In this module

IR1.3 Eric Zimmerman Tools — The Parsing Arsenal

90-120 minutes · Module 1 · Free

Operational Objective

The Raw Data Problem: KAPE collects the artifacts, but the raw files — binary Prefetch, binary event logs (.evtx), binary registry hives, raw NTFS $MFT — are not human-readable. You cannot open a Prefetch file in Notepad and read which program executed. You cannot open a registry hive in a text editor and find the persistence keys. You cannot scan through a 16 million row $MFT in Excel and find when the attacker created update.exe. Eric Zimmerman Tools (EZTools) parse these binary artifacts into structured CSV, JSON, and timeline formats that you can analyze, search, filter, sort, and correlate. Without EZTools, KAPE output is a folder of opaque binary files. With EZTools, it becomes a searchable investigation dataset organized by evidence category.

Deliverable: The full EZTools suite installed and integrated with KAPE's Modules\bin\ directory, validated with a test parse against the KAPE collection from IR1.2, and understood at operational depth — what each parser extracts, what the output columns mean for the investigation, how to combine outputs into a unified timeline, and how to build automated processing pipelines.

⏱ Estimated completion: 30 minutes

Eric Zimmerman Tools — The Parsing Arsenal

The parsers that turn raw artifacts into investigation answers

KAPE collected the evidence. Now you need to read it. Prefetch files are binary. The $MFT is a binary database. Registry hives are binary structures. Event logs are XML buried in binary wrappers. You cannot open any of these in a text editor and get useful information. Eric Zimmerman's tools — EZTools — parse every one of these formats into structured, searchable, sortable output that you can analyze in Timeline Explorer.

Eric Zimmerman is a former FBI Special Agent, a Senior Director at Kroll, a SANS instructor (FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting), and a three-time winner of the SANS DFIR NetWars Tournament. He has spent over a decade building the most widely used open-source forensic parsing tools in the industry — tools that are now taught in SANS courses, used by government CERT teams and law enforcement agencies worldwide, deployed by the Big 4 consulting firms, and relied upon by thousands of independent DFIR practitioners for every investigation they conduct.

# Step 1: Download the Get-ZimmermanTools script
# Navigate to https://ericzimmerman.github.io/#!index.md
# Download Get-ZimmermanTools.zip and extract to C:\IR\Tools\EZTools\

# Step 2: Run the download script to get ALL EZTools
Set-Location "C:\IR\Tools\EZTools"
.\Get-ZimmermanTools.ps1 -Dest "C:\IR\Tools\EZTools"

# The script downloads the latest version of every tool:
# PECmd, AmcacheParser, AppCompatCacheParser, EvtxECmd,
# MFTECmd, RECmd, Registry Explorer, ShellBags Explorer,
# JLECmd, LECmd, SBECmd, RBCmd, WxTCmd, Timeline Explorer,
# MFTExplorer, EZViewer, SQLECmd, SrumECmd, SumECmd, bstrings,
# Hasher, iisGeoLocate, RLA, and more.

# Step 3: Verify the key tools are present
$criticalTools = @(
    "PECmd.exe",             # Prefetch parser
    "AmcacheParser.exe",     # Amcache parser
    "AppCompatCacheParser.exe", # ShimCache parser
    "EvtxECmd.exe",          # Event log parser (THE most important tool)
    "MFTECmd.exe",           # $MFT, $UsnJrnl, $LogFile parser
    "RECmd.exe",             # Registry batch processor
    "RegistryExplorer.exe",  # Registry GUI browser
    "ShellBagsExplorer.exe", # ShellBags GUI
    "JLECmd.exe",            # Jump List parser
    "LECmd.exe",             # LNK shortcut parser
    "SBECmd.exe",            # ShellBags command-line
    "RBCmd.exe",             # Recycle Bin parser
    "WxTCmd.exe",            # Windows Timeline parser
    "TimelineExplorer.exe",  # Interactive CSV viewer
    "SrumECmd.exe",          # SRUM parser
    "SQLECmd.exe"            # SQLite database parser
)

