Eric Zimmerman's Tools are a collection of open-source digital forensics tools that can be used in a wide variety of investigations.
Forensic tools
| Name | Purpose |
|---|---|
| AmcacheParser | Amcache.hve parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | AppCompatCache aka ShimCache parser. Handles locked files |
| bstrings | Find them strings yo. Built in regex patterns. Handles locked files |
| EvtxECmd | Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! |
| EZViewer | Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!) |
| Hasher | Hash all the things |
| JLECmd | Jump List parser |
| JumpList Explorer | GUI based Jump List viewer |
| LECmd | Parse lnk files |
| MFTECmd | Boot, SDS, LogFile (coming soon) parser. Handles locked files |
| MFTExplorer | Graphical $MFT viewer |
| PECmd | Prefetch parser |
| RBCmd | Recycle Bin artifact (INFO2/$I) parser |
| RecentFileCacheParser | RecentFileCache parser |
| RECmd | Powerful command line Registry tool searching, multi-hive support, plugins, and more |
| Registry Explorer | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
| RLA | Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs |
| SDB Explorer | Shim database GUI |
| SBECmd | ShellBags Explorer, command line edition, for exporting shellbag data |
| ShellBags Explorer | GUI for browsing shellbags data. Handles locked files |
| SQLECmd | Find and process SQLite files according to your needs with maps! |
| SrumECmd | Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info! |
| SumECmd | Process Microsoft User Access Logs found under ‘C:\Windows\System32\LogFiles\SUM’ |
| Timeline Explorer | View CSV and Excel files, filter, group, sort, etc. with ease |
| VSCMount | Mount all VSCs on a drive letter to a given mount point |
| WxTCmd | Windows 10 Timeline database parser |
Guidance for macOS
I am testing this on my MacBook, which runs on the ARM64 architecture.
Requirements:
- Homebrew
- A terminal of your choice
Installation:
I used Homebrew for almost everything where possible; it keeps everything tidy and simple to manage.
```shell
# I use .NET 6 because it is compatible with most of the tools
brew install dotnet@6
# Add dotnet to PATH; adjust based on your shell (this line is for zsh)
echo 'export PATH="/opt/homebrew/opt/dotnet@6/bin:$PATH"' >> ~/.zshrc
```
Usage:
After adding dotnet to your PATH, either restart your terminal or run `source ~/.zshrc` for the change to take effect.
```shell
dotnet ~/net6/LECmd.dll -f "templet.lnk"
```
```
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

Command line: -f templet.lnk

Processing /temp_extract_dir 2/challenge/Users/OMEN/Downloads/project templet test/templet.lnk

Source file: /temp_extract_dir 2/challenge/Users/OMEN/Downloads/project templet test/templet.lnk
  Source created:  2023-05-10 23:46:14
  Source modified: 2023-05-10 23:46:14
  Source accessed: 2025-06-23 11:32:37

--- Header ---
  Target created:  null
  Target modified: null
  Target accessed: null

  File size (bytes): 0
  Flags: HasTargetIdList, HasRelativePath, HasArguments, HasIconLocation, IsUnicode, HasExpIcon
  File attributes: 0
  Icon index: 67
  Show window: SwShowminnoactive (Display the window as minimized without activating it.)
...
```
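As an added example (not code from LECmd or any of Eric Zimmerman's tools), the script below reads the console output LECmd prints, like the run shown above, into a structured record and lists the points an examiner would note before moving on: null target times, a zero target size, the HasArguments flag, and a source-accessed time that was set when the copy was extracted rather than on the original system. The sample text is constructed from the output above, the field names follow LECmd's labels, and the triage thresholds are assumptions of this example.

```python
"""Turn LECmd's console output into a structured record for triage.

Added example: this parser is not part of LECmd or any Zimmerman tool. It
reads the text LECmd prints to stdout and is driven by a constructed sample
modelled on that output, not by real evidence.
"""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the LECmd output shown in this post.
SAMPLE_OUTPUT = """\
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

Command line: -f templet.lnk

Processing /temp_extract_dir 2/challenge/Users/OMEN/Downloads/project templet test/templet.lnk

Source file: /temp_extract_dir 2/challenge/Users/OMEN/Downloads/project templet test/templet.lnk
  Source created:  2023-05-10 23:46:14
  Source modified: 2023-05-10 23:46:14
  Source accessed: 2025-06-23 11:32:37

--- Header ---
  Target created:  null
  Target modified: null
  Target accessed: null

  File size (bytes): 0
  Flags: HasTargetIdList, HasRelativePath, HasArguments, HasIconLocation, IsUnicode, HasExpIcon
  File attributes: 0
  Icon index: 67
  Show window: SwShowminnoactive (Display the window as minimized without activating it.)
"""

# "Key: value" lines; the key may contain spaces and parentheses, e.g. "File size (bytes)".
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*?)\s*$")
TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"
TIMESTAMP_KEYS = {
    "Source created", "Source modified", "Source accessed",
    "Target created", "Target modified", "Target accessed",
}


def parse_timestamp(value):
    """Convert an LECmd timestamp to an aware datetime; "null" becomes None.
    LECmd prints UTC by default, so the value is tagged as UTC."""
    if value.strip().lower() == "null":
        return None
    return datetime.strptime(value.strip(), TIMESTAMP_FMT).replace(tzinfo=timezone.utc)


def parse_lecmd_output(text):
    """Parse LECmd's text output into timestamps, header flags and other fields."""
    record = {"timestamps": {}, "flags": set(), "fields": {}}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # banner, blank lines and separators such as "--- Header ---"
        key, value = match.group(1), match.group(2)
        if key in TIMESTAMP_KEYS:
            record["timestamps"][key] = parse_timestamp(value)
        elif key == "Flags":
            record["flags"] = {flag.strip() for flag in value.split(",") if flag.strip()}
        elif key == "File size (bytes)":
            record["fields"][key] = int(value)
        else:
            record["fields"][key] = value
    return record


def triage(record):
    """Observations an examiner would want to note for one lnk record."""
    notes = []
    ts = record["timestamps"]
    if all(ts.get(k) is None for k in ("Target created", "Target modified", "Target accessed")):
        notes.append("target MAC times are null in the lnk header")
    if record["fields"].get("File size (bytes)") == 0:
        notes.append("recorded target size is 0 bytes")
    if "HasArguments" in record["flags"]:
        notes.append("HasArguments is set: review the arguments the shortcut passes to its target")
    # Source timestamps describe the file LECmd opened. On an extracted copy they
    # reflect the analyst's file system, so a large gap is a collection artefact
    # rather than user activity (the one-year threshold is an assumption).
    accessed, modified = ts.get("Source accessed"), ts.get("Source modified")
    if accessed and modified and (accessed - modified).days > 365:
        notes.append("source accessed long after source modified: likely set when the copy was extracted")
    return notes


if __name__ == "__main__":
    parsed = parse_lecmd_output(SAMPLE_OUTPUT)
    for key, value in sorted(parsed["timestamps"].items()):
        print(f"{key:16} {value}")
    print("flags:", ", ".join(sorted(parsed["flags"])))
    for note in triage(parsed):
        print("note:", note)
```

The same parser applies to the rest of LECmd's output (the relative path, arguments and icon location sections that follow the header) because they use the same "Key: value" layout; for bulk work, LECmd's CSV output is the better input for a timeline, and this kind of parsing is only needed when all you have is a captured console run.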