EZTools - Complete Guide for DFIR Analysis

Guide for using EZTools (Eric Zimmerman Tools) in your DFIR labs.

Introduction

EZTools (Eric Zimmerman Tools) is a collection of command-line utilities designed for digital forensics and incident response. These tools parse Windows artifacts and produce standardized CSV outputs that can be analyzed using Timeline Explorer or imported into other analysis platforms. Official Doccumentation

Key Features:

• Fast, efficient parsing of Windows artifacts

• Standardized CSV output format

• Command-line interface for automation

• Regular updates to support new Windows versions

• Free and open-source

Quick Start

Prerequisites:

• Download EZTools from https://ericzimmerman.github.io/#!index.md

• Extract to C:\Tools (or add to PATH)

• Open CMD or PowerShell as Administrator

Test if tools are working:

# Navigate to tools directory
cd C:\Tools\Zimmerman\net9

# Check version
JLECmd.exe --version
PECmd.exe --version

Your First Forensic Collection (Current User):

# 1. Create output directory on Desktop
mkdir "\Desktop\ForensicOutput"

# 2. Parse Jump Lists (recent files)
JLECmd.exe -d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "%USERPROFILE%\Desktop\ForensicOutput" --csvf jumplists.csv -q

# 3. Parse LNK files (shortcuts)
LECmd.exe -d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent" --csv "%USERPROFILE%\Desktop\ForensicOutput" --csvf lnk_files.csv -q

# 4. Parse Prefetch (requires admin - shows program execution)
PECmd.exe -d "C:\Windows\Prefetch" --csv "%USERPROFILE%\Desktop\ForensicOutput" --csvf prefetch.csv -q

# 5. View results
cd "%USERPROFILE%\Desktop\ForensicOutput"
dir

Results: You'll have 3 CSV files ready to analyze in Timeline Explorer (part of EZTools) or Excel.

Common EZTools Locations

Here are the common locations on a Windows system where you can find valuable forensic artifacts. Understanding what each one contains is key to a successful investigation.

For Live System Analysis:

• Jump Lists: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

  • What it is: These files track the applications and files you have recently accessed.

  • Why it's important: It shows what the user has been working on and can provide evidence of access to specific files, even if they have been deleted.

• LNK files: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent

  • What it is: These are shortcut files that point to other files or programs. Windows automatically creates them when you open something.

  • Why it's important: LNK files can reveal the location of original files (including on removable drives), timestamps of when they were accessed, and information about the system where the file was created.

• Prefetch: C:\Windows\Prefetch (requires admin rights)

  • What it is: To speed up application startup, Windows creates Prefetch files that log which programs have been run.

  • Why it's important: This is direct evidence of program execution. It tells you which programs were run, how many times, and when they were last executed.

• MFT: \\.\C: (raw disk access, requires admin)

  • What it is: The Master File Table (MFT) is the index for the entire NTFS file system. It contains a record for every file and folder on the disk.

  • Why it's important: It provides a complete timeline of all file activity, including creation and modification dates, and can be used to recover information about deleted files.

• Amcache: C:\Windows\AppCompat\Programs\Amcache.hve

  • What it is: A registry hive that acts as a log of applications that have been installed and executed on the system.

  • Why it's important: It provides strong evidence of program execution, including file paths and SHA1 hashes, even if the program has been uninstalled.

• SRUM: C:\Windows\System32\sru\SRUDB.dat

  • What it is: The System Resource Usage Monitor (SRUM) database tracks application resource usage, including network activity (bytes sent and received).

  • Why it's important: It helps you understand which programs were connecting to the network and can be crucial for identifying data exfiltration or malware communication.

• Registry: C:\Windows\System32\config\ (SAM, SYSTEM, SOFTWARE, SECURITY)

  • What it is: The core database of the Windows operating system, containing settings for hardware, software, and system configuration.

  • Why it's important: It holds a vast amount of information, such as startup programs (persistence), connected USB devices, and network history.

• User Registry: C:\Users\%USERNAME%\NTUSER.DAT

  • What it is: This is the part of the registry that stores settings and preferences for a specific user account.

  • Why it's important: It contains evidence of user-specific activity, such as recently opened documents, typed commands (in the Run box), and internet browsing history.