$found = 0; $missing = 0
foreach ($tool in $criticalTools) {
    $path = Get-ChildItem "C:\IR\Tools\EZTools" -Recurse -Filter $tool -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($path) {
        Write-Host "  OK  $tool" -ForegroundColor Green
        $found++
    } else {
        Write-Host "  MISSING  $tool" -ForegroundColor Red
        $missing++
    }
}
Write-Host "`n$found tools found, $missing missing" -ForegroundColor $(if ($missing -eq 0) { 'Green' } else { 'Red' })

# Copy EZTools parser executables to KAPE's Modules\bin\ directory
# This enables KAPE's !EZParser module to find and execute the parsers

$kapeBin = "C:\IR\Tools\KAPE\Modules\bin"
$ezDir = "C:\IR\Tools\EZTools"

# Create bin directory if it doesn't exist
New-Item -ItemType Directory -Path $kapeBin -Force | Out-Null

# Copy all EXE files from EZTools to KAPE bin
# The recursive search handles the nested directory structure
Get-ChildItem $ezDir -Recurse -Filter "*.exe" | ForEach-Object {
    Copy-Item $_.FullName -Destination $kapeBin -Force
}

# Also copy the EvtxECmd Maps directory — CRITICAL for event log enrichment
$mapsSource = Get-ChildItem $ezDir -Recurse -Directory -Filter "Maps" | Select-Object -First 1
if ($mapsSource) {
    Copy-Item $mapsSource.FullName -Destination "$kapeBin\Maps" -Recurse -Force
    Write-Host "EvtxECmd Maps copied: $(
        (Get-ChildItem "$kapeBin\Maps" -Recurse -Filter "*.map").Count
    ) map files" -ForegroundColor Cyan
}

# Verify the integration
$binCount = (Get-ChildItem $kapeBin -Filter "*.exe").Count
Write-Host "KAPE bin directory: $binCount executables ready" -ForegroundColor Green

# PECmd: Parse all Prefetch files from a KAPE collection
# Produces CSV with one row per .pf file

PECmd.exe -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\Prefetch" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Prefetch" --csvf prefetch.csv -q

# Key output columns and their investigation significance:
#
# ExecutableName    — program that ran (e.g., POWERSHELL.EXE-[hash].pf)
#   Investigation: what executed? Is this expected on this system?
#
# RunCount          — number of times the program has executed
#   Investigation: run count of 1 = first execution ever on this system
#   A run count of 1 for powershell.exe on a workstation that has been
#   in service for months is suspicious — PowerShell should have run
#   hundreds of times through normal system operations
#
# LastRun           — most recent execution timestamp (UTC)
#   Investigation: correlate with sign-in logs and event logs
#   to determine who was active when the program ran
#
# PreviousRun0-6   — up to 7 previous execution timestamps
#   Investigation: execution pattern — was this a one-time event
#   or repeated activity? A hacking tool with 7 run times over
#   3 days suggests persistent attacker activity
#
# SourceFilename   — the original .pf filename (includes hash)
#   The hash in the filename is based on the full path of the
#   executable, meaning the same program from different paths
#   produces different Prefetch files
#
# FilesLoaded       — DLLs and files referenced during execution
#   Investigation: reveals the working directory and any unusual
#   DLL loads (side-loading, DLL hijacking)

# Open the output in Timeline Explorer for analysis
TimelineExplorer.exe "C:\IR\Cases\INC-NE-2026-0315-001\Output\Prefetch\prefetch.csv"

# EvtxECmd: Parse all event logs from a KAPE collection
# Uses maps to extract and normalize forensically relevant fields

EvtxECmd.exe -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\System32\winevt\Logs" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\EventLogs" --csvf events.csv -q

# To sync maps to the latest community versions:
EvtxECmd.exe --sync
# This downloads updated map files from the EricZimmerman/evtx GitHub repo

