SANS DFPS Command-Line v1.6 02-23

@SANSForensics   dfir.to/DFIRCast   dfir.to/LinkedIn

CURRICULUM

DIGITAL FORENSICS
FOR308 Digital Forensics Essentials
FOR498 Digital Acquisition and Rapid Triage (GBFA)
FOR500 Windows Forensic Analysis (GCFE)
FOR518 Mac and iOS Forensic Analysis & Incident Response (GIME)
FOR585 Smartphone Forensic Analysis In-Depth (GASF)

INCIDENT RESPONSE & THREAT HUNTING
FOR508 Advanced Incident Response, Threat Hunting & Digital Forensics (GCFA)
FOR509 Enterprise Cloud Forensics & Incident Response (GCFR)
FOR528 Ransomware for Incident Responders
FOR532 Enterprise Memory Forensics In-Depth
FOR572 Advanced Network Forensics: Threat Hunting, Analysis & Incident Response (GNFA)
FOR578 Cyber Threat Intelligence (GCTI)
FOR608 Enterprise-Class Incident Response & Threat Hunting
FOR610 REM: Malware Analysis Tools & Techniques (GREM)
FOR710 Reverse-Engineering Malware: Advanced Code Analysis
SEC504 Hacker Tools, Techniques & Incident Handling (GCIH)

Forensics the EZ Way: Results in Seconds at the Command Line
sans.org/eztools

With the wealth of data stored on Windows computers it is often difficult to know where to start. If you encounter a sizable hard drive, it could be hours or even days before you're ready to start your investigation, never mind reporting the results. Using the EZ tools provides scriptable, scalable, and repeatable results with astonishing speed and accuracy. Go from one investigation a week to several per day. This type of performance is common with the command line versions of the EZ Tools. This poster will show you how.

Common CLI Options & Switches

Short options (single letter) are prefixed with a single dash. Long options are prefixed with two dashes.

Option | Definition
-d | Directory to process
-f | File to process
-q | Quiet mode
--dt | Custom date/time format
--mp | Higher precision timestamps are displayed and will also be reflected in any exported data
--csv --json --html | Data can be exported to several formats. You can request multiple formats at the same time.
--debug | Shows debug info during tool execution (more info)
--trace | Shows trace info during tool execution (most info); can be run together with debug (--debug --trace)
--sync | Sync updates from GitHub: KAPE targets and module updates, and EvtxECmd map updates
--vss | Process Volume Shadow Copies. Supported in EvtxECmd, MFTECmd, PECmd and RECmd

AppCompatCacheParser – Shimcache Parser

Type of Artifact
Application Compatibility Cache allows older applications to be run on newer versions of Windows. When an executable is found, Windows determines how best to run the program and stores that data. AppCompatCache can be used to determine what was run.

Basic Usage
Run AppCompatCacheParser with the -f switch and point it to the SYSTEM registry hive. In the example command below, AppCompatCacheParser is run against a SYSTEM hive. Output is stored on the G: drive in the "AppCompatCache" folder. The AppCompatCacheParser application creates an output file.

AppCompatCacheParser.exe -f E:\Windows\System32\config\SYSTEM --csv G:\AppCompatCache

Key Data Returned
The columns of most significance are typically "Path" (the location and name of the executable), "LastModifiedTimeUTC" (the last written time of the executable) and "Executed" (whether the executable was run). The most common mistake made by forensicators is to assume that the LastModifiedTimeUTC value refers to the execution of the file. Don't fall into this trap!

Advanced Usage
PRO TIP: Watch for changes at the start of the "Path". Anything that shows "SYSVOL" ran from the host's OS volume. Other volumes will be recorded by their drive letter.

Path | Last Modified Time UTC | Executed
SYSVOL\Windows\System32\notepad.exe | 8/22/2019 11:00:12 | Yes
E:\TACTICAL Subject\f-response-tacsub.exe | 8/12/2019 19:21:00 | Yes

PRO TIP: As a file's last written time does not change when a file is moved, renamed or copied, it may be possible to track the same executable across a single or even multiple systems, as a new entry will be created in the AppCompatCache when the file is executed from a different location or with a different name. The table below shows the same executable being run in different scenarios. We know they are all the same executable because they share the same last written time.

Path | Last Modified Time UTC | Executed
SYSVOL\Windows\System32\spinlock.exe | 10/23/2019 14:27:18 | Yes
SYSVOL\Users\SRogers\AppData\Local\Temp\spinlock.exe | 10/23/2019 14:27:18 | Yes
SYSVOL\Windows\prune.exe | 10/23/2019 14:27:18 | Yes

JLECmd – JumpList Explorer Command Line Edition

Type of Artifact
Jumplists store critical information about files and folders that have been used in Windows. Among other things, Jumplists contain information about the application used to open target files and folders and store metadata specific to them. Those metadata contain details such as file name and location, dates and times, etc. JLECmd makes parsing this data simple and quick.

Basic Usage
JLECmd takes either a single Jumplist file or a directory of Jumplists as input. If parsing a single Jumplist, use the -f option. If parsing a directory of Jumplists, use the -d option. It is also suggested that the -q switch be used to avoid dumping all results to the screen (which can dramatically slow down JLECmd's execution time).

In the example command below, JLECmd is run against a single Jumplist. Output is stored on the G: drive in the "Jumplists" folder.

JLECmd.exe -f E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations\ff103e2cc310d0d.automaticDestinations-ms --csv G:\Jumplists -q

In the example command below, JLECmd is run against all automatic Jumplist files stored for the user "Donald".

JLECmd.exe -d E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations --csv G:\Jumplists -q

Key Data Returned
The JLECmd output contains two important categories of data: evidence of execution and evidence of file knowledge. The table below shows some of the more significant columns to include in your review.

Column Name | Forensic Value
AppIdDescription | Human readable name for AppID
DestListVersion | Used with MRU to determine the most recently opened file in the Jump List
MRU | Used with DestListVersion to determine the most recently opened file in the Jump List
Path | Location and name of file opened
TargetCreated | Creation timestamp of the file referenced in the Jump List
TargetModified | Modification timestamp of the file referenced in the Jump List

A mapping of app_ids to app names can be found at https://for500.com/appid.

Advanced Usage
PRO TIP: Watch for changes in the "DriveType", "VolumeSerialNumber" and "VolumeLabel" columns, as the data in these columns can indicate whether files have been opened from external devices. In the example below, the change in these columns shows that a file was opened from the USB device named "FILES". Additionally, the local path may show the same drive letter for multiple removable devices (e.g., F:\), so you should also review the volume serial number and the volume label to determine whether the drive letter is associated with the same or different devices.

Target Modified | Drive Type | Volume Serial Number | Volume Label | Local Path
9/1/2018 16:53 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1193125-12-53009.pdf
9/27/2018 17:42 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf
9/3/2018 14:13 | Removable storage media (Floppy, USB) | B0A9FE90 | FILES | F:\Forms\fy08-form-10k.pdf
9/1/2018 16:43 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1065280-13-8.pdf

RBCmd – Recycle Bin Artifact Parser

Type of Artifact
When a user deletes a file, it is sent to the Recycle Bin. During that process, it is renamed. For example, if cat.jpg was deleted, the deleted file would have a name such as $R7YQ28P.jpg. The $R prefix means that it contains the content (Resource) of the original file. In addition to the $R file, a new corresponding $I (Information) file is created in the Recycle Bin. The $I file contains the information about the original location of the file and the date and time of deletion. RBCmd takes this data and presents it in a human-readable format.

Basic Usage
In this example, RBCmd is run against a single $I (information) file on a mounted drive (E:). The output is displayed in the window where the command was run.

RBCmd.exe -f E:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001\$I7YQ28P.jpg

In the next example, RBCmd is run against the parent folder of the $I file above, thereby parsing all of the $I files. This time, the output is stored in a CSV in G:\RBFiles with the date and time in the file name. Use of the -q switch prevents all of the output from being sent to the window, making processing faster.

RBCmd.exe -d F:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001 --csv G:\RBFiles -q

Key Data Returned
Processed Recycle Bin data is output to the screen (if no output file is specified) or to the CSV requested with --csv. The listing below shows an example of the output when run against a single file. The source file is shown, as are the file size, the original file name and location, and the date of deletion.

Source file: .\$IG1VEXX.xls
Version: 1 (Pre-Windows 10)
File size: 16384 (16KB)
File name: C:\Users\Donald\SkyDrive\Documents\WACC Calc Spreadsheet -SECRET.xls
Deleted on: 2013-10-21 18:32:52.5320000

Advanced Usage
PRO TIP: Running RBCmd on a mounted drive will work, but remember that when doing so, Windows does not see deleted files, so RBCmd won't pick them up. It is often worth extracting deleted $I files using another tool and then running RBCmd over those recovered files.

VSCMount – Volume Shadow Copy Mounter

Type of Artifact
Volume Shadow Copies are created periodically to capture the previous state of a system. This means that deleted and wiped files, or even older versions of a file or folder, can be recovered from volume shadow copies. VSCMount allows an investigator to mount each volume shadow copy.

Basic Usage
Before running the VSCMount tool, an evidence file must itself be mounted as a physical drive. Once mounted, note the drive letter. In the example below it is drive letter E.

Open an Administrator PowerShell window and run VSCMount. In the example command below, the "--dl" switch stands for "drive letter". This is the drive letter of the evidence file mounted above; in this example, the drive letter is "E". The "--mp" switch stands for "map point". This is the location where VSCMount will create the links to all of the volume shadow copies found on the mounted evidence. In this instance, the volume shadow copies will be mapped to "C:\VSCs".

.\VSCMount.exe --dl E --mp C:\VSCs

Key Data Returned
When run, VSCMount maps each shadow copy to a separate folder. From the example command given above, VSCMount found and mapped three volume shadow copies from the mounted E drive inside the map point. Each of these can be expanded and viewed as needed.

Advanced Usage
PRO TIP: Looking at the mapped Volume Shadow Copies, it isn't immediately clear when they were created. Adding the "--ud" switch to the command adds the creation date of each mapped Volume Shadow Copy, as shown in the example below:

.\VSCMount.exe --dl E --mp C:\VSCs --ud

bstrings – Extract Text From Binary Files

Type of Artifact
bstrings can be used to search any type of file for potentially valuable information.

Basic Usage

bstrings.exe -f <file>

Interesting options and switches:

bstrings.exe -f <file> --ls "password"

Use the -x and -m switches to set maximum and minimum string lengths.
Use --off to show the offset for each search hit.

Advanced Usage
--lr performs regular expression searches. bstrings also contains over a dozen built-in regular expression patterns for things like credit card numbers, social security numbers, IP addresses, email addresses, and more.

-p shows a list of the built-in regular expressions. When using a built-in expression, use the value in the Name column. For example, to look for email addresses, use this command:

bstrings.exe -f <some file> --lr email

bstrings also allows searching for several strings or regular expressions at once using the --fr and --fs switches.

In addition to Unicode strings, bstrings looks for strings encoded using the Western (1252) code page. Use the --cp switch to search in any other code page supported by .NET. A full listing of available code pages is available at https://goo.gl/ig6DxW

Option/Switch | Use | Example
--ls | Search for string | bstrings -f suspect.exe --ls password
--lr | Search with regular expression | bstrings -f suspect.exe --lr (ntos|win32k)
-p | List built-in regular expressions | bstrings -p
--lr XX | The XX represents a built-in regex | bstrings -f suspect.exe --lr ipv4
--fr | Read a file containing regexes to use in the search | bstrings -f suspect.exe --fr DFIR_RegExs.txt
-h | List all options | bstrings -h
--cp | Use a different ANSI code page | bstrings -f Powershell.evtx --ls download --cp 1201
Note: Windows Event Logs require the specific code page 1201 for bstrings to find the search string.

SQLECmd – SQLite Parser

Type of Artifact
SQLite databases are used to store data for many applications. On a Windows computer, the most common uses of SQLite are web browser data such as history, cloud storage, chat applications, phone backups, etc.

As each SQLite database is different, SQLECmd makes use of custom maps. These maps are created to parse specific items. For example, when parsing the Google Chrome History database, SQLECmd recognizes the database schema (layout) for the application and uses the relevant map file to interpret the data specific to Google Chrome.

Basic Usage
To parse a single SQLite database, point SQLECmd at a single database file using the -f switch.

SQLECmd.exe -f G:\databases\database.db --csv G:\SQLECmd_output

To parse a folder of SQLite databases, point SQLECmd at the folder and use the -d switch.

SQLECmd.exe -d G:\databases\ --csv G:\SQLECmd_output

Key Data Returned
Depending on the database being analyzed, several CSV files may be output. In the example of Google Chrome, pointing SQLECmd to the History database will result in history, downloads, and keyword search files, each containing their respective results.

Advanced Usage
PRO TIP: SQLECmd only parses a database if a map file exists for that schema. Due to the large number of SQLite-based applications, it is impossible to have maps for every eventuality. However, creating a custom map file is as simple as generating a SQL query and adding it to the SQLECmd maps folder.

SRUMECmd – SRUM Parser

Type of Artifact
SRUM (System Resource Usage Manager) records application usage, network usage, power usage, etc. Investigation of this artifact can assist in determining what applications were used, while also providing context into the network connection (including names of wireless networks) that was in use at the time. SRUM can also determine how much data was uploaded and downloaded by the application and even whether a laptop was connected to power or running on battery at the time.

Basic Usage
SRUMECmd takes a SRUDB.dat database and the SOFTWARE registry hive as input. However, the SRUDB.dat file must first be repaired by copying the contents of the Windows\System32\sru folder and running the following two commands in the folder containing the copied files:

esentutl.exe /r sru /i /o
esentutl.exe /p SRUDB.dat /o

Once the repair is complete, SRUMECmd can be run. In the example below SRUMECmd is run against our newly repaired SRUDB.dat file. The -r (registry) switch points to the SOFTWARE registry hive on a mounted evidence file (E:). The results are output to another folder.

SRUMECmd.exe -f G:\sru_fixed\SRUDB.dat -r E:\Windows\System32\config\SOFTWARE --csv G:\SRUM_output

Key Data Returned
Several CSV files will be output from running the command. Each CSV represents a different aspect of SRUM, including application resource usage, energy usage, network usage, network connections, etc. Each table is named and formatted according to the data contained therein. Note that the results are provided in time segments of 30 to 60 minutes.

Advanced Usage
PRO TIP: As SRUM is recorded in 30-to-60-minute segments, the data can be opened in Excel and a graph plotted to show specific bandwidth and/or application usage over time. The graph output can then be used in reports to provide a clear visual of activity.

SumECmd – User Access Log Parser

Type of Artifact
User Access Logs are found in Windows Server operating systems. These logs record user requests related to a server. For example, if a user connects to a server, the username and client IP address are recorded with the associated date and time. This can help track a user's lateral movement through the environment.

Basic Usage
SumECmd takes the contents of the C:\Windows\System32\LogFiles\SUM folder as input. However, the databases stored in this folder must first be repaired by copying the contents of the folder and running the following commands on the copied files:

esentutl.exe /r svc /i /o
esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p <GUID>.mdb

Note that <GUID>.mdb is not actually named this way; the GUID will be different on every server. Once the repair is complete, SumECmd can be run. In the example below SumECmd is run against the repaired files in the copied folder.

SumECmd.exe -d G:\sum_fixed\ --csv G:\sum_output

Key Data Returned
A series of files is output from running the command. Perhaps the most significant of the files is named ClientDetail. In this file we are provided with the dates and times of when the activity occurred and the Role Description (used to identify the service being accessed). In addition, the domain, username, and IP address of the incoming access are also recorded.

Advanced Usage
PRO TIP: Looking for domains, users and IP addresses that are not part of the organization will help to detect anomalous behavior and gives clues about the attacker.

The most trusted source for cybersecurity training, certifications, degrees, and research
@SANSForensics   dfir.to/DFIRCast   dfir.to/LinkedIn

DFPS_Command-Line_v1.6_02-23.indd 1 1/31/23 8:57 AM
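The two PRO TIPs for AppCompatCacheParser (same last written time means the same executable; a path not starting with SYSVOL ran from another volume) and for JLECmd (one drive letter, several volume serials) are checks you can script over the tools' CSV exports. This is an added example, not code from the poster or from the EZ Tools; the CSV text is constructed from the poster's tables (the JLECmd row with serial 1A2B3C4D and label BACKUP is invented to exercise the drive-letter check), and the column names are assumed to match the tools' CSV headers.

```python
"""Post-process AppCompatCacheParser and JLECmd CSV exports (added example).

Not part of the poster or of the EZ Tools. The CSV text below is
constructed from the poster's tables, plus one invented JLECmd row
(serial 1A2B3C4D / label BACKUP); column names are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed AppCompatCacheParser output: three entries share a last
# written time, and one entry ran from a non-OS volume (drive E:).
APPCOMPAT_CSV = r"""Path,LastModifiedTimeUTC,Executed
SYSVOL\Windows\System32\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\Users\SRogers\AppData\Local\Temp\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\Windows\prune.exe,10/23/2019 14:27:18,Yes
SYSVOL\Windows\System32\notepad.exe,8/22/2019 11:00:12,Yes
E:\TACTICAL Subject\f-response-tacsub.exe,8/12/2019 19:21:00,Yes
"""

# Constructed JLECmd output: drive letter F: is used by two different
# removable devices (different serial number and label).
JLECMD_CSV = r"""TargetModified,DriveType,VolumeSerialNumber,VolumeLabel,LocalPath
9/1/2018 16:53,Fixed storage media (Hard drive),7E58AAB0,Windows10_OS,C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1193125-12-53009.pdf
9/3/2018 14:13,"Removable storage media (Floppy, USB)",B0A9FE90,FILES,F:\Forms\fy08-form-10k.pdf
9/5/2018 09:10,"Removable storage media (Floppy, USB)",1A2B3C4D,BACKUP,F:\Forms\fy09-form-10k.pdf
"""


def read_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def same_binary_candidates(appcompat_rows):
    """LastModifiedTimeUTC values seen with more than one Path.

    The last written time survives moves, renames and copies, so several
    paths sharing one timestamp are very likely the same executable.
    """
    by_time = defaultdict(set)
    for row in appcompat_rows:
        by_time[row["LastModifiedTimeUTC"]].add(row["Path"])
    return {ts: sorted(paths) for ts, paths in by_time.items() if len(paths) > 1}


def non_os_volume_entries(appcompat_rows):
    """(volume, path) for entries whose Path does not start with SYSVOL.

    SYSVOL is the host OS volume; anything else is recorded by drive letter.
    """
    found = []
    for row in appcompat_rows:
        volume = row["Path"].split("\\", 1)[0]
        if volume.upper() != "SYSVOL":
            found.append((volume, row["Path"]))
    return found


def reused_drive_letters(jlecmd_rows):
    """Drive letters that map to more than one (serial number, label) pair."""
    by_letter = defaultdict(set)
    for row in jlecmd_rows:
        letter = row["LocalPath"][:2]  # e.g. "F:"
        by_letter[letter].add((row["VolumeSerialNumber"], row["VolumeLabel"]))
    return {k: sorted(v) for k, v in by_letter.items() if len(v) > 1}


def removable_device_entries(jlecmd_rows):
    """Rows whose DriveType marks a removable device."""
    return [r for r in jlecmd_rows if r["DriveType"].startswith("Removable")]


if __name__ == "__main__":
    app = read_rows(APPCOMPAT_CSV)
    for ts, paths in same_binary_candidates(app).items():
        print(f"same last written time {ts}:")
        for p in paths:
            print("   ", p)
    print("ran from other volumes:", non_os_volume_entries(app))
    jl = read_rows(JLECMD_CSV)
    print("drive letters reused by different devices:", reused_drive_letters(jl))
    print("opened from removable media:", len(removable_device_entries(jl)), "rows")
```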
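To see what RBCmd is reading when it prints "Version", "File size", "File name" and "Deleted on" for a $I file, here is an added example parser (not from the poster or from RBCmd) that handles both the pre-Windows 10 and the Windows 10 $I layouts. The layout details come from public documentation of the format, not from the poster; the sample $I file is built in memory from the values shown in the poster's listing.

```python
"""Parse Recycle Bin $I metadata files and print them RBCmd-style (added example).

Not part of the poster or of RBCmd. $I layout (public format documentation):
  offset 0   8 bytes  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
  offset 8   8 bytes  original file size, little-endian
  offset 16  8 bytes  deletion time as a Windows FILETIME (100 ns since 1601)
  version 1: offset 24, 520 bytes of UTF-16LE path, NUL padded
  version 2: offset 24, 4-byte character count, then the UTF-16LE path
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_text(ticks):
    """Render a FILETIME the way RBCmd shows it, with seven fractional digits."""
    whole = FILETIME_EPOCH + timedelta(seconds=ticks // TICKS_PER_SECOND)
    return f"{whole:%Y-%m-%d %H:%M:%S}.{ticks % TICKS_PER_SECOND:07d}"


def parse_dollar_i(data):
    """Return a dict with version, size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # Both layouts terminate or pad the path with NUL characters.
    name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_text(ticks), "name": name}


def partner_r_name(i_file_name):
    """$I7YQ28P.jpg -> $R7YQ28P.jpg: the file holding the deleted content."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def report(source, rec):
    """Lines in the layout RBCmd prints for a single $I file."""
    label = "1 (Pre-Windows 10)" if rec["version"] == 1 else "2 (Windows 10 or later)"
    return [
        f"Source file: {source}",
        f"Version: {label}",
        f"File size: {rec['size']} ({rec['size'] // 1024}KB)",
        f"File name: {rec['name']}",
        f"Deleted on: {rec['deleted']}",
    ]


def build_dollar_i(version, size, deleted, name):
    """Build a $I file in memory (used here only to construct the sample)."""
    ticks = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack("<QQQ", version, size, ticks)
    encoded = name.encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(name) + 1) + encoded + b"\x00\x00"


# Constructed sample with the values the poster shows for $IG1VEXX.xls.
SAMPLE_NAME = "$IG1VEXX.xls"
SAMPLE_I = build_dollar_i(
    1, 16384,
    datetime(2013, 10, 21, 18, 32, 52, 532000, tzinfo=timezone.utc),
    r"C:\Users\Donald\SkyDrive\Documents\WACC Calc Spreadsheet -SECRET.xls",
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NAME, parse_dollar_i(SAMPLE_I))))
    print("content is in:", partner_r_name(SAMPLE_NAME))
```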
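The bstrings section above says the tool searches code page 1252 strings as well as Unicode, and that an event log needs a different code page before "download" is found. The added example below (not bstrings itself, and not from the poster) shows why: a single-byte scan never sees UTF-16 text, because every character is separated by a NUL byte, so each encoding needs its own pass. It reports offsets like --off and filters like --ls and --lr; the built-in patterns and the sample buffer are constructed here.

```python
"""bstrings-style string extraction and searching over a binary buffer (added example).

Not bstrings itself and not from the poster. Scans for printable runs in
Western code page 1252 and in UTF-16LE, reports the byte offset of each
hit (like --off), and filters with a literal (--ls), a regular expression
(--lr) or a named built-in pattern (--lr ipv4).
"""
import re

# A few patterns in the spirit of bstrings' built-ins (constructed here,
# not copied from the tool); look them up by name, as with "--lr ipv4".
BUILTIN_REGEX = {
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "email": r"[\w.+-]+@[\w-]+\.[\w.-]+",
}

# Constructed sample: two ASCII strings and two UTF-16LE strings separated
# by NUL bytes, as they would sit inside a Windows binary or event log.
SAMPLE = (
    b"MZ\x90\x00\x03"
    + b"password=hunter2\x00\x00"
    + "download".encode("utf-16-le") + b"\x00\x00"
    + b"srv 10.0.0.5\x00\x00"
    + "admin@example.com".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data, min_len=3, max_len=None):
    """Return (offset, encoding, text) for every printable run found.

    The single-byte pass only sees runs of consecutive printable bytes, so
    UTF-16 text (one NUL between every character) needs its own pass.
    """
    single = re.compile(rb"[\x20-\x7e\xa0-\xff]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in single.finditer(data):
        hits.append((m.start(), "cp1252", m.group().decode("cp1252")))
    for m in wide.finditer(data):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    if max_len is not None:  # the -x switch equivalent; -m is min_len
        hits = [h for h in hits if len(h[2]) <= max_len]
    return sorted(hits)


def search_literal(hits, needle):
    """Equivalent of --ls: case-insensitive substring match."""
    needle = needle.lower()
    return [h for h in hits if needle in h[2].lower()]


def search_regex(hits, pattern):
    """Equivalent of --lr with a user-supplied expression."""
    rx = re.compile(pattern)
    return [h for h in hits if rx.search(h[2])]


def search_builtin(hits, name):
    """Equivalent of --lr <name> using one of the built-in patterns."""
    return search_regex(hits, BUILTIN_REGEX[name])


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, enc, text in found:
        print(f"0x{offset:08x} {enc:10} {text}")
    print("password hits:", search_literal(found, "password"))
    print("ipv4 hits:", search_builtin(found, "ipv4"))
```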


PECmd – Prefetch Parser

Type of Artifact
Prefetch provides evidence of execution. Prefetch files are created or updated in the C:\Windows\Prefetch folder when a program attempts to run. Prefetch files are not automatically deleted if the related program is deleted and therefore can be a source of historical information. Prefetch is limited to 128 files, meaning that older files may be overwritten when that limit is reached. A prefetch file is typically created about 10 seconds after the program's first run.

Basic Usage
Process a single Prefetch file and send results to the screen:

PECmd.exe -f C:\Windows\Prefetch\CMD.EXE-8E75B5BB.pf

Process a directory of Prefetch files and send results to a CSV file named prefetch.csv. The --csvf switch allows you to provide the name of the Prefetch output CSV:

PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv

Process a directory of Prefetch files, including Volume Shadow Copies, and send the results to a CSV file named prefetch.csv with higher precision timestamps:

PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv --vss --mp

Key Data Returned
PECmd, in CSV mode, will output two CSV files, one of which is a timeline. The timeline CSV will have "_Timeline" in the file name. The main Prefetch output file will contain important information such as:
• Executable name and full path from which it was executed
• Volume name and serial number from which the program ran
• Run Count: the number of times that the program was run from that location
• Timestamps (UTC) for the last eight executions
• Volumes, files and directories accessed during execution

Advanced Usage
KEYWORDS: Using a comma-separated list of keywords will cause any hits to be shown in red.

PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv -k "system32, downloads, fonts"

PRO TIP: PECmd can extract and process Prefetch files from Volume Shadow Copies by using the "--vss" option. This will process Prefetch files from ALL Volume Shadow Copies. The output files will be separated by individual VSS numbers.

PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv --vss

EvtxECmd – Windows Event Log Parser

Type of Artifact
There are many Event Logs in the evtx folder, some aimed at system-wide events like Security.evtx, System.evtx and Application.evtx. Others may contain more specific events. All Event Logs are stored in the same format, but the actual data elements collected vary. It is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines. All events are normalized across all event types and across all Event Log file types!

The EvtxECmd parser has custom maps and locked file support. EvtxECmd has a unique feature, "Maps," that allows for consistent output.

Event Log Location: Event Logs for Windows Vista or later are found in %systemroot%\System32\winevt\logs

Parsing all events could end in millions of results. Using EvtxECmd's maps can help target specific artifacts.

Basic Usage
Recursively parsing a directory of event logs is probably the most efficient way to use EvtxECmd. To parse a directory, copy the Event Logs to a temporary directory and use the -d option. Additionally, use the --inc option to include only specific Event IDs in the processing.

You have extracted the Event Logs to a folder named e:\evtx\logs and now you want to process all those logs in a single command:

EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv

Process all event logs and include only the Event IDs specified by the --inc option:

EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv --inc 4624,4625,4634,4647,4672

Exclude specific Event IDs by using the --exc option:

EvtxECmd.exe -d E:\evtx\logs --csv G:\ev

tx\out --csvf evtxecmd_out.csv --exc 4656,4660,4663

Key Data Returned
Events without maps are still processed, but the output format will vary. The normalized Event Log output makes it possible to analyze many different types of Event Logs in a single view. Timeline Explorer is perfect for this analysis.

Advanced Usage
Check out this PowerShell script that copies out the relevant Event Logs and processes only specific Event IDs (your list of relevant logs and Event IDs may vary): https://for500.com/evtx2process

PRO TIP: Process only the Event Logs and Event IDs that are relevant to your case.

AmcacheParser – Amcache Parser

Type of Artifact
Amcache is part of the Application Experience Service in Windows. As such, it stores information about what application was run and a hash value of the executable.

Basic Usage
AmcacheParser takes the Amcache.hve registry hive as input. In the example command below, AmcacheParser is run against an Amcache.hve registry hive. Output is stored on the G: drive in the "Amcache" folder.

AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve --csv G:\Amcache

Key Data Returned
The columns of most significance are typically "FileIDLastWriteTimestamp" (the first time the executable was run), "SHA1" (the SHA-1 hash of the file being executed) and "FullPath" (the location and name of the executable run). Other data of potential interest include the Volume ID (used to determine from which volume the executable was run), the MFT Entry and Sequence numbers (used to determine whether the executable was run from an NTFS volume) and information about the internal metadata of the executable itself.

Advanced Usage
PRO TIP: Watch for changes in the VolumeID, as these can be indicative of applications being run from external devices. In the example below, the VolumeID is different for each executable run, meaning that they were all run from different volumes even though two entries reference the E:\ drive.

Volume ID | File ID Last-Write Timestamp | SHA1 | Full Path
abcd082d-3b8e-11e3-be8d-24fd52566ede | 10/23/2013 3:09 | f107ec56d650bf2cb00b186cbfbd202f66209ecf | E:\FTK Imager\FTK Imager.exe
afd25598-3b2c-11e3-be8c-24fd52566ede | 10/22/2013 21:42 | ca5fd519a43ff95d1ec0bbdf3533e9392109af74 | E:\TACTICAL Subject\f-response-tacsub.exe
dbcc2aeb-5826-41c0-8011-f0153438122b | 10/13/2013 9:42 | 9fef303bedf8430403915951564e0d9888f6f365 | C:\Windows\System32\notepad.exe

PRO TIP: Looking for something specific in the Amcache? You can use the switches -b (blacklist) or -w (whitelist). Blacklisting will include only those Amcache entries that match the SHA-1 hashes specified in the file, while whitelisting will exclude those Amcache entries that match the SHA-1 hashes. In the example below, we've provided SHA-1 values in Blacklist.txt, meaning that the output CSV will contain only items that are responsive to the SHA-1 values in the text file.

AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve -b G:\Blacklist.txt --csv G:\Amcache

SBECmd – Shellbags Explorer

Type of Artifact
Every time Windows Explorer interacts with a folder, an entry is created in the user's Shellbags. Folders also include other "Explorer-like" items such as the Control Panel, zip files, ISOs, and mounted encrypted containers. The simple existence of a directory in Shellbags is evidence that the specific user account once interacted with that folder. Shellbags may persist long after the original directories, files, and physical devices have been removed.

ShellBags are a set of Windows Registry keys located in the NTUser.dat and USRClass.dat Registry hives (primarily USRClass.dat) that maintain viewing preferences of folders when using Windows Explorer. We used to say the Shellbags tracked folders that a user opened.

Basic Usage
SBECmd uses -d for a directory to recursively process user registry hives. There is no -f option for SBECmd.

To process a single user's ShellBags data, use the following command:

SBECmd.exe -d E:\Users\nromanoff --csv G:\temp\sbe_out

PRO TIP: If you need to process several users' ShellBags data, you might consider exporting their data first and then processing just the folder containing the exported data. This is a performance decision. Recursively processing many user folders can be very slow.

To process all users in the Users folder, use the following command:

SBECmd.exe -d E:\Users --csv G:\tmp\sbe_out

Key Data Returned
File system dates and times for target folders and first and last folder interaction times. The Bag Path, Slot, Node Slot, and MRU position for each entry are also shown. These can initially be confusing to decipher in table form. Using the GUI version of ShellBags Explorer to see the table view translated into a hierarchical tree format can be very useful.

Timestamps shown in SBECmd output: Because registry key timestamps hold only a single last update value for each key, the hierarchical data in the BagMRU registry key can become stale. This means that there may be a value in the key but it could be outdated. Therefore, if SBECmd is not positive that a date is current and accurate, that date will not be shown in the output. This is why you will often see that an entry has a Last Interacted Timestamp and no First Interacted Timestamp: the First Interacted Timestamp is stale and can't be relied upon. You will also notice that SBECmd will only show Last Interacted Timestamps for MRU values.

Advanced Usage
PRO TIP: SBECmd can pull data from a live system. This makes for a great learning and testing feature. Pull some baseline Shellbags data, run a test like navigating into a folder, pull the data again and compare. See what your own activity does to the Shellbags data.

MFTECmd – MFT Explorer

Type of Artifact
MFTECmd parses a number of different files from NTFS-formatted drives. At a high level, MFTECmd parses each of these internal NTFS system files. At a lower level, the application dives deep into NTFS and helps uncover much data of interest.

File | Description | Contents
$MFT | Index of each file and folder on the volume | File name, timestamps, and other metadata
$Boot | Volume boot record | Volume serial number, volume signature, number of sectors
$SDS | File ownership | Contains a list of all the Security Descriptors on the volume
$J | USN Journal (file change journal) | Transaction log of all changes to a file (write, delete, rename, etc.)
$Logfile | Transaction Log File (metadata change journal) | Used by NTFS to maintain the integrity of the filesystem in the event of a crash

Basic Usage
MFTECmd takes a $MFT, $J, $SDS, $Logfile or $Boot as input. These input files can be in the form of an exported copy of the file(s) or referenced from within a mounted image. The example command below shows MFTECmd being run against a $MFT file that has been exported from an evidence file.

MFTECmd.exe -f 'G:\Exports\$MFT' --csv G:\MFT_Output

In the next example MFTECmd is run against a $MFT file on a mounted image.

MFTECmd.exe -f 'E:\$MFT' --csv G:\MFT_Output

Note the command line syntax for referencing the alternate data streams $UsnJrnl and $Secure (the USN journal lives in the $J stream of $UsnJrnl).

MFTECmd.exe -f 'E:\$Extend\$UsnJrnl:$J' --csv G:\USN_Output

Key Data Returned
The $SDS file allows us to determine file ownership. For example, in the first screenshot below we see output from the parsed $MFT loaded into Timeline Explorer. Looking at the NTUSER.DAT entry we can see that the Security ID for this file is 8271. If we then go to the $SDS output and search for that same Security ID, we find that the NTUSER.DAT file is owned by the user with the Relative ID of 1001. If needed, we can take the SID and tie it to a username via the SAM Registry hive.

In the $J output, …the creation of a file named $IT74KUZ, then data is added to the file before it is closed. Immediately afterwards, the file sdelete64.exe is renamed to $RT74KUZ before also being closed. This all happens within the same hundredth of a second as sdelete64.exe being sent to the $Recycle.bin. A few moments later, both files are deleted as the $Recycle.bin is emptied.

Advanced Usage
PRO TIP: It is important to remember that NTFS stores two sets of dates and

RECmd – Registry Explorer Command Line Edition

Type of Artifact
This command line tool is used to access, search and recover, and export any data found in the Windows Registry. To grasp why this tool is so powerful, just think about searching and exporting registry data in a consistent output format. It's no big deal to do this with other tools until you have to do exactly the same thing across tens, hundreds, or thousands of machines.

Basic Usage
Search NTUSER.dat for a key name that contains "Dropbox":

RECmd.exe -f "C:\Temp\NTUSER.dat" --sk Dropbox

Search UsrClass.dat for a key value that contains "Dropbox":

RECmd.exe -f "C:\Temp\UsrClass.dat" --sd Dropbox

Search the directory registry_files for the key value that contains "Dropbox", where the last write time is >= StartDate and the value name contains either "AppName" or "DisplayName"; also, don't recover deleted keys and don't process log files:

RECmd.exe -d "C:\Temp\registry_files" --sk "Dropbox" --StartDate "11/13/2014 15:35:01" --RegEx --sv "(App|Display)Name" --recover false --nl

RECmd will replay and apply all registry hive logs automatically. Use --nl to suppress this.

Advanced Usage
Keys collection: each entry in a batch file consists of:
• Description: A user-friendly description of what this key will find. Can be anything from the key name to a friendlier description of what it means, etc.
• HiveType: The type of hive this entry corresponds to. Valid choices are NTUSER, SAM, SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE, SYSCACHE
• KeyPath: The path to the key to look for
• ValueName: OPTIONAL value that, when present, is looked for under KeyPath
• Recursive: Whether or not to process KeyPath recursively
• Comment: Like Description in that you can add various things here that end up in the CSV

HiveType determines which kind of hive the entry corresponds to. This saves time in that RECmd won't search a SOFTWARE hive for keys that won't ever exist there (because they are NTUSER-specific, for example).

Batch File Example
Detailed, fully functional example batch files can be found in the ZimmermanTools\RegistryExplorer\BatchExamples folder.

Wildcards are supported in the KeyPath within the batch file. Example: SOFTWARE\Microsoft\Office\*\*\User MRU\*

To use batch mode, supply the file to the --bn switch, along with --csv to tell RECmd where to save results:
times in each $MFT entry. These are known as the Standard Information Search
MFTECmd.exe -f 'E:\$Secure:$SDS’ --csv G:\SDS_Output Attributes (SIA) and the FILENAME attributes. This means that each • Export UserAssist data via RECmd batch file that uses a Registry
file and folder will have timestamps in both groups. These dates and times • StartDate Start date: last write timestamps (UTC) Explorer plugin
Key Data Returned behave differently and can indicate when a file was truly created, not just • EndDate End date: last write timestamps (UTC) RECmd.exe --bn .\BatchExamples\BatchExampleUserAssist.reb -f
The columns of most significance are highly dependent on the type of what Windows reports. For example, in the table below we see a number of • MinSize Find values with data size >= MinSize (specified in bytes) C:\Temp\NTUSER_dblake.DAT --nl --csv C:\Temp
investigation and the reason for parsing the files in the first place. For files stored under the Windows directory. The Created0x10 is the created
date and time as stored in the SIA and Created0x30 relates to those stored • sk Search for <string> in key names • Export Registry many of the Registry Explorer Plugin CSVs using a batch file
example, the dates and times in the $MFT could provide an indication as to
the copying of files from external devices. If the written/modification time in the FILENAME attributes. • sv Search for <string> in value names RECmd.exe --bn .\BatchExamples\RECmd_Batch_MC.reb -d G:\blake\
precedes the creation time, there is a high degree of probability that the file As can be seen in the table, both dates and times are the same for the first • sd Search for <string> in value record’s value data Registry\E --nl --csv g:\blake\recmd_out
was copied from another volume. two entries, but the third entry shows a FILENAME creation date that is • ss Search for <string> in value record’s value slack
In the example below, the $MFT has been parsed to CSV and loaded into much later than the creation date stored in the SIA. This may be an indication PRO TIP: Be as specific as possible about the directory to process as it can
of manipulation of the SIA timestamp for the syncmon.exe file and would • Regular expressions must of course be valid .net regular expressions have a significant impact on performance. These two commands generate the
Timeline Explorer. In each row the Last Modified time precedes the
warrant further investigation. • If either the key or value has spaces in them, enclose in quotes same results but the second one runs much faster.
Created time. This is a clear indication that these files were copied from
another volume. Created0x10 Created0x30 Path (combined from Parent Path and File Name) • To get default values, use a value name of “(default)” This is much slower because the RECmd has to process the entire drive.

3/18/2019 09:17 3/18/2019 09:17 C:\Windows\System32\cmd.exe • “--sX” are search options; they use the “contains” logic RECmd.exe --bn "C:\Forensic Program Files\ZimmermanTools\
3/18/2019 09:18 3/18/2019 09:18 C:\Windows\System32\mountvol.exe • -sd will convert the compare values to ASCII and Unicode before doing RegistryExplorer\BatchExamples\UserActivity.reb" -d G:\blake\
comparison unless the”--l” literal switch is used Registry\E --nl --csv g:\blake\registry\recmd_out
3/18/2019 09:19 8/18/2019 01:12 C:\Windows\System32\syncmon.exe
In the example command below, we are looking for large registry key (1MB and This is much faster because RECmd is only processing a single user directory
PRO TIP: When an evidence file is mounted as a drive MTFECmd can also dive base64 encoded) that often contain malware. Deleted keys are also retrieved RECmd.exe --bn "C:\Forensic Program Files\ZimmermanTools\
into the volume shadow copies and retrieve previous versions of the $MFT, the and parsed. RegistryExplorer\BatchExamples\UserActivity.reb" -d G:\blake\
$J and $SDS files. This can be done by virtue of the switches --vss and --dedupe
RECmd.exe -d "C:\Temp\registry_files" --minsize 1M --Base64 Registry\E\Users\Donald --nl --csv g:\blake\registry\recmd_out
The processed $J data can be used to determine the date and time that as demonstrated in the command below. The --vss switch tells MFTECmd to
search in the volume shadow copies and the --dedupe switch stops MFTECmd --recover true
specific actions were taken on a file. These actions include (but are not limited PRO TIP: A RECmd batch file can contain instructions for processing different
to) creating a new file, making changes to a file, deleting a file, overwriting from reporting duplicate entries found in the volume shadow copies. To search for binary data in value data, simply string together the hex
Hives & Keys. Using the -f option allows you to target a specific hive instead,
a file, and renaming a file. The $LogFile tracks changes to the information MFTECmd.exe -f 'E:\$Extend\$UsnJrnl:$J' --csv characters you want to find, separated by dashes (04-00-EF-BE, for example).
if desired, all hives mentioned in the batch file.
found in the MFT such as timestamps and other metadata. In the example G:\MFT_Output --vss --dedupe RECmd.exe -hive "C:\Temp\registry_files" --sd"
below follow the flow of activity the files recorded in $J. The first entry is for When RECmd runs in batch mode, several files will get generated in the --csv
directory (see the example below).
Batch Mode
By default, batch mode utilizes the same plugins as found in Registry Explorer
LECmd – LNK File Explorer Advanced Usage and works the same way. When used by RECmd, the data from the plugin will
PRO TIP: Taking the data from key columns not only tells a forensic be normalized into a standard format for CSV output. When a plugin is used
to process a key or key/value, the data generated by the plugin are also saved
Type of Artifact investigator when the file was opened, but may also provide details about
the number of times a user accessed a file with that name. In the table out to a CSV. In this way, it is very similar to exporting the data from Registry
Shortcut files (*.lnk) are not entirely human-readable. Lnk files are most Explorer (albeit to Excel vs. CSV).
below, the first row of results indicates that the file was only opened once,
frequently created when a user opens a non-executable file by double-
as SourceCreated and SourceModified contain the same time. The Batch File
clicking. These shortcut files are stored under the user profile that opened the
second instance indicates that the file has been opened at least twice, as the
file and contain information relating to the opened target file. This includes Header
SourceCreated occurred around seven hours before the SourceModified.
information such as the target file dates and times, file name and path, the
drive type, volume serial number, volume label and more. LECmd takes this
We also see that the Target dates are identical, suggesting that the file has • Description: A general description of what this batch file is going to find
not been changed since it was created. The last row indicates that the file
data and presents it in a human-readable format.
was only opened once, since the Source entries are identical, However, the • Author: Name of this batch file (can be more, too, like contact information)
TargetModified precedes the TargetCreated, indicating that the file has • Version: A version number that should be incremented as changes happen
Basic Usage been copied to the F: drive from another location.
• Id: A unique (across all other batch files) GUID (Global Unique Identifier) that
LECmd takes, as input, either a single lnk file or a folder containing several
Source Source Target Target Path identifies this batch file
such files. Created Modified Created Modified (Combined from Local Path and Common Path)
In the example command below, LECmd is being run against a single lnk file. 9/1/2018 9/1/2018 8/27/2018 9/6/2018 C:\Users\Donald\Documents\NETFLIX SEC Filings\
16:53 16:53 09:24 14:43 SEC-NFLX-1193125-12-53009.pdf
When running this command the output is shown in the window running the
command (command line window or PowerShell). 9/27/2018
10:42
9/27/2018
17:37
9/27/2018
10:28
9/27/2018
10:28
C:\Users\srogers\Documents\Netflix 3Q13
Conference Call Announcement 09 30 13.pdf WxTCmd – Timeline Explorer For example, “Program Files x86\Adobe\Acrobat Reader DC\Reader\
Acrord32.exe” would show that Acrobat Reader was opened. “Display Text”
LECmd.exe -f E:\Users\srogers\AppData\Microsoft\Windows\ 9/3/2018 9/3/2018 9/3/2018 9/1/2018 F:\Forms\fy08-form-10k.pdf
provides information regarding the content opened and the application used.
Recent\Peggy.jpg.lnk 14:13 14:13 14:11 18:19 Type of Artifact For example, “Tax Documents.pdf (Acrobat Reader DC)” would indicate that
In the next example, LECmd is being run against a folder of lnk files. This time, PRO TIP: LNK facts to keep in mind: The 1803 update of Windows 10 introduced the Timeline feature. This keeps the file “Tax Documents.pdf” was opened using Acrobat Reader. “Content
the output is stored in a CSV stored in G:\LnkFiles. a record of the last 30 days of applications and files opened by a given user. Info” provides information relating to the location of the item that was opened.
• The target file name extension is not always provided in the LNK name. The data for this are also synchronized from other computers where the user Following the same example as above, “C:\Users\lee _ w\Desktop\Tax
LECmd.exe -d E:\Users\srogers\AppData\Microsoft\Windows\Recent
• The LNK file points to the last file of that name. Meaning, if there were two has logged in with their Microsoft account. Documents.pdf” would indicate the location of the file that was opened.
--csv G:\LnkFiles -q
files named exactly the same, the link files point to the last one opened. There are also various dates and times recorded in the Timeline. “Start Time”
Basic Usage indicates the first time, in the last 30 days, that this specific activity occurred.
Key Data Returned
WxTCmd takes a single ActivitiesCache.db file as input. Output for this
Column Name Forensic Value command is not output to the screen, so a CSV needs to be specified. Advanced Usage
PRO TIP: Among the parsed data provided by WxTCmd is the column named
AppIdDescription Human readable name for AppID In the example command below, WxTCmd is being run against
“Content Info”. As described above, this column contains the location
DestListVersion Used with MRU to detemine most recentely opened file in the Jump List the ActivitiesCache.db file. Note that the subfolder named
and name of the opened file or resource. However, it also contains another
MRU Used with DestListVersion to detemine most recentely opened file in the Jump List “a3936c317ac1474e” is not consistent. An equivalent, differently named
valuable piece of information. In the example below, a file was opened
Path Multiple Path Columns: Location and name of source and target files folder will be present for other users.
from a “D:” drive. This ActivitiesCache.db file contains information
SourceCreate Creation Timestamp of the LNK itself WxTCmd.exe -f E:\Users\srogers\AppData\Local\ for all computers synchronized to this Microsoft account, so several linked
SourceModified Modification Timestamp of the LNK itself ConnectedDevicesPlatform\a393c317ac1474e\ActivitiesCache.db computers could have a “D:” drive. The example below provides the GUID
TargetCreated Creation Timestamp of target file the LNK points to (Global Unique Identifier) for the volume that stores that file. This means that
TargetModified Modification Timestamp of target file the LNK points to Key Data Returned the file can be tied back to a specific volume on a specific device.
DriveType Network, fixed loal, ior Removable There are several columns of potential interest in a forensic investigation. The D:\Files\Cat.jpg (file:Unmapped GUID: //D:/Files/Cat.
VolumeSerialNumber MFT Entry Number “Executable” column provides the name and the path of the executable in use. jpgVolumeId={A98818E7-5868-4C06-807E-0F24C9746829}&ObjectId=
MFT Nbr & Seq nbr MFT - Seg nbr - If present then Voluome is NTFS {AE26BE95-ACAC-11E9-B3FB-60F6770E22E2})

This poster was created by Mark Hallman and Lee Whitfield with support from the SANS DFIR Faculty.

SANS: the most trusted source for cybersecurity training, certifications, degrees, and research. sans.org/eztools

©2022 Mark Hallman and Lee Whitfield. All rights reserved.
