
Eric Zimmerman's tools https://ericzimmerman.github.io/#!index.md


TL;DR
1. READ the Requirements and troubleshooting (https://ericzimmerman.github.io/#!index.md#Requirements_and_troubleshooting) section!!
2. Use Get-ZimmermanTools (https://f001.backblazeb2.com/file/EricZimmermanTools/Get-ZimmermanTools.zip) to download all programs at once

Contribute/support opportunities
- GitHub Sponsors (https://github.com/sponsors/EricZimmerman)
- Paypal (https://paypal.me/ericrzimmerman)
- Patreon (https://www.patreon.com/ericzimmerman)

Forensic tools

| Name | Version | Download | Purpose |
|---|---|---|---|
| AmcacheParser | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/AmcacheParser.zip | Amcache.hve parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | 1.4.4.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/AppCompatCacheParser.zip | AppCompatCache aka ShimCache parser. Handles locked files |

1 of 5 6/4/21, 8:43 PM
| Name | Version | Download | Purpose |
|---|---|---|---|
| bstrings | 1.5.1.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/bstrings.zip | Find them strings yo. Built in regex patterns. Handles locked files |
| EZViewer | 1.0.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/EZViewer.zip | Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!) |
| Evtx Explorer/EvtxECmd | 0.6.5.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/EvtxExplorer.zip | Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! |
| Hasher | 1.9.3.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/hasher.zip | Hash all the things |
| JLECmd | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Jump List parser |
| JumpList Explorer | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/JumpListExplorer.zip | GUI based Jump List viewer |
| LECmd | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/LECmd.zip | Parse lnk files |
| MFTECmd | 0.5.0.1 | https://f001.backblazeb2.com/file/EricZimmermanTools/MFTECmd.zip | $MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser. Handles locked files |
| MFTExplorer | 0.5.1.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/MFTExplorer.zip | Graphical $MFT viewer |
| PECmd | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip | Prefetch parser |
| RBCmd | 0.5.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/RBCmd.zip | Recycle Bin artifact (INFO2/$I) parser |
| RecentFileCacheParser | 1.0.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/RecentFileCacheParser.zip | RecentFileCache parser |
| Registry Explorer/RECmd | 1.6.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
| SDB Explorer | 1.0.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/SDBExplorer.zip | Shim database GUI |
| ShellBags Explorer | 1.4.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/ShellBagsExplorer.zip | GUI for browsing shellbags data. Handles locked files |
| SQLECmd | 0.5.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/SQLECmd.zip | Find and process SQLite files according to your needs with maps! |
| SumECmd | 0.5.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/SumECmd.zip | Process Microsoft User Access Logs found under 'C:\Windows\System32\LogFiles\SUM' |
| SrumECmd | 0.5.0.2 | https://f001.backblazeb2.com/file/EricZimmermanTools/SrumECmd.zip | Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info! |
| Timeline Explorer | 1.3.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/TimelineExplorer.zip | View CSV and Excel files, filter, group, sort, etc. with ease |
| VSCMount | 1.0.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/VSCMount.zip | Mount all VSCs on a drive letter to a given mount point |
| WxTCmd | 0.6.0.0 | https://f001.backblazeb2.com/file/EricZimmermanTools/WxTCmd.zip | Windows 10 Timeline database parser |

Other tools

| Name | Version | Download | Purpose |
|---|---|---|---|
| KAPE | NA | https://learn.duffandphelps.com/kape?utm_campaign=2019_cyberitbn-KAPE-launch&utm_source=kroll&utm_medium=referral&utm_term=kape-gui-blogpost | Kroll Artifact Parser/Extractor: Flexible, high speed collection of files as well as processing of files. Many many features |
| iisGeoLocate | 2.0.0.2 | https://f001.backblazeb2.com/file/EricZimmermanTools/iisGeolocate.zip | Geolocate IP addresses found in IIS logs, extracts unique IPs, records bad data from logs |
| TimeApp | NA | https://f001.backblazeb2.com/file/EricZimmermanTools/TimeApp.zip | A simple app that shows current time (local and UTC) and optionally, public IP address. Great for testing |
| XWFIM | NA | https://f001.backblazeb2.com/file/EricZimmermanTools/XWFIM.zip | X-Ways Forensics installation manager |
| Get-ZimmermanTools | NA | https://f001.backblazeb2.com/file/EricZimmermanTools/Get-ZimmermanTools.zip | PowerShell script to auto discover and update everything above. |

Other files

| Name | Version | Download | Purpose |
|---|---|---|---|
| nlog.config | NA | https://f001.backblazeb2.com/file/EricZimmermanTools/nlog.config | Place this in same directory as CLI tools and you can alter the colors used. Good for white background with black font, etc. Do not change anything but the colors. |
| Change log | NA | https://f001.backblazeb2.com/file/EricZimmermanTools/ChangeLog.txt | |

Requirements and troubleshooting

- All software requires at least Microsoft .net 4.6.2 (https://www.microsoft.com/en-us/download/details.aspx?id=53344) or newer! You will get errors running these without at least 4.6.2. When in doubt, install it!
- DO NOT RUN ANYTHING FOUND HERE FROM 'C:\PROGRAM FILES' DIRECTORY (unless you run them as administrator)!
- DO NOT USE WINDOWS TO EXTRACT THINGS. Use 7-Zip or Winrar as Windows will block the DLLs!
- All software is digitally signed. Once you verify the signature as coming from me, any anti-virus hits are false positives. When in doubt, download the files directly from here!
- If you get DPI scaling issues, make a shortcut (or directly against the exe), edit the properties, then click Compatibility. Under Change high DPI settings, check Override high DPI scaling behavior at bottom and choose System, then click OK out of the dialog.

Open Source Development funding and support provided by the following contributors: SANS Institute (http://sans.org/) and SANS DFIR (http://dfir.sans.org/).

All content and images © Eric Zimmerman Website generated with MDwiki (http://www.mdwiki.info) © Timo Dörr and contributors.