# Key output columns:
#
# TimeCreated       — when the event occurred (UTC)
# EventId           — the event ID (4624, 4688, 7045, 4104, etc.)
# Provider          — which log source (Security, System, PowerShell, etc.)
# Channel           — the log file name
# Computer          — hostname that generated the event
# MapDescription    — human-readable description from the map
#   e.g., "Logon - successful" or "Service installed"
#
# PayloadData1-6    — extracted fields specific to each event type
#   The map defines what goes into each PayloadData column
#   For 4624 logon events: PayloadData1 = TargetUserName,
#   PayloadData2 = LogonType, PayloadData3 = IpAddress
#   For 7045 service events: PayloadData1 = ServiceName,
#   PayloadData2 = ImagePath
#
# UserName          — account associated with the event
# RemoteHost        — source system (for network logons)

# MFTECmd: Parse the $MFT from a KAPE collection
# The backtick (`) escapes the $ in PowerShell

MFTECmd.exe -f "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\`$MFT" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Filesystem" --csvf mft.csv -q

# Parse the $UsnJrnl change journal
MFTECmd.exe -f "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\`$Extend\`$UsnJrnl:`$J" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Filesystem" --csvf usnjrnl.csv -q

# Key $MFT output columns:
#
# EntryNumber       — MFT record number (unique file identifier)
# FileName          — file or directory name
# ParentPath        — full directory path
# Extension         — file extension
# FileSize          — size in bytes
# IsDirectory       — true/false
#
# TIMESTAMPS (the investigation core):
# Created0x10       — $STANDARD_INFORMATION creation time
# Created0x30       — $FILE_NAME creation time
# LastModified0x10  — last content modification
# LastAccess0x10    — last access time
# LastRecordChange0x10 — last MFT record modification
#
# If Created0x10 ≠ Created0x30, possible timestomping detected
# The $FN (0x30) timestamp is harder to modify than $SI (0x10)
#
# InUse             — true = active file, false = deleted (record free)
#   Even "false" entries retain the file's metadata — name, path,
#   size, timestamps — evidence of what was deleted and when

# Open Timeline Explorer with parsed event logs
TimelineExplorer.exe "C:\IR\Cases\INC-NE-2026-0315-001\Output\EventLogs\events.csv"

# Timeline Explorer capabilities for investigation:
#
# Column filtering — click any column header to filter
#   Filter EventId to 4624 → shows only logon events
#   Filter EventId to 4688 → shows only process creation events
#   Filter UserName to "jmorrison" → shows only events for that user
#   Combine filters: EventId=4624 AND TimeCreated > 14:00 → logons
#   after the suspected compromise time
#
# Date range selection — filter TimeCreated to investigation window
#   "Show me everything between 14:00 and 16:00 on March 15"
#
# Text search — search any column for specific values
#   Search "powershell" across all columns → finds every event
#   mentioning PowerShell regardless of event type
#
# Color coding — highlight rows matching specific criteria
#   Red for Event ID 4625 (failed logon) → spot brute force patterns
#   Orange for Event ID 7045 (service installed) → spot persistence
#   Yellow for Event ID 1102 (log cleared) → spot anti-forensics
#
# Multi-file loading — load multiple CSVs simultaneously
#   Load Prefetch + event logs + MFT in one session
#   Sort all by timestamp → unified chronological timeline
#   across all artifact types
#
# Export — save filtered views to new CSV files
#   Export the investigation timeline for the IR report
#   Export specific findings for colleague review

# RECmd: batch process all registry hives
RECmd.exe --bn "C:\IR\Tools\EZTools\BatchExamples\RECmd_Batch_MC.reb" -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Registry" --csvf registry.csv -q

# Automated EZTools processing pipeline
# Save as: C:\IR\Tools\Scripts\Parse-All.ps1
# Usage: .\Parse-All.ps1 -CasePath "C:\IR\Cases\INC-NE-2026-0315-001"

param(
    [Parameter(Mandatory)][string]$CasePath
)

