: knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7} ==> Documents
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 3
Entry #: 4
MRU: 9
Path: knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB} ==> Pictures
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36
Interaction count: 3
Entry #: 2
MRU: 10
Path: knownfolder:{374DE290-123F-4565-9164-39C4925E467B} ==> Downloads
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:34:28
Hostname: desktop-tmku40h
Last Modified
This timestamp provides a reliable indication of when a file was opened with a specific application.
JLECmd References
Blog Posts
• Jump lists in depth: Understand the format to better understand what your tools are (or aren’t) doing⁶⁹
• Introducing JLECmd!⁷⁰
• PECmd, LECmd, and JLECmd updated!⁷¹
• LECmd and JLECmd updated⁷²
• JLECmd v0.9.6.0 released⁷³
Community Resources
Download JLECmd
JLECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
⁶⁸https://binaryforay.blogspot.com/
⁶⁹https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html
⁷⁰https://binaryforay.blogspot.com/2016/03/introducing-jlecmd.html
⁷¹https://binaryforay.blogspot.com/2016/03/pecmd-lecmd-and-jlecmd-updated.html
⁷²https://binaryforay.blogspot.com/2016/04/lecmd-and-jlecmd-updated.html
⁷³https://binaryforay.blogspot.com/2016/09/jlecmd-v0960-released.html
⁷⁴https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/JumpLists
LECmd
LECmd Introduction
Description
LECmd is a tool created by Eric Zimmerman used to parse .LNK files. .LNK files are native to the
Windows operating system and are common indicators of file access.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing LNK files which can provide useful
evidence of file access that can be attributed to a specific user account. LNK files can provide insight
as to when a file was first opened and last opened.
Private Sector
For those in the Private Sector, this tool is useful for parsing LNK files which can provide useful
evidence of file access that can be attributed to a specific user account. Often, these can be used
along with Shellbags and JumpLists to determine which files and folders were accessed by a threat
actor during a period of unauthorized access.
LECmd Switches
In a PowerShell window, running .\LECmd.exe will provide the following options when running
LECmd:
Description:
LECmd version 1.5.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
LECmd [options]
Options:
-f <f> File to process. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is required
-r Only process lnk files pointing to removable drives [default: False]
-q Only show the filename being processed vs all output. Useful to speed up exporting to json and/or csv [default: False]
--all Process all files in directory vs. only files matching *.lnk [default: False]
--csv <csv> Directory to save CSV formatted results to. Be sure to include the full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--xml <xml> Directory to save XML formatted results to. Be sure to include the full path in double quotes
--html <html> Directory to save xhtml formatted results to. Be sure to include t
LECmd 80
While there are explanations for each switch, let’s walk through each one of the switches unique to
LECmd in further detail.
-r
This switch will instruct LECmd to parse .LNK files that point to a file being opened from a
removable drive ONLY.
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows\LNK\Win10 -r
-q
This switch will instruct LECmd to output only what files were processed rather than the parsed
data from each .LNK file.
For instance, running .\LECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\"
resulted in the following: Processed 554 out of 554 files in 6.4882 seconds
Running .\LECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\" -q resulted
in the following: Processed 554 out of 554 files in 0.3951 seconds
--all
This switch will instruct LECmd to attempt to parse every file in the directory specified, regardless
of file extension. Output will be generated only for those files identified to be .LNK files.
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows --all
--nid
This switch will instruct LECmd to suppress the Target ID list details. This will provide a message
similar to this in place of the Target ID list details: (Target ID information suppressed. Lnk
TargetID count: 6)
--neb
This switch will instruct LECmd to suppress the Extra blocks details. This will provide a message
similar to this in place of the Extra blocks details: (Extra blocks information suppressed. Lnk
Extra block count: 2)
--mp
This switch will instruct LECmd to provide more verbose (higher precision) timestamps. For instance, running
.\LECmd.exe -f "D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test" --mp resulted in the
following:
LECmd Command Examples
Parse a single LNK file and view the results within the console
LECmd.exe -f "C:\Temp\foobar.lnk"
Parse a single LNK file and output the results to CSV at specified location
Parse a single LNK file while suppressing Target ID list details and Extra blocks information
Parse all files in a directory (regardless of presence of .LNK file extension), but only provide output for those .LNK files that point to removable drives
Parse a single LNK file and view the results within the console with higher precision timestamps
File size: 0
Flags: HasName, HasIconLocation, IsUnicode, ForceNoLinkInfo, HasExpString, PreferEnvironmentPath
File attributes: 0
Icon index: -108
Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)
Name: @%systemroot%\system32\XpsRchVw.exe,-103
Icon Location: %systemroot%\system32\XpsRchVw.exe
>> Property store data block (Format: GUID\ID Description ==> Value)
46588ae2-4cbc-4338-bbfc-139326986dce\0 (Description not available) ==> 0
9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3\18 App User Model Installed By ==> 1
LECmd Output
Timestamps
Other Attributes
SourceFile
SourceFile will provide the file path to the LNK file being parsed.
FileSize
FileSize will provide the file size of the target file that the .LNK file is pointing to.
WorkingDirectory
WorkingDirectory will provide the parent directory that the target file resides in.
DriveType
DriveType will provide insight as to what type of drive the SourceFile resided on at the time of file
access.
VolumeSerialNumber
VolumeSerialNumber will provide the Volume Serial Number of the drive the target file resided on
at the time of file access.
LocalPath
LocalPath will provide the full path to the target file that was accessed by the user.
TargetMFTEntryNumber
TargetMFTEntryNumber will provide the MFT Entry number for the Target File in hexadecimal and
decimal.
TargetMFTSequenceNumber
TargetMFTSequenceNumber will provide the MFT Sequence number for the Target File in hexadecimal
and decimal.
MachineID
MachineID will provide the hostname of the host the target file resided on at the time of file
access, if the tracker database block is present within the LNK file.
MachineMACAddress
MachineMACAddress will provide the MAC Address for the host, if the tracker database block is
present within the LNK file.
MACVendor
MACVendor will resolve the MAC address to provide the associated vendor, if known, and if the
tracker database block is present within the LNK file.
ExtraBlocksPresent
ExtraBlocksPresent will provide insight as to whether or not extra data blocks are present within the
LNK file. The other blocks that are possible to be present within a LNK file are: TrackerDataBaseBlock
and PropertyStoreDataBlock.
LECmd References
Blog Posts
• Introducing LECmd!⁷⁶
• LECmd v0.6.0.0 released!⁷⁷
• PECmd, LECmd, and JLECmd updated!⁷⁸
• LECmd and JLECmd updated⁷⁹
Download LECmd
LECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
$SDS
$SDS contains a list of all the security descriptors on a given volume. Learn more about the $SDS
here⁸¹.
$Boot
$Boot is the NTFS metadata file for the NTFS Partition Boot Sector. Learn more about the $Boot
here⁸².
$MFT
$MFT contains metadata about every file and folder on an NTFS volume within FILE records. Learn
more about the $MFT here⁸³.
$J
$J tracks changes that were made to files and folders on an NTFS volume. Learn more about the $J
here⁸⁴.
$I30
$I30 files can provide insight into deleted and overwritten files. Learn more about $I30 files here⁸⁵.
⁸¹https://www.ntfs.com/ntfs-permissions-file-structure.htm
⁸²https://www.ntfs.com/ntfs-partition-boot-sector.htm
⁸³https://www.ntfs.com/ntfs-mft.htm
⁸⁴https://en.wikipedia.org/wiki/USN_Journal
⁸⁵https://www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/#:~:text=Interestingly%2C%20NTFS%20directory%20index%20entries%20utilize%20a%20%24FILE_NAME,trove%20of%20information%20about%20the%20file%3A%20Full%20filename
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing NTFS metadata files that can provide
invaluable information relating to the files that currently exist, previously existed, and what changes
have occurred to those files and at what time. The $MFT should be examined in nearly every instance
as that will provide insight as to which files and folders exist on a system currently. The $J should
be examined in nearly every instance as it will provide insight as to which files changed in which
ways, including but not limited to file creations, file deletions, file renames, etc. The $I30 can provide
insight into folders that no longer exist on a system.
Private Sector
For those in the Private Sector, this tool is useful for parsing NTFS metadata files that can provide
invaluable information relating to the files that currently exist, previously existed, and what changes
have occurred to those files and at what time. The $MFT can be useful in locating suspicious files
and folders that were created by a threat actor during a period of unauthorized access. The $J can
provide insight into files that no longer exist on disk and no longer have references within the $MFT,
including but not limited to threat actor tool output or evidence of malicious executables that were
deleted after being executed.
MFTECmd Switches
In a PowerShell window, running .\MFTECmd.exe will provide the following options when running
MFTECmd:
Description:
MFTECmd version 1.2.1.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
MFTECmd [options]
Options:
-f <f> File to process ($MFT | $J | $Boot | $SDS | $I30). Required
-m <m> $MFT file to use when -f points to a $J file (Use this to resolve parent path in $J CSV output).
--json <json> Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
--jsonf <jsonf> File name to save JSON formatted results to. When present, overrides default name
--csv <csv> Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--body <body> Directory to save bodyfile formatted results to. --bdl is also required when using this option
--bodyf <bodyf> File name to save body formatted results to. When present, overrides default name
--bdl <bdl> Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
--blf When true, use LF vs CRLF for newlines [default: False]
--dd <dd> Directory to save exported FILE record. --do is also required when using this option
--do <do> Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --debug to see offsets
--de <de> Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
--dr When true, dump resident files to dir specified by --csv, in 'Resident' subdirectory. Files will be named '<EntryNumber>-<SequenceNumber>_<FileName>.bin'
--fls When true, displays contents of directory specified by --de. Ignored when --de points to a file [default: False]
--ds <ds> Dump full details for Security Id as decimal or hex. Example: 624 or 0x270
--dt <dt> The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss.fffffff]
--sn Include DOS file name types [default: False]
--fl Generate condensed file listing. Requires --csv [default: False]
--at When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10 [default: False]
--rs When true, recover slack space from FILE records when processing MFT files. This option has no effect for $I30 files [default: False]
--vss Process all Volume Shadow Copies that exist on drive specified by -f [default: False]
--dedupe Deduplicate -f & VSCs based on SHA-1. First file found wins [default: False]
--debug Show debug information during processing [default: False]
--trace Show trace information during processing [default: False]
--version Show version information
-?, -h, --help Show help and usage information
-f is required. Exiting
Switch Descriptions
-m
This switch informs the tool to parse an $MFT along with its associated $J. The main benefit for this
is the resolution of the Parent Path column in the $J output, which will save examiners from having
to manually cross reference the Parent Entry ID in the $MFT to the one associated with a change
recorded in the $J. This is absolutely worth the extra effort.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\J\Win10\APTSimulatorVM\$J' -m 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv "C:\temp"
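What the -m cross-reference actually has to do, as an added example that is not MFTECmd's code: every $J record names its parent only by MFT entry and sequence number, so resolving a parent path means walking (entry, sequence) pairs back to the root directory (entry 5) and refusing to trust an entry whose sequence number has since changed, because that slot now belongs to a different file or folder. The $MFT rows, $J rows and names below are constructed; the mapping rules are this example's own, not a description of MFTECmd internals.

```python
"""Resolve ParentPath for $J (USN journal) rows from an $MFT listing.
Added example for the -m switch; not MFTECmd's code. All rows are constructed."""
from dataclasses import dataclass

ROOT_ENTRY = 5   # NTFS root directory lives in MFT entry 5 and is its own parent


@dataclass(frozen=True)
class MftRecord:
    entry: int
    sequence: int
    name: str
    parent_entry: int
    parent_sequence: int
    is_directory: bool


# Constructed $MFT rows in the shape of MFTECmd's CSV columns (not real data).
SAMPLE_MFT = [
    MftRecord(5, 5, ".", 5, 5, True),
    MftRecord(100, 2, "Users", 5, 5, True),
    MftRecord(200, 3, "alice", 100, 2, True),
    MftRecord(210, 1, "Temp", 5, 5, True),
]

# Constructed $J rows: (entry, sequence, name, parent entry, parent sequence).
# The last row points at parent 200 with sequence 2, but the $MFT now holds
# sequence 3 for entry 200: the old directory record was deleted and the slot
# reused, so that parent path cannot be recovered from this $MFT.
SAMPLE_USN = [
    (300, 1, "notes.txt", 200, 3),
    (301, 1, "tool.exe", 210, 1),
    (302, 1, "old.log", 200, 2),
]


def build_index(mft):
    """(entry, sequence) -> record: the key the $J cross-reference is done on."""
    return {(r.entry, r.sequence): r for r in mft}


def parent_path(index, entry, sequence, max_depth=64):
    """Walk parent links back to the root. Returns None if any link is missing
    or the sequence number no longer matches (entry reused after deletion).
    Root-relative paths use the '.' prefix seen in MFTECmd's ParentPath column."""
    parts = []
    for _ in range(max_depth):
        record = index.get((entry, sequence))
        if record is None:
            return None
        if record.entry == ROOT_ENTRY:
            return ".\\" + "\\".join(reversed(parts)) if parts else "."
        parts.append(record.name)
        entry, sequence = record.parent_entry, record.parent_sequence
    return None  # cycle or absurd depth: treat as unresolvable


def resolve_usn(mft, usn):
    """Attach a ParentPath to each $J row, which is what -m adds to the CSV."""
    index = build_index(mft)
    return [{
        "EntryNumber": entry, "SequenceNumber": sequence, "Name": name,
        "ParentEntryNumber": p_entry, "ParentSequenceNumber": p_seq,
        "ParentPath": parent_path(index, p_entry, p_seq),
    } for entry, sequence, name, p_entry, p_seq in usn]


if __name__ == "__main__":
    for row in resolve_usn(SAMPLE_MFT, SAMPLE_USN):
        print(f"{row['Name']:10} parent {row['ParentEntryNumber']}-"
              f"{row['ParentSequenceNumber']} -> {row['ParentPath']}")
```

The unresolved third row is the interesting one for an examiner: a $J entry whose parent sequence number no longer matches the live $MFT is evidence that the parent directory was deleted and its entry reused, which is exactly the kind of record the Private Sector paragraph above refers to.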
--body
This switch informs the tool to output to a bodyfile⁸⁶. Please note, the --bdl switch is required when
using --body.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --body C:\temp --bdl C
--bodyf
This switch informs the tool to name the bodyfile output a specified filename.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --body C:\temp --bdl C --bodyf test
--bdl
This switch informs the tool to use a specified drive letter when providing output to bodyfile format.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --body C:\temp --bdl C
--blf
This switch informs the tool to use LF instead of CRLF for line endings in the output. More information
about LF vs. CRLF can be found here⁸⁷.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv "C:\temp" --blf
⁸⁶https://forensicswiki.xyz/wiki/index.php?title=Bodyfile
⁸⁷https://www.aleksandrhovhannisyan.com/blog/crlf-vs-lf-normalizing-line-endings-in-git/
--dd
This switch informs the tool to save an exported FILE record to a specified directory. Please note,
the --do switch is required when using --dd.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --dd C:\temp --do 679
--do
This switch informs the tool which FILE record, identified by its decimal or hex offset, to dump to the
directory specified with --dd.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --dd C:\temp --do 679
--de
This switch informs the tool to dump the full details of a specific entry number.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --de 679
--dr
This switch informs the tool to dump all files resident within the $MFT to a specified directory.
Please note, the specified directory will be whatever is specified for the --csv switch.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv c:\temp --dr
--fls
This switch informs the tool to display the contents of a folder based on the data stored within the
$MFT.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --de 500 --fls
Removing the --fls switch would display the timestamps and other NTFS metadata stored about
that directory within the $MFT.
--ds
This switch informs the tool to provide information about the specified security descriptor.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\APTSimulatorVM\$Secure_$SDS' --ds 256
--sn
This switch informs the tool to include DOS file names as well as a few other columns of output.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv C:\temp --sn
The above command output a 191MB CSV compared to 122MB without the --sn switch. Also, the
above command adds additional columns within Timeline Explorer that are available in the
Column Chooser (right-click on a column header and double click on them to add them in).
--fl
This switch informs the tool to output a simple file listing of the contents of the $MFT parsed
which will include the following columns: FullPath, Extension, IsDirectory, FileSize, Created0x10,
and LastModified0x10.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv C:\temp --fl
--at
This switch informs the tool to display the timestamps even when the 0x10 and 0x30 timestamps are
identical. Normally, the 0x30 timestamps would be empty if they’re identical to the 0x10 timestamps
for the purpose of making anomalies easier to spot.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv C:\temp --at
--rs
This switch informs the tool to attempt to recover slack space from FILE records.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv C:\temp --rs
MFTECmd Command Examples
Parse a $MFT and dump the full details for entry number 5, sequence number 5 to the console
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Boot\Win10\APTSimulatorVM\$Boot'
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\APTSimulatorVM\$Secure_$SDS' --csv C:\temp
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\$I30\EricZimmerman\SecondDelete\$I30' --csv c:\temp
MFTECmd Output
SI < FN
SI < FN can be translated to Standard Information (0x10) Attribute timestamp is less than (aka earlier
than) the File Name (0x30) Attribute timestamp. This is meant to point out a potential indicator of
timestomping occurring on the volume being analyzed. Learn more about timestomping here⁸⁸ and
here⁸⁹.
u Sec Zeros
u Sec Zeros indicates that the subseconds of a timestamp has been zeroed out. An example of a
zeroed out subsecond value would be 2022-12-34 12:34:56.0000000. Prior to being timestomped, that
timestamp likely looked similar to this: 2022-12-34 12:34:56.1234567 where the subsecond values were
not zeroed out.
⁸⁸https://www.kroll.com/en/insights/publications/cyber/anti-forensic-tactics/anti-forensics-tactics-timestomping
⁸⁹https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Copied
Copied indicates that the Last Modified timestamp value occurs before the Creation timestamp
of a given file or folder. How can this be? During a file copy operation, the file being copied’s
Creation timestamp is untouched but the Last Modified timestamp will reflect the time of file copy.
This can often result in a file showing as being modified before it existed, which is impossible.
MFTECmd recognizes this and will provide an indicator in this Copied column as to whether or not
the timestamps indicate such a file copy operation may have occurred.
{
  "EntryNumber": 0,
  "SequenceNumber": 1,
  "ParentEntryNumber": 5,
  "ParentSequenceNumber": 5,
  "InUse": true,
  "ParentPath": ".",
  "FileName": "$MFT",
  "Extension": "",
  "IsDirectory": false,
  "HasAds": false,
  "IsAds": false,
  "FileSize": 274202624,
  "Created0x10": "2022-03-10T19:30:21.3503859+00:00",
  "LastModified0x10": "2022-03-10T19:30:21.3503859+00:00",
  "LastRecordChange0x10": "2022-03-10T19:30:21.3503859+00:00",
  "LastAccess0x10": "2022-03-10T19:30:21.3503859+00:00",
  "UpdateSequenceNumber": 0,
  "LogfileSequenceNumber": 960937622,
  "SecurityId": 256,
  "SiFlags": 6,
  "ReferenceCount": 1,
  "NameType": 3,
  "Timestomped": false,
  "uSecZeros": false,
  "Copied": false,
  "FnAttributeId": 3,
  "OtherAttributeId": 6
},
0|c:/$MFT|0-128-6|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|1646940621|1646940621
0|c:/$MFT ($FILE_NAME)|0-48-3|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|1646940621|1646940621
0|c:/$MFTMirr|1-128-1|r/rrwxrwxrwx|0|0|4096|1646940621|1646940621|1646940621|1646940621
0|c:/$MFTMirr ($FILE_NAME)|1-48-2|r/rrwxrwxrwx|0|0|4096|1646940621|1646940621|1646940621|1646940621
0|c:/$LogFile|2-128-1|r/rrwxrwxrwx|0|0|67108864|1646940621|1646940621|1646940621|1646940621
0|c:/$LogFile ($FILE_NAME)|2-48-2|r/rrwxrwxrwx|0|0|67108864|1646940621|1646940621|1646940621|1646940621
0|c:/$Volume|3-128-3|r/rrwxrwxrwx|0|0|0|1646940621|1646940621|1646940621|1646940621
0|c:/$Volume ($FILE_NAME)|3-48-1|r/rrwxrwxrwx|0|0|0|1646940621|1646940621|1646940621|1646940621
0|c:/$AttrDef|4-128-1|r/rrwxrwxrwx|0|0|2560|1646940621|1646940621|1646940621|1646940621
0|c:/$AttrDef ($FILE_NAME)|4-48-2|r/rrwxrwxrwx|0|0|2560|1646940621|1646940621|1646940621|1646940621
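The three indicator columns described above (SI < FN, u Sec Zeros, Copied) evaluated against bodyfile rows like the excerpt just shown, as an added example that is not MFTECmd's code. It assumes the bodyfile layout visible in the excerpt (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, where the inode field is entry-attributeType-attributeId and a second "($FILE_NAME)" row per entry carries the 0x30 timestamps), treats the SI < FN test as a comparison of the two Created timestamps, and the rows for entries 1200 and 1300 are constructed to trigger the indicators. Because bodyfile epochs are whole seconds, the u Sec Zeros check is written against the full-precision CSV/JSON timestamp format instead.

```python
"""Evaluate MFTECmd's SI < FN, u Sec Zeros and Copied indicators from its output.
Added example; not MFTECmd's code. Sample rows are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed bodyfile. Entry 0 is untouched; entry 1200 has its 0x10 created time
# pushed behind the 0x30 created time (what a timestomp leaves behind); entry 1300
# was copied, so its 0x10 modified time precedes its 0x10 created time.
SAMPLE_BODYFILE = """\
0|c:/$MFT|0-128-6|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|1646940621|1646940621
0|c:/$MFT ($FILE_NAME)|0-48-3|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|1646940621|1646940621
0|c:/Temp/sample.exe|1200-128-1|r/rrwxrwxrwx|0|0|4096|1500000000|1500000000|1700000000|1500000000
0|c:/Temp/sample.exe ($FILE_NAME)|1200-48-2|r/rrwxrwxrwx|0|0|4096|1700000000|1700000000|1700000000|1700000000
0|c:/Users/alice/report.docx|1300-128-1|r/rrwxrwxrwx|0|0|8192|1700000100|1690000000|1700000100|1700000100
0|c:/Users/alice/report.docx ($FILE_NAME)|1300-48-2|r/rrwxrwxrwx|0|0|8192|1700000100|1700000100|1700000100|1700000100
"""
FN_SUFFIX = " ($FILE_NAME)"   # marks the row built from the 0x30 attribute


@dataclass
class BodyRow:
    name: str
    entry: int
    attr_type: int   # 48 = 0x30 $FILE_NAME, 128 = 0x80 $DATA (carries the 0x10 times)
    is_fn: bool
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_bodyfile(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"unexpected field count: {line!r}")
        entry, attr_type, _attr_id = (int(x) for x in f[2].split("-"))
        is_fn = f[1].endswith(FN_SUFFIX)
        name = f[1][:-len(FN_SUFFIX)] if is_fn else f[1]
        rows.append(BodyRow(name, entry, attr_type, is_fn,
                            int(f[7]), int(f[8]), int(f[9]), int(f[10])))
    return rows


def epoch_to_text(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def flag_anomalies(rows):
    """Pair each entry's 0x10 row with its 0x30 row and evaluate the indicators."""
    by_entry = {}
    for r in rows:
        by_entry.setdefault(r.entry, {})["fn" if r.is_fn else "si"] = r
    results = {}
    for entry, pair in sorted(by_entry.items()):
        si, fn = pair.get("si"), pair.get("fn")
        if si is None:
            continue
        results[entry] = {
            "Name": si.name,
            "Created0x10": epoch_to_text(si.crtime),
            # SI < FN: 0x10 creation earlier than 0x30 creation (timestomp candidate)
            "SI<FN": fn is not None and si.crtime < fn.crtime,
            # Copied: modified before it was created, per the 0x10 attribute
            "Copied": si.mtime < si.crtime,
        }
    return results


def usec_zeros(timestamp):
    """'u Sec Zeros' for a full-precision CSV/JSON timestamp such as
    2022-03-10T19:30:21.3503859+00:00 (True when every sub-second digit is 0)."""
    m = re.search(r":\d{2}\.(\d+)", timestamp)
    if not m:
        raise ValueError("no fractional seconds; export with --dt including .fffffff")
    return set(m.group(1)) == {"0"}


if __name__ == "__main__":
    for entry, result in flag_anomalies(parse_bodyfile(SAMPLE_BODYFILE)).items():
        print(entry, result)
```

The 1200 row is the pattern the SI < FN column is built to surface: the 0x30 timestamps are not exposed to ordinary user-mode timestamp-setting APIs, so a 0x10 creation time earlier than the 0x30 creation time has to be explained before it is trusted.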
MFTECmd References
Blog Posts
• Introducing MFTECmd!⁹⁰
• MFTECmd v0.2.6.0 released⁹¹
• MFTECmd 0.3.6.0 released⁹²
• Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags
Explorer (and SBECmd), and Registry Explorer (and RECmd)⁹³
Community Resources
Download MFTECmd
MFTECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Prefetch files which can help provide
evidence of program execution. This may be useful in situations where crimes are being investigated
that involve media players and photo viewers. Historical run times of the program can be useful in
establishing a pattern of activity relating to application use.
Private Sector
For those in the Private Sector, this tool is useful for parsing Prefetch files which can help
provide evidence of execution of suspicious applications used by a threat actor during a period
of unauthorized access.
PECmd Switches
In a PowerShell window, running .\PECmd.exe will provide the following options when running
PECmd:
Description:
PECmd version 1.5.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
PECmd [options]
Options:
-f <f> File to process. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is required
-k <k> Comma separated list of keywords to highlight in output. By default, 'temp' and 'tmp' are highlighted. Any additional keywords will be added to these
-o <o> When specified, save prefetch file bytes to the given path. Useful to look at decompressed Win10 files
-q Do not dump full details about each file processed. Speeds up processing when using --json or --csv [default: False]
--json <json> Directory to save JSON formatted results to. Be sure to include the full path in double quotes
--jsonf <jsonf> File name to save JSON formatted results to. When present, overrides default name
--csv <csv> Directory to save CSV formatted results to. Be sure to include the full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--html <html> Directory to save xhtml formatted results to. Be sure to include the full path in double quotes
--dt <dt> The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
--mp When true, display higher precision for timestamps [default: False]
--vss Process all Volume Shadow Copies that exist on drive specified by -f or -d [default: False]
--dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found wins [default: False]
--debug Show debug information during processing [default: False]
--trace Show trace information during processing [default: False]
--version Show version information
-?, -h, --help Show help and usage information
Switch Descriptions
-k
This switch informs the tool to highlight a list of keywords (comma separated)
Example: .\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" -k timeline,explorer
Within the results, one can see the (Keyword True) appended to the end of a line where the specified
keyword appears:
19: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE
20: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP
21: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS
22: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS\NET6
23: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS\NET6\TIMELINEEXPLORER (Keyword True)
-o
This switch informs the tool to output the decompressed bytes of the Prefetch file to a specified
location. Please note, this works in Windows 10 and newer as those operating systems compress
Prefetch files.
Example: .\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" -o D:\Prefetch
Please note, in the above example a binary file called Prefetch will be output to the root of the D:\
drive. Do not expect PECmd to output the bytes as a binary file into the D:\Prefetch folder.
--mp
This switch will instruct PECmd to provide more verbose timestamps. For instance, running
.\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" --mp resulted in the
following:
--vss
This switch informs the tool to mount Volume Shadow Copies from the drive letter specified using
the -f or -d switch and parse Prefetch files present within.
Example: .\PECmd.exe -d "C:\temp\prefetch" --vss
PECmd Command Examples
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
Parse a directory of Prefetch files and output to console window with specified keywords highlighted in the output
Parse a directory of Prefetch and output to CSV to a specified location with the filename foo.csv and output to JSON to a specified location
PECmd.exe -d "C:\Windows\Prefetch"
PECmd Output
The timeline output will provide all of the entries from the PECmd output in a single timeline sorted
on the run time stored within Prefetch.
{
  "SourceFilename": "C:\\temp\\prefetch\\TIMELINEEXPLORER.EXE-959F92B3.pf",
  "SourceCreated": "2022-05-28 03:22:25",
  "SourceModified": "2022-07-08 12:42:40",
  "SourceAccessed": "2022-09-09 03:22:30",
  "ExecutableName": "TIMELINEEXPLORER.EXE",
  "Hash": "959F92B3",
  "Size": "447074",
  "Version": "Windows 10 or Windows 11",
  "RunCount": "24",
  "LastRun": "2022-07-08 12:42:38",
  "PreviousRun0": "2022-06-29 17:56:46",
  "PreviousRun1": "2022-06-28 13:06:32",
  "PreviousRun2": "2022-06-26 02:57:37",
  "PreviousRun3": "2022-06-22 18:12:52",
  "PreviousRun4": "2022-06-13 20:37:15",
  "PreviousRun5": "2022-06-11 20:57:04",
  "PreviousRun6": "2022-06-10 17:50:59",
  "Volume0Name": "\\VOLUME{01d7b51f5d5ed7cd-b45d68a4}",
  "Volume0Serial": "B45D68A4",
  "Volume0Created": "2021-09-29 10:47:14",
  "Directories": TooManyToListHere
  "FilesLoaded": TooManyToListHere
  "ParsingError": false
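Building the single run-time timeline described above from several PECmd JSON records, plus the keyword marking that -k performs, as an added example that is not PECmd's code. The two records are constructed in the shape of the JSON just shown (timestamps in the default yyyy-MM-dd HH:mm:ss format, LastRun followed by PreviousRun0 through PreviousRun6); the loaded-file paths and the second record's CALC.EXE data are made up for the example.

```python
"""Flatten PECmd JSON records into one run-time timeline and mark keyword hits.
Added example; not PECmd's code. Records below are constructed."""
from datetime import datetime

DEFAULT_KEYWORDS = ("temp", "tmp")     # always highlighted, per the -k description
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"      # PECmd's default --dt format

SAMPLE_RECORDS = [
    {
        "SourceFilename": "C:\\Windows\\Prefetch\\TIMELINEEXPLORER.EXE-959F92B3.pf",
        "ExecutableName": "TIMELINEEXPLORER.EXE", "RunCount": "3",
        "LastRun": "2022-07-08 12:42:38",
        "PreviousRun0": "2022-06-29 17:56:46", "PreviousRun1": "2022-06-28 13:06:32",
        "FilesLoaded": [
            "\\VOLUME{01d7b51f5d5ed7cd-b45d68a4}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
            "\\VOLUME{01d7b51f5d5ed7cd-b45d68a4}\\USERS\\CFUSER\\APPDATA\\LOCAL\\TEMP\\STAGE.TMP",
        ],
    },
    {
        "SourceFilename": "C:\\Windows\\Prefetch\\CALC.EXE-3FBEF7FD.pf",
        "ExecutableName": "CALC.EXE", "RunCount": "1",
        "LastRun": "2022-07-01 09:15:00",
        "FilesLoaded": ["\\VOLUME{01d7b51f5d5ed7cd-b45d68a4}\\WINDOWS\\SYSTEM32\\CALC.EXE"],
    },
]


def run_times(record):
    """LastRun plus PreviousRun0..PreviousRun6: the eight run times a Windows 8+
    prefetch file keeps. RunCount can therefore exceed the number of timestamps."""
    times = [record["LastRun"]]
    for i in range(7):
        value = record.get(f"PreviousRun{i}")
        if value:
            times.append(value)
    return times


def build_timeline(records):
    """One (run time, executable, source .pf) row per stored run, newest first."""
    rows = [(datetime.strptime(ts, TIME_FORMAT), rec["ExecutableName"], rec["SourceFilename"])
            for rec in records for ts in run_times(rec)]
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


def highlight(paths, extra_keywords=()):
    """Pair each loaded path with a keyword-hit flag, as PECmd's '(Keyword True)' does.
    Matching is case-insensitive; extra keywords are added to the defaults."""
    keywords = tuple(k.lower() for k in DEFAULT_KEYWORDS + tuple(extra_keywords))
    return [(p, any(k in p.lower() for k in keywords)) for p in paths]


if __name__ == "__main__":
    for when, exe, source in build_timeline(SAMPLE_RECORDS):
        print(when.strftime(TIME_FORMAT), exe, source)
    for path, hit in highlight(SAMPLE_RECORDS[0]["FilesLoaded"], ["ntdll"]):
        print(path, "(Keyword True)" if hit else "")
```

Sorting the flattened rows rather than the records is what lets a single timeline interleave runs of different executables, which is the view the chapter's timeline output provides.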
PECmd References
Blog Posts
Community Resources
• Prefetch Forensics¹⁰³
• Forensic Investigation : Prefetch File¹⁰⁴
• DFIR Playbook - Windows Forensics(WIP APR21)¹⁰⁵
Download PECmd
PECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Recycle Bin files which can provide
indications of what files were deleted when and by which user. This can be crucial for crimes
involving contraband multimedia files as key evidence.
Private Sector
For those in the Private Sector, this tool is useful for parsing Recycle Bin files which can provide
indications of what files a threat actor deleted before ending a period of unauthorized access. Often,
there will be indicators of threat actor tool output having been deleted by a compromised user
account within the Recycle Bin. This can help build out the timeline of events during a period of
unauthorized access.
RBCmd Switches
In a PowerShell window, running .\RBCmd.exe will provide the following options when running
RBCmd:
Description:
RBCmd version 1.5.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
RBCmd [options]
Options:
-d <d> Directory to recursively process. Either this or -f is required
-f <f> File to process. Either this or -d is required
-q Only show the filename being processed vs all output. Useful to speed up exporting to json and/or csv
--csv <csv> Directory to save CSV formatted results to. Be sure to include the full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--dt <dt> The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss [default: yyyy-MM-dd HH:mm:ss]
--debug Show debug information during processing [default: False]
--trace Show trace information during processing [default: False]
--version Show version information
-?, -h, --help Show help and usage information
Switch Descriptions
Thankfully, RBCmd doesn’t have any unique switches that aren’t already covered in the common
switches chapter.
RBCmd Command Examples
Parse a legacy INFO2 Recycle Bin artifact and output to the console window
RBCmd.exe -f "C:\Temp\INFO2"
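What RBCmd recovers from the modern per-file Recycle Bin metadata, as an added example that is not RBCmd's code: a reader for the Vista and later $I file, which stores the original size, the deletion time and the original path, while the deleting account comes from the SID-named folder the $I file sits in. It assumes the documented $I layout (u64 version, u64 size, FILETIME, then either a fixed 520-byte UTF-16LE path for version 1 or a u32 character count, terminator included, followed by the UTF-16LE path for version 2). The sample bytes, path, SID and $I file name are constructed.

```python
"""Parse Windows Vista+ Recycle Bin $I metadata files.
Added example; not RBCmd's code. Sample bytes are constructed."""
import struct
from datetime import datetime, timezone

FILETIME_EPOCH_DIFF = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01
V1_PATH_FIELD = 520                        # fixed-size path field, Vista through 8.1


def filetime_to_text(ft):
    seconds, _ticks = divmod(ft - FILETIME_EPOCH_DIFF, 10_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def owner_sid(source_path):
    """$Recycle.Bin\\<SID>\\$I...: the folder name identifies the deleting account."""
    parts = source_path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts):
        if part.lower() == "$recycle.bin" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def parse_dollar_i(data, source_path=None):
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_FIELD]
    elif version == 2:                     # Windows 10 and later
        (count,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + count * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    info = {"Version": version, "FileSize": size,
            "DeletedOn": filetime_to_text(deleted), "FileName": path}
    if source_path:
        info["UserSid"] = owner_sid(source_path)
    return info


def build_sample(version):
    """Constructed $I bytes for a file deleted 2022-03-10 19:30:21 UTC."""
    path = "C:\\Users\\alice\\Documents\\quarterly.xlsx"
    ft = 132914142210000000                # FILETIME for the deletion time above
    head = struct.pack("<QQQ", version, 48_213, ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(V1_PATH_FIELD, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    sample_source = "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$IABCDEF.xlsx"
    for v in (1, 2):
        print(parse_dollar_i(build_sample(v), sample_source))
```

The matching $R file holds the deleted content itself; the $I file is what gives the examiner the when, the where and, through its parent folder, the who.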
RBCmd Output
RBCmd References
Blog Posts
Download RBCmd
RBCmd can be downloaded from https://ericzimmerman.github.io/#!index.md
RecentFileCacheParser Switches
In a PowerShell window,
 running .\RecentFileCacheParser.exe will provide the following options
when running RecentFileCacheParser:
Description:
RecentFileCacheParser version 1.5.0.0
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
RecentFileCacheParser [options]
Options:
-f <f> File to process. Required
--csv <csv> Directory to save CSV formatted results to. Be sure to include the full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, overrides default name
--json <json> Directory to save json representation to. Use --pretty for a more human readable layout
--pretty When exporting to json, use a more human readable layout [default: False]
-q Only show the filename being processed vs all output. Useful to speed up exporting to json and/or csv [default: False]
--version Show version information
-?, -h, --help Show help and usage information
-f is required. Exiting
Switch Descriptions
Thankfully, RecentFileCacheParser doesn’t have any unique switches that aren’t already covered in
the common switches chapter.
RecentFileCacheParser Output
File names
c:\windows\system32\werfault.exe
c:\program files\jetico\bcwipe\bcwipesvc.exe
c:\program files\jetico\bcwipe\bcwipetm.exe
c:\windows\system32\icacls.exe
c:\windows\system32\systempropertiesprotection.exe
c:\windows\bcuninstall.exe
{
  "SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\RecentFileCache\\Win7\\EricZimmerman\\RecentFileCache.bcf",
  "SourceCreated": "\/Date(1656814015362)\/",
  "SourceModified": "\/Date(1656814015362)\/",
  "SourceAccessed": "\/Date(1662743665086)\/",
  "FileNames": [
    "c:\\windows\\system32\\werfault.exe",
    "c:\\program files\\jetico\\bcwipe\\bcwipesvc.exe",
    "c:\\program files\\jetico\\bcwipe\\bcwipetm.exe",
    "c:\\windows\\system32\\icacls.exe",
    "c:\\windows\\system32\\systempropertiesprotection.exe",
    "c:\\windows\\bcuninstall.exe"
  ]
}
RecentFileCacheParser References
Download RecentFileCacheParser
RecentFileCacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Registry hives which can contain a
wealth of artifacts that can be attributed to a specific user of interest. There are artifacts within
the Windows Registry that can help prove evidence of program execution, evidence of file opening,
evidence of user logon, and many more. The Registry is simply too valuable to ignore on almost any
possible criminal investigation.
Private Sector
For those in the Private Sector, this tool is useful for parsing Registry hives which can contain possible
indicators of threat actor persistence. Additionally, the user-attributable artifacts listed above can
be useful when targeting the activity of compromised user accounts.
If you are looking for guidance on how to create RECmd Batch Files, look no further than the
following resources:
Additionally, please check out Andrew Rathbun’s 2021 SANS DFIR Summit presentation on EZ
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here¹¹² for a
timestamped link to the section of the presentation that relates to RECmd Batch Files.
¹¹⁰https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/!RECmdBatch.guide
¹¹¹https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/!RECmdBatch.template
¹¹²https://youtu.be/mIb1GQP3ciE?t=318
RECmd Switches
In a PowerShell window, running .\RECmd.exe will provide the following options when running
RECmd:
```
Command line:
Description:
  RECmd version 2.0.0.0
  Note: Enclose all strings containing spaces (and all RegEx) with double quotes
  Example: RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
           RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
           RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
Usage:
  RECmd [options]
Options:
  -d <d>               Directory to look for hives (recursively). -f or -d is required
  -f <f>               Hive to search. -f or -d is required
  --kn <kn>            Display details for key name. Includes subkeys and values
  --vn <vn>            Value name. Only this value will be dumped
  --bn <bn>            Use settings from supplied file to find keys/values. See included sample file for examples
  --csv <csv>          Directory to save CSV formatted results to. Required when -bn is used
  --csvf <csvf>        File name to save CSV formatted results to. When present, overrides default name
  --saveTo <saveTo>    Saves --vn value data in binary form to file. Expects path to a FILE
  --json <json>        Export --kn to directory specified by --json. Ignored when --vn is specified
  --jsonf <jsonf>      When true, compress names for profile based hives.
  --details            Show more details when displaying results [default: False]
  --base64 <base64>    Find Base64 encoded values with size >= Base64 (specified in bytes)
  --minSize <minSize>  Find values with data size >= MinSize (specified in bytes)
  --sa <sa>            Search for <string> in keys, values, data, and slack
  --sk <sk>            Search for <string> in value record's key names
  --sv <sv>            Search for <string> in value record's value names
  --sd <sd>            Search for <string> in value record's value data
  --ss <ss>            Search for <string> in value record's value slack
  --literal            If true, --sd and --ss search value will not be interpreted as ASCII or Unicode byte strings [default: False]
  --nd                 If true, do not show data when using --sd or --ss [default: False]
  --regex              If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression [default: False]
  --dt <dt>            The custom date/time format to use when displaying time stamps [default: yyyy-MM-dd HH:mm:ss.fffffff]
  --nl                 When true, ignore transaction log files for dirty hives [default: False]
  --recover            If true, recover deleted keys/values [default: False]
  --vss                Process all Volume Shadow Copies that exist on drive specified by -f or -d [default: False]
  --dedupe             Deduplicate -f or -d & VSCs based on SHA-1. First file found wins [default: False]
  --sync               If true, the latest batch files from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples are downloaded and local files updated [default: False]
  --debug              Show debug information during processing [default: False]
  --trace              Show trace information during processing [default: False]
  --version            Show version information
  -?, -h, --help       Show help and usage information
```
Switch Descriptions
--kn
This switch informs the tool to dump the full details of a provided key within the Registry.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win10\APTSimulatorVM" --kn ROOT\ControlSet001\Control\BackupRestore\FilesNotToBackup
--vn
This switch informs the tool to dump the full details of the value name specified. Please note,
one of the following switches is required when using --vn: --sk, --sv, --sd, --ss, --kn, --base64,
--minSize, or --bn.
--bn
This switch informs the tool to use a specified batch file when parsing registry hives.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win10\APTSimulatorVM" --bn BatchExamples\Kroll_Batch.reb --csv C:\temp
Please note, the Kroll Batch file is the most updated and actively maintained RECmd Batch file.
--saveTo
This switch informs the tool to save the binary data from a specified value name to a specified
location.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win10\APTSimulatorVM" --kn "ROOT\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" --vn LastLoggedOnSAMUser --saveTo c:\temp\output
Please note, output is a binary file that can be opened in a text editor to view the contents.
--details
This switch informs the tool to display more details when displaying results.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware
--base64
This switch informs the tool to search for Base64-encoded values whose size is at least the number
of bytes specified.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM" --base64 10
--minSize
This switch informs the tool to search for values with a minimum size in bytes.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM" --minSize 500
```
Found 18 search hits with size greater or equal to 500 bytes in D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM\SAM
Key: SAM\Domains\Account\Users\000001F4, Value: V, Size: 688
Key: SAM\Domains\Account\Users\000001F5, Value: V, Size: 664
Key: SAM\Domains\Account\Users\000001F7, Value: V, Size: 680
Key: SAM\Domains\Account\Users\000001F8, Value: V, Size: 836
Key: SAM\Domains\Account\Users\000001F8, Value: SupplementalCredentials, Size: 1,168
Key: SAM\Domains\Account\Users\000003E9, Value: V, Size: 580
Key: SAM\Domains\Builtin\Aliases\00000221, Value: C, Size: 560
Key: SAM\Domains\Builtin\Aliases\00000222, Value: C, Size: 600
Key: SAM\Domains\Builtin\Aliases\00000223, Value: C, Size: 520
Key: SAM\Domains\Builtin\Aliases\00000227, Value: C, Size: 504
Key: SAM\Domains\Builtin\Aliases\0000022C, Value: C, Size: 564
Key: SAM\Domains\Builtin\Aliases\0000022F, Value: C, Size: 664
Key: SAM\Domains\Builtin\Aliases\00000232, Value: C, Size: 504
Key: SAM\Domains\Builtin\Aliases\00000242, Value: C, Size: 504
Key: SAM\Domains\Builtin\Aliases\00000243, Value: C, Size: 584
Key: SAM\Domains\Builtin\Aliases\00000244, Value: C, Size: 744
Key: SAM\Domains\Account\Users\000003E8, Value: V, Size: 632 (Deleted: True)
Key: SAM\Domains\Account\Users\000003E8, Value: SupplementalCredentials, Size: 1,552 (Deleted: True)
```
--sa
This switch informs the tool to search for a specified string within keys, values, data, and slack.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sa VMware
--sk
This switch informs the tool to search for a specified string within a value record’s key names.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sk VMware
The above command provides results similar to the following:
--sv
This switch informs the tool to search for a specified string within a record’s value names.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sv VMware
--sd
This switch informs the tool to search for a specified string within a value record’s value data.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware
The above command provides results similar to the following:
--ss
This switch informs the tool to search for a specified string within a value record’s slack.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --ss VMware
The above command will provide no results.
--literal
This switch informs the tool to not interpret the specified string as ASCII or Unicode byte strings.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --literal
--nd
This switch informs the tool to not show data when using --sd or --ss.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --nd
--regex
This switch informs the tool to treat the specified string as a regular expression for the following
switches: --sk, --sv, --sd, and --ss.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd
"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?
--regex
The above regular expression is the IPv4 regular expression taken from here¹¹³.
--nl
--recover
--sync
This switch will inform the tool to download all RECmd Batch Files from GitHub¹¹⁴ and update the
local Batch Files stored in .\RECmd\BatchExamples.
Example: .\RECmd.exe --sync
¹¹⁴https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
Parse a specified file for specified regular expression within the value names
RECmd Output
The above command will dump from the ROOT (aka topmost) key in the hive, regardless of what
it’s called, to JSON.
RECmd References
Blog Posts
• Introducing RECmd!¹¹⁵
• RECmd 0.6.0.0 released!¹¹⁶
• RECmd 0.6.1.0 released!¹¹⁷
• Reintroducing Registry Explorer and RECmd!¹¹⁸
• Registry Explorer/RECmd 0.7.1.0 released!¹¹⁹
• Registry values starting with a NULL character¹²⁰
• Updates to the left of me, updates to the right of me, version 1 releases are here (for the most part)¹²¹
• Everything gets an update, Sept 2018 edition¹²²
• Registry Explorer and RECmd 1.2.0.0 released!¹²³
• Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags Explorer (and SBECmd), and Registry Explorer (and RECmd)¹²⁴
Community Resources
Download RECmd
RECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
¹¹⁵https://binaryforay.blogspot.com/2015/05/introducing-recmd.html
¹¹⁶https://binaryforay.blogspot.com/2015/05/recmd-0600-released.html
¹¹⁷https://binaryforay.blogspot.com/2015/06/recmd-0610-released.html
¹¹⁸https://binaryforay.blogspot.com/2015/07/reintroducing-registry-explorer-and.html
¹¹⁹https://binaryforay.blogspot.com/2015/07/registry-explorerrecmd-0710-released.html
¹²⁰https://binaryforay.blogspot.com/2016/01/registry-values-starting-with-null.html
¹²¹https://binaryforay.blogspot.com/2018/03/updates-to-left-of-me-updates-to-right.html
¹²²https://binaryforay.blogspot.com/2018/09/everything-gets-update-sept-2018-edition.html
¹²³https://binaryforay.blogspot.com/2019/01/registry-explorer-and-recmd-1200.html
¹²⁴https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
¹²⁵https://aboutdfir.com/toolsandartifacts/windows/registry-explorer-recmd/
RLA Switches
In a PowerShell window, running .\RLA.exe will provide the following options when running RLA:
```
Command line:
Description:
  rla version 2.0.0.0
Usage:
  rla [options]
Options:
  -f <f>       Hive to process. -f or -d is required
  -d <d>       Directory to look for hives (recursively). -f or -d is required
  --out <out>  Directory to save updated hives to. Only dirty hives with logs applied will end up in --out directory
  --ca         When true, always copy hives to --out directory, even if they aren't dirty. [default: True]
  --cn         When true, compress names for profile based hives. [default: True]
  --debug      Show debug information during processing [default: False]
  --trace      Show trace information during processing [default: False]
  --version    Show version information
```
RLA 147
Switch Descriptions
--out
This switch will output updated hives (aka dirty -> clean) to the specified directory. This will only
occur if there are dirty hives with transaction logs applied.
Example: .\rla.exe -d "D:\TODO" --out "D:\TODO\clean"
--ca
This switch will tell RLA.exe to always copy hives to the specified directory, even if they aren’t dirty.
Example: .\rla.exe -d "D:\Hives" --out "D:\Hives\clean" --ca
--cn
Replay transaction logs from a directory of Registry hives and output the clean Registry hives to a specified location
RLA References
Download RLA
RLA can be downloaded from https://ericzimmerman.github.io/#!index.md
SBECmd
SBECmd Introduction
SBECmd is a tool created by Eric Zimmerman used to parse the NTUSER.dat and UsrClass.dat
Registry hives. These hives contain shell items recorded by Windows which indicate which folders a
user has traversed.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the NTUser.dat and UsrClass.dat user
Registry hives which will contain artifacts of folder traversal. Since the NTUser.dat and UsrClass.dat
Registry hives exist for each user, one can attribute the folder traversal artifacts to a specific account.
For Law Enforcement, these artifacts may provide pointers to folders or ZIP files that no longer exist.
This artifact will provide the first and last time the specific user interacted with a specific folder or
ZIP file, in most cases.
Private Sector
For those in the Private Sector, this tool is useful for enumerating what a user of interest did during
unauthorized access to a given host. Often, artifacts from periods of unauthorized access will
show the threat actor accessing and viewing files and folders that are highly sensitive to the client’s
business.
SBECmd 149
SBECmd Switches
In a PowerShell window, running .\SBECmd.exe will provide the following options when running
SBECmd:
```
Description:
  SBECmd version 2.0.0.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
  SBECmd [options]
Options:
  -d <d>         Directory to look for registry hives. This or -l is required
  -l             Process live registry (Requires Administrator rights). This or -d is required [default: False]
  --csv <csv>    Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
  --csvf <csvf>  File name to save CSV formatted results to. When present, overrides default name
  --dedupe       When true, SBECmd processes all hives in -d <directory> and removes duplicates. See manual for details [default: False]
  --dt <dt>      The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --nl           When true, ignore transaction log files for dirty hives [default: False]
  --debug        Show debug information during processing [default: False]
-d or -l required. Exiting
```
Switch Descriptions
-l
This switch will inform SBECmd to process the live user Registry hives.
Example: .\SBECmd.exe -l --csv D:\temp\sbecmd
The above command will output a filename similar to this: YYYYMMDD_HHMMSS_hostname_LIVE_REGISTRY.csv
--nl
This switch informs the tool whether to replay transaction logs or not.
Below is an example of replaying transaction logs:
Example: .\SBECmd.exe -d "D:\temp\hives" --nl false --csv "D:\temp"
When processing transaction logs, you will see a message similar to this:
```
Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...
Sequence numbers do not match! Hive is dirty and the transaction logs should be reviewed for relevant data!
Found 1,024 cache entries for Windows10Creators in ControlSet001
```
Parse offline user Registry hives and output to CSV to a specified location
Parse offline user Registry hives and output to CSV to a specified location with timestamps adjusted to a specified timezone
Parse offline user Registry hives and output to CSV to a specified location with deduplicated output
SBECmd Output
Username_NTUSER.csv
Username_usrClass.csv
If the system you’re analyzing has had 100 users who have traversed directories at some point in
time, you should see 200 CSVs for your output!
The FirstInteracted timestamp for a shell item will provide you with the timestamp of the first time
a given user had traversed a directory within Windows. The LastInteracted timestamp for a shell
item will provide you with the last time a given user had traversed a directory within Windows.
There are no timestamps for in between those two bookends within this artifact.
SBECmd References
Blog Posts
Download SBECmd
SBECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing SQLite databases, which often store
common web browser artifacts. SQLECmd can also serve as a validation tool for many commonly used
forensic suites that parse browsing history. The SQLite queries are available on GitHub and
can be modified by the community if the database schema ever evolves to the point where the current
SQLite queries no longer work. Additionally, this tool can be used to parse mobile artifacts,
which can serve as a validation tool for common mobile forensic suites.
Private Sector
For those in the Private Sector, this tool is useful for parsing SQLite databases which often store
common web browser artifacts.
SQLECmd Maps
https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
If you are looking for guidance on how to create SQLECmd Maps, look no further than the following
resources:
Additionally, please check out Andrew Rathbun’s 2021 SANS DFIR Summit presentation on EZ
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here¹³⁸ for a
timestamped link to the section of the presentation that relates to SQLECmd Maps.
¹³⁶https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/!OS_Application_OptionalDescription.guide
¹³⁷https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/!OS_Application_OptionalDescription.template
¹³⁸https://youtu.be/mIb1GQP3ciE?t=682
SQLECmd 156
SQLECmd Switches
In a PowerShell window, running .\SQLECmd.exe will provide the following options when running SQLECmd:
```
Description:
  SQLECmd version 1.0.0.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
  SQLECmd [options]
Options:
  -f <f>         File to process. This or -d is required
  -d <d>         Directory to process that contains SQLite files. This or -f is required
  --csv <csv>    Directory to save CSV formatted results to
  --json <json>  Directory to save JSON formatted results to
  --dedupe       Deduplicate -f or -d files based on SHA-1. First file found wins [default: True]
  --hunt         When true, all files are looked at regardless of name and file header is used to identify SQLite files, else filename in map is used to find databases [default: False]
  --maps <maps>  The path where event maps are located. Defaults to 'Maps' folder where program was executed [default: C:\Users\CFUser\OneDrive - Kroll\Desktop\EZ Tools\net6\SQLECmd\Maps]
  --sync         If true, the latest maps from https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps are downloaded
-f or -d is required. Exiting
```
Switch Descriptions
--hunt
This switch informs the tool to hunt for SQLite databases. This is useful due to SQLite databases
often having inconsistent file extensions (or sometimes none at all). This switch will search for the
file header for SQLite databases and inform examiners which files are SQLite databases. Please note,
only those databases that have Maps made for them will be parsed.
Example: .\SQLECmd.exe -d "D:\DFIRArtifactMuseum\Windows" --csv C:\temp --hunt
SQLECmd will display the following message when a file is not a SQLite database:
```
D:\DFIRArtifactMuseum\Windows\SRUM\Win10\RathbunVM\Clean\SRU00004.log is not a SQLite file! Skipping...
```
SQLECmd will display the following message when a SQLite database is found:
```
Processing D:\DFIRArtifactMuseum\Windows\WindowsTimeline\Win10\APTSimulatorVM\ActivitiesCache.db...
```
--maps
This switch will inform the tool to look for SQLECmd Maps at a specified location other than
.\SQLECmd\Maps.
--sync
This switch will inform the tool to download all SQLECmd Maps from GitHub¹³⁹ and update the
local Maps stored in .\SQLECmd\Maps.
Example: .\SQLECmd.exe --sync
¹³⁹https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
Parse SQLite databases located within C:\Temp and output to CSV to a specified location
Hunt for SQLite Databases recursively in a specified directory and output CSVs of any mapped databases to a specified location
The --hunt command will inform you as to which files are SQLite databases! This is very helpful
when searching for new SQLite databases to research.
SQLECmd References
Download SQLECmd
SQLECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the SRUM database which can provide
another source of program execution for media players, photo viewers, etc. Additionally, being able
to see Bytes Read and Bytes Written by various programs may help provide insight as to the size
of files certain applications were handling. This may be important relating to crimes involving
contraband multimedia files. Additionally, for P2P cases, Bytes Sent and Bytes Received artifacts
can prove to be crucial datapoints for the purpose of the investigation.
Private Sector
For those in the Private Sector, this tool is useful for parsing the SRUM database which can provide
another source of program execution for potentially malicious executables. Additionally, Bytes Sent
and Bytes Received can sometimes be the only indicator of data exfiltration in the instance of a
ransomware case. If a case is known to involve data exfiltration, the SRUM database should be a
mandatory artifact to parse and analyze so long as the suspected data exfiltration occurred within
the 30 days of when the SRUM database was parsed.
SrumECmd 161
SrumECmd Switches
In a PowerShell window, running .\SrumECmd.exe will provide the following options when running SrumECmd:
```
Description:
  SrumECmd version 0.5.1.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
  SrumECmd [options]
Options:
  -f <f>       SRUDB.dat file to parse
  -r <r>       SOFTWARE hive to process. This is optional, but recommended
  -d <d>       Directory to recursively process, looking for SRUDB.dat and SOFTWARE hive. This mode is primarily used with KAPE so both SRUDB.dat and SOFTWARE hive can be located
  --csv <csv>  (REQUIRED) Directory to save CSV formatted results to. Be sure to include the full path in double quotes
  --dt <dt>    The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --debug      Show debug information during processing [default: False]
  --trace      Show trace information during processing [default: False]
  --version    Show version information
```
Switch Descriptions
-r
This switch informs the tool to parse a SOFTWARE Registry hive at a specified location. This is
beneficial because applications referenced in the SRUM database can be resolved using data stored
within the SOFTWARE Registry hive for better results.
Example: .\SrumECmd.exe -d "C:\temp\SRUMdb" -r "C:\temp\SOFTWAREhive" --csv "C:\temp\SRUMoutput"
Please note that when using the -d switch against a directory where a SRUM database and a SOFTWARE
Registry hive reside within the subdirectories, SrumECmd will find both without needing the -r
switch to specifically point to the SOFTWARE Registry hive.
Example: .\SrumECmd.exe -d "C:\temp\KapeTriage\tout\C" --csv "C:\temp\SRUMoutput"
SrumECmd Output
• %timestamp%_SrumECmd_AppResourceUseInfo_Output.csv
• %timestamp%_SrumECmd_EnergyUsage_Output.csv
• %timestamp%_SrumECmd_NetworkConnections_Output.csv
• %timestamp%_SrumECmd_NetworkUsages_Output.csv
• %timestamp%_SrumECmd_PushNotifications_Output.csv
• %timestamp%_SrumECmd_Unknown312_Output.csv
• %timestamp%_SrumECmd_UnknownD8F_Output.csv
%timestamp%_SrumECmd_AppResourceUseInfo_Output.csv
This output can be useful for seeing which applications were running at a given time.
%timestamp%_SrumECmd_NetworkUsages_Output.csv
This output can be useful for seeing which applications were sending and receiving data. This is
helpful in Incident Response engagements where data exfiltration is an important part of the mission
for examiners.
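As an added example that is not part of the book or of SrumECmd, the following Python post-processes a NetworkUsages CSV to total bytes per executable and flag the send-heavy outliers the paragraph describes. The column names Timestamp, ExeInfo, UserName, BytesSent and BytesReceived are assumed to match the CSV header, and the sample rows are constructed.

```python
"""Rank applications by network volume from a SrumECmd NetworkUsages CSV.

Added example, not part of the book or of SrumECmd. The column names
Timestamp, ExeInfo, UserName, BytesSent and BytesReceived are assumed;
check them against the header of your own NetworkUsages CSV first.
"""
import csv
import io
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # SrumECmd's default --dt format

# Constructed sample rows in the shape of the NetworkUsages output; the
# unknown_tool.exe rows stand in for the send-heavy outlier the text describes.
SAMPLE_CSV = r"""Timestamp,ExeInfo,UserName,BytesSent,BytesReceived
2022-08-02 07:15:44,\device\harddiskvolume3\windows\system32\svchost.exe,NT AUTHORITY\SYSTEM,120000,8500000
2022-08-02 08:00:10,\device\harddiskvolume3\program files\browser\browser.exe,CORP\jdoe,900000,45000000
2022-08-02 21:30:00,\device\harddiskvolume3\users\jdoe\appdata\local\temp\unknown_tool.exe,CORP\jdoe,7800000000,120000
2022-08-03 01:12:09,\device\harddiskvolume3\users\jdoe\appdata\local\temp\unknown_tool.exe,CORP\jdoe,4200000000,90000
2022-08-03 09:00:00,\device\harddiskvolume3\program files\browser\browser.exe,CORP\jdoe,650000,30000000
"""


def parse_network_usages(csv_text):
    """Parse NetworkUsages rows, converting byte counts and timestamps."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "timestamp": datetime.strptime(raw["Timestamp"], TIME_FORMAT),
            "exe": raw["ExeInfo"],
            "user": raw["UserName"],
            "sent": int(raw["BytesSent"]),
            "received": int(raw["BytesReceived"]),
        })
    return rows


def summarize_by_exe(rows):
    """Aggregate totals, the set of users, and the active window per executable."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(row["exe"], {
            "sent": 0, "received": 0, "users": set(),
            "first": row["timestamp"], "last": row["timestamp"],
        })
        entry["sent"] += row["sent"]
        entry["received"] += row["received"]
        entry["users"].add(row["user"])
        entry["first"] = min(entry["first"], row["timestamp"])
        entry["last"] = max(entry["last"], row["timestamp"])
    return summary


def flag_exfil_candidates(summary, min_sent=1 << 30, min_ratio=10.0):
    """Return executables whose outbound volume dwarfs their inbound volume.

    Large BytesSent with little BytesReceived is the pattern the text points
    to for data exfiltration; the thresholds (1 GiB sent, 10:1 ratio) are
    tuning knobs, not fixed rules. Sorted by bytes sent, largest first.
    """
    flagged = []
    for exe, entry in summary.items():
        ratio = entry["sent"] / max(entry["received"], 1)
        if entry["sent"] >= min_sent and ratio >= min_ratio:
            flagged.append(exe)
    return sorted(flagged, key=lambda e: summary[e]["sent"], reverse=True)


def report(csv_text):
    """Print the flagged executables with their totals and active window."""
    summary = summarize_by_exe(parse_network_usages(csv_text))
    for exe in flag_exfil_candidates(summary):
        e = summary[exe]
        print(f"{exe}\n  sent={e['sent']:,} received={e['received']:,} "
              f"users={sorted(e['users'])} window={e['first']} .. {e['last']}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_CSV)
```

Point the script at the real `%timestamp%_SrumECmd_NetworkUsages_Output.csv` by replacing `SAMPLE_CSV` with the file's contents; SRUM only keeps roughly the last 30 days, so an empty result is not proof that nothing left the host.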
SrumECmd References
Blog Posts
Community Resources
Download SrumECmd
SrumECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, SumECmd may not have an immediate use unless the system(s)
being analyzed are attached to a domain. The SUM database can provide authentication history
within a Domain, IP resolution within the Domain, and the first and last time an account has
authenticated within a Domain.
Private Sector
For those in the Private Sector, SumECmd can provide helpful information regarding which
compromised accounts have authenticated where and when within a Domain. Additionally, having
visibility into the DNS history of a Domain for the current year and previous 2 years is incredibly
helpful when trying to figure out which IP address resolved to which host when.
SumECmd 168
SumECmd Switches
In a PowerShell window, running .\SumECmd.exe will provide the following options when running
SumECmd:
```
Description:
  SumECmd version 0.5.2.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
  SumECmd [options]
Options:
  -d <d>          Directory to process, looking for SystemIdentity.mdb, Current.mdb, etc. Required.
  --csv <csv>     Directory to save CSV formatted results to. Be sure to include the full path in double quotes
  --wd            Generate CSV with day level details. Default is TRUE [default: True]
  --dt <dt>       The custom date/time format to use when displaying time stamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --debug         Show debug information during processing [default: False]
  --trace         Show trace information during processing [default: False]
  --version       Show version information
  -?, -h, --help  Show help and usage information
-d is required. Exiting
```
Switch Descriptions
--wd
This switch will generate CSVs with day level details. This means an extra CSV will be generated
named TIMESTAMP_SumECmd_DETAIL_ClientsDetailed_Output.csv. When running SumECmd with
--wd false, this CSV will not generate.
SumECmd Output
%timestamp%_SumECmd_DETAIL_Clients_Output.csv
This output is useful for helping examiners observe which accounts authenticated where within a
given domain. Insert Date and Last Access can be interpreted as the first and last time an account
authenticated to the IP Address listed in the column of the same name.
%timestamp%_SumECmd_DETAIL_ClientsDetailed_Output.csv
This output provides a different look at mostly the same information as the output mentioned
above. Between this output and the one above, examiners can glean good insight into which
accounts authenticated where, when, and how many times, along with an idea of when the first and
last authentication occurred.
%timestamp%_SumECmd_DETAIL_DnsInfo_Output.csv
This output is incredibly useful for providing the examiner with historical DNS information within
the domain. If an examiner needs to know which host a certain IP address resolves to within a
domain, first locate a Domain Controller that has the ADDS role assigned (often trial and error) and
locate this table’s output!
As a protip, in Timeline Explorer, sort ascending on the hostname and then secondary sort (hold
down shift while clicking on the next column you want to sort on) on Last Seen. This will give you
a great overview of which hosts had which IP addresses when.
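As an added example that is not part of the book or of SumECmd, the following Python reproduces the hostname-then-Last-Seen view described above over a DnsInfo CSV and answers the question "which host held this IP at this time". The column names HostName, Address and LastSeen are assumed to match the CSV header, and the rows are constructed.

```python
"""Build a host -> IP history from a SumECmd DETAIL_DnsInfo CSV.

Added example, not part of the book or of SumECmd. The column names
HostName, Address and LastSeen are assumed; check them against the header
of your own DnsInfo CSV before use.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # SumECmd's default --dt format

# Constructed sample rows in the shape of the DnsInfo output (deliberately
# unsorted, as the CSV comes out of the tool).
SAMPLE_CSV = """HostName,Address,LastSeen
ws01.corp.local,10.0.5.21,2022-03-10 08:15:00
ws01.corp.local,10.0.5.33,2022-06-01 17:42:10
fs01.corp.local,10.0.5.10,2022-06-30 09:00:00
ws01.corp.local,10.0.5.21,2022-01-04 11:20:00
ws02.corp.local,10.0.5.33,2022-02-18 13:05:00
"""


def parse_time(text):
    """Parse a timestamp written in SumECmd's default --dt format."""
    return datetime.strptime(text, TIME_FORMAT)


def parse_dns_info(csv_text):
    """Read DnsInfo rows into dicts with a real datetime for LastSeen."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "host": raw["HostName"],
            "ip": raw["Address"],
            "last_seen": parse_time(raw["LastSeen"]),
        })
    return rows


def host_ip_timeline(rows):
    """The same view as the Timeline Explorer sort in the text: hostname
    ascending, then Last Seen ascending. Returns {host: [(ip, last_seen), ...]}."""
    ordered = sorted(rows, key=lambda r: (r["host"].lower(), r["last_seen"]))
    timeline = defaultdict(list)
    for r in ordered:
        timeline[r["host"]].append((r["ip"], r["last_seen"]))
    return dict(timeline)


def hosts_for_ip(rows, ip):
    """Every host the domain's DNS table ever paired with `ip`, oldest first."""
    matches = sorted((r for r in rows if r["ip"] == ip), key=lambda r: r["last_seen"])
    return [(r["host"], r["last_seen"]) for r in matches]


def host_for_ip_at(rows, ip, when):
    """Best-effort answer to 'which host had `ip` at `when`?'.

    SUM records only the last time a pairing was seen, so a pairing whose
    LastSeen is before `when` offers no evidence for that moment. Among the
    pairings still seen at or after `when`, the one with the nearest LastSeen
    is the likeliest holder; later ones belong to hosts that took the address
    afterwards. Returns None when the table offers no evidence at all.
    """
    candidates = [(ls, host) for host, ls in hosts_for_ip(rows, ip) if ls >= when]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    rows = parse_dns_info(SAMPLE_CSV)
    for host, history in host_ip_timeline(rows).items():
        for ip, last_seen in history:
            print(f"{host:18} {ip:12} last seen {last_seen}")
    print(host_for_ip_at(rows, "10.0.5.33", parse_time("2022-03-01 00:00:00")))
```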
%timestamp%_SumECmd_DETAIL_RoleAccesses_Output.csv
This output will provide examiners with an idea of which roles were assigned to the Windows Server
endpoints within a given domain along with their Role GUIDs.
%timestamp%_SumECmd_SUMMARY_ChainedDbInfo_Output.csv
This output will provide examiners with an idea of which calendar years are covered within the SUM
database for a Domain Controller within a given domain. Please note that the moment a Domain
Controller joins a domain for the first time, it will only have information from that point
forward. It will not inherit historical information within the domain from before the time the host
came online within the domain.
SumECmd References
Blog Posts
Community Resources
Download SumECmd
SumECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, VSCs may provide access to files that no longer currently exist on
the forensic image being analyzed. Taking advantage of VSCs may provide more evidence for an
investigation.
Private Sector
For those in the Private Sector, VSCs may provide more visibility into historical artifacts within
event logs, Registry hives, and NTFS metadata files. These are common sources for quick wins that
are often subject to data rolling over, so the more visibility, the better.
VSCMount 173
VSCMount Switches
In a PowerShell window, running .\VSCMount.exe will provide the following options when running VSCMount:
```
Description:
  VSCMount version 1.5.0.0
  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Usage:
  VSCMount [options]
Options:
  --dl <dl>       Source drive to look for Volume Shadow Copies (C, D:, or F:\ for example)
  --mp <mp>       The base directory where you want VSCs mapped to
  --ud            Use VSC creation timestamps (yyyyMMddTHHmmss.fffffff) in symbolic link names [default: True]
  --debug         Show debug information during processing [default: False]
  --version       Show version information
  -?, -h, --help  Show help and usage information
```
Switch Descriptions
--dl
This switch will allow for the examiner to specify which drive letter to search for Volume Shadow
Copies to be mounted. In the below example, a folder will be created at the root of the C:\ drive
labeled vssroot_C and the following folders will be created, as an example:
• vss067-20220802T071544.8950680
• vss069-20220802T111643.1360760
• vss073-20220802T151751.7332050
• vss075-20220802T191857.4091500
• vss077-20220802T231954.8229610
• vss079-20220803T145849.8753330
• vss081-20220803T154303.5886250
• vss082-20220803T185949.1160530
• vss084-20220804T122438.3318770
• vss085-20220804T125916.5830320
• vss087-20220804T170016.7516520
• vss089-20220805T002628.8687860
--mp
This switch will allow for the examiner to specify the directory in which the Volume Shadow Copies
found with the --dl switch will be mounted to for easy access.
Example: .\VSCMount.exe --dl C --mp C:\vssroot
--ud
This switch will use the creation timestamps (yyyyMMddTHHmmss.fffffff) in symbolic link names.
Given that the default is true, if you run the below command, you will find the following output
compared to the example listed above for the --dl switch:
• vss067
• vss069
• vss073
• vss075
• vss077
• vss079
• vss081
• vss082
• vss084
• vss085
• vss087
• vss089
VSCMount References
Blog Posts
• Introducing VSCMount¹⁴⁷
Download VSCMount
VSCMount can be downloaded from https://ericzimmerman.github.io/#!index.md
¹⁴⁷https://binaryforay.blogspot.com/2018/09/introducing-vscmount.html
WxTCmd
WxTCmd Introduction
WxTCmd is a tool created by Eric Zimmerman used to parse the Windows Timeline¹⁴⁸.
The Windows Timeline feature was added to Windows 10 with the 1804 (April
2018) feature update. The Windows Timeline can be found at the following location:
C:\Users\%User%\AppData\Local\ConnectedDevicesPlatform\L.CFUser\ActivitiesCache.db.
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Windows Timeline artifacts which
can provide program execution activity that can be attributed to a specific user account. This can
be useful for providing attribution of activity for various crimes involving media players, photo
viewers, etc. Establish which Windows account the suspect was using during the time of interest
and see what this artifact can provide to you.
Private Sector
For those in the Private Sector working ransomware cases, this tool is useful for parsing Windows
Timeline artifacts which can provide program execution activity that can be attributed to a specific
user account. For instance, an account compromised by a threat actor may have useful artifacts
within the user of interest’s Windows Timeline.
For insider threat cases, this artifact can provide useful program execution artifacts that can be
attributed to a specific user of interest. Any applications used by the user during the timeframe
of interest may be recorded here so long as the events occurred within 30 days of acquiring the
Windows Timeline artifact.
¹⁴⁸https://support.microsoft.com/en-us/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039
WxTCmd 178
WxTCmd Switches
In a PowerShell window, running .\WxTCmd.exe will display the following options:
Description:
  WxTCmd version 1.0.0.0

  Examples: WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\ActivitiesCache.db" --csv c:\temp

  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Usage:
  WxTCmd [options]

Options:
  -f <f>          File to process. Required
  --csv <csv>     Directory to save CSV formatted results to. Be sure to include the full path in double quotes
  --dt <dt>       The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
  --debug         Show debug information during processing [default: False]
  --trace         Show trace information during processing [default: False]
  --version       Show version information
  -?, -h, --help  Show help and usage information

-f is required. Exiting
Switch Descriptions
Thankfully, WxTCmd doesn’t have any unique switches that aren’t already covered in the common
switches chapter.
WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\ActivitiesCache.db" --csv c:\temp
WxTCmd Output
‘%timestamp%_Activity_PackageIDs.csv’
This CSV will contain GUIDs of applications that were executed on disk. Generally speaking, this
CSV is not going to be as useful as the CSV highlighted below.
‘%timestamp%__Activity.csv’
This CSV will contain the Start Time and End Time of an application’s execution by a given user. This
database is user specific, so this activity can be associated with a specific user account. Additionally,
there is a JSON payload for each entry within the Windows Timeline SQLite database that may
provide further context for an entry within the database.
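The Activity table these CSVs are built from can be read directly with SQLite. The following Python is an added example (not WxTCmd's code) that builds a constructed, minimal Activity table in memory and pulls out the fields described above: the executable from the AppId JSON, start and end times in WxTCmd's default --dt format, the duration, and the displayText from the JSON payload. The column names and the ActivityType labels (5 = ExecuteOpen, 6 = InFocus) are assumed from the Windows Timeline schema; open_activities_cache is a hypothetical helper for a real file.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType codes as WxTCmd labels them (assumed here); other codes are left numeric.
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}

# Constructed, minimal Activity table. The real table has many more columns;
# only the ones read below are defined (column names assumed from the Timeline schema).
SCHEMA = """
CREATE TABLE Activity (
    Id           BLOB,
    AppId        TEXT,
    ActivityType INTEGER,
    Payload      BLOB,
    StartTime    INTEGER,
    EndTime      INTEGER
)
"""

# Constructed sample rows. Times are Unix epoch seconds (UTC); AppId and Payload
# are JSON, as they are in a real ActivitiesCache.db. A zero EndTime means the
# activity had not ended when the row was written.
SAMPLE_ROWS = [
    (b"\x01",
     json.dumps([{"application": "C:\\Windows\\System32\\notepad.exe",
                  "platform": "windows_win32"}]),
     5,
     json.dumps({"displayText": "notes.txt"}).encode("utf-8"),
     1656633600, 1656634200),
    (b"\x02",
     json.dumps([{"application": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                  "platform": "packageId"}]),
     6,
     json.dumps({"displayText": "Calculator"}).encode("utf-8"),
     1656637200, 0),
]


def load_sample_db():
    """Build the constructed ActivitiesCache.db in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fmt_time(epoch):
    """Format epoch seconds like WxTCmd's default --dt (yyyy-MM-dd HH:mm:ss, UTC)."""
    if not epoch:
        return ""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _json_or_empty(raw):
    """Decode a JSON column defensively; one bad payload must not abort the parse."""
    if raw is None:
        return {}
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {}


def parse_activity(conn):
    """One record per Activity row, roughly what lands in %timestamp%_Activity.csv."""
    records = []
    query = ("SELECT AppId, ActivityType, Payload, StartTime, EndTime "
             "FROM Activity ORDER BY StartTime")
    for app_id, atype, payload, start, end in conn.execute(query):
        apps = _json_or_empty(app_id)
        executable = apps[0].get("application", "") if isinstance(apps, list) and apps else ""
        body = _json_or_empty(payload)
        records.append({
            "executable": executable,
            "activity_type": ACTIVITY_TYPES.get(atype, str(atype)),
            "start_time": fmt_time(start),
            "end_time": fmt_time(end),
            "duration_s": (end - start) if start and end else None,
            "display_text": body.get("displayText", "") if isinstance(body, dict) else "",
        })
    return records


def open_activities_cache(path):
    """Hypothetical helper: open a real ActivitiesCache.db read-only (never modify evidence)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for rec in parse_activity(load_sample_db()):
        print(rec)
```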
Timestamps
WxTCmd References
Blog Posts
• Introducing WxTCmd!¹⁵⁰
Community Resources
Download WxTCmd
WxTCmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Law Enforcement
For those in Law Enforcement, this tool is useful for bringing on site to a search warrant and not
having to worry about having a certain application to open a certain file type.
Private Sector
For those in the Private Sector, this tool is useful for bringing on site to a client engagement and not
having to worry about having a certain application to open a certain file type.
EZViewer Screenshot
EZViewer References
Download EZViewer
EZViewer can be downloaded from https://ericzimmerman.github.io/#!index.md
Hasher
Hasher Introduction
Hasher is a tool created by Eric Zimmerman used to generate hash values for files and/or folders.
Hasher Screenshot
Hasher Features
Hasher can generate hash values for a single file or a folder of files, as seen below.
Hasher Options
Hasher provides examiners with multiple options in the Tools -> Options menu.
Within these options, examiners can choose which hash algorithms Hasher should calculate, how
many worker threads, the default save path, default file delimiter, and other settings.
These settings will be saved within a Hasher.ini settings file.
Hasher Settings
Below is an example of Hasher.ini.
[General]
DefaultSavePath =
AutoSaveResults = False
FileDelimiter = Tab
ClearResultsBetweenRuns = False
MAXThreads = 10
[Algorithms]
MD5 = True
SHA1b32 = True
SHA1b16 = False
MD4 = False
Tiger = False
Whirlpool = False
SHA-256 = False
SHA-512 = False
RipeMD-256 = False
eMule = False
CRC32 = False
[Theme]
Theme = Visual Studio 2013 Blue
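To show how the [Algorithms] and FileDelimiter settings drive a hashing run, the following Python is an added example (not Hasher's code): it reads a constructed Hasher.ini, enables only the algorithms set to True, and streams a file through them in chunks. Algorithms hashlib does not provide (Tiger, Whirlpool, RipeMD-256, eMule, MD4) are reported as unavailable, and the SHA1b32/SHA1b16 names are taken to mean base32 and hex encodings of the same SHA-1 digest (an assumption).

```python
import base64
import configparser
import hashlib
import zlib

# Constructed Hasher.ini text mirroring the sections shown above (values chosen for this example).
SAMPLE_INI = """\
[General]
DefaultSavePath =
FileDelimiter = Tab
MAXThreads = 10
[Algorithms]
MD5 = True
SHA1b32 = True
SHA1b16 = False
SHA-256 = True
SHA-512 = False
Whirlpool = False
CRC32 = True
"""


def load_settings(ini_text):
    """Return (enabled algorithm names in INI order, output delimiter) from Hasher.ini text."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep the INI's case: "SHA1b32", not "sha1b32"
    cfg.read_string(ini_text)
    enabled = [name for name in cfg["Algorithms"] if cfg.getboolean("Algorithms", name)]
    delim = cfg.get("General", "FileDelimiter", fallback="Tab")
    return enabled, ("\t" if delim == "Tab" else delim)


class MultiHasher:
    """Feed data once, get every enabled algorithm this script supports.
    SHA1b16/SHA1b32 are hex and base32 encodings of one SHA-1 digest (assumed meaning)."""
    SUPPORTED = {"MD5", "SHA1b16", "SHA1b32", "SHA-256", "SHA-512", "CRC32"}

    def __init__(self, algorithms):
        self.algorithms = list(algorithms)
        self.unsupported = [a for a in self.algorithms if a not in self.SUPPORTED]
        self._h = {}
        if "MD5" in self.algorithms:
            self._h["MD5"] = hashlib.md5()
        if {"SHA1b16", "SHA1b32"} & set(self.algorithms):
            self._h["SHA1"] = hashlib.sha1()
        if "SHA-256" in self.algorithms:
            self._h["SHA-256"] = hashlib.sha256()
        if "SHA-512" in self.algorithms:
            self._h["SHA-512"] = hashlib.sha512()
        self._crc = 0

    def update(self, chunk):
        for h in self._h.values():
            h.update(chunk)
        if "CRC32" in self.algorithms:
            self._crc = zlib.crc32(chunk, self._crc)

    def results(self):
        out = {}
        for alg in self.algorithms:
            if alg == "MD5":
                out[alg] = self._h["MD5"].hexdigest()
            elif alg == "SHA1b16":
                out[alg] = self._h["SHA1"].hexdigest()
            elif alg == "SHA1b32":
                out[alg] = base64.b32encode(self._h["SHA1"].digest()).decode("ascii")
            elif alg in ("SHA-256", "SHA-512"):
                out[alg] = self._h[alg].hexdigest()
            elif alg == "CRC32":
                out[alg] = f"{self._crc & 0xFFFFFFFF:08x}"
            else:
                out[alg] = None  # Tiger, Whirlpool, RipeMD-256, eMule, MD4: not in hashlib
        return out


def hash_bytes(data, algorithms):
    mh = MultiHasher(algorithms)
    mh.update(data)
    return mh.results()


def hash_file(path, algorithms, chunk_size=1 << 20):
    """Stream a file through the hashers so large evidence files are never read whole into memory."""
    mh = MultiHasher(algorithms)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mh.update(chunk)
    return mh.results()


def format_row(name, hashes, delimiter):
    """One results line, file name first, using the INI-configured delimiter."""
    return delimiter.join([name] + [hashes[a] or "" for a in hashes])


if __name__ == "__main__":
    algs, delim = load_settings(SAMPLE_INI)
    print(delim.join(["File"] + algs))
    print(format_row("sample.bin", hash_bytes(b"hello world", algs), delim))
```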
Hasher 191
Hasher References
Quick Help
Below is the information located in Help -> Quick Help.
To use, select some files and/or folders and drag/drop them onto the main program window. Alternatively, use the File menu options to select files or a folder.

As files are hashed, you can sort, filter, search, etc. by interacting with the column headers: Left click to sort and right click for a context menu with many more options.

CTRL-C will copy the highlighted row to the clipboard. ALT-C will copy only the selected cell to the clipboard.

You can export the search via the File menu once hashing is complete.

You can set various options via the Options menu.
Download Hasher
Hasher can be downloaded from https://ericzimmerman.github.io/#!index.md
JumpList Explorer
JumpList Explorer Introduction
JumpList Explorer is a tool created by Eric Zimmerman that can be used to visually parse JumpList
files. JumpList files are OLE containers¹⁵⁶ like many other filetypes within the Windows operating
system.
Below is a screenshot of JumpList Explorer without any artifacts loaded.
¹⁵⁶https://learn.microsoft.com/en-us/cpp/mfc/ole-background?view=msvc-170
Search
The search bar can be enabled by clicking on the magnifying glass in the top right corner, as seen
below.
Once the magnifying glass is clicked on, the search bar will be visible, as seen below.
Find Panel
Enabling the Find panel is done by simply right-clicking on a column header and clicking Show Find
Panel, as seen below.
Once enabled, the Find panel will be visible in the top right corner, as seen below.
Revision history
2015-07-01 Rev. 1 – Initial release
2016-06-08 Rev. 2 – Updated for v0.8.1.0
2017-05-19 Rev. 3 – Updated for v0.9.0.0
2017-03-02 Rev. 4 – Updated for v1.0.0.0
2019-01-15 Rev. 5 – Updated for v1.2.0.0
2022-07-14 Rev. 6 – Leanpub release
Registry Explorer fills the gaps in existing tools and expands the capabilities of Registry viewers in
many unique and powerful ways. It is GUI based and contains powerful searching, filtering, and
other visualization concepts that make exploring Registry hives very easy while exposing all the
technical information contained in Registry hives.
RECmd was created in order to script access to Registry hives, conduct new research, and
automate searching across multiple Registry hives at once from the command line.
Because both tools use the same back end, both have the same searching and viewing capabilities,
including the full recovery of deleted keys and values. The parser also exposes value slack.
In summary, the capabilities of Registry Explorer and RECmd allow for quickly examining multiple
hives at once, and they can be leveraged to find new places where currently understood data is located
in an easy to use and systematic way. They can be used in educational settings to understand the
Registry not only at a functional level, but also from a deeply technical perspective.
Getting Started
After starting Registry Explorer, the main interface is displayed.
Settings for various things like program options, window size, slider positions, window positions,
recent searches, etc. are all saved and reloaded between program executions. You can reset these
options by deleting the relevant files under the Settings directory in the main Registry Explorer
folder. The .layout files are for the trees and grids.
Tooltips are shown when hovering over different areas of the program. For example, hovering over
the Key section of the status bar shows the following:
Interface sections
Registry hives
On the left side of the window is the Registry hives tab. This tab displays the Registry hives that have
been loaded and the keys contained therein. Once at least one hive is loaded and a key is selected,
a context menu is available by right clicking on a key. The context menu options will be discussed
below in the Key context menu section.
Available bookmarks
Next to the Registry hives tab is the Available bookmarks tab. This tab will be discussed in detail
below.
Values
The Values grid shows all the values contained in the key that is selected in the Registry hives tab.
Once a value is selected, a context menu is available by right clicking on a value. The context menu
options will be discussed below.
Value details
The Value details area contains one or more tabs that dynamically adjust depending on the type of
value selected. In every case, a type viewer will be displayed that shows the data of the selected
value. If a value has slack, a separate tab will be shown that allows you to view the slack space in a
hex viewer.
These concepts will be explained in more detail in the Using Registry Explorer section below.
Status bars
Across the bottom of the interface are several status bars as seen below.
The top status bar contains details about the path to the selected key and the selected value. On the
far left is a check box that toggles whether to show the root key name in the key path. By default,
the root key path is not shown. The screen shot below shows what this option does when turned on
and off.
By hiding the root key name, longer key paths will not be truncated as different keys are selected.
To the far right of the top status bar is a button that, when clicked, will collapse all loaded hives back
to their default state. This is a handy shortcut to clean up the Registry hives tree after interacting
with it and expanding many keys and subkeys.
Double clicking the key path will copy the key path to the clipboard. Holding Shift and double
clicking will copy only the key name to the clipboard.
Double clicking the value will copy the value’s name to the clipboard. Holding Shift and double
clicking will copy the value’s data to the clipboard.
The bottom status bar contains the last write timestamp, the status of filters for values, a section for
general status messages, an indicator of the total number of keys that are hidden from view, and the
total number of messages available on the Messages form.
Double clicking on the Total messages counter will show the Messages form. If there are any warnings
in the Messages form, the background will be changed to yellow. If there are any errors, the background
will be changed to red. When the Messages tab is viewed, the background color will be changed back
to its default.
Double clicking the last write timestamp will copy it to the clipboard.
Main menu
The main menu contains options that allows for loading hives, searching hives, opening bookmarks,
and so on. In many cases, the menu items will have shortcut keys associated with them. Pressing
the keys shown by a menu item on the keyboard will activate that menu item.
The various sections below will explain these submenus. Where things are obvious (like File | Exit),
no additional information will be provided.
File
The File menu contains options for loading hives (you can also simply drag and drop one or more
hives onto the main interface to load them) and exporting.
• Load offline hive: Allows for loading one or more hives. To select more than one file, select a
file, then hold Shift and select the last file to load. You can also hold Ctrl and click files to select
them individually.
• Unload all hives: Unloads all hives at once vs. removing one at a time
• Project: Allows for loading/saving of projects. Projects will be discussed below.
• Export ‘Registry hives’: Exports what is shown in the Registry hives tab to a variety of formats.
As an example, if the Registry hives tree looked like this:
Exporting to PDF would generate a PDF file that contains the following:
This is useful for generating reports or other documentation that is easier to manipulate than simply
taking a screen shot.
Tools
Using this option will be explained in full detail below in the Using Registry Explorer section
Options
This menu contains several options that control such things as recovering deleted records, viewing
hidden keys, etc.
• Recover deleted keys/values: When enabled (the selector is to the right), Registry Explorer will
recover any deleted records available during hive loading
• Show associated deleted records: When enabled, all associated deleted records will be shown in
a special group under the main Registry hive data. Any recovered keys that could be associated
with an active (that is, not deleted) key will also be shown in relation to the active key. This
will be explained more in a subsequent section.
• Show unassociated deleted records: Like the previous option, but this group contains all of the
keys that could not be associated with an active key.
• Show parent keys when filtering: This option changes the way the Registry hives tree works
when using the column filters. When this option is enabled, any keys that match a filter will
be displayed, along with the parent keys that the matching key belongs to as seen in the screen
shot below.
The keys highlighted in yellow are parent keys that may not contain the text entered in the filter
column.
If we turn off this option, we get a much different result as seen below.
Notice in this screen shot only the keys that match the filter criteria are shown. This can greatly
reduce noise in the results in addition to lessening the need to scroll to the keys that match the filter
criteria.
The other aspect this option controls is whether to show subkeys of keys that match a given filter.
With the option on, any subkeys of keys that match the filter will continue to be shown. With the
option off, subkeys of keys matching the filter are hidden.
• Show hidden keys: When enabled, any keys that have been hidden will be shown in the Registry
hives tree. In the screen shot below, several keys are shown.
While we haven’t discussed how to hide keys yet (it has its own section below), if we right click on
a key, an option to hide the selected key (based on the key path, not just the key name) is shown.
For example, if we hide the MuiCache key, it will disappear, as seen below.
Notice the MuiCache key is no longer visible (assuming the Show hidden keys option is off). If we
enable this option, the MuiCache key will be shown in its original place, but the icon is different to
show that it is in fact a hidden key.
When a key is hidden, the lower right corner will have a red dash to indicate this.
• Manage hidden keys: Brings up an interface to remove keys from the auto hide list. There
are two options available when hiding keys: hide for session and hide and add to auto hide.
The Manage hidden keys interface only displays key paths that have previously been added to
the auto hide list. Any key paths removed from the auto hide list will be unhidden when the
Manage hidden keys interface is closed. Additional ways to unhide keys will also be discussed
in a subsequent section.
• Skins: Allows for selecting a skin or theme that Registry Explorer will use.
• Preferences: Program options such as timestamp format, binary data as base64, etc.
The Preferences dialog allows you to change the default timestamp format and other parameters as
seen below.
Bookmarks
The Bookmarks menu contains both common (included with Registry Explorer) and user created
bookmarks to “of interest” Registry keys. Bookmarks can be created for any Registry key (we will
see how to create our own bookmarks soon). Bookmarks that are included with Registry Explorer
will show up under the ‘Common’ menu and any user created bookmarks will appear under the
‘User created’ menu.
Bookmarks live in a subdirectory of the main Registry Explorer program directory in a directory
named Bookmarks. The Bookmarks directory contains two subdirectories, Common and User. To
move a user created bookmark from the User created to Common submenu, simply move the
bookmark file from the User directory to the Common directory.
The Manage bookmarks interface can be used to edit or delete bookmarks. Additionally, simply
deleting the bookmark file from the Common or User directory will also remove the bookmark.
Bookmarks are simple json files and can also be edited with any text editor. Since they are simple
json files, exchanging a good set of bookmarks with other users is as easy as sending someone else
the bookmark files from the User directory. There is a project on GitHub, found here¹⁵⁸, that you
can push your Bookmarks to.
¹⁵⁸https://github.com/EricZimmerman/RegistryExplorerBookmarks
The main Bookmarks menu contains two numbers at the end. The first number is the total number
of Common bookmarks that exist in the selected hive and the last number is the number of User
bookmarks that exist in the selected hive. Clicking on any of the bookmarks will cause Registry
Explorer to jump to the bookmarked key.
Bookmarks are tied to a Registry hive type and a key path within that hive type. When we discuss
creating bookmarks below this will become clearer, but for now remember that each bookmark is
associated with a certain flavor of Registry hive (NTUSER, UsrClass, SYSTEM, etc.).
The Bookmarks menus dynamically adjust as hives are loaded and selected. For example, suppose
you have the following bookmarks by hive type:
• NTUSER.DAT: 40 bookmarks
• USRCLASS.DAT: 8 bookmarks
You then load an NTUSER and USRCLASS hive. The NTUSER hive contains 25 out of the 40 key
paths as defined in the NTUSER.DAT related bookmarks (25 from Common). The USRCLASS hive
contains two out of the eight bookmarks (one from common and one from user created). If you
click on anything in the NTUSER.DAT hive, the Bookmarks menu will change to show you only the
bookmarks that actually exist in the NTUSER hive, like this:
If you then click on the USRCLASS hive, the Bookmarks menu will again dynamically adjust to
show what is available in the USRCLASS hive.
Again, clicking a bookmark will jump to the key as defined in the bookmark. For example, clicking
on the BagMRU bookmark results in the following key being selected (and of course all parent keys
will be expanded so the bookmarked key is visible).
Because the Bookmarks menu dynamically adjusts itself based solely on what exists in the active
hive, you do not have to click on bookmarks before you know whether they exist. This is a huge
time saver and makes drilling down into hives much easier.
As you interact with loaded hives, the Bookmarks menu will show you at a glance how many
bookmarks are available, but as we will soon see, Registry Explorer has an even easier way to interact
with bookmarks (the Available bookmarks tab).
The bookmark names are sorted alphabetically as well so it’s easy to find the bookmark you are
interested in.
View
The total number of messages is also shown on the main window’s bottom status bar to the far right.
Double clicking the message count will show the Messages form.
As mentioned above, the background of the messages count will be yellow if a warning message
exists and red if an error message exists. The background color will return to default when the
Messages window is shown.
The Plugins option displays a list of available plugins and includes such details as the author, key
paths, and descriptions of what the plugin does.
Help
The Help menu contains three options: Quick help, Legend, and About. The Legend shows the
various icons seen in the Registry hives tree and a description about them.
The legend contains descriptions for the different icons used for various Registry objects such as
hives, keys, and existing key placeholders. The legend can be seen below.
General concepts
Once hives are loaded into Registry Explorer, Registry Explorer allows you to sort, filter, etc. on both
the tree on the left as well as any grids on the right.
Sorting
Sorting works like most every other program in that you can click on a column header to sort that
column. Here the Value Name column has been sorted.
Other options
Right clicking on a column header will bring up a context menu that allows for sorting (as well
as removing any existing sorting), grouping, and customization of columns including hiding or
showing any columns.
Filtering
A column can be filtered by clicking in the blank space below the column header and entering
something to filter by. The data will be filtered in real time and the bottom status bar will indicate
how many things have been filtered out.
When filters are in place (by entering text in the areas below the column name), information about
the active filter will be shown at the bottom of the tree or grid as shown below.
The leftmost X can be used to clear the active filter, the checkbox can be used to disable the filter
without clearing it, and the down arrow on the right side contains a history of the different filters
that have been recently used.
The ‘Edit filter’ button on the far right allows you to edit the current filter as needed. This is the
same option that is available in the context menu from above.
Conditional formatting
The Registry hives tree, Available bookmarks tree, values grid, and Find results grid all support
creating rules to format any column contained therein.
For example, by right clicking on the Key name column in the Registry hives tree, the following
menu is shown.
If we select the ‘Text that contains…’ option and enter ‘Bags’ along with how we want any matching
rows to be formatted, the tree will reflect these changes. For example, if we entered the following
conditions:
The Registry hives tree would then look like the screen shot below. The instances of ‘Bags’ in the
highlighted rows have been circled for emphasis.
These formatting options allow you to create powerful visual indicators when data that is relevant
to you is present in the hives you are looking at. Of course, all formatting options are remembered.
Use the same conditional formatting menu to edit rules.
Loading hives
To load hives into Registry Explorer, either select one or more hives and drag/drop them onto the
main interface. You can also use File | Load offline hive or press Alt+1 to select hives.
Registry Explorer will load the hives in parallel and as such, smaller hives will show up in the
interface before larger ones. When loading more than one hive at a time, check the status bar at the
bottom of the main window to see how many more hives are being processed.
After selecting a hive, Registry Explorer will fully process the hive. Once that is done, the hive will
be displayed on the main interface. The top-level node for a hive is the full file path to the hive as
seen below. The hive node has a green icon and is also in bold to differentiate it from keys.
The last write timestamp for the hive is the timestamp value from the header of the hive.
Below the hive name is the root key for the hive. The root key name can vary for every hive that
is loaded. All other keys in the active (that is, not deleted) portion of the Registry will be displayed
under the root key.
If the option to recover deleted records is enabled, up to two different virtual keys may be created:
one for Associated deleted records and one for unassociated deleted records. These virtual keys will
not be shown if there aren’t any deleted records of that type available. As discussed above, these
keys can also be hidden using the relevant option under the Options menu.
The number after Registry hives in parenthesis is the total number of hives loaded. In the example
below, there are 18 hives loaded.
Dirty hives
In some cases, Registry Explorer will inform you that a hive is dirty when it is loaded. This means
the hive’s header primary and secondary sequence numbers do not match. More importantly, there
is uncommitted data in one or more transaction logs that need to be applied to the original hive to
ensure the most recent data is presented.
The transaction logs are found in the same directory as the hive itself and end with .LOG1 and
.LOG2. Both are needed to accurately replay the transactions contained therein. Registry Explorer
will determine which logs to apply and the order to apply them.
Once the logs have been replayed, Registry Explorer will offer to save out the updated hive to a new
location. The new hive’s header sequence numbers will also be updated to match. This hive (along
with the dirty hive, optionally) can then be loaded into Registry Explorer for review.
Projects
Projects allow you to load one or more hives into Registry Explorer and save the currently loaded
hives into a project file. This lets you quickly load the same hives for a particular case instead of
having to load a bunch of hives individually. You can also drag and drop Registry Explorer project
files (.re_proj) just like you would a Registry hive.
Selecting keys
Selecting keys in Registry Explorer works much the same as it does in regedit or selecting directories
in Windows Explorer. Clicking the small arrow to the left of the key name or double clicking a key
will expand that key, displaying any subkeys that are present. If the arrow is not visible, the key does
not have any subkeys.
Keys can be double clicked and expanded, drilling down into the key hierarchy, until the key you
are interested in is located. Alternatively, you can simply start typing a key’s name and the keys will
be dynamically expanded as matching keys are found in the tree.
For example, assume Registry Explorer looks like this:
If you want to look at the contents of the BagMRU key, click on either the hive path or the root key,
then start typing BagMRU. As each letter is typed, Registry Explorer will search for matching keys
and select them. After a few keystrokes, the following key is selected.
Notice also the part of the key that matched what was typed is highlighted. While a bookmark can
be used to quickly jump to a particular key, using this technique can save a lot of time when you
know the name of the key you are interested in.
Filtering keys
The top of the Registry hives tree contains areas to enter text to filter that column. One thing to
note is that only expanded keys are included in the filter results. To filter against all keys in a hive,
use the context menu option to expand all subkeys (or press Alt+Down) before filtering. The next
section will cover the context menu in detail.
The Options | Show parent keys when filtering option affects what is shown when filtering keys. See
the Options section for a full discussion on how this option works.
While it may seem that filtering is the quickest way to find a certain key, it is quite often faster to
type the name of a key you are interested in (or better yet, using Tools | Find if it exists in more than
one place).
As in other places, the context menu changes dynamically depending on what you right click on.
For example, if you right click on a hive’s full path, you will see the option to remove the hive from
Registry Explorer. Right clicking anywhere else but the hive’s path will hide this option from view.
Similarly, if a key is hidden, an option to unhide the key will be shown, else it will be hidden, and
so on.
The key context menu looks like this:
The name of the currently selected key is shown at the top. Most options also have shortcuts which
can be used in lieu of using the mouse.
• Remove hive: Removes the loaded hive from Registry Explorer. This option is only shown when
a hive is selected (denoted by the full path to the hive name, shown in bold, and with a different
icon).
• Add bookmark: Creates a new user bookmark. Full details will be discussed below.
• Hide key
– For this session only: Hides keys matching the selected key’s path from all loaded hives
until Registry Explorer is restarted
– Hide and add to auto hide: Same as the above option, except the key’s path is remembered
between restarts of Registry Explorer. This option is useful to hide non-useful keys in the
Registry that get in your way.
• Unhide key: Unhide previously hidden keys with the same path as the selected key. If a key has
been auto hidden, this option will remove it from the auto hide list.
• Export
– To .reg format: Exports the selected key and its values to plaintext format. This file can
then be imported into the active Registry by double clicking on the generated file.
– To .reg format recursively: The same as above, except all keys and values for the selected
key and all subkeys are exported.
• Copy
– Key name: Copies the selected key’s key name to the clipboard. Double clicking the key path in the
status bar while holding Shift also copies the key name to the clipboard.
– Key path: Copies the selected key’s key path to the clipboard. Double clicking the key path in the
status bar also copies the key path to the clipboard.
– Last write time: Copies the selected key’s last write timestamp to the clipboard. Double clicking the
last write timestamp in the status bar also copies the last write timestamp to the clipboard. Double
clicking the status bar while holding Shift will copy the key name and last write timestamp to the
clipboard.
• Expand subkeys: Recursively expands the selected key and all subkeys. You can also hold the
CTRL key while right clicking a node to expand each key.
• Collapse subkeys: Collapse all subkeys below the selected key
• Technical details: Displays full technical details about the selected key, its subkeys, values,
security records, and hive header. This option will be fully explored below.
• Export
– Value data: Exports selected value’s data in binary form to a file
– Value slack: Exports selected value’s slack data in binary form to a file. If a value has no
slack, this option is disabled
• Copy
– Value summary: Copies a summary of the selected value to the clipboard. An example is
shown below.
• Data interpreter: Brings up the Data interpreter window for the currently selected value and
converts the value’s raw data to a variety of formats. The image below shows how binary
data for a 128-bit timestamp gets converted to different formats.
Value details
The Value details area will change depending on the type of value selected.
Type viewer
For all values except RegBinary values, a simple string representation of the value is shown as seen
below.
The other thing to notice here is the raw value is also shown (highlighted in yellow above). This
allows you to export out raw data into other tools, etc.
For RegBinary keys, a hex viewer will be shown to display the value’s binary data.
Selecting a byte or a range of bytes will update the Current offset and Bytes selected values at the
bottom of the hex viewer.
Slack viewer
For values that have value slack, a Slack viewer tab will be added. This viewer works the same as
the Type viewer for RegBinary values.
Double clicking on the offset allows for entering an offset to jump to in the hex display.
When viewing binary data, you can copy the selected bytes to the clipboard as either hex, ASCII, or
Unicode via the context menu:
Data interpreter
In the lower right corner of the hex viewer is a Data interpreter button. Clicking this button will bring
up the Data interpreter that converts the raw hexadecimal data into a variety of formats including
dates and times, GUIDs, IP addresses, and more. The Data interpreter window is shown below.
In the example above, a RegBinary value is selected and the 14th byte has been selected (click on a
byte to select it). To the right of the hex display is an ASCII interpretation of the binary data. In this
case, 70 corresponds to the ‘p’ character.
The Data interpreter also shows the same offset, 14, but it goes a step further and decodes the ASCII
string ‘please’ from bytes 70 6C 65 61 73 65. Registry Explorer will look for a single Null terminator
for ASCII strings (00) and double Null terminators (00 00) for Unicode strings. If no Null terminators
are found, the bytes will be interpreted from the current offset to the end of the data.
The Data interpreter can also convert GUIDs to known folder/location names as seen below.
In this case, a GUID was found at offset 0x04, 26ee0668-a00a-44d7-9371-beb064c98683, that maps to
‘Control panel.’
To copy values from the Data interpreter to the clipboard, press Ctrl+C.
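The decoding rules just described (a single 00 terminator for ASCII strings, a double 00 00 for Unicode, GUIDs mapped to known folder names, and FILETIME or 128-bit SYSTEMTIME timestamps) can be reproduced in a few lines. The following Python is an added example, not Registry Explorer's Data interpreter; the sample byte strings are constructed, and the KNOWN_FOLDERS table holds only a handful of well-known shell GUIDs, with the Control Panel entry taken from the page.

```python
import struct
import uuid
from datetime import datetime, timedelta

# A few well-known shell folder GUIDs (lower-case, dashed form); the real tool has a far larger table.
KNOWN_FOLDERS = {
    "26ee0668-a00a-44d7-9371-beb064c98683": "Control Panel",
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
    "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents",
    "645ff040-5081-101b-9f08-00aa002f954e": "Recycle Bin",
}
EPOCH_1601 = datetime(1601, 1, 1)


def ascii_string_at(data, offset):
    """ASCII bytes from offset up to a single 00 terminator, or to the end of the data."""
    end = data.find(b"\x00", offset)
    end = len(data) if end == -1 else end
    return data[offset:end].decode("ascii", errors="replace")


def unicode_string_at(data, offset):
    """UTF-16LE code units from offset up to an aligned 00 00 terminator, or to the end of the data."""
    i = offset
    while i + 1 < len(data) and not (data[i] == 0 and data[i + 1] == 0):
        i += 2
    return data[offset:i].decode("utf-16-le", errors="replace")


def guid_at(data, offset):
    """16 bytes in Windows mixed-endian GUID layout, or None if too few bytes remain."""
    if len(data) - offset < 16:
        return None
    return str(uuid.UUID(bytes_le=bytes(data[offset:offset + 16])))


def filetime_at(data, offset):
    """64-bit FILETIME (100 ns ticks since 1601); None if too short or not a representable date."""
    if len(data) - offset < 8:
        return None
    (ft,) = struct.unpack_from("<Q", data, offset)
    try:
        return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")
    except OverflowError:
        return None


def systemtime_at(data, offset):
    """128-bit SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, millisecond."""
    if len(data) - offset < 16:
        return None
    y, mo, _dow, d, h, mi, s, ms = struct.unpack_from("<8H", data, offset)
    try:
        return datetime(y, mo, d, h, mi, s, ms * 1000).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except ValueError:
        return None


def interpret(data, offset):
    """Every interpretation of the bytes starting at offset; fields that do not apply are None."""
    if not 0 <= offset < len(data):
        raise IndexError("offset outside the value data")
    guid = guid_at(data, offset)
    return {
        "offset": offset,
        "byte_hex": f"{data[offset]:02X}",
        "ascii": ascii_string_at(data, offset),
        "unicode": unicode_string_at(data, offset),
        "guid": guid,
        "known_folder": KNOWN_FOLDERS.get(guid) if guid else None,
        "filetime": filetime_at(data, offset),
        "systemtime": systemtime_at(data, offset),
    }


# Constructed samples (not data from a real hive).
SAMPLE_STRING = b"\x01\x00\x00\x00" + b"\x00" * 10 + b"please\x00"   # 'please' at offset 14
SAMPLE_GUID = b"\x03\x00\x00\x00" + uuid.UUID("26ee0668-a00a-44d7-9371-beb064c98683").bytes_le
SAMPLE_FILETIME = struct.pack("<Q", 133011072000000000)             # 2022-07-01 00:00:00 UTC
SAMPLE_SYSTEMTIME = struct.pack("<8H", 2022, 7, 5, 1, 0, 0, 0, 0)   # Friday 2022-07-01

if __name__ == "__main__":
    print(interpret(SAMPLE_STRING, 14))
    print(interpret(SAMPLE_GUID, 4))
```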
Registry Explorer can recover both deleted Registry keys and values. It also reassociates deleted
values with their parent keys and subkeys to their parent keys.
In some cases, it is not possible to reassociate recovered keys to an active Registry key because the
deleted key’s parent cell index does not correspond to a key’s offset in the active Registry.
Registry Explorer shows recovered deleted keys in up to three ways: ‘Inlined’ with existing keys
(that is, deleted keys are shown where they used to exist), Associated deleted records (the same info
as inlined keys, but the parent keys are placeholders), and Unassociated deleted records (no parent
key could be found in the active Registry).
When Registry Explorer can reassociate a key with an active parent key, it is shown under the root
key under its parent key. The icon for the deleted key (and all its subkeys) is the same as an active
key, but a red X is shown in the lower right corner to denote it is a deleted key. The font for deleted
keys is red.
All associated deleted records are also shown under a virtual key called ‘Associated deleted’ records.
Under this key, placeholder keys (keys with a link icon in the lower right) are created that denote
active keys, down to the point where the deleted key can be found. In the example below, the same
path as seen above is reflected down to the ‘BagMRU’ key. At this point, the icon and font color
changes to indicate the key is in fact deleted and has been reassociated.
In the cases where an active parent key could not be found, the recovered deleted key will be placed
under another virtual key called ‘Unassociated deleted records’ that functions in a similar way to
the Associated deleted records. The primary difference between the two is that there will not be any
active parent keys shown for unassociated records. Unassociated records can be explored like any
other records (looking at values, viewing Technical details, etc.).
Creating bookmarks
Since Registry Explorer knows the hive type and key path already, these values will be prepopulated.
In the example below, a UsrClass hive is active and the VirtualStore key is selected.
The Category field allows you to place this particular Registry key into a high-level group. This
will eventually be used for reporting. Several preexisting categories are included but typing a new
Category will add it to the list.
The Short description serves as a summary for what the key means or why it is relevant. The value
entered for Short description will show up after the name of the bookmark in the bookmarks menu.
The Long description should contain technical information, links to web pages with more information,
or any other information you want to convey.
Recall the bookmarks menu is dynamic and will update according to the keys that are available for
the selected hive. If, before adding the bookmark, the Bookmarks menu looked like this:
The Bookmarks menu will look like this once the Save button is clicked:
A ‘User created’ menu is now visible, as is our VirtualStore bookmark (with the short description
shown in parentheses after the key name).
Selecting the ‘VirtualStore’ bookmark expands all child keys to the bookmarked key in the selected
Registry hive.
Managing bookmarks
Recall bookmarks are kept in two folders, one for included bookmarks and one for user created
bookmarks. Registry Explorer contains a Bookmark manager that is available under the Bookmarks
menu.
The column headers in bold (Type, Hive Type and Key Path) are read only. To edit any of the other
columns, click on that column’s value and adjust. The bookmark is saved automatically, and the
Bookmarks menu will be updated accordingly.
Available bookmarks
The Available bookmarks tab is an optimized way to view all available bookmarks across all loaded
hives. Using the Available bookmarks tab allows you to see all bookmarks that exist without the
distraction of parent keys or having to drill down into different hives to review things.
After loading one or more hives, click on the Available bookmarks tab. An example of this is shown
below.
When the root folder for a bookmark is selected (BagMRU in the example above), information about
the bookmark is shown at the bottom of the window in the Bookmark information section.
The numbers at the end of the Available bookmarks tab indicate the total number of common
bookmarks (20 in this case) and the total number of user created bookmarks (5 in this case). Available
bookmarks dynamically updates as hives are loaded/unloaded, bookmarks are created/removed, etc.
Right clicking on a key brings up a context menu. The options work the same way as on the Registry
hives tab. The ‘Jump to key’ option will change the active tab to the ‘Registry hives’ tab and select
the bookmarked key. This is useful to see the bookmarked key in context with other keys.
Finally, common bookmarks are differentiated from user created bookmarks by showing user created
This makes it easy to spot bookmarks you have added vs ones that were included with Registry
Explorer.
Searching
Registry Explorer contains powerful searching capabilities including standard string searches and
regular expression-based searches. It can also search for keys where the last write timestamp is
before, between or after a given timestamp or pair of timestamps, or for values that have a data size
greater than a certain number of bytes.
Registry Explorer allows you to search all hives at once across key names, value names, value data
and/or value slack. Searching is done against each hive asynchronously and results will appear as
they are available.
Options menu
Clear recent
When conducting a standard search, search terms in the ‘Search for’ box are remembered between
program executions. Use this option to clear these recent searches.
Convert
The convert menu contains options to convert the selected search string in the ‘Search for’ box to
its ASCII or Unicode hexadecimal value. This is useful when searching for patterns in Value data.
For example, selecting ‘Eric’ (without the quotes) and using the conversion options results in the
following being shown in the ‘Search for’ box:
• ASCII: 45-72-69-63
• Unicode: 45-00-72-00-69-00-63-00
The converted value can now be used to search for the initial string in its encoded form. You can
also convert terms to ROT-13 and search for encoded strings as well.
Help menu
Search tips
Shows several tips for different kinds of searches
Regular expressions
Launches a web page with information about creating .net regular expressions
Standard search
To conduct a standard search, simply enter one or more values in the ‘Search for’ box and click
‘Search.’ You can also press the Enter key twice on an empty line after entering a search term to
perform the search.
The Literal checkbox controls whether the term searched for is looked for in binary data when
searching in value data and/or slack. This is explained in more detail below.
If you entered a regular expression, change the radio button to ‘Regular expression’ so Registry
Explorer knows to use RegEx when searching. The Help menu can be used to get additional help on
building .net regular expressions. For additional resources on regular expressions, see the regular
expression searching section for RECmd later in this chapter.
The History drop down will contain a list of your recent searches.
To conduct a last write timestamp search, choose the date range to search for via the radio buttons
and enter the required time stamp values, and then click Search (or press Enter).
Note: Depending on the Date/Time format under Preferences you may see extra characters in the
earliest and latest time stamp fields. These can be ignored.
When searching for values above a minimum size, the size of the value data’s length is shown in the
Value Data column as seen below.
The Base64 search option works the same way as a minimum value size search, but it also validates
that the value’s data contains a valid base64 encoded string.
Once a search is underway, results will show up in the Results grid at the bottom of the Find window.
In the above example, a simple search was done for the strings ‘mui’ and ‘cache’, which resulted in
334 hits. The search results contain the hive the hit was found in, what type of hit it was (key name,
value name, etc.), the hit text, and other relevant information.
The columns shown in the Results grid will change depending on what kind of search was done.
When searching in value name and/or value data, two additional columns will be shown as seen
below.
When searching in value data and/or value slack, the Search for term will be found regardless of
case or encoding (Western 1252 and/or Unicode to be exact). This makes it easy to find strings that
have been encoded in binary data.
The way this works is to take the raw bytes that make up the value data and/or value slack and
convert it to a string (again, in Western 1252 and Unicode), which is then searched using a regular
expression. The regex will find the hit with exact capitalization, and the exact hit is then converted
back to a byte string. This hit can then be reported back to the application and the data highlighted
in context with the rest of the data, regardless of encoding or capitalization.
Here is an example of some search hits for ‘cache’ that were found in binary data:
If the Literal checkbox is checked, the additional search against the converted data is not done behind
the scenes. This allows you to look for specific byte patterns without Registry Explorer converting
binary data to strings.
Here is an example where the string ‘las’ was found in value slack:
In the screen shot above, notice the hit in value slack was found in two different encodings.
To view the search hit in the main Registry Explorer window, simply double click on the result you
wish to view. The Registry hive containing the hit will be selected along with the key where the hit
was found. If the Hit location is in a value name or in value data, the corresponding value will be
selected under the key.
For all simple searches, the search hit will be highlighted (or, in the case of a RegBinary hit, the bytes
that make up the hit will be selected). A few more examples of this are shown below.
For key name hits, the matching part of the key name is highlighted.
For value data (when the value type is RegBinary) and value slack, the bytes that make up the search
For value name and non-RegBinary value data hits, all instances of the search term are highlighted.
Search tips
The fastest searches are against key names. Searching against value names will be slower than key
names only. Searching value data/value slack is slower still. This is because every value of every key
must be looked at in order to search for value names or value data/slack across all loaded hives.
Do not let this stop you from searching against value names and data however. Even with these
options selected, Registry Explorer can still search multiple hives very quickly (often under a second),
but this depends on the number of keys and values in the loaded hives.
You can export the search results to Excel via the button in the lower right.
One unique feature of Registry Explorer is the ability to view the technical details of any key, its
values, security information, etc. This feature bridges the gap between a hex editor and other viewers
in that Registry Explorer can be used to validate itself as to its interpretation of Registry data.
To view the technical details of a key, select the key you are interested in, then right click and select
‘Technical details’ from the context menu. F5 can also be used as a shortcut.
In the example above, the Technical details for the ‘Local Settings\Software\Microsoft\Windows\Shell\BagMRU’
key are shown. The bytes at the bottom of the details form are the bytes for the NK record
as they are found in the Registry hive as viewed in a hex editor.
As different properties are selected, the highlighted bytes change to reflect the location in the raw
data where that property lives. The Last write timestamp property is selected, as are the bytes that
this property is derived from.
The selected bytes can be copied via Ctrl+C. Hold Ctrl+Alt+C to copy both the property name and
the value to the clipboard.
If a key contains one or more values, the Values tab is visible and contains a list of all the key’s
values. Selecting a value will display the VK record’s properties and raw data as we saw with the
NK record above.
At the bottom of the Values tab, the raw VK record is shown. A hex viewer for the value data and
value slack (if the value has slack) is also shown. This allows you to see both the VK records and the
data in one place. The value data/slack is the data that is available at the Data offset.
If a key contains subkeys, the Subkeys tab is visible and contains a list of the current key’s subkeys.
Double clicking on a subkey will open the Technical details report for that key in its own window.
Keys found in the active Registry (in other words, not deleted) will have an SK record tab that
contains the security key information for the NK record. The SK record tab works the same as the
NK and VK tab in that the hex editor updates when properties are selected, etc.
The ‘Full details as text’ tab contains a textual representation of the selected key including the NK
record, all VK records, and the SK record. This can be copied and pasted into reports as needed.
Finally, the Hive details tab contains information about the hive where the key was found. This
includes the sequence numbers, timestamp, length, root key name, checksum, and so on.
Plugins
Plugins provide a means to process a key and/or value in the Registry. They are primarily intended
for binary or otherwise obfuscated keys and values to be decoded to a more user-friendly manner.
The plugin architecture is open source and easy to implement.
Each release of Registry Explorer will contain all available plugins, but the hope
is that others will also contribute to the Registry Explorer project, located at
https://github.com/EricZimmerman/RegistryPlugins.
Plugins live under the main Registry Explorer directory in a subdirectory called ‘Plugins’ which can
also contain other directories as needed. Plugins are named according to the format:
RegistryPlugin.*.dll
Where the * is a description of what the plugin is for. Any subdirectories under the Plugins directory
are also checked for files matching the above specification.
When Registry Explorer is started, it looks for all files matching that pattern. It then verifies that
each file found is indeed a plugin. If it is, the plugin is made available to Registry Explorer.
To view all available plugins, use the View | Plugins menu option. When this is selected, the following
dialog is displayed:
As different plugins are selected, the properties for the plugin are updated. In the above example we
can see the name of the plugin and the exact key path (or paths) a plugin will handle.
Plugins can be tied to a key name or a key name and a value name. When a plugin processes a particular
value, that value name will be shown in the appropriate field.
The Internal GUID is an identifier Registry Explorer uses to make sure each plugin is unique. In this
way you can have multiple plugins for a given key and things would still work properly (vs. basing
uniqueness off of a name or similar).
The short and long descriptions are used to explain in more detail what a plugin is doing, why it is
relevant, etc. The long description can also include even more details including links to blogs, etc.
Using plugins
There is no requirement on a user’s part other than clicking on a given key and/or value. As Registry
Explorer is used to navigate around a hive, Registry Explorer checks if any plugins have registered
an interest in the selected key/value. If any plugins are found, the key is passed to the plugin for
processing and the plugin then returns results to Registry Explorer which it then displays.
For example, say a user clicks on the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
key. This key’s values look like this:
There are many RegBinary values and an MRUListEx value that tracks the order in which the values were used.
Clicking on a value would display all the binary data in the hex viewer, like this:
A Unicode string can be seen in the data, but it is difficult to see all the data at once. This is where
the plugin steps in and presents a much easier to use presentation of the values under this key. After
a plugin processes a key, a new tab is displayed next to the Values tab at the top of the right side of
Registry Explorer:
Each value is processed, and the results are displayed in a grid which can then be sorted on, filtered,
or exported as needed.
For plugins that handle a key and a value, like the AppCompatCache plugin, the results of the plugin
are displayed on a tab next to the Type viewer at the bottom part of the interface (below the values
tab).
As an example, the 7-Zip archive history value is a NULL terminated list of archives opened in 7-Zip.
When this value is selected, the 7-Zip plugin processes the value and returns a much nicer list, like
this:
The data returned can now be filtered, sorted, and exported as we saw earlier.
Some plugins can return a vast amount of information which can make displaying it all in a
grid overwhelming. In these cases, Registry Explorer will, by default, hide the details from the
plugin view (but this column can easily be unhidden if you like). As an example, let’s look at the
LastVisitedPidlMRULegacy plugin. When this key is selected, all values are processed, and the results
are displayed as we saw before. This plugin has a property named ‘Details’ which contains just that,
a very detailed listing of information extracted from a value. When a value is selected a new tab is
shown next to the Type viewer tab that contains the details of the selected value, like this:
This particular plugin decodes all of the shell items found in the binary data and places this decoded
data into the Details property. This is what is displayed when a value is selected.
When exporting plugin results for plugins that have a Details property, this column will be exported
as well, like this:
The Details column seen in the Excel sheet above is the same that is available after unhiding the
details column in Registry Explorer.
Creating plugins
NOTE: THIS MAY NOT BE 100% CURRENT AS YOU ARE READING THIS! USE THE EXAMPLES
IN THE GITHUB REPOSITORY FOR WORKING SAMPLES!!
To create a new plugin, download the RegistryPlugins project from Github, open the project in
Visual Studio, and create a new project that follows the correct naming convention similar to what
we saw earlier, RegistryPlugin.<something>. Once the project is created, add a reference to the
RegistryPluginBase project as this project will contain the base types and classes needed for a plugin.
Once this is done, the actual coding can begin. By default, a generic class is created in the new project.
Rename this to something more meaningful. This main class will contain the “brains” of the plugin.
Next, add a new class to the project and call it ValuesOut. While you can name this class anything,
most other plugins use this same convention.
The ValuesOut class defines the objects the plugin will return for display in Registry Explorer. For
example, the 7-Zip plugin’s ValuesOut class looks like this:
The important things to remember are to add read only properties and define a constructor that allows
for setting up the object. By doing it this way we ensure our objects are immutable.
With the ValuesOut class done, we can code the primary class. Using the 7-Zip project as a reference
again, let’s take a look at the top section of the class:
After the class name we can see a reference to an Interface, IRegistryPluginGrid. This interface
contains the ‘rules’ the class must follow as it relates to properties. The interface definition looks
like this:
Which in turn references another interface, IRegistryPluginBase, that looks like this:
These interfaces define what properties must exist in a class that implements a given interface.
Looking back at our SevenZip class, we can see several of the properties from the interface definitions
along with a few other fields and variables. First, we see a read-only collection named _values which
will hold each of the ValuesOut objects we create. Next is the constructor which initializes the class.
The internal GUID is nothing more than a unique GUID that can be generated via the C# Interactive
window (or by any other means, such as the Guid.NewGuid().ToString() method).
The next two properties define the key that this plugin is interested in and optionally, a value. This
particular plugin does contain a value name and as such, a combination of the key name and value
name is used.
The PluginType defines how the resulting data from the plugin will be displayed. As of 0.8.0.0,
Grid is the only valid option.
The Author, Email, and Phone properties contain information about who made the plugin and how
to get a hold of them.
The PluginName, descriptions, and Version properties are next and are self-explanatory.
The Errors collection will contain a list of any errors encountered by the plugin as it processes a key
and/or value.
The remaining part of the class looks like this:
The ProcessValues function is called by Registry Explorer when it is determined a given key should
be processed by a plugin. This is where a key should be looked at and processed into ValuesOut
objects. It is very important to properly handle any possible errors by use of Try/Catch blocks. This
keeps the plugin from crashing and allows for reporting errors to a user in a consistent manner.
The AlertMessage can be anything a plugin author wishes and will be displayed in Registry Explorer
below the grid containing plugin results.
The Values property at the bottom is the property Registry Explorer will use to display the data
returned by the plugin.
Creating plugins is very simple in that it is some basic plumbing code (name, email, key path, etc.)
and a single function to process things. While this example showed a simple plugin, there are other,
more complicated examples in the Github project you can use as templates for new plugins.
RECmd
RECmd is a command line tool used to access offline Registry hives. It includes many of the same
features as Registry Explorer including searching, looking at keys and values, and exporting data.
Version 1.2 added batch mode and plugin support for automated searching and extracting of data to
CSV.
RECmd uses the same back end as Registry Explorer to process Registry hives. RECmd is open source
and the source code is available here.
Getting started
Running RECmd.exe without any arguments displays a list of command line options as shown below.
There are several groups of command line options for RECmd. They are not case sensitive.
Source
• f: The full path to the hive to process. If the path contains spaces, include them in double quotes.
• d: The full path to a directory to recursively search for hives to process. If the path contains
spaces, include them in double quotes.
Batch
• bn: Path to batch configuration file (see section below for details).
• csv: The directory to save batch results to
• csvf: File name to save CSV formatted results to. When present, overrides default name
Query
If either the key or value has spaces in them, be sure to enclose them in quotes.
When passing in key names, the root key name is optional. This is because most of the time you will
not even know the root key name in order to be able to include it.
To get default values, use a value name of “(default)”.
• kn: The key name to look for. If used without --vn, displays all subkeys and values.
• vn: Display only the value specified
• SaveTo: Saves --vn value data in binary form to a file
• json: Export --kn to directory specified by --json. Ignored when --vn is present
• details: Show more details when displaying results. Default is FALSE
Search
This is a particularly useful feature to locate data across hives in key names, value names, and
perhaps most importantly, in value data.
Searching is broken down into four types: by last write timestamp, by value data minimum size, simple
string searches, and regular expression (RegEx) based searches when --RegEx is present.
• MinSize: Find values with value data size greater than or equal to the specified size (in bytes).
• Base64: Find Base64 encoded values greater than or equal to the specified size (in bytes).
• sk: Search for <string> in key names
• sv: Search for <string> in value names
• sd: Search for <string> in value record’s value data. The value data will be converted to its
equivalent in ASCII and Unicode and searched/compared to <string> unless the --Literal switch
is used
• ss: Search for <string> in value record’s value slack. The value slack will be converted to its
equivalent in ASCII and Unicode and searched/compared to <string> unless the --Literal switch
is used
• RegEx: If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression
• literal: If present, the --sd and --ss search value is not interpreted as ASCII and Unicode strings
• nd: When true, suppress showing data when --sd or --ss is used. Default is FALSE.
Other
Simple searches
The two letter search options starting with ‘s’ are string search options. These options look for
matches via ‘contains’ logic rather than ‘begins with’ or similar. For example, if you search for
‘cache’, the following keys would match if they existed in the Registry hive:
• Muicache
• Cache items
• UnCAcHeD
This allows you to find signatures for common data structures ANYWHERE in the Registry. The
binary signature used above is that of a BEEF0004 extension block, commonly used in ShellBags. It
contains information such as MAC dates/times, MFT info, etc.
When using the sd and ss switches, the value data or slack will be converted to its equivalent ASCII
and Unicode representation from the raw bytes. For example, if you searched for Ask, three searches
would actually happen:
1. For the ASCII string itself
2. Raw data converted to an ASCII string. A case insensitive search against this string is performed. If
found, the position of the hit is used to extract the exact string that was hit on. This string is then
converted back to bytes and reported as a hit.
3. Raw data converted to a Unicode string. The rest happens as in step 2.
This allows string searches to find data regardless of encoding or case. If data is found in encoded
form, the exact bytes making up the hit are highlighted. These bytes may differ from the searched
for string if the capitalization was different.
If the --Literal switch is used with sd or ss, then only the first search is done behind the scenes. This
allows you to look for specific byte patterns without RECmd interpreting raw data or slack to ASCII
or Unicode.
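The Convert menu and the value data/slack search described in the Registry Explorer Searching section above, and the three-step --sd/--ss search with --Literal just described for RECmd, reduce to the same few operations: encode the term, view the raw bytes as Western 1252 and as UTF-16LE, search each view case-insensitively, and map every hit back to the exact bytes. The following Python is an added illustration written for this page, not code from Registry Explorer or RECmd. It tries both UTF-16 alignments, which goes a step beyond what the page describes; the rule that a literal term may be given either as Convert-menu hex (`43-61-63-68-65`) or as plain text, and the sample bytes, are mine.

```python
import codecs
import re

# --- Convert menu: show a search term in its encoded forms ---------------

def to_hex_ascii(term: str) -> str:
    """'Eric' -> '45-72-69-63' (Western 1252 bytes, dash separated)."""
    return "-".join(f"{b:02X}" for b in term.encode("cp1252"))


def to_hex_unicode(term: str) -> str:
    """'Eric' -> '45-00-72-00-69-00-63-00' (UTF-16LE bytes)."""
    return "-".join(f"{b:02X}" for b in term.encode("utf-16-le"))


def rot13(term: str) -> str:
    """ROT-13 form of the term, for hunting lightly obfuscated strings."""
    return codecs.encode(term, "rot_13")


# --- Value data / slack search -------------------------------------------

def _cp1252_view(data: bytes) -> str:
    # One character per byte, so character index i is byte offset i.
    return data.decode("cp1252", errors="replace")


def _utf16_view(data: bytes, start: int) -> str:
    # One character per 2-byte unit beginning at byte `start`, so character
    # index i is byte offset start + 2*i.  Built unit by unit rather than
    # with bytes.decode() so a surrogate pair never collapses two units
    # into one character and breaks that offset arithmetic.
    return "".join(chr(int.from_bytes(data[i:i + 2], "little"))
                   for i in range(start, len(data) - 1, 2))


def search_value_data(data: bytes, term: str, *,
                      regex: bool = False, literal: bool = False):
    """Return hits as (encoding, offset, hit_bytes, hit_text) tuples.

    Non-literal: the raw bytes are viewed as Western 1252 and as UTF-16LE
    (both alignments), each view is searched case-insensitively, as a
    regex or as an escaped plain string, and each match is mapped back to
    the exact bytes that produced it.

    Literal: the bytes themselves are searched, with no string conversion
    and no case folding.  By my convention the term is either the
    Convert-menu hex form ('43-61-63-68-65') or plain text taken as its
    Western 1252 bytes."""
    hits = []
    if literal:
        if re.fullmatch(r"(?:[0-9A-Fa-f]{2}-)*[0-9A-Fa-f]{2}", term):
            pattern = bytes.fromhex(term.replace("-", ""))
        else:
            pattern = term.encode("cp1252")
        pos = data.find(pattern)
        while pos != -1:
            hits.append(("raw", pos, data[pos:pos + len(pattern)], None))
            pos = data.find(pattern, pos + 1)
        return hits

    compiled = re.compile(term if regex else re.escape(term), re.IGNORECASE)
    views = [("Western 1252", 0, 1, _cp1252_view(data)),
             ("Unicode", 0, 2, _utf16_view(data, 0)),
             ("Unicode", 1, 2, _utf16_view(data, 1))]
    for encoding, base, width, text in views:
        for m in compiled.finditer(text):
            if m.end() == m.start():
                continue                      # skip empty regex matches
            offset = base + width * m.start()
            length = width * (m.end() - m.start())
            hits.append((encoding, offset, data[offset:offset + length],
                         m.group(0)))
    return hits


# Constructed sample value data (not from the page): a NUL-terminated
# "MuiCache" in Western 1252, then "cache" in UTF-16LE starting at the odd
# offset 11, then a double NUL and one stray byte.
SAMPLE = (b"\x00\x01MuiCache\x00"
          + "cache".encode("utf-16-le") + b"\x00\x00\xff")


if __name__ == "__main__":
    print(to_hex_ascii("Eric"), to_hex_unicode("Eric"), rot13("cache"))
    for hit in search_value_data(SAMPLE, "cache"):
        print(hit)                      # the 1252 'Cache' and the UTF-16 'cache'
    print(search_value_data(SAMPLE, "cache", literal=True))   # [] : case differs
    print(search_value_data(SAMPLE, "43-61-63-68-65", literal=True))
```

Searching `cache` against the sample reports the capitalised `Cache` at offset 5 with the bytes that are actually there (which is why a highlighted hit may not match the typed term byte for byte), and the UTF-16 `cache` at offset 11, which a single-alignment decode would miss. The same term in literal mode finds nothing, because literal matching is byte-exact; the hex form of `Cache` finds it.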
When the --RegEx switch is present, the search term used is treated as a regular expression. Regular
expression searches offer much more powerful capabilities to find things at the cost of having to
follow a more complex set of rules when building search terms. Another tradeoff is that it can be
slower depending on how complicated your RegEx is.
Enclose the RegEx in quotes to make sure the shell does not try to interpret anything in there.
As with simple searches, regular expression-based searches are case insensitive.
Finding keys
To find all keys that contain ‘Microsoft.Bing’ followed by an F, H, or a W, then an o, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sk "Microsoft.Bing[FHW]o"
Finding values
To find all values with names that contain either ‘AppName’ or ‘DisplayName’, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
326 results were found, but due to the length of the output, only a few are shown below.
Notice that some of the hits are in red. This means they were recovered keys/values.
Finding data
To find all values whose data contains ‘URL:bing’ followed by either an m, h, or s, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sd "URL:bing[mhs]"
For more examples, run RECmd.exe without any command line arguments.
All regular expressions must of course be valid .net regular expressions. Different flavors of RegEx
providers allow for different syntax, so be sure to use the proper syntax.
RegEx tutorials for .NET.
* https://msdn.microsoft.com/en-us/library/az24scfc%28v=vs.110%29.aspx
* http://regexhero.net/reference/
* https://msdn.microsoft.com/en-us/library/hs600312%28v=vs.110%29.aspx
* http://www.codeproject.com/Articles/9099/The-Minute-Regex-Tutorial
* http://www.systemtextregularexpressions.com/help
RegExBuddy is an awesome tool for building and testing RegEx against data sets.
Batch mode
Batch mode works by crafting a YAML formatted document and passing it into RECmd via the --bn
switch. Data will be saved to the directory specified by --csv. Batch mode also allows for the use of
plugins. These plugins are the same plugins as found in Registry Explorer and work the same way.
When used by RECmd, the data from the plugin will be normalized into a standard format for CSV
output. With that said, when a plugin is used to process a key or key/value, the data generated by the
plugin is also saved out to a CSV. In this way, it is very similar to exporting the data from Registry
Explorer (albeit to Excel vs CSV).
Several example batch file specifications ship with RECmd, but let’s take a look at one in more detail.
Keys collection
Each entry consists of:
• Description: A user-friendly description of what this key will find. Can be anything from the
key name to a friendlier description of what it means, etc.
• HiveType: The type of hive this entry corresponds to. Valid choices are: NTUSER, SAM,
SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE,
SYSCACHE
• KeyPath: The path to the key to look for
• ValueName: OPTIONAL value that, when present, is looked for under KeyPath
• Recursive: Whether to process KeyPath recursively or not
• Comment: Like Description in that you can add various things here that end up in the CSV
While the example above only includes NTUSER, you can mix and match as many different hive
types as you like (again, see the examples) so you can extract data from NTUSER hives, SYSTEM,
and SOFTWARE for example.
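As an added illustration (not one of the batch files that ship with RECmd), here is a small batch file that uses the Keys fields listed above and mixes three hive types. The header fields above the Keys collection (Description, Author, Version, Id) are my recollection of the layout of the shipped examples and are not described on this page, so check them against a shipped .reb file; the Id is a placeholder to replace with a fresh GUID, and the key paths are well-known paths chosen for illustration.

```yaml
Description: Added example batch file, not one shipped with RECmd
Author: Example author
Version: 1
Id: 00000000-0000-0000-0000-000000000000   # placeholder, replace with a fresh GUID
Keys:
    -
        Description: UserAssist
        HiveType: NTUSER
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
        Recursive: true
        Comment: Program execution evidence; Recursive reaches the per-GUID subkeys
    -
        Description: Windows version
        HiveType: SOFTWARE
        KeyPath: Microsoft\Windows NT\CurrentVersion
        ValueName: ProductName
        Recursive: false
        Comment: Only this one value is extracted because ValueName is set
    -
        Description: Services
        HiveType: SYSTEM
        KeyPath: ControlSet001\Services
        Recursive: false
        Comment: If a plugin is registered for this key its results land in their own CSV
```

Each entry is matched only against hives of its HiveType, so the same file can be pointed at a directory of mixed hives with -d and each entry applies where it belongs.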
To use batch mode, supply the file to the --bn switch, along with --csv to tell RECmd where to save
results:
RECmd.exe --bn D:\Code\RECmd\RECmd\BatchExampleUserAssist.reb -f C:\Temp\NTUSER_dblake.DAT --nl --csv C:\Temp
We only searched a single hive here, but if we used -d vs -f, we could search entire directories for
hives to process.
This results in a few files being created, one for the batch data, which is named after the name of
the batch file passed in, and the other is named after the Plugin that was executed (Services) along
with the full path to the hive for that particular file.
This lets you know exactly what was found (Services) and where it was found (C:\Temp\SYSTEM_loneWolf).
If you had 10 NTUSER.DAT hives and 3 plugins ran on each, you would end up with 31
files generated, 1 for the main batch mode CSV, and 30 for the plugins.
The main batch mode CSV also contains a pointer to the detailed plugin CSV so if you do need to
drill down you can do so easily.
Version changes
For versions after 1.2.0.0, see ChangeLog at https://ericzimmerman.github.io
Version 1.2.0.0
NEW: Updated controls and nuget
NEW: Display deleted values with red gradient in values list
NEW: Display deleted values with non-resident data with purple gradient when the data record that
value points to has been reallocated to another cell somewhere else.
NEW: RECmd completely rewritten, adding support for plugins and batch mode
CHANGE: Updated back end Registry parser with tweaks and new features
CHANGE: Updated plugin interfaces to support batch mode in RECmd
FIX: Handle fringe errors related to save paths, loading bookmarks, etc
Version 1.1.0.0
NEW: Updated controls, move to Fody vs LibZ for single exe
CHANGE: Show slack tab when a plugin is used
FIX: Fixes for handle leaks
FIX: Handle NK record referencing deleted value per @errnofail’s research
FIX: Various tweaks and fixes
Version 1.0.0.0
NEW: Display warning when Header sequence 1 != sequence 2. This means the hive is dirty and
there are transactions in the log file(s) which have not been committed to the hive.
NEW: Updated controls and dependencies
NEW: For non-RegBinary values, display ‘Binary viewer’ tab which contains the value’s raw data.
NEW: When grouping in a grid, show the total number of items in the group in the header
NEW: Added plugins for Bluetooth, Bam, Dam, RecentApp, etc.
NEW: Detect dirty hives and offer to replay transaction logs (new format only) so the hive contains
all data contained in the transaction log(s).
CHANGE: RegNone values are treated like RegBinary and are shown in a hex viewer which allows
for interacting with bytes more easily
CHANGE: Merge some changes from other users to plugins (SAM)
FIX: Update existing plugins to support new cases (AppCompatcache), timestamp to UTC (Office),
etc.
Version 0.9.0.0
NEW: Added Raw Value property to non-RegBinary values that contains the bytes that make up the
value. This is useful for copying out into other programs like DCode, etc.
NEW: Plugins added for Known networks (SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList),
WordWheelQuery, TypedURLs (including TypedURLsTime), Services, Terminal services client (RDP
history), DHCPNetworkHint.
NEW: Added Options | Convert selected | To ROT-13 in Find window. This allows for searching for
things ROT-13 encoded like UserAssist, etc without having to rely on a plugin
NEW: Added ‘# subkeys’ column to Registry Hives and Available bookmarks trees
NEW: Added ‘Selected hive’ to left side of status bar that tracks the name of the hive currently
selected. Double clicking copies full path of hive to clipboard
NEW: Allow for searching for many terms at once vs one at a time in Find dialog
NEW: Change messages count background color to yellow when there are warning messages and
red when there are error messages. This color will be cleared when the Messages window is viewed.
CHANGE: Disable Bookmarks menu when on Available bookmarks tab
CHANGE: Clear any active filters before selecting bookmarked key
CHANGE: Set focus to last used search type on Find form
CHANGE: Sort bookmarks by name
CHANGE: Load hives when they do not have an nk record with a HiveRootEntry flag set. When
this happens, an alternate method is used to find the root key
CHANGE: Put the newest search history items at the top of the list
CHANGE: Don’t trust Header length when looking for hbins as sometimes Header length is wrong
CHANGE: Values grid filters use ‘contains’ vs ‘starts with’ as default
FIX: Add missing tooltip to Literal checkbox on Find form
FIX: Update hex position in hex type viewer when moving up and down rows vs only left and right
FIX: Correct issue when selecting hits in Find panel if the Registry keys tree was sorted when a
virtual key existed (Associated Registry keys for example)
FIX: Handle rare issue when building virtual keys for ‘Associated deleted records’ where there is an
active key and a recovered deleted key with the same name
FIX: Lots of tweaks and miscellaneous fixes
Version 0.7.1.0
RECmd changes
New: Added --Dir switch. This recursively searches for hives in a given directory and searches each
of them
Registry Explorer changes
New: Registry Explorer can now function as a “default application” in that you can associate RE
with *.dat and then double click hives. This also allows for setting up RE in other apps like X-Ways
as an external viewer, dragging and dropping hives onto RE shortcut/executable, etc.
New: Added Check for updates to About menu
Version 0.7.0.0
As of 0.7.0.0, Registry Explorer and RECmd are included together.
RECmd changes
NEW: Added --Literal switch. When present, --sd and --ss switches will not be interpreted
NEW: Added --ss switch for searching Value slack space
NEW: Search terms are now highlighted in search results. Edit nlog.config to adjust colors for
foreground and background
NEW: Added --RegEx switch. When present, treat <string> in --sk, --sv, --sd, and --ss as a regular
expression
NEW: If nlog.config is missing, add default config and warn user
CHANGE: Switches are NOT case sensitive any more
CHANGE: Remove RegEx specific switches (See --RegEx above)
CHANGE: Tweak command line option descriptions
keys that match the filter. When ON, parent keys to keys matching the filter are also shown
NEW: Added a Total messages counter to lower status bar (far right) that indicates the total number
of messages available on the Messages form
NEW: Added skinning support. Active skin can be changed from the Options menu
NEW: Added icon for Registry hive in the Registry hives tree to visually separate it from keys
NEW: Make hive name bold to make it stand out from keys
NEW: Tech details info can be copied via Ctrl+C (just the value) or Ctrl+Alt+C (Name: Value)
NEW: All hex viewers now support Ctrl+C to copy selected bytes to clipboard
NEW: Search for minimum value sizes added
NEW: Search in value slack added
CHANGE: Allow resizing of window below 800x600
CHANGE: Drag and dropping of hives supported on any of the 3 main sections of Registry Explorer
CHANGE: Status bars adjusted. Added options to hold Shift when double clicking in order to copy
different parts of the key/value
CHANGE: Add vertical scroll bar to Technical details hex editors
CHANGE: Rename tree context menus from ‘child nodes’ to ‘subkeys’
CHANGE: Hide Messages form by default since things load and process faster when its hidden
CHANGE: Icon for existing key placeholder in Associated deleted records updated
CHANGE: Icon for Associated deleted records updated
CHANGE: Made legend icons bigger
CHANGE: Bookmarks manager now allows editing/deleting both common and user created bookmarks
FIX: Bug fixes in Registry parser (yay unit tests)
FIX: Show SK record in Technical details form
Version 0.2.0.0
NEW: Added new tab in upper left, Available bookmarks, that shows all available bookmarks across
all loaded Registry hives
NEW: Added ‘Technical details’ option to context menu. Use this to view all the down and dirty
details about a key including its bytes, its security key, subkeys, values, etc. This provides an easy to
use way to explore and validate Registry tools
NEW: Added several hotkeys for commonly used key context menu items
NEW: Allow exporting of keys either individually or recursively to .reg format via the context menu
NEW: Add ‘Collapse all hives’ button to status bar.
NEW: Added more bookmarks
CHANGE: Prevent illegal file name characters in category names (\, /, |, and so on). Any illegal
characters will be replaced with an underscore
CHANGE: Nlog logging added
CHANGE: Registry parsing is now ~150% faster and memory usage reduced by 40-80%
CHANGE: Prevent the same hive from being loaded more than once
CHANGE: Expand the top level node after loading a hive
CHANGE: Hide or unhide all matching keys in all open hives vs only the active hive
FIX: When removing keys from auto hide list, remove any hidden keys in the tree that match as well
FIX: Actually export the timestamp when exporting Messages
FIX: GUI polish
Version 0.1.8.0
Initial release
Appendix A – Contributors
The following people have contributed in one way or another during the development and
refinement of SBE
SDB Explorer
[159] https://learn.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-database?redirectedfrom=MSDN
SDB Explorer 291
Using the Info -> Metrics menu, examiners can look at a visual representation of the data present
within a loaded shim database.
Blog Posts
Revision history
2014-11-21 Rev. 1 - Initial release
2022-07-25 Rev. 2 - Leanpub release
Requirements
ShellBags Explorer requires the Microsoft .NET Framework version 4.5.1 full runtime or greater to be
installed. It is available at http://www.microsoft.com/en-us/download/details.aspx?id=40779.
and can be used to show knowledge and intent when it comes to accessing directories or other
resources on a computer.
From the anti-forensics standpoint, an absence of ShellBag entries may suggest system cleaning or
overt action by an end-user and potential sophistication of the actor. Lastly, bad actors are becoming
smarter every day - not every forensic examination will contain evidence in plain sight/allocated
space. ShellBags, along with other artifacts, may point to evidence that existed at one point in time
or may assist the examiner in looking at the broader picture when only a piece is known.
ShellBags are a set of Windows Registry keys located in NTUser.dat and USRClass.dat registry hives
(primarily usrclass.dat) that maintain view, icon, position, size (and other attributes) of folders when
using Windows Explorer. They are likely to persist information even when the original directories,
files, and physical devices have been removed from the system and due to this, can serve as a
“history” of sorts into data that was previously on a system but may have since been removed.
When combined with volume shadow copies (specifically, older copies of registry hives), significant
insight into a user’s activity can be gleaned.
On the left, registry keys are displayed. After selecting a key, the values for that key are displayed
in the right pane.
The values on the right correspond to ShellBags that are children of the selected key. In the screen
shot above, it is the BagMRU key. The BagMRU key represents the “Desktop” in Windows and all
ShellBags will exist under the Desktop. In other words, the Desktop is the topmost Shellbag.
In the example above, the “0” value has been opened. The contents of the ShellBag are shown in
hexadecimal. The example above contains a GUID which corresponds to the “My Computer” folder.
There are hundreds of GUIDs that map to directories, control panel items and categories, etc. SBE
contains hundreds of GUID mappings to human readable formats.
Some ShellBags will contain strings (both ANSI and Unicode) representing things such as directory
names or UNC paths. In the image below, a directory named “Timelord” was accessed. The ‘short
name’ is highlighted in green and the ‘long name’ is highlighted in blue.
Shellbags Explorer 297
While not obvious, there are also several dates and times embedded in the binary data as well as MFT
entry and sequence numbers. It is also possible to determine the file system this directory existed
on based on the contents of the ShellBag. In the example above, the directory existed on an NTFS
file system with MFT Entry Number 332634 and MFT Sequence Number 20 and was last accessed
on 11/19/2014 at 8:47:52 PM +00:00!
MRUListEx
The MRUListEx value is the Most Recently Used list and reflects the order the ShellBags were opened
with the most recently opened bag being listed first. As ShellBags are opened, the MRUListEx values
are shifted to the right and the most recently opened value is added to the leftmost position.
Double clicking the MRUListEx value brings up an editor showing the binary data contained in the
value.
Each entry in the MRU list is 4 bytes long (little endian). In the image above, the first 4 MRU positions
have been highlighted with different colors.
Based on what is in the MRUListEx key above, the order the ShellBags under BagMRU were opened
is 0, 8, 3, 7, 5, 6, 4, 2, 1. The last entry in MRUListEx is always FF FF FF FF.
NodeSlot
There is also a NodeSlot value that links to a subkey under the Bags key. This subkey contains such
things as the sorting, icon size, and other properties for a given directory. The NodeSlot value is for
the currently selected key and not the ShellBags present under a given key.
In the image above, the ShellBag with a value of 4 is the “parent” ShellBag for any ShellBags found
in the key with the same name. Selecting the key with name 4 results in the following.
As you can see, the pattern continues as we drill down into child keys. If we continue to drill down
we will eventually run out of child keys as seen in the next screen shot.
We know we are at the “bottom” because there are no more child keys and the MRUListEx value is
FF FF FF FF.
Using LastWrite values to determine First Explored and Last Explored dates
and times
Keeping in mind how LastWrite timestamps work, we can now determine when a given ShellBag
was accessed.
To determine the first time a ShellBag was explored, we can look for the “bottom” most keys and
use their LastWrite timestamps for the ShellBag in the parent key. Recall in the example above, the
key is “0” and the last write value is 11/17/2014 at 18:14:40.553 UTC. If we go “up” a level and select
the parent key of the bottommost key, we see a ShellBag value named “0.”
Note: This only works for the bottommost key and its corresponding value in the key’s parent. If a
child directory is browsed underneath the highlighted key above, it is not possible to determine the
first explored date for the intermediate folder anymore (but we would now know when the newly
browsed folder was viewed, assuming it was the bottommost directory navigated to).
To determine the last time a ShellBag was explored, we use the LastWrite timestamp in conjunction
with the MRUListEx value. Recall the first entry in MRUListEx is the most recently viewed ShellBag
in a given key. By looking at the LastWrite timestamp for a key, we know when the first entry in
the MRUListEx was last explored.
Since MRUListEx has its first entry set to a value of “4”, the ShellBag with the same value was last
explored when the “0” key was last written to. Since the MRUListEx value is updated as ShellBags
are accessed, the LastWrite timestamp is also updated.
More information on these concepts is available at http://www.4n6k.com/2013/12/shellbags-
forensics-addressing.html.
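The MRUListEx decoding and the LastWrite reasoning above (last explored from the first MRU entry, first explored from the bottommost subkey), worked through in code. This is an added example, not code from the page or from SBE; the hive fragment is constructed (the BagMRU order and some timestamps are adapted from values quoted in the text), with key paths written as strings.

```python
import struct
from datetime import datetime, timezone

MRU_TERMINATOR = b"\xff\xff\xff\xff"


def parse_mrulistex(data: bytes) -> list:
    """Decode an MRUListEx value into slot numbers, most recently opened first.

    Each entry is a 4-byte little-endian integer; the list always ends with
    FF FF FF FF, which is never a slot number.
    """
    order = []
    for off in range(0, len(data) - 3, 4):
        (slot,) = struct.unpack_from("<I", data, off)
        if slot == 0xFFFFFFFF:
            return order
        order.append(slot)
    raise ValueError("MRUListEx value is missing its FF FF FF FF terminator")


def build_mrulistex(order: list) -> bytes:
    """Inverse of parse_mrulistex, used here only to construct sample data."""
    return b"".join(struct.pack("<I", s) for s in order) + MRU_TERMINATOR


def is_bottom_key(tree: dict, key: str) -> bool:
    """A key is at the bottom when it has no subkeys and its MRUListEx is only the terminator."""
    has_subkeys = any(other.startswith(key + "\\") for other in tree)
    return not has_subkeys and parse_mrulistex(tree[key]["mrulistex"]) == []


def explored_times(tree: dict) -> dict:
    """Apply the LastWrite rules to every bag (key, slot) in the tree.

    Last explored: the slot listed first in a key's MRUListEx was opened when
    that key was last written, because opening it rewrote MRUListEx.
    First explored: only known for a slot whose own subkey is a bottom key;
    that subkey's LastWrite is when the folder was first browsed. Once a
    deeper folder is browsed the subkey is no longer bottom and the value is lost.
    """
    bags = {}
    for key, info in tree.items():
        order = parse_mrulistex(info["mrulistex"])
        for slot in order:
            first = last = None
            if slot == order[0]:
                last = info["last_write"]
            child = f"{key}\\{slot}"
            if child in tree and is_bottom_key(tree, child):
                first = tree[child]["last_write"]
            bags[(key, slot)] = {"first_explored": first, "last_explored": last}
    return bags


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample hive fragment (not real data). Each key carries its
# LastWrite timestamp and the raw bytes of its MRUListEx value.
SAMPLE_TREE = {
    "BagMRU": {
        "last_write": _ts("2014-11-19 20:47:52"),
        "mrulistex": build_mrulistex([0, 8, 3, 7, 5, 6, 4, 2, 1]),
    },
    "BagMRU\\0": {
        "last_write": _ts("2014-11-17 21:26:46"),
        "mrulistex": build_mrulistex([4, 0]),
    },
    "BagMRU\\0\\4": {  # bottom key: gives first explored for slot 4 of BagMRU\0
        "last_write": _ts("2014-11-17 21:25:46"),
        "mrulistex": MRU_TERMINATOR,
    },
    "BagMRU\\0\\0": {  # has a subkey, so slot 0 of BagMRU\0 has no first explored
        "last_write": _ts("2014-11-17 18:14:40.553"),
        "mrulistex": build_mrulistex([0]),
    },
    "BagMRU\\0\\0\\0": {
        "last_write": _ts("2014-11-17 18:14:40.553"),
        "mrulistex": MRU_TERMINATOR,
    },
}

if __name__ == "__main__":
    for (key, slot), times in sorted(explored_times(SAMPLE_TREE).items()):
        print(f"{key}\\{slot}: first={times['first_explored']} last={times['last_explored']}")
```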
Capabilities overview
SBE is meant to be an all-inclusive tool for ShellBag artifacts. It negates the need for laborious
manual steps, decoding of data, and determining contextual relationships between directories, etc.
* Included support for all known Extension blocks and auto-detection of unknown blocks, unknown
ShellBag types, etc.
* Data interpreter to Hex view. As hex values are selected, the values update from the cursor’s
position.
* Support for NTUser.dat and USRClass.dat
* Consistent display of data for bags
* Ability to view all bags recursively to easily sort, filter, etc.
* Ability to ingest multiple registry hives and remove duplicate ShellBags. This allows for a
comprehensive view of directory access spanning the range of data in all registry hives.
* Ability to show what directories were accessed on CD and DVD media (and therefore showing
what drive letters were optical readers)
* And MUCH more
Getting started
If you are reading this, it is assumed you already have ShellBags Explorer installed somewhere on
your machine. A default installation of ShellBags Explorer includes the following files:
* SBECmd.exe: The command line version of ShellBags Explorer
* ShellBagsExplorer.exe: The GUI version of ShellBags Explorer
Either version of ShellBags Explorer (SBE) can be used to process and examine registry hives. One
program does not rely on the other for SBE to function.
ShellBagsExplorer.exe
This is the GUI version of SBE. It provides deep insight into shellbag data in an easy to use interface
that resembles Windows Explorer.
To start SBE, open the SBE folder and double click on ShellBagsExplorer.exe.
Each of the sections above will be explored further in subsequent sections below.
Tree view
The tree view displays a Windows Explorer like representation of ShellBag data. There are menu
options under Tools to automatically expand and contract all nodes.
Grid view
The grid view displays all ShellBags located below the selected node in the tree, or, in the case of
recursive viewing, a list of all ShellBags located below the selected node and all child nodes of those
nodes.
Details view
After a ShellBag is selected, the details view pane displays all known data about the selected ShellBag.
This includes basic information as well as extension blocks, MFT information, file system hints, raw
hex content, and so on.
Hex view
After a ShellBag is selected, the hex view will contain the raw hex content of the selected ShellBag.
To the right of the hex display is a data interpreter that is updated in real time as data is selected in
the hex editor. This allows for verification of data in both the grid and details view.
Status bar
The status bar on the bottom contains various details about the loaded hive, whether or not a filter
is active (including the number of visible rows vs. the total) and if there are any updates available
to SBE.
Menus
File
The File menu allows for loading either the live registry information or an offline hive. When loading
an offline hive, the user will be prompted for the location of the hive file to load.
More information is available when browsing an offline hive than browsing the live registry. This
is because as of SBE version 0.5.0.0, the LastWrite timestamp for registry keys is not available when
looking at the live registry. The live registry option can be used to explore ShellBags from the live
machine during training, research, and so on.
Export submenu
Once SBE has loaded a hive, the File menu also allows for exporting of the data in one of several
formats.
* CSV: All available columns will be exported
* Excel: The visible columns in the Grid view are exported.
* json: All data is exported in json format.
NOTE: You can customize the columns shown in the grid view by clicking the field chooser icon
in the upper left corner of the grid (this is explained in more detail in an upcoming section). This
allows you to hide or show whatever columns you choose to make your work easier.
Tools
The tools menu contains options to expand and contract tree nodes, show the messages window, or
set the time zone to be used when displaying dates and times. The messages window is displayed
automatically as messages are generated.
A time zone must be selected before selecting a source for ShellBags (the live registry or an offline
hive). By default, UTC is used for all dates and times.
Help
Quick help provides basic information on how to use SBE. About contains version information and
contact information for the developer.
Workflow overview
After selecting either the live registry or an offline hive, SBE will display a summary of the types of
ShellBags that were found as seen below.
In the image above, notice 331 ShellBags were found in the registry and 331 ShellBags were processed.
Should there be a situation where the number of ShellBags found is not equal to the number of
ShellBags displayed by SBE, the summary screen will be different to reflect this fact.
Messages window
If there are any errors when processing ShellBags, the Messages window will be displayed.
Selecting a message will show the details for that message in the lower pane. All messages can be
exported or cleared using the buttons in the lower right corner.
The Messages window can contain both errors and informational messages. Informational messages
will be displayed when unknown GUIDs are found, new extension blocks are discovered, or there
is a mismatch between the number of extension blocks in a ShellBag and the number of parsed
extension blocks (these concepts will be elaborated on soon).
NOTE: You can quickly jump to the ShellBag related to the message by double clicking anywhere
on a row. This will select the ShellBag in the tree so it can be reviewed as needed.
Tree view
The tree view will also be updated. As seen earlier, the starting point for ShellBags is the Desktop
folder.
Expanding a node displays its children. In the image below, several child objects have been expanded.
Each different kind of ShellBag is represented by a different icon. In the example above we see icons
for directories, GUIDs, control panel categories, drive letters, and user application data. This helps
you quickly visualize what kind of ShellBags are available.
As mentioned above, left clicking selects a given node in the tree and displays child bags in the grid
view. Right clicking a node will select that node and expand all child nodes and display all bags
under the selected node in the grid view.
In the example above, D: has been recursively explored. Notice the icon now shows a blue down
arrow indicating the node is being explored recursively. Exploring recursively lets you drill down
into specific areas of interest and, as we will soon see, easily search for things across a given set of
ShellBags.
Grid view
As nodes are selected in the tree view, the grid view is updated to show the child ShellBags of
the selected node. In the case of recursive viewing, all child bags from the selected node down are
displayed in the grid view.
The grid view serves as a way to view Shellbags in a consistent manner. Not all bags have data for all
of the columns, but for the most part the columns available in the grid view provide a homogeneous
view of ShellBags. Because of this, common features of different bag types can be grouped on, filtered,
sorted by, etc.
Clicking in the upper left corner of the grid view allows for customizing the fields displayed in the
grid.
Column definitions
* Ext. block count: The total number of extension blocks found in this shell bag
* Extension blocks: The names of unique extension blocks found in the shell bag
* First Explored: When available, the timestamp a folder was first explored
* Icon: A visual identifier for the shell bag
* Last Explored: When available, the timestamp a folder was last explored
* Last Write Time: Only available when loading an offline hive, this is the timestamp the ShellBag
KEY was last updated.
* MFT entry
* MFT Seq. number
* Miscellaneous: Used to report additional items of interest about shell bags as needed. This is
primarily used to report the type of file system an item was located on
* Modified on: The modified date as stored in the ShellBag
* MRU: The Most Recently Used position of the bag
* Slot: The shell bag’s numerical identifier in its parent key
* Type: The human readable description of what kind of data the shell bag represents (file, folder,
etc.)
* Type ID: The hexadecimal identifier for the shell bag. This is found in offset 0x02 in the hex that
makes up a shell bag.
* Value: The name of the file, folder, property view, etc. for the shell bag. This is the primary identifier
for a shell bag.
Note: The MFT entry and sequence number can be used to determine the file system a particular
bag came from:
* If entry number > 0 and sequence number > 0, then the file system is NTFS.
* If entry number > 0 and sequence number == 0, then the file system is FAT. (Further checks against
the accuracy of Last Access is then done to determine FAT vs. exFAT)
When applicable, the Miscellaneous column will indicate which file system the ShellBag target
originated from. Thanks to David Cowen for this idea and for testing.
Column order can be adjusted by dragging and dropping columns to new positions in the grid. Any
changes are persisted.
The grid view can be used to sort, filter, and group ShellBags.
Sorting
To sort, simply click a column header. Click it again to sort in reverse order. To sort by more than
one column, click the initial column to sort by, then hold SHIFT and click on another column. The
second column will be sorted while the first column retains its initial sorting.
Filtering
At the top of each column is a filter cell. In the image below it is highlighted in yellow.
Clicking on this cell and typing will immediately filter that column to only items containing the
entered text. To the left of the cell is a button with options on how the filter should work. The
default is “contains.”
There are also dropdowns which contain all unique entries in the column plus options to add custom
filters to the list. To the right of each cell is a button that can be used to clear that column’s filter.
To the far right of the filter row is a button that can be used to clear all filters.
Grouping
At the top of the grid is an area where one or more column headers can be dragged. As columns are
dragged and dropped, each unique value in the selected column will be used to create a group.
In the example above, the “Type” column was grouped. Clicking on a plus sign expands that group.
In the example above, we first grouped by type, then by MRU. This can be useful to see a list of all
the most recently accessed directories (i.e. all the ShellBags of type directory where MRU == 0).
To “undo” grouping, drag the columns back into the main grid area at any location.
Notice the D: drive is highlighted in the tree view and the details view reflects this. If the bag with
value “GOON2” is left clicked, then right clicked, notice the tree view is updated and the “GOON2”
bag is highlighted and the grid view is updated to show the child bags of the GOON2 bag.
The details pane is also updated with the newly selected bag in the tree view. Clicking the “Queue”
bag in grid view will update the details view to the “Queue” bag.
Details view
The details view contains all known ShellBag information in human readable (and hopefully
consumable) format. Binary data is converted to timestamps, strings, numbers, and other structures.
ShellBags in general have the following structure (For an exhaustive breakdown of ShellBag
binary layouts, including extension blocks, see the Metz document referenced above
(http://goo.gl/rJXmLY)):
* Offset 0-1: Size of the ShellBag
* Offset 2: Type indicator
* Type specific data
The type specific data contains things such as timestamps, file attributes, strings, and extension
blocks. Extension blocks contain additional data relevant to a ShellBag and can be used in different
ShellBags. Because of this, extension blocks have their own formatting that is consistent across
bags.
Extension blocks can be identified by a unique signature, BE EF 00 XX, where XX varies with the type
of extension block. In the image below, the beginning of a BEEF0004 block is highlighted. Since the
data is stored in little endian format it has to be read “backwards.”
Here we can see the short name, MAC dates and times, full bag path, the absolute path, and the first
explored date.
Note: The Last Write Time of the PARENT key (BagMRU\0\2\0\3\0) this ShellBag lives in is
11/17/2014 9:26:46 PM +00:00, but the First explored timestamp is 11/17/2014 9:25:46 PM +00:00. This
is because First explored is determined by the last write date of the “bottom” key corresponding to
BagMRU\0\2\0\3\0, Slot 0. The key for this bottom slot is not shown but the Last Write timestamp is
collected and applied to the relevant bag.
Additionally we can see that the file system is NTFS. This can be determined since we have both an
MFT entry and sequence number.
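The header layout, the little-endian extension block signature, and the MFT-based file system hint from the column definitions, as an added Python example (not SBE's own parser). The sample bag bytes are constructed, the signature table lists only the block names this chapter mentions, and the signature scan is a heuristic rather than a walk of the block structures.

```python
import struct

# Extension block signatures named in the text, written the way the hex view
# reads them (BE EF 00 XX); on disk each is stored little endian as XX 00 EF BE.
KNOWN_EXT_BLOCKS = {
    0xBEEF0004: "Beef0004",
    0xBEEF000E: "Beef000e",
    0xBEEF0010: "Beef0010",
    0xBEEF0025: "Beef0025",
}


def parse_shellbag_header(bag: bytes) -> dict:
    """Read the two fields every ShellBag shares: the size at offsets 0-1
    (little endian) and the type ID at offset 0x02."""
    if len(bag) < 3:
        raise ValueError("ShellBag shorter than its 3-byte header")
    (size,) = struct.unpack_from("<H", bag, 0)
    if size > len(bag):
        raise ValueError(f"size field {size} exceeds the {len(bag)} bytes available")
    return {"size": size, "type_id": bag[2]}


def find_extension_blocks(bag: bytes) -> list:
    """Locate BE EF 00 XX signatures inside the type-specific data.

    Returns (offset, name) pairs. A coincidental XX 00 EF BE byte run inside
    string data would also match, which is why SBE reports a mismatch between
    the block count and the blocks it actually parsed.
    """
    hits = []
    for off in range(3, len(bag) - 3):
        if bag[off + 1 : off + 4] == b"\x00\xef\xbe":
            (sig,) = struct.unpack_from("<I", bag, off)
            hits.append((off, KNOWN_EXT_BLOCKS.get(sig, f"Unknown {sig:08X}")))
    return hits


def file_system_hint(mft_entry: int, mft_seq: int):
    """Rule from the column definitions: entry and sequence both > 0 means
    NTFS; an entry with a zero sequence number means FAT (the further Last
    Access check that separates FAT from exFAT is not reproduced here)."""
    if mft_entry > 0 and mft_seq > 0:
        return "NTFS"
    if mft_entry > 0 and mft_seq == 0:
        return "FAT"
    return None


def summarize(bag: bytes, mft_entry: int = 0, mft_seq: int = 0) -> dict:
    """Produce the grid-style columns (Type ID, Ext. block count,
    Extension blocks, Miscellaneous) for one bag."""
    header = parse_shellbag_header(bag)
    blocks = find_extension_blocks(bag[: header["size"]])
    names = sorted({name for _, name in blocks})
    return {
        "type_id": f"0x{header['type_id']:02X}",
        "ext_block_count": len(blocks),
        "extension_blocks": ", ".join(names),
        "miscellaneous": file_system_hint(mft_entry, mft_seq),
    }


# Constructed sample bag (not captured from a real hive): size 0x20, type 0x31,
# zero filler standing in for the fixed fields, then a Beef0004 signature stored
# little endian, then a signature not in the known table.
SAMPLE_BAG = (
    b"\x20\x00"             # size: 32 bytes, little endian
    + b"\x31"               # type ID at offset 0x02
    + b"\x00" * 13          # placeholder for timestamps, attributes, short name
    + b"\x04\x00\xef\xbe"   # BE EF 00 04 read "backwards"
    + b"\x00" * 4
    + b"\x99\x00\xef\xbe"   # BE EF 00 99, unknown to the table above
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(summarize(SAMPLE_BAG, mft_entry=332634, mft_seq=20))
```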
Some ShellBags contain embedded property sheets. These are another data structure commonly
seen in various Windows artifacts and essentially are key/value pairs. In the example below, the
bags related to the Control Panel have been expanded.
After selecting the “Set Program Associations” bag, its details view contains:
Here we can see the various property sheets and the data contained therein. Notice that now it is
possible to tell not only WHEN program associations were changed, but WHAT program was used
to take over those associations.
Finally, the bottom of the details view contains the raw hexadecimal data.
Hex view
The hex view contains the raw hexadecimal data of the selected Shellbag. It is displayed in traditional
hex editor style in read-only mode.
To the right of the hex data is a rough interpretation of the data. A few strings can be seen in both
ASCII and Unicode format. As the position of the cursor is changed by clicking on hex values, the
data interpreter updates in real time.
Data interpreter
The data interpreter assists in decoding the contents of ShellBags when manual verification is desired.
As the cursor is moved to different offsets, the interpreter updates in real time and shows different
interpretations of the data FROM THE POSITION OF THE CURSOR IRRESPECTIVE OF ANY
SELECTED BYTES.
In this example the cursor is at offset 0x8 and we see the DOS date is showing 4/24/2014 1:09:08 PM
+00:00 which corresponds to the Modified timestamp.
In the next example we can see the data interpreter has found a GUID for the Control Panel at offset
0x4.
By using the data interpreter to explore ShellBags you can begin to see common patterns including
timestamps, extension blocks, property sheets, and so on.
NOTE: The data interpreter will show certain fields in bold based on certain conditions:
SBECmd.exe
SBECmd.exe is a command line version of ShellBags Explorer that will automatically process hive
files and export the results to TSV. The command line options are shown below.
If SBECmd.exe encounters any errors processing hives, they will be reported to the console and to
‘!SBECmd_Messages.txt’ in <directory>\Out.
The TSV file(s) will now reflect the selected time zone, including any adjustments for daylight
savings time.
Version changes
Version 0.6.0.0
NEW: Added NodeSlot info. This column is hidden by default in the grid, but will always be shown
in Details view
CHANGE: Updated registry parser code (~150% faster and significant memory reduction)
FIX: Correct FAT vs exFAT file system hint in BEEF0004 blocks
FIX: Correctly detect end of ShellBag in C3 bags
Version 0.5.0.4
NEW: Build for AnyCPU vs forcing x86.
NEW: Add icon for “History folder” ShellBag type
NEW: Allow hives to be dropped on Hex view
NEW: Added millisecond precision to timestamps that have that level of resolution. These timestamps
are visible in the details pane
NEW: Added support for http URLs in variable blocks.
NEW: Added ability to double click on Data Interpreter to copy values on Interpreter plus ShellBag
details to Clipboard
NEW: FILETIME and DOS Date fields in data interpreter will be bolded if the calculated date > Now
- 10 years AND calculated date < Now + 5 years. This provides a visual cue a valid timestamp may
have been found.
NEW: GUID field in the data interpreter will be bolded if the calculated GUID maps to a known
value
NEW: Count all ShellBag registry values seen and compare to the number of ShellBags processed.
If seen != processed, show warning on summary screen as data is missing
NEW: Added Placeholder extension block which is used to “pad” main ShellBags when they contain
additional ShellBag items (Bags containing bags). Placeholder bags are not printed to the details pane
NEW: Added detection of Beef0010 blocks in 0x71 ShellBags.
NEW: Added detection of Beef0010 blocks in 0x2f ShellBags.
NEW: Added ability to double click on a row in the Messages window which will select the related
node in the tree on the main window
NEW: Add GUID for OneDrive on Windows 10
NEW: Detect drive letters in 0x1F ShellBags.
CHANGE: Detect optional Beef0004 extension block in CDBurn ShellBags
CHANGE: Look for common signatures in several bags and act accordingly
FIX: Detect several fringe cases and set value to “!!! Unable to determine value !!!”. These need more
research for full support
FIX: Remove early return in 0x4d bag which resulted in the ShellBag not displaying properly
Version 0.5.0.3
NEW: Add new ShellBag type, ShellBagParseError, that is used as a placeholder when ShellBag
contents aren’t parsed properly.
Version 0.5.0.2
NEW: Added support for 0x61 bags (FTP). Connection date and username (when saved) are reported
NEW: Added support for Variable: FTP URI ShellBags. These show directories browsed on an FTP
server and in many cases contains the timestamp on the FTP folder
CHANGE: More support for contents in BEEF000e extension blocks
CHANGE: Improve message when BagMRU key isn’t found in a hive.
CHANGE: Updated drive letter icon to a hard drive vs green folder
CHANGE: Expand and collapse nodes now affects the selected node vs all nodes.
FIX: Some GUI fixes (when using expand/collapse nodes remove recursive icon)
Version 0.5.0.1
FIX: Remove recursive icon when right clicking an entry in the grid
FIX: Minor manual updates
Version 0.5.0.0
NEW: Completely rewritten manual
NEW: Added Time zone setting to Tools menu. Change the time zone BEFORE processing a hive to
have all dates automatically adjusted for the selected timezone
NEW: Added --timezone command line argument to SBECmd.exe. Use --timezone="" for a list of valid time zones
NEW: Added --dedupe option to SBECmd. This will process all hives in a directory and remove any duplicate bags. See --help for details
FIX: Adjust Beef0025 version offset to always pull the right offset.
Version 0.4.3.0
CHANGE: Switch from CSV extension to TSV for easier processing in Excel without having to
import manually
FIX: Minor fixes to command line version if source directory is missing
Version 0.4.2.0
FIX: Correct file system hint in details pane misreporting file system. The value in Misc column was
correct but in some cases the details pane misreported the file system type
Version 0.4.1.0
NEW: A shiny manual is now included
NEW: CSV output has been added. You can optionally include the raw hex from bags as well
NEW: Added SBECmd.exe which is the command line version of SBE.
NEW: Added FirstExplored column to grid and details section (when available)
NEW: Added LastExplored column to grid and details section (when available)
NEW: More GUIDs (Windows 10, RealPlayer Cloud, etc)
NEW: Added support for ShellBags with TypeID 0x01 special case
NEW: You can now drag and drop an offline hive on the grid, tree, or details pane to load
NEW: Added note to Miscellaneous column denoting what file system a bag came from based on
MFT information (Thanks to David Cowen for idea and testing)
Version 0.3.9.0
NEW: Added icon for CDBurn bags
NEW: Added CTRL-A and CTRL-C functionality to main grid. This lets you quickly select all rows
and copy selected rows to clipboard
NEW: SBE now remembers its size and will restore the last size on startup
CHANGE: Add detection of certain special signatures earlier in the process as these types of bags
can occur in different places (CDBurn, etc)
CHANGE: Rename “Variable: CDBurn” to “CDBurn” since they can be seen in different places
Version 0.3.8.0
NEW: Added operating system information for beef0004 blocks based on Identifier property. 0x14
⇒ Windows XP, 2003 | 0x26 ⇒ Windows Vista | 0x2a ⇒ Windows 2008, 7, 8.0 | 0x2e ⇒ Windows 8.1
NEW: Report unmapped GUIDs to messages window
NEW: Added support for 0x35 identifiers, which contain Unicode strings vs ascii
NEW: Added support for ShellBag with type ID 0x64 and 0x65. These refer to browser history folders
NEW: Even MORE GUIDS!!!!!1
CHANGE: Improvements to message form details pane
CHANGE: Hide InternalID and HexView from grid field chooser
FIX: Deal with improperly terminated Unicode strings so a ? isn’t displayed as the last character
FIX: Handle embedded property stores in 0x71 (Control panel bags) vs reporting unknown GUID
FIX: Lots of fringe case cleanup
Version 0.3.7.0
NEW: Report unknown type IDs to Messages window so they can be reported
NEW: Added support for Beef0010 extension block. This block contains property store data. Vector
data in one of the sheets looks to contain additional property stores with additional data. More work
to be done here
NEW: Added support for Beef0021 extension block. This block has been seen to contain the URL
where files have been downloaded from
NEW: Added support for Beef0016 extension block. This looks to contain what was searched for (ie
*.inf)
CHANGE: Do not force ‘Last write time’ column visible when loading an offline hive
CHANGE: Added more GUIDs
FIX: Don’t crash when grouping and a group is selected
Version 0.3.6.0
NEW: Pull extension blocks out of property sheets in 0x00 and 0x1F ShellBag types. These appear
to be the results of searches. More research is needed to confirm
CHANGE: Clean up some messages
Version 0.3.5.0
NEW: Added ‘Absolute path’ to grid which contains the full path from the Desktop to the bag item
NEW: Added a few dozen more GUIDs
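The Version 0.5.0.4 notes above describe the Data Interpreter cue for candidate timestamps: a FILETIME or DOS Date field is bolded when it decodes to a date between Now - 10 years and Now + 5 years. The Python below is an added example of that heuristic, not code from Shellbags Explorer: it decodes FILETIME and DOS date/time words and scans a constructed byte blob for 8-byte windows that decode to a plausible date. The sample blob, the fixed "now" and the helper names are assumptions made for the example.

```python
"""Timestamp plausibility scan modelled on the Data Interpreter rule (added example).

Not Shellbags Explorer code. Flags 8-byte windows that decode to a FILETIME inside
(now - 10 years, now + 5 years) and decodes DOS (FAT) date/time words.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Decode a raw 64-bit FILETIME; None when the value cannot be a date at all."""
    if ticks < 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:          # beyond year 9999: random bytes, not a timestamp
        return None


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done with integers so it stays exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def dos_to_datetime(date16: int, time16: int) -> Optional[datetime]:
    """Decode a DOS date word and time word (2-second resolution); None for impossible fields."""
    year = 1980 + (date16 >> 9)
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = time16 >> 11
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:             # month 0, day 32, hour 31 and similar garbage
        return None


def is_plausible(dt: datetime, now: datetime) -> bool:
    """The SBE cue: Now - 10 years < date < Now + 5 years."""
    return (now - timedelta(days=365 * 10)) < dt < (now + timedelta(days=365 * 5))


def scan_for_filetimes(blob: bytes, now: datetime, step: int = 1) -> List[Tuple[int, datetime]]:
    """Return (offset, datetime) for every little-endian 8-byte window that is plausible.

    With step=1 overlapping windows are tested, so hits are candidates for the
    analyst to confirm against the surrounding structure, not proof of a timestamp.
    """
    hits = []
    for off in range(0, len(blob) - 7, step):
        ticks = struct.unpack_from("<Q", blob, off)[0]
        dt = filetime_to_datetime(ticks)
        if dt is not None and is_plausible(dt, now):
            hits.append((off, dt))
    return hits


# Constructed sample (not real ShellBag data): padding, a recent FILETIME, more
# padding, a 1980 FILETIME that must NOT be flagged, then some ASCII bytes.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)
RECENT = datetime(2022, 9, 13, 3, 4, 23, tzinfo=timezone.utc)
OLD = datetime(1980, 1, 1, tzinfo=timezone.utc)


def build_sample_blob() -> bytes:
    return (b"\x00" * 8
            + struct.pack("<Q", datetime_to_filetime(RECENT))
            + b"\x00" * 8
            + struct.pack("<Q", datetime_to_filetime(OLD))
            + b"shellbag")


if __name__ == "__main__":
    for off, dt in scan_for_filetimes(build_sample_blob(), NOW):
        print(f"offset {off}: {dt.isoformat()}")
```

On the sample blob only the recent FILETIME at offset 8 is reported; the 1980 value decodes cleanly but falls outside the window, which is exactly why the GUI does not bold it.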
TimeApp Screenshots
TimeApp References
Download TimeApp
TimeApp can be downloaded from https://ericzimmerman.github.io/#!index.md
Timeline Explorer
Timeline Explorer Introduction
Timeline Explorer is a tool created by Eric Zimmerman that can be used by forensic examiners (or
anyone) to ingest CSV files (and a few other filetypes). Timeline Explorer can handle large files
(over 14GB) and provides a user friendly experience for dealing with data contained within CSV
files. Timeline Explorer can have multiple files open at a time (over 300) and contains many familiar
keyboard shortcuts to move through analysis more efficiently.
Timeline Explorer uses Plugins¹⁶¹ to ingest multiple file types. These Plugins populate the Line and Tag columns for the supported file types and also improve how boolean (True/False) and timestamp values are displayed. The file types Timeline Explorer can open are listed below:
• .csv
• .tsv
• .xlsx
• .txt
Timeline Explorer only runs on Windows due to the .NET Desktop Runtime¹⁶² currently only being
available for Windows and not macOS or Linux.
¹⁶¹https://github.com/EricZimmerman/TLEFilePlugins
¹⁶²https://dotnet.microsoft.com/en-us/download/dotnet/6.0
File Menu
The File menu has a couple of noteworthy features that we’ll cover in this section
Sessions
When you have multiple CSVs ingested into Timeline Explorer, you can save a session which will
open all the same files that are opened at the time of session save. Timeline Explorer will create a
.tle_sess file which is simply a JSON file that will look similar to the example below:
{
  "SessionFiles": {
    "C:\\temp\\20220913030423_RECmd_Batch_Kroll_Batch_Output.csv": [
    ],
    "C:\\temp\\20220913030450_RECmd_Batch_Kroll_Batch_Output.csv": [
    ]
  }
}
Opening this particular session file will instruct Timeline Explorer to open the files specified.
Additionally, any tagged rows will persist when saving and reloading sessions.
Export
Timeline Explorer can export an opened file as CSV or XLSX. This may be helpful if you have a CSV file ingested but want to export it as XLSX, or vice-versa. Please note, the Export function is WYSIWYG, so whatever data is visible due to active layouts, filters, sorting, etc. will be what is exported.
Tools Menu
Timeline Explorer offers multiple useful features within the Tools menu.
Find
Timeline Explorer provides an incredibly useful Find window where examiners can search for terms across all open files. The below example shows the term microsoft and the number of hits within each open file. Double-clicking on a search result will warp to the file in question and automatically filter on the search term.
Right-Click to Copy
One of the most convenient features Timeline Explorer offers is the ability to carry out copy functions with a simple right-click of the mouse. This allows for minimal, if any, interaction with a keyboard when copying data from a file opened in Timeline Explorer. Every click saved matters! This can be useful when headers need to be copied out of a file that's open within Timeline Explorer.
Groups
Timeline Explorer allows examiners to grab a column header and drag above to the box which
contains the text Drag a column header here to group by that column, as seen below.
Grabbing the Time Created column header and dragging it into the blank area above the column
headers will create a grouping that can be very helpful during everyday analysis.
RECmd
Pressing CTRL+K collapses the Hive Type groups; CTRL+M expands them again.
EvtxECmd
With this particular grouping, examiners can see how many overall events reside in the Security.evtx file as well as how many events exist within each Provider that logs to that particular .evtx file.
Tagging
As long as the Line and Tag columns are visible for a file ingested into Timeline Explorer, examiners can take advantage of the Tag feature. Rows that contain data of interest can be tagged by checking the box in the Tag column. This is useful once analysis of a given file is complete and the examiner is ready to filter on only the rows of interest: filter the Tag column for checked boxes only, and all untagged rows disappear, leaving only the rows the examiner tagged.
Clear Filters
CTRL+E is one of the most useful keyboard shortcuts in Timeline Explorer. Regardless of how many
filters are applied by an examiner, this shortcut will clear them all.
CTRL+SHIFT+F is another useful keyboard shortcut available in Timeline Explorer. When a given cell
is highlighted in Timeline Explorer, this keyboard shortcut will allow for the value within that cell
to be applied as a filter in the column it resides in. The filter type can be changed once the value is
populated in the column header filter box.
As examinations progress, columns get resized and it can be a pain to manually resize the columns
back to a reasonable size. CTRL+R provides the quickest method to reset all columns to their default
width.
Tabs Menu
The Tabs menu provides examiners with an overview of all files opened within a Timeline Explorer
instance.
In addition to providing an easy way to see a massive amount of tabs open within Timeline Explorer,
this box also serves as a search box so you can filter on a specific open file that you want to analyze.
View Menu
The View menu provides helpful information when trying to troubleshoot issues with Timeline
Explorer.
Messages
Timeline Explorer offers a Messages window that can provide insight as to how long a file takes
to ingest into Timeline Explorer, which plugin was used to process a file during ingestion, and
error messages that may come up while ingesting unsupported output. As always, toggling Debug
Messages will provide much more verbose messaging in this window but it will also likely drastically
slow the ingestion of a file.
Help Menu
Timeline Explorer provides helpful resources within the Help menu.
Quick Help
Below is the information located in Help -> Quick help.
Legend
When ingesting Super Timelines, the following Legend can prove to be helpful.
Conditional Formatting
Custom Conditions
Manage Rules
Timeline Explorer allows for examiners to set conditional formatting for certain criteria within rows,
columns, and/or cells. This can be done using the Manage Rules menu.
Example Rule
Clicking New Rule in the top left will bring up the following window.
Below is an example of what highlighting every row containing the string successful in the Map
Description column looks like.
Diving deeper into the Rules Manager will show the settings for applying this conditional formatting
to every row containing the desired string.
Using the bottom formula option allows the examiner to craft a filter similar to the filter editor used
in the main Timeline Explorer window.
A public copy of this exact TLE_settings.xml file is hosted on Andrew Rathbun’s GitHub here¹⁶³.
¹⁶³https://github.com/AndrewRathbun/TimelineExplorerSettings
DateTimeFormat
It is very important that the .fffffff sub-second values are included in the DateTimeFormat setting, whether set in the Timeline Explorer GUI or directly in the XML file itself. Without these subseconds enabled, it will be impossible to detect timestomping¹⁶⁴ within MFTECmd output or to leverage the more precise timestamps that other EZ Tools provide.
¹⁶⁴https://www.kroll.com/en/insights/publications/cyber/anti-forensic-tactics/anti-forensics-tactics-timestomping
Expected Headers
Each Plugin looks for specific headers within CSV output so Timeline Explorer can determine which plugin matches the tool output being ingested.
Timeline Explorer doesn't NEED plugins, but plugins allow for a better experience when dealing with supported tool output.
For instance, here¹⁶⁵ is an excerpt from the EZ Tools plugin where the plugin is looking for certain headers within the CSV in order to ingest the output properly:
¹⁶⁵https://github.com/EricZimmerman/TLEFilePlugins/blob/13055b37b5880c131e1cf6ae4d5ff1a57a537467/TLEFileEZTools/EZTools.cs#L368
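The two mechanisms described in the DateTimeFormat and Expected Headers sections, header-driven plugin selection and sub-second timestamp handling, are shown together in the added Python example below. It is not Timeline Explorer or TLEFilePlugins code: Created0x10 and Created0x30 are real MFTECmd column names, and the indicator names follow the uSecZeros and SI<FN columns MFTECmd itself reports, but the sample rows, the second plugin signature and all helper names are constructed for the example. It also shows what goes wrong when the display format drops .fffffff: every timestamp then looks like it has an all-zero fraction, so a legitimate file becomes a false positive.

```python
"""Header-driven plugin selection and 7-digit timestamp handling (added example).

Not Timeline Explorer or TLEFilePlugins code. Created0x10 / Created0x30 are real
MFTECmd column names; the rows, the second signature and the helper names are
constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Optional, Tuple

FULL_FORMAT = "yyyy-MM-dd HH:mm:ss.fffffff"   # the DateTimeFormat value the text recommends
SECONDS_FORMAT = "yyyy-MM-dd HH:mm:ss"         # what you get without the .fffffff part

# A plugin "matches" when every header it expects is present in the CSV's first line.
PLUGIN_SIGNATURES = {
    "MFTECmd": {"EntryNumber", "SequenceNumber", "ParentPath", "FileName",
                "Created0x10", "Created0x30", "LastModified0x10", "LastModified0x30"},
    "ConstructedTool": {"Timestamp", "Message"},   # hypothetical second plugin
}


def select_plugin(header) -> str:
    """Pick the first plugin whose expected headers are all present, else fall back to generic CSV."""
    present = set(header or [])
    for name, required in PLUGIN_SIGNATURES.items():
        if required <= present:
            return name
    return "GenericCsv"


Timestamp = Tuple[datetime, int]   # (second-resolution datetime, 100 ns ticks within that second)


def parse_ts(value: str) -> Optional[Timestamp]:
    """Parse 'yyyy-MM-dd HH:mm:ss[.fffffff]' without losing the 7th digit (strptime %f stops at 6)."""
    if not value:
        return None
    main, _, frac = value.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt, int((frac + "0000000")[:7])


def render_ts(ts: Optional[Timestamp], fmt: str) -> str:
    """Render like the DateTimeFormat setting: keep or drop the sub-second ticks."""
    if ts is None:
        return ""
    dt, ticks = ts
    text = dt.strftime("%Y-%m-%d %H:%M:%S")
    return f"{text}.{ticks:07d}" if fmt.endswith(".fffffff") else text


def analyze(csv_text: str, date_fmt: str = FULL_FORMAT):
    """Return (plugin name, per-row timestomping indicators) for MFTECmd-style CSV text.

    Each timestamp is round-tripped through the display format first, because that
    rendered value is all an examiner (or an Excel export) ever gets to compare.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    plugin = select_plugin(reader.fieldnames)
    findings = []
    for row in reader:
        si = parse_ts(render_ts(parse_ts(row["Created0x10"]), date_fmt))
        fn = parse_ts(render_ts(parse_ts(row["Created0x30"]), date_fmt))
        findings.append({
            "FileName": row["FileName"],
            # $STANDARD_INFORMATION created with an all-zero fraction: classic stomping residue
            "uSecZeros": si is not None and si[1] == 0,
            # $STANDARD_INFORMATION created earlier than $FILE_NAME created
            "SI<FN": si is not None and fn is not None and si < fn,
        })
    return plugin, findings


# Constructed sample (subset of MFTECmd columns). Row 2 has a stomped $SI created time.
SAMPLE_CSV = r"""EntryNumber,SequenceNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
1,1,.\Windows\System32,legit.dll,2022-09-13 03:04:23.1234567,2022-09-13 03:04:23.1234567,2022-09-13 03:04:23.1234567,2022-09-13 03:04:23.1234567
2,1,.\Users\Public,suspicious.exe,2015-01-01 00:00:00.0000000,2022-09-13 03:05:00.4567890,2015-01-01 00:00:00.0000000,2022-09-13 03:05:00.4567890
"""

if __name__ == "__main__":
    for fmt in (FULL_FORMAT, SECONDS_FORMAT):
        plugin, findings = analyze(SAMPLE_CSV, fmt)
        print(fmt, plugin, findings)
```

With the full format only suspicious.exe is flagged on both indicators; with the seconds-only format legit.dll is also reported as uSecZeros, because the information that distinguishes the two rows has been discarded before the comparison is made.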
Checkboxes
Excel is unable to render checkboxes for True/False values when dealing with MFTECmd output. Excel is also unable to handle the values within MFTECmd output (and other EZ Tools' output) without input from the user.
¹⁶⁶https://github.com/EricZimmerman/TLEFilePlugins/tree/master/TLEFileGenericCsv
When converting the timestamp manually in Excel to the specified format, it works, but why do all of that work? Timeline Explorer displays each timestamp as a DateTime object and allows the examiner to digest the data more quickly.
Now that we’ve established the power of plugins for timestamp values, let’s further demonstrate the
power of a plugin that’s catered towards a specific tool’s output compared to the GenericCsv plugin.
By removing the TLEFileEZTools.dll prior to ingesting MFTECmd output, we can see that Timeline
Explorer won’t know to convert the values within the timestamp-specific columns to DateTime
objects.
When we leverage the plugin built for EZ Tools output, we can see what value Timeline Explorer
provides.
The above provides a much more user friendly method of filtering on years, months, and days when
conducting analysis.
Blog Posts
Community Resources
¹⁷⁵https://www.x-ways.net/
Using XWFIM
XWFIM provides many features to assist with installing, managing, and verifying a local installation
of X-Ways.
X-Ways Credentials
Prior to using XWFIM, one must have valid credentials to download X-Ways using XWFIM.
Once valid credentials are entered, XWFIM will provide a prompt similar to below.
Typical Installation
Installing X-Ways Forensics can be done following the steps below.
First, select the desired version using the dropdown, as seen below.
Once a version is selected, ensure the install directory and X-Ways folder name are populated and
hit Install.
Once the installation is complete, XWFIM will display a prompt similar to below.
Portable Installation
To create a portable installation of X-Ways using XWFIM, select the Tools -> Create portable
installation feature. Please note, if you try to do this without having executed X-Ways successfully on
the host system, a similar error message will likely display: WinHex.cfg is missing from 'C:\xwf'.
Open X-Ways at least once to create it and try again. Aborting...
With a USB flash drive plugged in, one will see all attached USB flash drives available to create the
portable installation on.
Selecting E:\ as the destination, a progress window will appear once the Create button is pushed.
On the destination USB flash drive, one can see similar files to what can be found in C:\xwf from
the previous example.
Verifying Installation
XWFIM can verify a local installation of X-Ways using the Tools -> Verify installation feature. First, specify the directory whose installation XWFIM should verify. In this example, we'll use the C:\xwf directory as shown in previous screenshots.
Once a directory is specified, choose whether or not a log file should be generated and hit Verify.
Generating a log file will output the same data in the above screenshot to an .XLSX file.
XWFIM References
Download XWFIM
XWFIM can be downloaded from https://ericzimmerman.github.io/#!index.md
Errata
Reporting Errata
If you think you’ve found an error relating to spelling, grammar, or anything else that’s currently
holding this book back from being the best it can be, please visit the book’s GitHub repository¹⁷⁶ and
create an Issue detailing the error you’ve found. Anyone is also welcome to submit a Pull Request
with new content, fixes, changes, etc.
¹⁷⁶https://github.com/EZToolsManuals/EZToolsManuals/issues