Authorized Use Only: These tools parse evidence acquired from systems. Only analyze data you are authorized to handle, maintain chain of custody, and work from forensic copies rather than originals.
Overview
Eric Zimmerman's Tools (EZ Tools) are a free, open-source suite of high-fidelity Windows forensic parsers, each focused on a specific artifact class and each producing analyst-ready CSV/JSON output. They are the de facto standard for Windows artifact analysis and are what KAPE's !EZParser module invokes under the hood. Key tools include:
MFTECmd — parses $MFT, $J ($UsnJrnl), $Boot, $SDS, and $LogFile from NTFS volumes.
PECmd — parses Windows Prefetch (.pf) for evidence of program execution.
Output is designed to load into Timeline Explorer (also by Eric Zimmerman), a fast CSV/Excel viewer purpose-built for filtering, tagging, and pivoting across forensic CSVs. The 2025+ releases run on .NET and also work natively on Linux.
When to Use
After triage collection (e.g. with KAPE) when you need to parse raw artifacts into structured, searchable evidence.
To establish program execution, file/folder access, and persistence during incident response.
To build artifact-specific CSVs that feed timelines, Timesketch, or SIEM ingestion.
Prerequisites
Download EZ Tools via the official downloader (keeps tools current):
# Download/update all .NET 6 tools into C:\Tools\EZ.\Get-ZimmermanTools.ps1 -Dest C:\Tools\EZ
Forensic copies of the artifacts (mounted image, KAPE collection, or extracted hives).
Objectives
Parse the MFT, prefetch, shellbags, registry, and amcache from a collection.
Produce normalized CSV/JSON per artifact.
Load results into Timeline Explorer for analysis.
Establish execution and access evidence supporting the investigation.
MITRE ATT&CK Mapping
ID
Official Technique Name
Relevance to this skill
T1112
Modify Registry
RECmd, AmcacheParser, and AppCompatCacheParser parse registry-resident artifacts; analysts use them to detect adversary registry modification (persistence, defense evasion) recorded in hives.
These are defensive parsers; the mapping reflects the artifact (registry) most relevant to the adversary behavior they help uncover.
Workflow
1. Download/update the tools
Keep parsers current so they handle the latest artifact formats.
.\Get-ZimmermanTools.ps1 -Dest C:\Tools\EZ
2. Parse the MFT for file-system activity
-f points at a single $MFT; --csv sets the output directory and --csvf the filename. Add --csvf for $J/UsnJrnl with -f $J.
Open the resulting CSVs in Timeline Explorer (TimelineExplorer.exe). Use column filters, conditional formatting, and tagging to pivot on time, file path, and user. CSVs from all EZ Tools share consistent timestamp columns for cross-artifact correlation.
9. Cross-correlate
Build a working theory by correlating PECmd (execution time) with MFTECmd (file creation), Amcache/ShimCache (program presence), and ShellBags/LNK (access), all anchored on UTC timestamps.
GUI CSV viewer: TimelineExplorer.exe. Loads EZ Tools CSVs; supports column filters, conditional formatting, and tagging for cross-artifact correlation on UTC timestamps.
standards.md1.2 KB
Standards and Framework Mapping — Parsing Artifacts with Eric Zimmerman Tools
NIST Cybersecurity Framework 2.0
ID
Name
Rationale
RS.AN-03
Analysis is performed to establish what has taken place during an incident and the root cause of the incident
EZ Tools parse Windows artifacts (MFT, prefetch, registry, shellbags, amcache) into structured evidence that establishes attacker execution, access, and persistence during incident analysis.
MITRE ATT&CK
ID
Name
Rationale
T1112
Modify Registry
RECmd, AmcacheParser, and AppCompatCacheParser parse registry artifacts where adversary registry modifications (persistence, evasion) are recorded and recovered.