$ez = "C:\IR\Tools\EZTools"
$evidence = "$CasePath\Evidence"
$output = "$CasePath\Output"
New-Item -ItemType Directory -Path $output -Force | Out-Null

Write-Host "=== EZTools Processing Pipeline ===" -ForegroundColor Cyan
Write-Host "Case: $CasePath" -ForegroundColor White
$startTime = Get-Date

# 1. Prefetch → Evidence of Execution
$pfPath = Get-ChildItem $evidence -Recurse -Directory -Filter "Prefetch" | Select-Object -First 1
if ($pfPath) {
    & "$ez\PECmd.exe" -d $pfPath.FullName --csv "$output\Prefetch" --csvf prefetch.csv -q
    Write-Host "  Prefetch: $(
        (Import-Csv "$output\Prefetch\prefetch.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 2. Event Logs → Chronological Activity
$evtxPath = Get-ChildItem $evidence -Recurse -Directory -Filter "Logs" |
    Where-Object { $_.FullName -like "*winevt*" } | Select-Object -First 1
if ($evtxPath) {
    & "$ez\EvtxECmd.exe" -d $evtxPath.FullName --csv "$output\EventLogs" --csvf events.csv -q
    Write-Host "  Event Logs: $(
        (Import-Csv "$output\EventLogs\events.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 3. Amcache → Execution with Hashes
$amcache = Get-ChildItem $evidence -Recurse -Filter "Amcache.hve" | Select-Object -First 1
if ($amcache) {
    & "$ez\AmcacheParser.exe" -f $amcache.FullName --csv "$output\Amcache" --csvf amcache.csv -q
    Write-Host "  Amcache: DONE" -ForegroundColor Green
}

# 4. $MFT → Filesystem Timeline
$mft = Get-ChildItem $evidence -Recurse -Filter '$MFT' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($mft) {
    & "$ez\MFTECmd.exe" -f $mft.FullName --csv "$output\Filesystem" --csvf mft.csv -q
    Write-Host "  MFT: $(
        (Import-Csv "$output\Filesystem\mft.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 5. Registry Batch → Persistence, User Activity, System Config
& "$ez\RECmd.exe" --bn "$ez\BatchExamples\RECmd_Batch_MC.reb" -d $evidence --csv "$output\Registry" --csvf registry.csv -q 2>$null
Write-Host "  Registry: DONE" -ForegroundColor Green

# 6. ShellBags → Folder Navigation
$usrclass = Get-ChildItem $evidence -Recurse -Filter "UsrClass.dat" -ErrorAction SilentlyContinue
foreach ($uc in $usrclass) {
    $user = $uc.Directory.Parent.Name
    & "$ez\SBECmd.exe" -d $uc.DirectoryName --csv "$output\ShellBags" --csvf "shellbags_$user.csv" -q 2>$null
}
Write-Host "  ShellBags: DONE" -ForegroundColor Green

$elapsed = (Get-Date) - $startTime
Write-Host "`n=== Pipeline complete in $([math]::Round($elapsed.TotalMinutes, 1)) minutes ===" -ForegroundColor Cyan
Write-Host "Output: $output" -ForegroundColor White
Write-Host "Next: Open CSV files in Timeline Explorer for analysis" -ForegroundColor White

Expand for Deeper Context

The EZTools suite is not one tool — it is a collection of specialized parsers, each dedicated to a single Windows forensic artifact type. This specialization is deliberate. A general-purpose forensic tool attempts to parse everything and inevitably compromises on depth. A specialized parser does one thing and does it comprehensively — extracting every forensically relevant field from the artifact, handling every known format variation across Windows versions, and producing output that is immediately ready for investigation without further transformation.

The tools share a common design philosophy: command-line first (for scripting and automation), CSV/JSON output (for analysis in Timeline Explorer, Excel, Splunk, or any data analysis platform), consistent switch naming across tools (learn one, know them all), and aggressive artifact recovery (parsing artifacts that are partially corrupted, recovering data from slack space, handling artifacts from all Windows versions from XP through Windows 11). Each tool is a standalone executable with no dependencies beyond .NET — portable, deployable from USB, and runnable on any Windows system without installation.