For Forensic Image Analysis:

E:\ForensicImage\Users\username\...
E:\ForensicImage\Windows\Prefetch\...
E:\ForensicImage\$MFT

Best Practice for Viewing CSV Files

Use Timeline Explorer (part of EZTools suite) - it's specifically designed to handle large CSV files from EZTools and provides:

• Column filtering and sorting

• Color coding

• Timeline visualization

• Quick searching

Most Popular EZTools

1. JLECmd.exe - Jump List Explorer Command Line

Windows Jump Lists are a feature you see when you right-click an application on the taskbar, showing you a list of recently opened files for that program. JLECmd.exe is a tool that analyzes these Jump Lists. By looking at them, you can discover which files a user has recently accessed and which applications they've been using, even if the files have been deleted. It's like finding a history of user activity on the computer.

Forensic Value:

• User activity timeline

• Evidence of file access

• Application usage patterns

• Can show files even after deletion

Basic Usage:

IMPORTANT: Replace Username with actual Windows username or use environment variable %USERNAME%

# First, check your username
echo %USERNAME%
# Or in PowerShell:
$env:USERNAME

# Example 1: Parse single jump list file (use actual filename, wildcards don't work with -f)
JLECmd.exe -f "C:\Users\YourActualUsername\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms" --csv "C:\Output"

# Example 2: Parse all jump lists from user profile (RECOMMENDED)
JLECmd.exe -d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Output" --csvf jumplists.csv

# Example 3: Parse all Recent folders (AutomaticDestinations and CustomDestinations)
JLECmd.exe -d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" --csv "C:\Output" -q

# Example 4: Process multiple user profiles from forensic image
JLECmd.exe -d "E:\ForensicImage\Users" --csv "C:\Output" -q

PowerShell Examples (more flexible):

# Current user
$user = $env:USERNAME
JLECmd.exe -d "C:\Users\$user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Output"

# All users on system
Get-ChildItem "C:\Users" -Directory | ForEach-Object {
    $jumpListPath = Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations"
    if (Test-Path $jumpListPath) {
        Write-Host "Processing: $($_.Name)"
        JLECmd.exe -d $jumpListPath --csv "C:\Output\$($_.Name)" -q
    }
}

Important Options:

• -f : Single file to process

• -d : Directory to recursively process

• --csv : Directory for CSV output

• --csvf : Custom CSV filename

• -q : Quiet mode (no output to console)

• --all : Process all files (including without proper extension)

CSV Output - Important Columns:

Column	Description	Example
SourceFile	Path to the jump list file	5f7b5f1e01b83767.automaticDestinations-ms
AppId	Application identifier	5f7b5f1e01b83767 (Office Word)
AppIdDescription	Human-readable application name	Microsoft Office Word
EntryNumber	Entry sequence in the jump list	1, 2, 3...
CreationTime	When file was created	2024-11-10 14:23:45
LastModified	When file was last modified	2024-11-10 15:30:12
LastAccessed	When file was last accessed	2024-11-10 15:30:12
TargetCreated	When target file was created	2024-10-15 09:12:33
TargetModified	When target file was modified	2024-11-09 16:45:21
TargetAccessed	When target file was accessed	2024-11-10 15:30:12
FilePath	Full path to accessed file	C:\Users\John\Documents\Report.docx
LocalPath	Local file path	C:\Users\John\Documents\Report.docx
CommonPath	Network path if applicable	\\server\share\file.docx
MachineName	Computer name	DESKTOP-ABC123
VolumeLabel	Drive label	Local Disk
VolumeSerialNumber	Unique volume identifier	A4BC-D123

Analysis Tips:

• Look for TargetCreated vs TargetModified - if Modified is much later, file was actively worked on

• Check LocalPath vs CommonPath to identify network file access

• Compare different AppIds to build user activity timeline

• Look for suspicious file paths or extensions

2. LECmd.exe - LNK Explorer Command Line

LNK files are the shortcuts you see on your desktop or in folders, usually marked with a little arrow. Whenever you open a file or program, Windows often creates a shortcut in the 'Recent' items folder. LECmd.exe analyzes these LNK files. This can tell you a lot, such as where the original file was located (even on a USB drive or network share), when it was first and last opened, and even information about the computer where the file was originally created. It's a great way to trace a file's history and see how it was used.

