Eric Zimmerman Tools - Foren-Ken/tech-journal GitHub Wiki

All tools can be downloaded from the following site: https://ericzimmerman.github.io/#!index.md

If the PowerShell command to install the EZ tools is run on a fresh VM, first run Set-ExecutionPolicy Unrestricted (or a similar policy) so that PowerShell is allowed to execute the install script.

If an "Invoke-WebRequest" error occurs, run the following command first:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

RBCmd

(The Recycling Bin Artifact Parser)

This command analyzes the $I files in the Recycle Bin. Each $I file holds the metadata of the file it was separated from when that file was deleted. Files removed with the del command or with Shift+Delete bypass the Recycle Bin, so no $I file exists for them.
The command is used as follows:
RBCmd -f C:\$Recycle.Bin\<SID of user>\$I... where "..." is the rest of the name of the $I file being analyzed. The -f option analyzes a single file.
RBCmd -d C:\$Recycle.Bin\<SID of user>\ analyzes every $I file within the directory. The -d option selects a directory.

To save the output, use the --csv flag followed by the folder to save into, for example C:\Users\User\Download\RBOutput\
In addition, the --csvf flag names the output file. The name should end in .csv, since the output is a CSV file.
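As an added illustration (not part of this wiki page or of RBCmd itself), the following Python parses the $I record layout that RBCmd reads, covering both the Windows Vista/7 layout (version 1) and the Windows 10 and later layout (version 2). The sample records are constructed inside the script rather than taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01), integer math only."""
    delta = dt - WIN_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10

def filetime_to_datetime(ft):
    """Windows FILETIME -> UTC datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def build_i_record(version, size, deleted, path):
    """Build a $I record (constructed test data, not a real artifact).
    Layout: 8-byte version, 8-byte original size, 8-byte deletion FILETIME,
    then the original path in UTF-16LE: a fixed 520-byte field for version 1
    (Vista/7), or a 4-byte char count (NUL included) plus the chars for version 2 (Win10+)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    name = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return head + name.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + name

def parse_i_record(data):
    """Parse one $I record into the metadata the deleted file left behind."""
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}

# Constructed samples: one Windows 10 layout record and one Windows 7 layout record.
SAMPLE_V2 = build_i_record(2, 1_048_576, datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc),
                           r"C:\Users\User\Documents\report.docx")
SAMPLE_V1 = build_i_record(1, 4096, datetime(2012, 6, 1, 8, 0, tzinfo=timezone.utc),
                           r"C:\Users\User\Desktop\notes.txt")

if __name__ == "__main__":
    for rec in (SAMPLE_V2, SAMPLE_V1):
        print(parse_i_record(rec))
```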

LECmd

(Link Explorer)

This command uses "LECmd.exe" to parse .LNK files. The common location of LNK files is C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\[location of lnk file].

Example: LECmd.exe -f "C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\blast.exe.txt.lnk" - provides the information contained in the blast.exe.txt.lnk file.

PECmd

(Prefetch Explorer)

This command uses "PECmd.exe" to parse .pf files. The common location for pf files is C:\Windows\Prefetch.

Example: PECmd.exe -d "C:\Windows\Prefetch" - analyzes every pf file within the directory "C:\Windows\Prefetch".

JumpListExplorer

Unlike the previous tools, this one provides a GUI.

To load jump lists, go to File > Load Jump Lists.

From here, head to either of these two directories:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations - JumpLists curated by the program
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations - JumpLists curated by Windows

When loaded, the screen looks like the screenshot on the original page, which shows a "CustomDestinations" jump list.
Clicking one of the LNK files in the left pane (outlined in red in the screenshot) populates the details pane (outlined in purple) with new information.