The tools are free and open source. The official EZ Tools Manual (available on Leanpub as a free download) provides comprehensive documentation for every switch and output column. Andrew Rathbun, who co-authored the manual with Zimmerman, maintains additional documentation and examples on the KapeFiles GitHub repository.

Figure IR1.3a: The EZTools suite organized by investigation question. Six evidence categories, each answered by one or more specialized parsers. All produce CSV output that loads into Timeline Explorer for unified chronological analysis. The investigator does not need to know which parser to use — they ask the question, and the category provides the answer.

---

Installation

EZTools are distributed as individual zip archives. Eric Zimmerman provides an automated download script that retrieves the latest version of every tool in one pass. The tools are portable executables — no installer, no system modifications, no dependencies beyond .NET Framework 4.6.2 (for legacy .NET Framework builds) or .NET 6+ (for newer cross-platform builds).

Step 4: Copy parser binaries to KAPE's Modules\bin\ directory. This is the integration step that connects KAPE's Module phase to EZTools. Without this step, KAPE can collect artifacts but cannot process them.

The EvtxECmd Maps directory is frequently overlooked during installation and is critically important. Maps are YAML files that define how to extract meaningful fields from specific event log types. Without maps, EvtxECmd produces raw event data with generic column names. With maps, it produces enriched output with named columns specific to each event type — for example, a Security Event ID 4624 (logon) map extracts the target username, logon type, source IP, and authentication package into named columns, rather than leaving them buried in the raw XML payload. The community maintains over 700 maps covering every forensically significant event log type. Always copy the Maps directory alongside the EvtxECmd binary.

---

Tool-by-tool deep dive: what each parser extracts and what the output means

Each EZTools parser serves a specific investigation purpose. This section covers the four most critical parsers in depth — the tools you will use in every investigation. IR3-IR5 teach these tools in the context of specific artifact analysis; this section provides the operational foundation.

---

PECmd — Prefetch Parser (IR3: Execution and Persistence)

Prefetch is a Windows performance optimization feature that pre-loads frequently used applications. As a side effect, it creates forensic artifacts: one .pf file per executed program, containing the executable name, the last 8 execution timestamps (Windows 10/11), a run count, and a list of files and directories loaded during execution. PECmd parses these .pf files into structured CSV output.

What the investigation learns from PECmd output:

The ExecutableName column tells you what program ran. The LastRun column tells you when it most recently ran. The RunCount column tells you how many times it has run on this system. The PreviousRun0 through PreviousRun6 columns (Windows 10/11 only) provide timestamps for the 7 previous executions before LastRun. The FilesLoaded column lists every DLL and file referenced during execution — which can reveal the working directory, the files the program accessed, and any DLLs it loaded (including suspicious side-loaded DLLs).

Worked investigation note — adapt for your IR reports:

Finding: PECmd analysis of Prefetch artifacts from DESKTOP-NGE042 identified execution of POWERSHELL.EXE with a run count of 1 and last execution at 2026-03-15 14:32:07 UTC. A run count of 1 on a workstation deployed 8 months ago is anomalous — this indicates the first-ever PowerShell execution on this system, suggesting the executable was invoked through an unusual mechanism (not through normal administrative activity or Windows Update, both of which would have incremented the run count over 8 months of operation).

Proves: PowerShell was executed on this endpoint at 14:32:07 UTC. Does not prove: Who executed it, what commands were run, or whether it was malicious. Next step: Correlate timestamp with Event ID 4624 (logon events) to identify the active user session at 14:32. Examine Event ID 4104 (PowerShell ScriptBlock logging) to determine what commands were executed.