Forensic Value:

• Track file locations (even after file deletion)

• Identify external devices (USB drives) via Volume Serial Number

• Network share access history

• Program execution evidence

Basic Usage:

# Example 1: Parse single LNK file (must be actual file, not wildcard)
LECmd.exe -f "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\document.lnk" --csv "C:\Output"

# Example 2: Parse Recent directory (MOST COMMON)
LECmd.exe -d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" --csv "C:\Output" --csvf lnk_files.csv

# Example 3: Parse entire user profile recursively (finds all LNK files)
LECmd.exe -d "C:\Users\%USERNAME%" --csv "C:\Output" -q

# Example 4: Parse Desktop shortcuts
LECmd.exe -d "C:\Users\%USERNAME%\Desktop" --csv "C:\Output" -q

PowerShell Examples:

# Current user with output to Desktop
LECmd.exe -d "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Recent" --csv "$env:USERPROFILE\Desktop\ForensicOutput"

# All users
Get-ChildItem "C:\Users" -Directory | ForEach-Object {
    $recentPath = Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Recent"
    if (Test-Path $recentPath) {
        Write-Host "Processing LNK files for: $($_.Name)"
        LECmd.exe -d $recentPath --csv "C:\Output\LNK_$($_.Name)" -q
    }
}

Important Options:

• -f : Single LNK file

• -d : Directory to recursively process

• --csv : Output directory for CSV

• --csvf : Custom CSV filename

• -q : Quiet mode

CSV Output - Important Columns:

Column	Description	Forensic Significance
SourceFile	Path to LNK file	Where shortcut was found
SourceCreated	When LNK was created	When user first accessed file
SourceModified	When LNK was modified	Last time file was accessed via this shortcut
TargetCreated	When target file was created	Original file creation
TargetModified	When target was modified	When file content changed
TargetAccessed	When target was accessed	Last access time (if enabled)
LocalPath	Full path to target file	Where file is/was located
CommonPath	Network path	Shows UNC paths to network resources
RelativePath	Relative path	Path relative to LNK location
WorkingDirectory	Working directory	Application startup directory
Arguments	Command line arguments	Can reveal how program was executed
FileSize	Target file size	Helps identify file
VolumeLabel	Drive label	e.g., "USB DRIVE", "BACKUP"
VolumeSerialNumber	Unique volume ID	Critical: Identifies specific USB devices
DriveType	Type of drive	Fixed, Removable, Network
MachineName	Computer name	Where LNK was created
MachineMAC	MAC address	Network interface of creation machine

Analysis Tips:

• VolumeSerialNumber is crucial for tracking USB devices - same number = same physical device

• Compare SourceModified with TargetModified to establish timeline

• Look for LNK files pointing to non-existent paths (deleted files)

• Network paths in CommonPath reveal lateral movement or data exfiltration routes

3. PECmd.exe - Prefetch Explorer Command Line

To help programs start faster, Windows creates Prefetch files. These files act like a cache, storing information about the applications you run. PECmd.exe is a tool designed to read these .pf files. By analyzing them, you can see which programs were executed on a system, how many times they were run, and exactly when they were last run. This is incredibly useful for finding evidence of program execution, including malware that a user might have run.

Forensic Value:

• Program execution evidence (including malware)

• Number of times executed

• Last 8 execution timestamps (Windows 10+)

• Files and directories accessed by the program

• Volume information where program was executed from

Basic Usage:

# Parse single prefetch file
PECmd.exe -f "C:\Windows\Prefetch\CHROME.EXE-A1B2C3D4.pf" --csv "C:\Output"

# Parse all prefetch files
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Output" --csvf prefetch.csv

# Include all timestamps
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Output" -q

Important Options:

• -f : Single prefetch file

• -d : Directory to process

• --csv : CSV output directory

• --csvf : Custom CSV filename

• -q : Quiet mode

• --mp : When true, show all timestamps for LastRun (default is true)

CSV Output - Important Columns:

Column	Description	Forensic Value
SourceFilename	Prefetch filename	MALWARE.EXE-12345678.pf
Executable	Name of executed program	MALWARE.EXE
Hash	Prefetch hash	Unique identifier for that executable path
FileSize	Size of prefetch file	Larger files = more resources accessed
Version	Prefetch format version	Indicates Windows version
RunCount	Number of executions	Critical: How many times program ran
LastRun	Last execution time	Most recent execution (UTC)
PreviousRun0-7	Previous 7 execution times	Windows 10/11 stores last 8 runs
Volume0-X	Volume information	Drives accessed during execution
Directories	Directories accessed	Shows file system interaction
FilesLoaded	Files loaded during execution	DLLs, config files, data files
Created	Prefetch file creation	Usually first execution time

CSV Output - Important Secondary Files:

PECmd creates additional CSV files:

• *_Timeline.csv - All timestamps in timeline format

• *_FilesLoaded.csv - Detailed list of loaded files

Analysis Tips:

• RunCount = 1 might indicate single-run malware

• Compare LastRun with PreviousRun times to determine execution frequency

• FilesLoaded can reveal DLL hijacking or malicious dependencies

• Volume information can show execution from external media

• Large RunCount for suspicious executables requires investigation

4. MFTECmd.exe - MFT Explorer Command Line

The Master File Table (MFT) is the most important file on an NTFS file system (the standard for Windows). Think of it as a detailed index or table of contents for the entire hard drive. It contains information about every single file and directory: its name, size, location, and timestamps (when it was created, modified, and accessed). MFTECmd.exe parses this MFT file, allowing you to see a complete history of all files, including those that have been deleted. It's one of the most powerful sources of evidence in digital forensics.

Forensic Value:

• Complete file system timeline

• Deleted file recovery

• File creation, modification, access times

• Identifies timestomping attempts

• File system structure analysis

Basic Usage:

# Parse MFT file
MFTECmd.exe -f "C:\Evidence\$MFT" --csv "C:\Output" --csvf mft_output.csv

# Parse with body file output (for timeline analysis)
MFTECmd.exe -f "C:\Evidence\$MFT" --csv "C:\Output" --body "C:\Output" --bodyf bodyfile.txt

# Include all details
MFTECmd.exe -f "C:\Evidence\$MFT" --csv "C:\Output" --de 5

Important Options:

• -f : MFT file to parse

• --csv : CSV output directory

• --csvf : CSV filename

• --body : Body file output directory (mactime format)

• --bodyf : Body file name

• --de : Dedupe entries (5 = medium deduplication)

• -q : Quiet mode

CSV Output - Important Columns:

Column	Description	Forensic Significance
EntryNumber	MFT entry number	Unique file record number
SequenceNumber	Reuse counter	Detects MFT entry reuse
InUse	File is allocated	TRUE = active, FALSE = deleted
ParentEntryNumber	Parent directory entry	Rebuilds directory structure
ParentPath	Full directory path	Complete file location
FileName	File name	Name of file/directory
Extension	File extension	.exe, .docx, etc.
FileSize	File size in bytes	Actual file size
Created0x10	$STANDARD_INFO Creation	Can be modified (timestomping)
Created0x30	$FILE_NAME Creation	Cannot be easily modified
Modified0x10	$STANDARD_INFO Modified	User-visible modification time
Modified0x30	$FILE_NAME Modified	Filesystem modification time
LastRecordChange0x10	$SI MFT record change	When MFT record changed
LastRecordChange0x30	$FN MFT record change	When filename record changed
LastAccess0x10	$SI Last access time	When file was accessed (if enabled)
ZoneIdContents	Zone Identifier (ADS)	Shows file download source

Understanding 0x10 vs 0x30 Timestamps:

• 0x10 ($STANDARD_INFO): Can be modified by user/malware - less reliable

• 0x30 ($FILE_NAME): Modified only by filesystem - more reliable for detecting timestomping

Analysis Tips:

• Compare Created0x10 vs Created0x30 - if different, possible timestomping

• InUse=FALSE shows deleted files (can be recovered)

• ZoneIdContents reveals downloaded files and their source URL

• Large files with recent timestamps might indicate data staging

• Look for suspicious extensions in system directories

5. RECmd.exe - Registry Explorer Command Line

The Windows Registry is a massive database that stores all the configuration settings for the operating system, hardware, software, and user preferences. It's like the central brain of Windows. RECmd.exe is a powerful tool for searching and extracting information from the Registry. By examining the Registry, you can find out which programs are set to run at startup, which USB devices have been connected to the system, what files a user recently opened, and much more. It's a treasure trove of information about user activity and system configuration.

