Want fast DFIR results? Learn how with the EZ Tools command-line poster

Forensics investigators and incident responders may lean toward graphical user interface (GUI) tools that present interactive and graphical representations of data, especially if they don’t have years of experience under their belts. But don’t rule out command line interface (CLI) tools, just because they seem more complex and require some knowledge of commands.

Truth be told, CLI tools are the optimal choice for digital forensics and incident response (DFIR) today, because DFIR pros have to sift through colossal amounts of data culled from a variety of devices. GUI tools work well when you’re working with a just few pieces of evidence on some servers, but when it comes to hundreds, thousands of even tens of thousands of pieces of evidence scattered across networks of desktops, laptops, mobile phones and servers, a GUI tool is simply not efficient.

And it’s not just CLI tools’ ability to scale. They can be faster than GUI tools and are more adept at investigations of vulnerability exploits which are typically done from command lines. This isn’t to say that GUI tools don’t have a place in your DRIF toolset. They are especially useful for monitoring activity and watching, in real time, a dashboard as it changes. But to process millions of rows of data, graphically you can’t see that. For that kind of scale, all a GUI tool will do is slow things down.

The EZ Tools Command-Line Poster

SANS certified instructor and former FBI agent Eric Zimmerman provides several open source command line tools free to the DFIR Community. These tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. The command-line versions of EZ Tools enable you to provide scriptable, scalable, and repeatable results with astonishing speed and accuracy. And to help you get started, SANS has just released the new EZ Tools Command-Line Poster!

Get a copy by registering here

Tune in to our “Fast, Scalable Results with EZ Tools and the New Command-line poster” webinar on March 11th at 3:30 pm ET, where we will do a deep dive into all the tools featured on the poster.
Download EZ Tools

Here’s a sampling of the CLI tools featured on the EZ Tools Command-Line Poster:

EvtxECmd – Windows Event Log Parser

There can be hundreds of Event Log files on a system, some aimed at systemwide events and many others that record information in a much more targeted fashion. All Event Logs are stored in the same format on a Windows computer, but the actual data elements collected varies, and it is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines. All event records are normalized across all event types and across all Event Logs file types, giving you a consolidated, big picture of the all the Windows events happening in your environment. The EvtxECmd parser has standardized CSV, XML, and JSON output. It also has a unique Maps feature that allows for the normalized output format. And it helps alleviate the pivot point scenarios that sometimes take you off track by aggregating events so you can see patterns and better understand what is happening.

RECMD – Registry Explorer Command-line Edition

This command-line tool is used to access, search and recover, and export any data found in the Windows registry. It’s an extremely powerful tool that takes a while to get used to. But to understand just how powerful this took is, think about searching and exporting a registry in a consistent output format. No big deal, until you have to search and export a consistent format when working across tens, hundreds, or thousands of machines.

MFTECmd – MFT Explorer

This tool parses a number of different files from Windows NT File System (NTFS) formatted drives. At a high level, MFTECmd parses each of these internal NTFS System files, but it also  dives deep into NTFS and helps uncover much data of interest. MFTECmd takes a $MFT, $J, $SDS, $Logfile or $Boot as input that can be in the form of an exported copy of the file(s) or can be referenced from within a mounted image.

PECmd – Prefetch Parser

The Prefetch Parser is a simple to use tool that provides one source of evidence of a program being run on a system, otherwise known as evidence of execution. It also takes all the data and puts it into a timeline, in the order of events as they happen. Prefetch files are created in the C:WindowsPrefetch folder when a program is run from a specific location. The creation date of the Prefetch files is generally the first time that the program was attempted to be run from a particular location. 

JLECmd – Jumplist Explorer Command-line Edition

JLECmd takes Jumplists – which store critical information about files and folders that have been interacted with using various GUI applications in Windows – to indicate what applications were used to open target files and folders and store metadata specific to those target items. Those metadata contain details such as file name and location, dates and times, etc. Parsing the Jumplist data can be difficult and time-consuming because they are stored in a format known as MS OLE Structured Storage files. JLECmd makes parsing these data simple and quick.

LECmd – LNK File Explorer

The LNK File Explorer is simple to use and takes unreadable shortcut files or *.lnk – typically created when a user opens a non-executable file by double-clicking – and presents them in a human-readable format. These shortcut files are stored under the user profile that opened the file and contain information relating to the opened target file. This includes information such as the target file dates and times (at the time when the file was opened), file name and path, the drive type, volume serial number, volume label and more.

The EZ Tools Command-Line Poster details several easier-to-use yet powerful command-line tools and is designed to make your job easier and more successful as you investigate and respond to security and cyber events. Register to get your copy, and be sure to join our webinar on March 11.