---

EvtxECmd — Event Log Parser (IR5: Event Log Analysis)

EvtxECmd is arguably the single most important tool in the EZTools suite for incident response. Windows event logs are the richest chronological record of system activity — every logon, every process creation (if 4688 auditing is enabled), every service installation, every PowerShell command (if ScriptBlock logging is enabled), every scheduled task creation, every RDP connection. EvtxECmd parses all .evtx files from a KAPE collection into a single normalized CSV that can contain hundreds of thousands of rows spanning months of activity.

The critical capability that distinguishes EvtxECmd from other event log parsers is its Maps system. Windows event logs store data in XML payloads where the structure varies by event type — a Security Event ID 4624 (logon) has completely different XML fields than a System Event ID 7045 (service installation). Without maps, the parser outputs raw XML, and the investigator must manually parse each event type. With maps, EvtxECmd extracts the specific forensically relevant fields from each event type into named columns — TargetUserName, LogonType, IpAddress for logon events; ServiceName, ImagePath, ServiceType for service events; ScriptBlockText for PowerShell events. The community maintains over 700 maps covering every event type that matters for IR.

A typical workstation collection produces 50,000-500,000 event log entries. A domain controller can produce millions. Timeline Explorer handles these volumes efficiently with column filtering, date range selection, and text search. The investigation workflow: load the CSV in Timeline Explorer, sort by TimeCreated, filter to the investigation timeframe, and filter by EventId to focus on specific event types (4624 for logons, 4688 for process creation, 7045 for service installation, 4104 for PowerShell execution).

---

MFTECmd — NTFS Metadata Parser (IR4: Filesystem and Registry)

The $MFT (Master File Table) is the index of every file and directory that has ever existed on an NTFS volume. Every file creation, modification, and deletion is recorded in the $MFT. Even after a file is deleted, its $MFT entry persists (marked as free but not overwritten until the space is needed) — meaning the investigator can see deleted files, their original paths, their sizes, and their timestamps even after the attacker has attempted to clean up.

MFTECmd parses the raw $MFT binary into a CSV with one row per file/directory. For a typical workstation, this is 500,000 to 2,000,000 rows — every file the system has ever contained. The investigation value is in the timestamps: each $MFT entry contains four timestamps from the $STANDARD_INFORMATION attribute (Created, Modified, Accessed, Entry Modified) and four more from the $FILE_NAME attribute. Discrepancies between the $SI and $FN timestamps can indicate timestomping — an anti-forensic technique where the attacker modifies the $SI timestamps to make a malicious file appear old, but the $FN timestamps (which are harder to modify) retain the true creation time.

MFTECmd also parses the $UsnJrnl (USN Change Journal) — a sequential log of every file system operation. Where the $MFT shows the current state of each file (or the state at deletion), the $UsnJrnl shows the history of operations: file created, file renamed, file modified, file deleted, attributes changed. The $UsnJrnl is particularly valuable for tracking file manipulation sequences — "update.exe was created, then renamed to svchost.exe, then moved to C:\Windows\, then the original file was deleted."

Worked investigation note — adapt for your IR reports:

Finding: MFTECmd analysis of the $MFT from DESKTOP-NGE042 identified file update.exe (EntryNumber 847291) created at 2026-03-15 14:36:07 UTC in C:\Users\jmorrison\AppData\Local\Temp\. The $STANDARD_INFORMATION creation time (0x10) matches the $FILE_NAME creation time (0x30), indicating no timestomping. File size: 287,744 bytes. The $MFT entry is marked InUse=false (deleted) with a $UsnJrnl deletion record at 14:52:33 UTC — the attacker deleted the file 16 minutes after creation, consistent with a payload that was executed and then removed to cover tracks.

Proves: A file named update.exe was created at the specified time and path, existed for 16 minutes, and was then deleted. Does not prove: What the file contained, whether it was executed, or who created it. Next step: Correlate the creation timestamp with PECmd (Prefetch) to determine if update.exe was executed. Check AmcacheParser for a SHA1 hash of the file. Query the hash against VirusTotal or internal threat intelligence.