Forensic Value:

• User activity evidence

• System configuration analysis

• Malware persistence mechanisms

• USB device history

• UserAssist, ShimCache, BAM/DAM analysis

Basic Usage:

# Search for specific key
RECmd.exe --hive "C:\Evidence\NTUSER.DAT" --sk "Software\Microsoft\Windows\CurrentVersion\Run" --csv "C:\Output"

# Batch processing with pre-defined plugins
RECmd.exe --bn "BatchExample.reb" -d "C:\Evidence\RegistryHives" --csv "C:\Output"

# Search for value name
RECmd.exe --hive "C:\Evidence\SYSTEM" --vn "ControlSet001\Services"

Important Options:

• --hive : Single registry hive file

• -d : Directory with registry hives

• --bn : Batch file with multiple searches

• --sk : Search for key name

• --sv : Search for value name

• --vn : Value name to search

• --csv : CSV output directory

• -q : Quiet mode

Common Batch Files (included with RECmd):

• BatchExamples\Kroll_Batch.reb - Comprehensive artifact collection

• BatchExamples\RECmd_Batch_MC.reb - Malware-focused searches

CSV Output Structure: Output varies based on batch file, but typically includes:

• HiveFilePath

• KeyPath

• ValueName

• ValueType

• ValueData

• Comment (what artifact means)

Key Registry Artifacts:

Artifact	Location	Forensic Value
UserAssist	NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist	GUI program execution with timestamps and run count
Run Keys	SOFTWARE/NTUSER.DAT...\Run	Persistence mechanisms
USBStor	SYSTEM\ControlSet\Enum\USBSTOR	USB device history
ShimCache	SYSTEM\ControlSet\Control\Session Manager\AppCompatCache	Program execution evidence
BAM/DAM	SYSTEM\ControlSet\Services\bam\State\UserSettings	Recent program execution with timestamps
RecentDocs	NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recently opened documents

6. AmcacheParser.exe

The Amcache.hve is a special registry file that acts like a logbook for programs that have been run on a system. It keeps track of applications that were recently executed, including their file paths, installation dates, and even their SHA-1 hash. AmcacheParser.exe is the tool used to analyze this file. It can provide solid evidence that a program was executed, even if it has been uninstalled or deleted. This is particularly useful for identifying malware and understanding what software has been on a computer.

Forensic Value:

• Program execution evidence (even after uninstallation)

• SHA-1 hashes of executables

• Installation timestamps

• File compilation times

• Driver installation history

Basic Usage:

# Parse Amcache.hve
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Output"

# Include all entries
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Output" -i

Important Options:

• -f : Amcache.hve file path

• --csv : Output directory

• -i : Include associated file entries

• -w : Whitelist file (exclude known good)

CSV Outputs: Creates multiple CSV files:

• *_UnassociatedFileEntries.csv - Files without program association

• *_AssociatedFileEntries.csv - Files linked to programs

• *_DevicePnps.csv - Device Plug and Play information

• *_DriveBinaries.csv - Driver binaries

• *_DriverPackages.csv - Driver packages

• *_ShortCuts.csv - Application shortcuts

Important Columns (UnassociatedFileEntries):

Column	Description	Value
ProgramName	Application name	malware.exe
ProgramVersion	Version number	1.0.0.1
VendorName	Publisher	Unknown or company name
LanguageCode	Language	1033 (English)
FileDescription	File description	From PE metadata
FileVersion	File version	From PE header
SHA1	SHA-1 hash	Critical for malware identification
Created	First seen time	When first executed/installed
Modified	Modification time	When file changed
BornOn	Compilation time	From PE header LinkerTimestamp
FullPath	Complete file path	Where file was located

Analysis Tips:

• SHA-1 hashes allow quick VirusTotal lookups

• BornOn (compilation time) in the future = timestomping

• Compare Created vs BornOn - huge difference might indicate old malware

• Unknown vendors with system-level paths = suspicious

• Look for executables in temp directories or user profiles

7. SrumECmd.exe

The System Resource Usage Monitor (SRUM) is a feature in Windows that keeps a detailed record of system activity. It tracks which applications were running, which user ran them, and how much network data (uploads and downloads) they used. The SRUDB.dat file stores all this information. SrumECmd.exe is the tool you use to parse this database. It's extremely useful for creating a timeline of application and network activity, helping you understand what a user was doing and identifying any suspicious network connections.

Forensic Value:

• Application runtime duration

• Network data usage per application

• Bytes sent/received

• Background vs foreground execution

• Energy usage (battery-powered devices)

Basic Usage:

# Parse SRUM database
SrumECmd.exe -f "C:\Windows\System32\sru\SRUDB.dat" --csv "C:\Output"

# Include registry data for better user/app resolution
SrumECmd.exe -f "C:\Windows\System32\sru\SRUDB.dat" -r "C:\Windows\System32\config\SOFTWARE" --csv "C:\Output"

Important Options:

• -f : SRUDB.dat file

• -r : SOFTWARE registry hive (for better SID/App ID resolution)

• --csv : Output directory

• -q : Quiet mode

CSV Outputs: Multiple CSV files for different data types:

• *_NetworkUsage_*.csv - Network data per application

• *_AppResourceUseInfo_*.csv - Application runtime and resource usage

• *_NetworkConnections_*.csv - Network connection tracking

• *_EnergyUsage_*.csv - Power consumption data

Important Columns (NetworkUsage):

Column	Description	Forensic Value
Timestamp	When data was recorded	Activity timeline
AppId	Application identifier	Which program
Application	Application name	Resolved from AppId
UserId	User SID	Which user ran the app
BytesSent	Data sent	Upload activity
BytesReceived	Data received	Download activity
InterfaceLuid	Network interface	Which network connection
L2ProfileId	WiFi profile ID	Which WiFi network

Important Columns (AppResourceUseInfo):

Column	Description	Forensic Value
Timestamp	Recording time	When app ran
AppId	Application	Which program
UserId	User SID	Who ran it
ForegroundCycleTime	CPU time in foreground	Active use indication
BackgroundCycleTime	CPU time in background	Background process activity
FaceTime	Time in foreground	How long user interacted

Analysis Tips:

• High BytesSent to external IPs = potential data exfiltration

• Unusual applications with network activity = investigate

• BackgroundCycleTime without FaceTime = background malware activity

• Compare network usage patterns across users

• Sudden spikes in network activity = indicator of compromise

CSV Analysis Best Practices

1. Timeline Creation

Combining the timestamps from all the different CSV files is one of the most powerful analysis techniques. By sorting all events by date and time, you can build a chronological story of what happened on the system.

• Sort by timestamps: Merge the relevant columns from different CSVs (e.g., Prefetch LastRun, MFT Created0x30, LNK SourceCreated) into one master timeline.

• Correlate activities: Look for cause and effect. A file download followed by a program execution and then network traffic can reveal the stages of an attack.

• Look for temporal patterns: Identify unusual activity based on when it happened, such as a script running every hour or a login outside of normal business hours.

Example: You sort your timeline and see the following sequence of events:

1. 10:05 AM (MFT): A file named invoice.zip is created in the Downloads folder. The Zone.Identifier shows it was downloaded from the internet.

2. 10:06 AM (Prefetch): 7z.exe (a file archiver) is executed for the first time.

3. 10:07 AM (MFT): A new executable, update.exe, is created in the user's Temp folder.

4. 10:08 AM (Prefetch): update.exe is executed.

5. 10:09 AM (SRUM): update.exe begins sending a large amount of data to a suspicious IP address.

This timeline clearly tells the story: the user downloaded a zip file, extracted an executable, and that executable started exfiltrating data.

2. Filtering Techniques

Your CSV files will contain thousands of entries. Filtering is essential to narrow down the data to what is relevant to your investigation.

• Time-based: Focus on the specific timeframe when the incident occurred.