---

Timeline Explorer — The Investigation Workbench (IR3-IR7, IR13-IR16)

Timeline Explorer is where the investigation actually happens. It is a purpose-built CSV viewer designed for forensic data — optimized for loading millions of rows, filtering by any column, sorting by timestamp, color-coding rows by criteria, and exporting filtered subsets. Where Excel struggles with large datasets and crashes on 500,000+ row CSVs, Timeline Explorer handles them efficiently.

The workflow for every investigation in this course: parse the KAPE collection with EZTools (manually or via KAPE's !EZParser module), load the resulting CSV files into Timeline Explorer, and build the investigation timeline by filtering and sorting.

The multi-file capability is critical for cross-artifact correlation. The investigation question "what happened at 14:32 on March 15?" requires data from multiple sources: Prefetch (what executed), event logs (who was logged in, what processes were created), MFT (what files were created or modified), and registry (what persistence was installed). Loading all of these in Timeline Explorer and sorting by timestamp produces a unified timeline that tells the complete story of that moment — across all artifact types simultaneously.

---

Additional parsers: the complete reference

Beyond the four core parsers, EZTools includes specialized tools for additional artifact types. Each is used in specific investigation contexts:

RECmd — Registry Batch Processor (IR4). Command-line tool that processes multiple registry hives against predefined "batch" files containing forensic extraction rules. Where Registry Explorer is interactive (one hive at a time, manual navigation), RECmd automates extraction across all hives. The community-maintained batch file RECmd_Batch_MC.reb extracts the most forensically significant keys from all hive types: Run/RunOnce persistence, UserAssist execution history, TypedPaths, RecentDocs, USB device history, network profiles, installed software, service configurations, and more.

Registry Explorer — Interactive Registry Browser (IR4). GUI tool for loading and browsing individual registry hives. Includes bookmarks that highlight forensically significant keys — the investigator loads a NTUSER.DAT hive and immediately sees bookmarks for Run persistence, UserAssist, TypedPaths, RecentDocs, and other high-value locations. Essential for targeted analysis of specific keys rather than batch processing.

ShellBags Explorer / SBECmd — Folder Navigation History (IR4). Parses ShellBags data from UsrClass.dat to reconstruct every folder the user opened in Windows Explorer. ShellBags persist even after folders are deleted — meaning the investigator can prove the user navigated to a specific path (including paths on USB drives and network shares) even if the folder no longer exists. SBECmd is the command-line version for scripted processing.

JLECmd — Jump List Parser (IR3-IR4). Jump Lists record which files were recently accessed through each taskbar-pinned application. Each Jump List entry includes the target file path, timestamps, and the application used to open it. This provides evidence of user interaction with specific documents — "the user opened invoice_modified.xlsx through Excel at 15:23."

LECmd — LNK Shortcut Parser (IR3-IR4). Windows creates .lnk shortcut files when files are opened, and these shortcuts persist after the original file is deleted or the USB drive is disconnected. Each LNK file records the target file's original path, MAC timestamps, file size, and — critically — the volume serial number of the drive where the file resided. This can prove that a specific USB drive (identifiable by serial number) contained a specific file at a specific time.

RBCmd — Recycle Bin Parser (IR4). Parses Recycle Bin metadata ($I and $R files) to determine what was deleted, when it was deleted, and the original file path before deletion. Even after the Recycle Bin is emptied, the $I metadata files may persist and the $MFT entries for the deleted files still exist.

SrumECmd — SRUM Parser. Parses the System Resource Usage Monitor database (SRUDB.dat), which records per-application network usage (bytes sent/received per hour), application execution time, and energy usage. SRUM data covers the last 30-60 days of activity. The network usage data is particularly valuable for identifying data exfiltration — an application that sent 2 GB of data between 02:00 and 04:00 is suspicious even if the application name is a legitimate Windows binary (living-off-the-land exfiltration).

SQLECmd — SQLite Database Parser. Parses SQLite databases used by Chrome, Firefox, Edge, and numerous applications for storing user data. Browser history, bookmarks, downloads, cookies, autofill data, and search terms are stored in SQLite databases that SQLECmd extracts into CSV format.