  • Example: If a user reported a strange pop-up at around 3:15 PM, you would filter all your CSV files in Timeline Explorer to only show events between 3:00 PM and 3:30 PM.

• User-based: Filter by a specific username or SID to isolate that user's activity.

  • Example: If you suspect the j.smith account was compromised, you would apply a filter to the UserId or Username column to see only the files they accessed and the programs they ran.

• Application-based: Track the activity of a specific executable.

  • Example: To investigate potential malware, you could filter for svchost.exe in the ExecutableName column of your Prefetch and Amcache results to see if a malicious program was masquerading as a legitimate Windows process.

• Path-based: Investigate activity within specific directories of interest.

  • Example: If you're concerned about data theft, you might filter for file access in sensitive directories like C:\Users\CEO\My Documents or C:\Projects\SecretData.

3. Correlation Strategies

No single artifact tells the whole story. The key to a good investigation is to correlate findings between different tools to validate your theories.

• USB Analysis: Combine LECmd (VolumeSerialNumber) + RECmd (USBStor).

  • Example: You find a suspicious LNK file on a USB drive using LECmd and note its VolumeSerialNumber is 1234-ABCD. You then search for 1234-ABCD in your registry results from RECmd to find the USBStor key, which can tell you the make and model of the exact USB device used (e.g., "SanDisk Cruzer Blade").

• Program Execution: Cross-reference Prefetch + Amcache + Registry (ShimCache, UserAssist).

  • Example: Prefetch shows that malware.exe was run. You can then look in the Amcache output to find the SHA-1 hash of malware.exe and check it on VirusTotal. Finally, you can check the UserAssist key in the user's registry to see a timestamp and a run count for the program.

• File Access: Correlate Jump Lists + LNK files + MFT timestamps.

  • Example: A Jump List shows that secret_plans.docx was recently opened by Microsoft Word. You can then find the LNK file for secret_plans.docx to see when it was last accessed. To get the most reliable timestamps, you check the MFT record for the file and compare the 0x10 and 0x30 timestamps to check for tampering.

• Network Activity: SRUM + Registry (NetworkList) + Firewall logs.

  • Example: SRUM shows that an unknown application, data_updater.exe, sent 500 MB of data to a foreign IP address. You can correlate this with Windows Firewall logs to see if the connection was allowed, and check the registry's network profiles to see which network (e.g., "Corporate WiFi" or "Public Coffee Shop WiFi") was used at the time of the transfer.

4. Red Flags to Look For

During your analysis, certain patterns should immediately raise a red flag. Here are some common examples:

• Executables in unusual locations: A common malware tactic is to hide in plain sight.

  • Example: Look for common Windows process names like svchost.exe or lsass.exe running from an unexpected directory like C:\Users\John\AppData\Local\Temp instead of their legitimate home in C:\Windows\System32.

• High RunCount for suspicious programs: This can indicate repeated malicious activity.

  • Example: If you see a known hacking tool like mimikatz.exe with a RunCount of 25 in your Prefetch data, it's a strong sign that an attacker has been persistently trying to steal credentials.

• Suspicious login times or device usage: Activity outside of normal behavior is a major concern.

  • Example: Finding evidence from LECmd and the Registry that a USB drive was connected and used at 3:00 AM on a Sunday is a major red flag if no one should have been working at that time.

• Network activity from unexpected applications: Programs that shouldn't be using the network suddenly are.

  • Example: If you see notepad.exe or calc.exe sending or receiving a large amount of network data in your SRUM results, it's highly suspicious and could indicate that malware has injected itself into a legitimate process.

• Timestamp anomalies (Timestomping): Attackers will often change file timestamps to hide their activity.

  • Example: In your MFT data, a file's user-visible creation time (Created0x10) is 2024-11-10, but its filesystem creation time (Created0x30) is 2021-03-05. This discrepancy is a strong indication that an attacker has used a tool to "timestomp" the file to make it look recent.

• Files downloaded from the internet: Executables from the web are a common infection vector.

  • Example: The MFT's Zone.Identifier stream can tell you if a file was downloaded from the internet. Finding a malicious PowerShell script with a ZoneId that indicates it was downloaded from an untrusted source is a key piece of evidence.