---

Building the automated processing pipeline

For production investigations, automate the entire parsing pass so that every artifact is processed in a single script execution. This eliminates the manual step of running each parser individually.

This pipeline runs in 2-10 minutes depending on the collection size. The output is a set of CSV files organized by evidence category, ready for Timeline Explorer analysis. Save this script to C:\IR\Tools\Scripts\Parse-All.ps1 and include it in the jump bag — it automates the parsing step that follows every KAPE collection.

Compliance Myth

"You need EnCase or FTK to do real forensics."

Production reality: EnCase and FTK are comprehensive commercial forensic platforms with integrated case management, built-in reporting, and workflow automation. They are excellent tools for law enforcement labs that manage hundreds of cases and need chain-of-custody tracking integrated into the analysis platform. But the underlying forensic analysis — parsing Prefetch, reading event logs, analyzing registry hives, building MFT timelines — is identical whether performed by EnCase at $3,000/license or EZTools at $0. Eric Zimmerman's tools are taught in SANS FOR500 and FOR508 — the gold-standard DFIR courses. They are used by the FBI, by Kroll's own IR teams, and by government CERTs that have access to any commercial tool they want and choose EZTools for their depth, accuracy, and speed. The difference between EZTools and commercial suites is the workflow wrapper (case management, integrated reporting) — not the forensic capability. This course teaches the forensic capability.

Build it: Parse your KAPE collection and explore the output

Run the Parse-All

Run the Parse-All.ps1 script against your KAPE test collection from IR1.2. Open the Prefetch CSV in Timeline Explorer and find powershell.exe — note its run count and last execution time. Open the event logs CSV and filter to EventId 4624 — find your most recent logon. Open the MFT CSV and filter to the last 24 hours — find files you recently created or downloaded. Each of these is a finding you would document in an IR report. The data is from your own clean system, but the analysis workflow is identical to what you will use on a compromised system in IR3-IR5.

Investigate: What do EvtxECmd Maps add?

Run EvtxECmd twice against the same event log file: once with maps (the default, using the Maps directory) and once without (rename the Maps directory temporarily). Compare the output. Without maps, the PayloadData columns contain raw XML fragments. With maps, they contain extracted, named fields — TargetUserName, LogonType, IpAddress. The maps transform raw data into investigation-ready evidence. This is why syncing maps (EvtxECmd.exe --sync) before every investigation matters — new maps are added for newly discovered event types and forensic artifacts.

Beyond this investigation

The techniques taught in this subsection apply beyond the specific scenario presented here. The same evidence sources, tools, and analytical methods are used across ransomware, BEC, insider threat, and APT investigations — the context changes but the methodology is consistent.

Artifact Output

EZTools operational at depth: The full EZTools suite is installed, integrated with KAPE's Modules\bin\ directory (including the critical EvtxECmd Maps), and validated with a test parse. You understand what each parser extracts, what the output columns mean for the investigation, how to combine outputs in Timeline Explorer for unified timeline analysis, and how to automate the entire parsing pass with the Parse-All.ps1 pipeline script. EZTools are ready for artifact analysis in IR3-IR7 and every investigation scenario in Phase 4.

Next objective → IR1.4 Velociraptor — Remote Response at Scale

Decision point

You discover evidence that the attacker has been in the environment for 90 days. The CISO asks: 'Why did our SOC not detect this sooner?' How do you answer constructively?

Answer with facts, not defensiveness. 'The attacker used [specific techniques] that our current detection rules do not cover. The investigation identified [N] detection gaps — [list the specific ATT&CK techniques that were not detected]. The IR-to-DE handoff includes these gaps as detection engineering sprint items. Estimated time to close: [N weeks].' This answer is honest (we missed it), specific (here is what we missed and why), and forward-looking (here is how we fix it). The PIR action items transform the detection failure into a measurable improvement program.

← Previous Next →