
DIGITAL FORENSICS & INCIDENT RESPONSE

Operating System & Device In-Depth:
FOR308 Digital Forensics Essentials
FOR498 Battlefield Forensics & Data Acquisition (GBFA)
FOR500 Windows Forensic Analysis (GCFE)
FOR518 Mac and iOS Forensic Analysis and Incident Response
FOR585 Smartphone Forensic Analysis In-Depth (GASF)

Incident Response & Threat Hunting:
FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics (GCFA)
FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (GNFA)
FOR578 Cyber Threat Intelligence (GCTI)
FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM)
SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH)

DFPS_Command-Line_v1.2_01-21
digital-forensics.sans.org

Forensics the EZ Way: Results in Seconds at the Command Line


With the wealth of data stored on Windows computers it is often difficult to know where to start. If you encounter a sizable hard drive, it could be hours or even days before you're ready to even start your investigation, never mind reporting the results. Using the EZ Tools provides scriptable, scalable, and repeatable results with astonishing speed and accuracy. Go from one investigation a week to several per day. This type of performance is common with the command line versions of EZ Tools. This poster will show you how.

Common CLI Options & Switches
Short options (single letter) are prefixed with a single dash. Long options are prefixed with two dashes.

Option               Definition
-d                   Directory to process
-f                   File to process
-q                   Quiet mode
--dt                 Custom date/time format
--mp                 Higher precision timestamps are displayed and will also be reflected in any exported data
--csv --json --html  Data can be exported to several formats. You can request multiple formats at the same time.
--debug              Shows debug info during tool execution (more info)
--trace              Shows trace info during tool execution (most info); can be run with debug (--debug --trace)
--sync               Sync updates from GitHub for KAPE targets and module updates, and for EvtxECmd map updates
--vss                Process Volume Shadow Copies. Supported in EvtxECmd, MFTECmd, PECmd, and RECmd

bstrings – Extract Text From Binary Files

Type of Artifact
bstrings can be used to search any type of file for potentially valuable information.

Basic Usage
bstrings.exe -f <file>

Advanced Usage
Option/Switch  Use                                            Example
--ls           Search for string                              bstrings -f suspect.exe --ls password
--lr           Search with regular expression                 bstrings -f suspect.exe --lr (ntos|win32k)
-p             List built-in regular expressions              bstrings -p
--lr XX        The XX represents a built-in regex             bstrings -f suspect.exe --lr ipv4
--fr           Read file containing regexes to use in search  bstrings -f suspect.exe --fr DFIR_RegExs.txt
-h             List all options                               bstrings -h
--cp           Use a different ANSI code page                 bstrings -f Powershell.evtx --ls download --cp 1201
Note: Windows Event Logs require the specific code page 1201 for bstrings to find the search string.

Regular expression searches use --lr. bstrings also contains over a dozen built-in regular expression patterns for things like credit card numbers, social security numbers, IP addresses, email addresses, and more. -p shows a list of the built-in regular expressions. When using a built-in expression, use the value in the Name column. For example, to look for email addresses, use this command:
bstrings.exe -f <some file> --lr email

bstrings also allows searching for several strings or regular expressions at once using the --fr and --fs switches.

In addition to Unicode strings, bstrings looks for strings encoded using the Western (1252) code page. Use the --cp switch to search in any other code page supported by .NET. A full listing of available code pages is available at https://goo.gl/ig6DxW

Interesting options and switches:
bstrings.exe -f <file> --ls "password"
Use the -x and -m switches to set maximum and minimum string lengths. Use --off to show the offset for each search hit.

AppCompatCacheParser – Shimcache Parser

Type of Artifact
Application Compatibility Cache (also known as Shimcache) is part of the Windows capability to provide backwards compatibility for programs meant to run on older versions of Windows. When an executable is found by Windows, the operating system determines how best to run the program. As a byproduct of this, the AppCompatCache stores information about those executables. AppCompatCache can be leveraged to assist forensic investigators in determining what executables were run on Windows.

Basic Usage
AppCompatCacheParser takes the SYSTEM registry hive as input and interprets the data stored therein. The SYSTEM hive must be specified using the -f parameter to indicate that the command is to be run over that registry hive only.

In the example command below, AppCompatCacheParser is being run against a SYSTEM registry hive stored on an evidence file mounted as a disk (E:). Output is stored on the G: drive in the "AppCompatCache" folder. AppCompatCacheParser will create an output file (CSV in this case) with the date and time that AppCompatCacheParser was executed and the detected operating system version in the file name.
AppCompatCacheParser.exe -f E:\Windows\System32\config\SYSTEM --csv G:\AppCompatCache

Key Data Returned
Processed Shimcache data in CSV, XML, or JSON format is available. The columns of most significance are typically "Path" (the location and name of the executable), "LastModifiedTimeUTC" (the last written time of the executable) and "Executed" (whether the executable was run). The most common mistake made by forensicators is to assume that the LastModifiedTimeUTC value refers to the execution of the file. Don't fall into this trap!

Advanced Usage
PRO TIP: Watch for changes at the start of the "Path". Anything that shows "SYSVOL" ran from the host's OS volume. Other volumes will be recorded by their drive letter.

Path                                        Last Modified Time UTC  Executed
SYSVOL\Windows\System32\notepad.exe         8/22/2019 11:00:12      Yes
E:\TACTICAL Subject\f-response-tacsub.exe   8/12/2019 19:21:00      Yes

PRO TIP: As a file's last written time does not change when a file is moved, renamed or copied, it may be possible to track the same executable across a single or even multiple systems, as a new entry will be created in the AppCompatCache when the file is executed from a different location or with a different name. The table below shows the same executable being run in different scenarios. We know they are all the same executable because they share the same last written time.

Path                                                   Last Modified Time UTC  Executed
SYSVOL\Windows\System32\spinlock.exe                   10/23/2019 14:27:18     Yes
SYSVOL\Users\SRogers\AppData\Local\Temp\spinlock.exe   10/23/2019 14:27:18     Yes
SYSVOL\Windows\prune.exe                               10/23/2019 14:27:18     Yes
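One way to apply the last-written-time pro tip to AppCompatCacheParser output in PowerShell. This is an added example, not the poster's own code; the column names are the three the poster names (Path, LastModifiedTimeUTC, Executed) and the CSV rows are constructed sample data modelled on the tables above.

```powershell
# Added example (not from the poster): entries that share a LastModifiedTimeUTC
# but sit at different paths are candidates for the same executable recorded
# under another name or location. Constructed sample rows, same columns the
# poster names; for real data use Import-Csv on the AppCompatCacheParser CSV.
$csvText = @'
Path,LastModifiedTimeUTC,Executed
SYSVOL\Windows\System32\notepad.exe,8/22/2019 11:00:12,Yes
SYSVOL\Windows\System32\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\Users\SRogers\AppData\Local\Temp\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\Windows\prune.exe,10/23/2019 14:27:18,Yes
E:\TACTICAL Subject\f-response-tacsub.exe,8/12/2019 19:21:00,Yes
'@

function Find-SharedLastWrite {
    param([Parameter(Mandatory)] [object[]] $Entries)

    # A last-write time seen under more than one distinct path is the pattern
    # from the pro tip. Treat it as a lead, not proof: two unrelated files can
    # carry the same timestamp, so confirm with a hash where the file still exists.
    $Entries |
        Group-Object -Property LastModifiedTimeUTC |
        Where-Object { @($_.Group.Path | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            $paths = @($_.Group.Path | Sort-Object -Unique)
            [pscustomobject]@{
                LastModifiedTimeUTC = $_.Name
                EntryCount          = $_.Count
                Paths               = $paths
                # SYSVOL is the host OS volume; any other prefix is another volume
                NonOsVolumeSeen     = @($paths | Where-Object { $_ -notlike 'SYSVOL\*' }).Count -gt 0
                # The Executed flag should agree across the group; a mismatch is worth a note
                AllExecuted         = -not ($_.Group.Executed -contains 'No')
            }
        }
}

# Real use: $entries = Import-Csv 'G:\AppCompatCache\<timestamped output>.csv'
$entries = $csvText | ConvertFrom-Csv
Find-SharedLastWrite -Entries $entries | Format-List
```

On the sample rows the only hit is the 10/23/2019 14:27:18 group with the three spinlock.exe/prune.exe paths, matching the poster's table.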
PECmd – Prefetch Parser

Type of Artifact
Prefetch is one source of evidence of execution or evidence of a program being run on a system. Prefetch files are created in the C:\Windows\Prefetch folder when a program is run from a specific location. If that program is run from more than one location, there will be a separate prefetch file created for each location from which the program ran. Prefetch files are not automatically deleted if the related program is deleted and therefore can be a source of historical information.

The creation date of the prefetch file is generally the first time that the program was attempted to be run from a particular location. This statement is intentionally vague because 1. programs that do not successfully run can still create a prefetch file and 2. the prefetch directory is limited to 128 files, so files are overwritten. A prefetch file can be created for a program that has previously run and had its prefetch file overwritten. This time can be off or delayed by approximately 10 seconds.

Basic Usage
Process a single Prefetch file and send results to screen
PECmd.exe -f C:\Windows\Prefetch\CMD.EXE-8E75B5BB.pf

Process a directory of Prefetch files and send results to a CSV file named prefetch.csv. The --csvf option allows you to provide the name of the prefetch output CSV.
PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv

Process a directory of Prefetch files, including VSS, and send the results to a CSV file named prefetch.csv with higher precision timestamps
PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv --vss --mp

Key Data Returned
PECmd, in CSV mode, will output two CSV files, one of which is a timeline. The timeline CSV will have "_Timeline" in the file name. The main Prefetch output file will contain important information such as:
• Executable name and full path from which it was executed
• Volume name and serial number from which the program ran
• Run Count – the number of times that the program was run from that location
• Timestamps (UTC) for the last eight executions
• Volumes, files and directories accessed during execution

Console Output Color:
Items in Red: Any path that has the strings "temp" or "tmp" in it. Also, any keyword that you included on the command line using the "-k" option and that appears in the path will be shown in red.
Items in Yellow: Executables that are referenced in the files section are highlighted in yellow.

Advanced Usage
KEYWORDS: You can provide a comma separated list of keywords on the command line. Volumes, directories, and files accessed by the program that are responsive to these keywords will be shown in red on the display.
PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv -k "system32, downloads, fonts"

PRO TIP: PECmd can extract and process Prefetch files from Volume Shadow Copies by using the "--vss" option. This will process Prefetch from ALL Volume Shadow Copies. The output files will be separated by individual VSS numbers.
PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv --vss

Note: To decompress the new compressed prefetch files created with Windows 10, you must run PECmd on Windows 8 or later.

SBECmd – ShellBags Explorer

Type of Artifact
The ShellBags artifact is truly amazing. Every time Windows Explorer interacts with a folder, an entry is created in the computer's ShellBags. Folders also include other "Explorer-like" items such as the Control Panel, zip files, ISOs, and mounted encrypted containers. ShellBags entries are not prepopulated based upon the system's folder structure; they are only created when user interaction occurs. The simple existence of a directory in ShellBags is evidence that the specific user account once interacted with that folder. ShellBags entries are likely to persist even when the original directories, files, and physical devices have been removed from the system and, due to this, can serve as a "history" of sorts of data that was previously on a system but may have since been removed.

ShellBags are a set of Windows Registry keys located in the NTUSER.dat and USRClass.dat Registry hives (primarily USRClass.dat) that maintain view, icon, position, size (and other attributes) of folders when using Windows Explorer. We used to say that ShellBags tracked folders that a user opened. Our understanding of the artifact has subsequently grown, and we now know that simply bringing a folder into "focus" in Windows Explorer can create and populate the ShellBags registry key. Moreover, different levels of interaction can populate more or less of the ShellBags fields. At a high level, opened == accessed == interacted.

Surely ShellBags was not created for the purpose of tracking user folder access. The official statement is that they were created to enhance the user experience by "remembering" the Windows Explorer view settings on a folder by folder basis. When a user returns to a folder, they see that layout, like medium icons sorted by most recently modified.

Basic Usage
SBECmd uses -d for a directory to recursively process user registry hives. There is no -f option for SBECmd.

To process a single user's ShellBags data, use the following command:
SBECmd.exe -d E:\Users\nromanoff --csv G:\temp\sbe_out

Advanced Usage
PRO TIP: If you need to process several users' ShellBags data, you might consider exporting their data first and then processing just the folder containing the exported data. This is a performance decision. Recursively processing many user folders can be very slow.

To process all users in the Users folder, use the following command:
SBECmd.exe -d E:\Users --csv G:\tmp\sbe_out

PRO TIP: SBECmd can pull data from a live system. This makes for a great learning and testing feature. Pull some baseline ShellBags data, run a test like navigating into a folder, pull the data again and compare. See what your own activity does to the ShellBags data.

Key Data Returned
CSV with the full path of the folder, MACB times for target folders and first and last folder interaction times. The Bag Path, Slot, Node Slot, and MRU position for each entry are also shown. These can initially be confusing to decipher in table form. Using the GUI version of ShellBags Explorer to see the table view translated into a hierarchical tree format can be very useful.

Timestamps shown in SBECmd output: Because registry key timestamps have only a single last update value for each key, the hierarchical data in the BagMRU registry key can become stale. This means that there may be a value in the key but it could be outdated. Therefore, if SBECmd is not positive that a date is current and accurate, that date will not be shown in the output. This is why you will often see that an entry has a Last Interacted Timestamp and no First Interacted Timestamp: the First Interacted Timestamp is stale and can't be relied upon.

You will also notice that SBECmd will only show Last Interacted Timestamps for MRU values.

VSCMount – Volume Shadow Copy Mounter

Type of Artifact
Volume Shadow Copies are created periodically to capture the previous state of a system. This means that deleted and wiped files, or even older versions of a file or folder, can be recovered from volume shadow copies. In order to recover such data a volume shadow copy must be mounted. VSCMount allows an investigator to mount each volume shadow copy.

Basic Usage
Before running the VSCMount tool, an evidence file must itself be mounted as a physical drive. Arsenal Image Mounter is the ideal tool for this task. Open Arsenal Image Mounter and click on "Mount disk image". Then select the evidence file to mount. Ensure that the option to "Write temporary disk device" is enabled and click "OK". Once mounted, note the drive letter. In the example below it is drive letter E.

Open an Administrator PowerShell window and run VSCMount. In the example command below, the "--dl" switch stands for "drive letter". This is the drive letter of the evidence file mounted above; in this example it is "E". The "--mp" switch stands for "map point". This is the location where VSCMount will create the links to all of the volume shadow copies found on the mounted evidence. In this instance, the volume shadow copies will be mapped to "C:\VSCs".
.\VSCMount.exe --dl E --mp C:\VSCs

Key Data Returned
When run, VSCMount counts the number of Volume Shadow Copies on the mounted image and maps each one to the target directory. From the example command given above, VSCMount found and mapped three volume shadow copies. Note that VSCMount has appended the "map point" with the drive letter. Inside the map point, there are three mapped volume shadow copies from the mounted E drive. Each of these can be expanded and viewed as needed.

Advanced Usage
PRO TIP: Looking at the mapped Volume Shadow Copies, it isn't immediately clear when they were created. Adding the "--ud" switch to the command adds the creation date of each mapped Volume Shadow Copy, as shown in the example below:
.\VSCMount.exe --dl E --mp C:\VSCs --ud

EvtxECmd – Windows Event Log Parser

Type of Artifact
There can be hundreds of Event Logs in the evtx folder, some aimed at system-wide events like Security.evtx, System.evtx and Application.evtx. There can be many others that record information in a much more targeted fashion. All Event Logs are stored in the same format on a Windows computer but the actual data elements collected vary. It is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines. All event records are normalized across all event types and across all Event Log file types!

The EvtxECmd parser has standardized CSV, XML, and JSON output. It also has custom maps and locked file support, and it's unbelievably fast. EvtxECmd has a unique feature, "Maps," that allows for the normalized output format.

Event Log Location: Event Logs for Windows Vista or later are found in %systemroot%\System32\winevt\logs

Although you may preserve all the logs, you probably would not parse and analyze them all. The same statement can be made for all the Event IDs in the Event Log files. EvtxECmd makes the selective processing of Event Logs easier and scriptable.

Basic Usage
Recursively parsing a directory of event logs is probably the most efficient way to use EvtxECmd. To parse a directory, copy Event Logs to a temporary directory and use the -d option. Additionally, use the --inc option to only include specific Event IDs in the processing.

You have extracted the Event Logs to a folder named E:\evtx\logs and now you want to process all those logs in a single command.
EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv

Process all event logs and only include the Event IDs specified by the --inc option
EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv --inc 4624,4625,4634,4647,4672

Exclude specific Event IDs by using the --exc option
EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv --exc 4656,4660,4663

Key Data Returned
Processed Event Logs are in a standardized CSV, XML, or JSON format. Output normalization is accomplished through the use of Event Log "maps". Maps provide specific handling of a single combination of Event Log and Event ID. Events without maps are still processed, but the output format will vary. The normalized Event Log output makes it possible to analyze many different types of Event Logs in a single view. Timeline Explorer is perfect for this analysis.

Advanced Usage
PRO TIP: Process only the Event Logs and Event IDs that are relevant to your case. Check out this PowerShell script that copies out the relevant Event Logs and processes only specific Event IDs (your list of relevant logs and Event IDs may vary):
https://for500.com/evtx2process
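An added PowerShell example of the copy-then-process approach the EvtxECmd pro tip describes. It is not the script at for500.com/evtx2process; the evidence drive letter, the EvtxECmd.exe path, and the log and Event ID lists are assumptions to adjust per case.

```powershell
# Added example (not the poster's script): stage only the relevant Event Logs
# from a mounted evidence volume, then run EvtxECmd over the staging folder with
# --inc so only the listed Event IDs are parsed. All paths below are assumptions.
$evidenceLogs = 'E:\Windows\System32\winevt\logs'   # %systemroot%\System32\winevt\logs on the image
$stagingDir   = 'G:\evtx\logs'
$outDir       = 'G:\evtx\out'
$evtxecmd     = 'C:\Forensic Program Files\ZimmermanTools\EvtxECmd\EvtxECmd.exe'

# Logs worth pulling for a logon-focused triage (adjust per case)
$relevantLogs = @(
    'Security.evtx',
    'System.evtx',
    'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx',
    'Microsoft-Windows-PowerShell%4Operational.evtx'
)

# Event IDs from the poster's --inc example: logon, failed logon, logoff,
# user-initiated logoff and special-privilege logon
$includeIds = 4624, 4625, 4634, 4647, 4672

New-Item -ItemType Directory -Path $stagingDir, $outDir -Force | Out-Null

$copied = 0
foreach ($log in $relevantLogs) {
    $src = Join-Path $evidenceLogs $log
    if (Test-Path -LiteralPath $src) {
        Copy-Item -LiteralPath $src -Destination $stagingDir -Force
        $copied++
    } else {
        # A missing log is itself a finding worth recording, not just a skip
        Write-Warning "Not present on the image: $log"
    }
}

if ($copied -eq 0) {
    throw "No Event Logs were copied from $evidenceLogs; check the mount and the log list."
}

# Same shape as the poster's command: -d directory, --csv output folder,
# --csvf file name, --inc comma-separated Event IDs
& $evtxecmd -d $stagingDir --csv $outDir --csvf 'evtxecmd_out.csv' --inc ($includeIds -join ',')
```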

The most trusted source for cybersecurity training, certifications, degrees, and research
@sansforensics   sansforensics   dfir.to/MAIL-LIST
EZ Tools are free resources for the DFIR community. Development is funded in part by the SANS Institute. sans.org/eztools
RBCmd – Recycle Bin Artifact Parser

Type of Artifact
Windows stores information relating to user deletions on a per-user basis in the Recycle Bin. Windows XP used a file named "INFO2" to track the deletions. This file included the original location and time that each file was deleted. That behavior changed in Windows Vista, when each deleted file began to be tracked on its own. Now, when a file is deleted, it is renamed. For example, if cat.jpg was deleted, the deleted file would have a name such as $R7YQ28P.jpg. The $R prefix means that it contains the content (Resource) of the original file. In addition to the $R file, a new corresponding $I (Information) file is created in the Recycle Bin. So every deleted file has both a $R and a $I file with a matching random string for the rest of the file name. The $I file contains the information about the original location of the file and the date and time of deletion. RBCmd takes this data and presents it in a human-readable format.

Basic Usage
In the example command below, RBCmd is being run against an INFO2 file stored on an evidence file mounted as a disk (E:). When running this command the output is shown in the window running the command (command line window or PowerShell). Note that because the INFO2 file may contain information about several deleted items, it may be best to output to a CSV for review (see the third example below).
RBCmd.exe -f E:\RECYCLE\S-1-5-21-3001495921-1769015868-3887507880-1001\INFO2

In the next example, RBCmd is being run against a single $I (information) file on a mounted drive (E:). The output is displayed in the window where the command was run.
RBCmd.exe -f E:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001\$I7YQ28P.jpg

Source file: .\$IG1VEXX.xls
Version: 1 (Pre-Windows 10)
File size: 16384 (16KB)
File name: C:\Users\Donald\SkyDrive\Documents\WACC Calc Spreadsheet -SECRET.xls
Deleted on: 2013-10-21 18:32:52.5320000

In the final example, RBCmd is being run against the parent folder of the $I file above, thereby parsing all of the $I files. This time, the output is stored in a CSV in G:\RBFiles with the date and time in the file name. Use of the -q switch prevents all of the output from being sent to the window, making processing faster.
RBCmd.exe -d F:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001 --csv G:\RBFiles -q

Key Data Returned
Processed Recycle Bin data is either output to the screen (if no output file is specified) or in a standardized CSV, XML, or JSON. The output shown under the second example above is what RBCmd prints when run against a single file. The source file is shown, as is the file size, original file name and location and date of deletion.

Advanced Usage
PRO TIP: Running RBCmd on a mounted drive will work, but remember that when doing so, Windows does not see deleted files, so RBCmd won't pick them up. It is often worth extracting deleted $I files using another tool and then running RBCmd over those recovered files.

JLECmd – JumpList Explorer Command Line Edition

Type of Artifact
Jumplists store critical information about files and folders that have been interacted with using various GUI applications in Windows. Among other things, Jumplists contain information about the application used to open target files and folders and store metadata specific to those target items. That metadata contains details such as file name and location, dates and times, etc. Parsing the Jumplist data can be difficult and time-consuming as they are stored in a format known as MS OLE Structured Storage files. JLECmd makes parsing this data simple and quick.

Basic Usage
JLECmd takes either a single Jumplist file (relating to a specific application) or a directory of Jumplists as input. If parsing a single Jumplist, use the -f option. If parsing a directory of Jumplists, use the -d option. It is also suggested that the -q switch be used to avoid dumping all results to the screen (which can dramatically slow down JLECmd's execution time).

In the example command below, JLECmd is being run against a single Jumplist stored on an evidence file mounted as a disk (E:). Output is stored on the G: drive in the "Jumplists" folder. JLECmd will create an output file (CSV in this case) with the date and time in the file name.
JLECmd.exe -f E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations\ff103e2cc310d0d.automaticDestinations-ms --csv G:\Jumplists -q

In the example command below, JLECmd is being run against all automatic jumplist files stored for the user "Donald". Output is stored in the same folder as before. JLECmd will create an output file (CSV in this case) with the date and time in the file name.
JLECmd.exe -d E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations --csv G:\Jumplists -q

A mapping of AppIDs to application names can be found at https://for500.com/appid.

Key Data Returned
The JLECmd output contains two important categories of data: evidence of execution and evidence of file knowledge. The table below shows some of the more significant columns to include in your review.

Column Name       Forensic Value
AppIdDescription  Human readable name for the AppID
DestListVersion   Used with MRU to determine the most recently opened file in the Jump List
MRU               Used with DestListVersion to determine the most recently opened file in the Jump List
Path              Location and name of the file opened
TargetCreated     Creation timestamp of the file referenced in the Jump List
TargetModified    Modification timestamp of the file referenced in the Jump List

Advanced Usage
PRO TIP: Watch for changes in the "DriveType", "VolumeSerialNumber" and "VolumeLabel" columns, as the data in these columns can indicate whether files have been opened from external devices. In the example below, the change in these columns shows that a file was opened from the USB device named "FILES". Additionally, the local path may show the same drive letter for multiple removable devices (e.g., F:\), but you should also review the volume serial number and the volume label to determine if the drive letter is associated with the same or different devices.

Target Modified  Drive Type                             Volume Serial Number  Volume Label  Local Path
9/1/2018 16:53   Fixed storage media (Hard drive)       7E58AAB0              Windows10_OS  C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1193125-12-53009.pdf
9/27/2018 17:42  Fixed storage media (Hard drive)       7E58AAB0              Windows10_OS  C:\Users\srogers\Documents\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf
9/3/2018 14:13   Removable storage media (Floppy, USB)  B0A9FE90              FILES         F:\Forms\fy08-form-10k.pdf
9/1/2018 16:43   Fixed storage media (Hard drive)       7E58AAB0              Windows10_OS  C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1065280-13-8.pdf

AmcacheParser – Amcache Parser

Type of Artifact
Amcache is part of the Application Experience Service in Windows. The Application Experience Service monitors executables and determines if those programs require updating when run. As a byproduct of this, the Amcache stores information about those executables. AmcacheParser can be leveraged to assist forensic investigators in determining what executables were run on Windows and when they were run, and it provides a SHA-1 hash of the executables in order to track the same executables across assets.

Basic Usage
AmcacheParser takes the Amcache.hve registry hive as input and interprets the data stored therein.

In the example command below, AmcacheParser is being run against an Amcache.hve registry hive stored on an evidence file mounted as a disk (E:). Output is stored on the G: drive in the "Amcache" folder. AmcacheParser will create an output file (CSV in this case) with the date and time in the file name.
AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve --csv G:\Amcache

Key Data Returned
Processed Amcache data in a standardized CSV, XML, or JSON format is available. The columns of most significance are typically "FileIDLastWriteTimestamp" (the first time the executable was run), "SHA1" (the SHA-1 hash of the file being executed) and "FullPath" (the location and name of the executable that ran). Other data of potential interest include the Volume ID (used to determine from which volume the executable was run), MFT Entry number and Sequence numbers (used to determine if the executable was run from an NTFS volume) and information about the internal metadata of the executable itself.

Advanced Usage
PRO TIP: Watch for changes in the VolumeID, as these can be indicative of applications being run from external devices. In the example below, the VolumeID is different for each executable run, meaning that they were all run from different volumes even though two entries reference the E:\ drive.

Volume ID                             File ID Last-Write Timestamp  SHA1                                      Full Path
abcd082d-3b8e-11e3-be8d-24fd52566ede  10/23/2013 3:09               f107ec56d650bf2cb00b186cbfbd202f66209ecf  E:\FTK Imager\FTK Imager.exe
afd25598-3b2c-11e3-be8c-24fd52566ede  10/22/2013 21:42              ca5fd519a43ff95d1ec0bbdf3533e9392109af74  E:\TACTICAL Subject\f-response-tacsub.exe
dbcc2aeb-5826-41c0-8011-f0153438122b  10/13/2013 9:42               9fef303bedf8430403915951564e0d9888f6f365  C:\Windows\System32\notepad.exe

PRO TIP: Looking for something specific in the Amcache? You can use the switches -b (blacklist) or -w (whitelist). Blacklisting will include only those Amcache entries that match the SHA-1 hashes specified in the file, while whitelisting will exclude those Amcache entries that match the SHA-1 hashes. In the example below, we've provided SHA-1 values in Blacklist.txt, meaning that the output CSV will contain only items that are responsive to the SHA-1 values in the text file.
AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve -b G:\Blacklist.txt --csv G:\Amcache

WxTCmd – Timeline Explorer

Type of Artifact
The 1803 update of Windows 10 introduced the Timeline feature. This keeps a record of the last 30 days of applications and files opened by a given user. It can be seen by holding the Tab key and pressing the Windows key. The data for this are also synchronized from other computers where the user has logged in with their Microsoft account. The data for the Timeline is stored in a SQLite database.

Key Data Returned
Processed Timeline data in a standardized CSV, XML, or JSON. There are several columns of potential interest in a forensic investigation. The "Executable" column provides the name and the path of the executable in use. For example, "Program Files x86\Adobe\Acrobat Reader DC\Reader\Acrord32.exe" would show that Acrobat Reader was opened. "Display Text" provides information regarding the content opened and the application used. For example, "Tax Documents.pdf (Acrobat Reader DC)" would indicate that the file "Tax Documents.pdf" was opened using Acrobat Reader. "Content Info" provides information relating to the location of the item that was opened. Following the same example as above, "C:\Users\lee_w\Desktop\Tax Documents.pdf" would indicate the location of the file that was opened.

Basic Usage

RECmd – Registry Explorer Command Line Edition

Type of Artifact
This command line tool is used to access, search and recover, and export any data found in the Windows Registry. To grasp why this tool is so powerful, just think about searching and exporting the registry in a consistent output format. It's no big deal to do this with other tools until you have to do exactly the same thing across tens, hundreds, or thousands of machines.

Basic Usage
Search NTUSER.dat for key names that contain "Dropbox"
RECmd.exe -f "C:\Temp\NTUSER.dat" --sk Dropbox

Search UsrClass.dat for value data that contains "Dropbox"
RECmd.exe -f "C:\Temp\UsrClass.dat" --sd Dropbox

Search the directory registry_files for key names that contain "Dropbox" whose last write time is >= StartDate and whose value name contains either "AppName" or "DisplayName"; don't recover deleted keys and don't process log files.
RECmd.exe -d "C:\Temp\registry_files" --sk "Dropbox" --StartDate "11/13/2014 15:35:01" --RegEx --sv "(App|Display)Name" --recover false --nl

RECmd will replay and apply all registry hive logs automatically. Use --nl to suppress this.

Search options
• StartDate  Start date: last write timestamps (UTC)
• EndDate    End date: last write timestamps (UTC)
• MinSize    Find values with data size >= MinSize (specified in bytes)
• sk         Search for <string> in key names
• sv         Search for <string> in value names
• sd         Search for <string> in value record's value data
• ss         Search for <string> in value record's value slack
• Regular expressions must of course be valid .NET regular expressions
• If either the key or value has spaces in it, enclose it in quotes
• To get default values, use a value name of "(default)"

Advanced Usage
Keys collection – each entry in a batch file consists of:
• Description: A user-friendly description of what this key will find. Can be anything from the key name to a friendlier description of what it means, etc.
• HiveType: The type of hive this entry corresponds to. Valid choices are NTUSER, SAM, SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE, SYSCACHE
• KeyPath: The path to the key to look for
• ValueName: OPTIONAL value that, when present, is looked for under KeyPath
• Recursive: Whether or not to process KeyPath recursively
• Comment: Like Description in that you can add various things here that end up in the CSV

HiveType determines which kind of hive the entry corresponds to. This saves time in that RECmd won't search a SOFTWARE hive for keys that won't ever exist there (because they are NTUSER-specific, for example).

Batch File Example
Detailed, fully functional example batch files can be found in the ZimmermanTools\RegistryExplorer\BatchExamples folder.

Wildcards are supported in the KeyPath within the batch file. Example:
SOFTWARE\Microsoft\Office\*\*\User MRU\*

To use batch mode, supply the file to the --bn switch, along with --csv to tell RECmd where to save results:

• Export UserAssist data via a RECmd batch file that uses a Registry Explorer plugin
RECmd.exe --bn .\BatchExamples\BatchExampleUserAssist.reb -f C:\Temp\NTUSER_dblake.DAT --nl --csv C:\Temp

• Export many of the Registry Explorer plugin CSVs using a batch file
RECmd.exe --bn .\BatchExamples\RECmd_Batch_MC.reb -d G:\blake\Registry\E --nl --csv g:\blake\recmd_out

PRO TIP: Be as specific as possible about the directory to process, as it can have a significant impact on performance. These two commands generate the same results but the second one runs much faster.

This is much slower because RECmd has to process the entire drive:
RECmd.exe --bn "C:\Forensic Program Files\ZimmermanTools\
WxTCmd takes a single ActivitiesCache.db file as input. If the input is coming the Timeline. “Start Time” indicates the first time, in the last 30 days, that this • “--sX” are search options; they use the “contains” logic RegistryExplorer\BatchExamples\UserActivity.reb” -d G:\blake\
from a mounted evidence item, it needs to be mounted as read-write/write- specific activity occurred. Registry\E --nl --csv g:\blake\registry\recmd_out
• -sd will convert the compare values to ASCII and Unicode before doing
temporary. Output for this command is not output to the screen, so a CSV needs
comparison unless the”--l” literal switch is used This is much faster because RECmd is only processing a single user directory
to be specified. Advanced Usage
In the example command below, we are looking for large registry key (1MB and RECmd.exe --bn “C:\Forensic Program Files\ZimmermanTools\
In the example command below, WxTCmd is being run against the PRO TIP: Among the parsed data provided by WxTCmd is the column named
base64 encoded) that often contain malware. Deleted keys are also retrieved RegistryExplorer\BatchExamples\UserActivity.reb” -d G:\blake\
ActivitiesCache.db file stored on an evidence file mounted as a disk (E:). Note “Content Info”. As described above, this column contains the location and name
and parsed. Registry\E\Users\Donald --nl --csv g:\blake\registry\recmd_out
that the subfolder named “a3936c317ac1474e” is not consistent. An equivalent, of the opened file or resource. However, it also contains another valuable piece
differently named folder will be present for other users. of information. In the example below, a file was opened from a “D:” drive. This RECmd.exe -d “C:\Temp\registry_files” --minsize 1M --Base64
ActivitiesCache.db file contains information for all computers synchronized to --recover true PRO TIP: A RECmd batch file can contain instructions for processing different
WxTCmd.exe -f E:\Users\srogers\AppData\Local\ Hives & Keys. Using the -f option allows you to target a specific hive instead, if
this Microsoft account, so several linked computers could have a “D:” drive. The
ConnectedDevicesPlatform\a393c317ac1474e\ActivitiesCache.db To search for binary data in value data, simply string together the hex characters desired, all hives mentioned in the batch file.
example below provides the GUID (Global Unique Identifier) for the volume that you want to find, separated by dashes (04-00-EF-BE, for example).
stores that file. This means that the file can be tied back to a specific volume on When RECmd runs in batch mode, several files will get generated in the --csv
a specific device. RECmd.exe -hive “C:\Temp\registry_files” --sd” directory (see the example to the left).
D:\Files\Cat.jpg (file:Unmapped GUID: //D:/Files/Cat.
Batch Mode
jpgVolumeId={A98818E7-5868-4C06-807E-0F24C9746829}&ObjectId=
By default, batch mode utilizes the same plugins as found in Registry Explorer
{AE26BE95-ACAC-11E9-B3FB-60F6770E22E2})
and works the same way. When used by RECmd, the data from the plugin will
be normalized into a standard format for CSV output. When a plugin is used
to process a key or key/value, the data generated by the plugin are also saved
MFTECmd – MFT Explorer MFT such as timestamps and other metadata. In the example below follow the out to a CSV. In this way, it is very similar to exporting the data from Registry
Explorer (albeit to Excel vs. CSV).
flow of activity the files recorded in $J. The first entry is for the creation of a file
named $IT74KUZ, then data is added to the file before it is closed. Immediately Batch File
Type of Artifact afterwards, the file sdelete64.exe is renamed to $RT74KUZ before also being
MFTECmd parses a number of different files from NTFS-formatted drives. At a closed. This all happens within the same hundredth of a second as sdeleted64. Header
high level, MFTECmd parses each of these internal NTFS System files. At a lower exe being sent to the $Recycle.bin • Description: A general description of what this batch file is going to find
level, the application dives deep into NTFS and helps uncover much data of
interest. • Author: Name of this batch file (can be more, too, like contact information)

File Description Contents • Version: A version number that should be incremented as changes happen A mapping of app_ids to app name can be found at
$MFT Index of each file and folder on volume File name timestamps, and other metadata • Id: A unique (across all other batch files) GUID (Global Unique Identifier) that https://for500.com/appid.
$Boot Volume boor record Volume serial nbr, volume signature, nbr of sectors identifies this batch file
$SDS File ownership Contains a list of all the Security Descriptors on the volume
$J USN Journal Transaction log of all changes to a file A few moments later, both files are deleted as the $Recycle.bin is emptied.
(write, delete, rename, etc.) (file change journal)
$Logfile Transaction Log File Used by NTFS to maintain the integrity of the filesystem in
the event of a crash (metadata change journal) LECmd – LNK File Explorer Advanced Usage
PRO TIP: Taking the data from key columns not only tells a forensic investigator
The $SDS file allows us determine file ownership. For example, in the first
Basic Usage Type of Artifact when the file was opened, but may also provide details about the number of
screenshot below we see output from the parsed $MFT loaded into Timeline
MFTECmd takes a $MFT, $J, $SDS, $Logfile or $Boot as input. These input files Explorer. Looking at the NTUSER.DAT Shortcut files (*.lnk) are shell items and, as such, not entirely human-readable.
times a user accessed a file with that name. In the table below, the first row
can be in the form of an exported copy of the file(s) or by referencing them from of results indicates that the file was only opened once, as SourceCreated and
entry we can see that the Security ID Lnk files are most frequently created when a user opens a non-executable file
within a mounted image. The example command below shows MFTECmd being SourceModified contain the same time. The second instance indicates that the
for this file is 8271. by double-clicking. These shortcut files are stored under the user profile that
run against a $MFT file that has been exported from an evidence file and the data file has been opened at least twice, as the SourceCreated occurred around seven
opened the file and contain information relating to the opened target file. This
being saved to a CSV file. If we then go to the $SDS output and hours before the SourceModified. We also see that the Target dates are identical,
includes information such as the target file dates and times (at the time when
search for that same Security ID, we find that the NTUSER.DAT file is owned by suggesting that the file has not been changed since it was created. The last
MFTECmd.exe -f ‘G:\Exports\$MFT’ --csv G:\MFT_Output the user with the Relative ID of 1001. If needed, we can take the SID and tied it
the file was opened), file name and path, the drive type, volume serial number,
row indicates that the file was only opened once, since the Source entries are
volume label and more. LECmd takes this data and presents it in a human-
In the next example MFTECmd is run against a $MFT file stored on a mounted to a username via the SAM Registry Hive. identical, However, the TargetModified precedes the TargetCreated, indicating
readable format.
disk (E:) and outputting the data as a CSV file. In order to run this command, it that the file has been copied to the F: drive from another location.
is recommended to mount the evidence using Arsenal Image Mounter as write-
temporary. Basic Usage
LECmd takes, as input, either a single lnk file or a folder containing several such Source Source Target Target Path (Combined from Local Path and
MFTECmd.exe -f ‘E:\$MFT’ --csv G:\MFT_Output files.
Created Modified Created Modified Common Path)
Advanced Usage 9/1/2018 9/1/2018 8/27/2018 9/6/2018 C:\Users\Donald\Documents\NETFLIX SEC Filings\
Note the command line syntax for referencing the alternate data streams PRO TIP: It is important to remember that NTFS stores two sets of dates In the example command below, LECmd is being run against a single lnk file 16:53 16:53 09:24 14:43 SEC-NFLX-1193125-12-53009.pdf
$UsnJrnl and $Secure. and times in each $MFT entry. These are known as the Standard Information stored on an evidence file mounted as a disk (E:). When running this command 9/27/2018 9/27/2018 9/27/2018 9/27/2018 C:\Users\srogers\Documents\Netflix 3Q13
MFTECmd.exe -f ‘E:\$Extend\$UsnJrnl:$MFT’ --csv G:\USN_Output Attributes (SIA) and the FILENAME attributes. This means that each file and the output is shown in the window running the command (command line 10:42 17:37 10:28 10:28 Conference Call Announcement 09 30 13.pdf
folder will have timestamps in both groups. These dates and times behave window or PowerShell). 9/3/2018 9/3/2018 9/3/2018 9/1/2018 F:\Forms\fy08-form-10k.pdf
MFTECmd.exe -f ‘E:\$Secure:$SDS’ --csv G:\SDS_Output differently and can indicate when a file was truly created, not just what Windows 14:13 14:13 14:11 18:19
LECmd.exe -f E:\Users\srogers\AppData\Microsoft\Windows\Recent\
reports. For example, in the table below we see a number of files stored under
Key Data Returned Peggy.jpg.lnk
the Windows directory. The Created0x10 is the created date and time as stored in PRO TIP: LNK facts to keep in mind:
The columns of most significance are highly dependent on the type of the SIA and Created0x30 relates to those stored in the FILENAME attributes. In the next example, LECmd is being run against a folder of lnk files stored on the
• The target file name extension is not always provided in the LNK name.
investigation and the reason for parsing the files in the first place. For example, same mounted evidence file as above. This time, the output is stored in a CSV
As can be seen in the table, both dates and times are the same for the first
the dates and times in the $MFT could provide an indication as to the copying stored in G:\LnkFiles. • T
 he LNK file points to the last file of that name. Meaning, if there were two
two entries, but the third entry shows a FILENAME creation date that is much
of files from external devices. If the written/modification time precedes the files named exactly the same, the link files point to the last one opened.
later than the creation date stored in the SIA. This may be an indication of LECmd.exe -f E:\Users\srogers\AppData\Microsoft\Windows\Recent
creation time, there is a high degree of probability that the file was copied
manipulation of the SIA timestamp for the syncmon.exe file and would warrant --csv G:\LnkFiles -q
from another volume.
further investigation.
In the example below, the $MFT has been parsed to CSV and loaded into Key Data Returned
Created0x10 Created0x30 Path (combined from Parent Path and File Name)
Timeline Explorer. In each row the Last Modified time precedes the Created time.
Column Name Forensic Value
3/18/2019 09:17 3/18/2019 09:17 C:\Windows\System32\cmd.exe
3/18/2019 09:18 3/18/2019 09:18 C:\Windows\System32\mountvol.exe AppIdDescription Human readable name for AppID
3/18/2019 09:19 8/18/2019 01:12 C:\Windows\System32\syncmon.exe DestListVersion Used with MRU to detemine most recentely opened file in the Jump List
MRU Used with DestListVersion to detemine most recentely opened file in the Jump List
PRO TIP: When an evidence file is mounted as a drive MTFECmd can also dive into Path Multiple Path Columns: Location and name of source and target files
the volume shadow copies and retrieve previous versions of the $MFT, the $J
SourceCreate Creation Timestamp of the LNK itself
and $SDS files. This can be done by virtue of the switches --vss and --dedupe as
SourceModified Modification Timestamp of the LNK itself
demonstrated in the command below. The --vss switch tells MFTECmd to search
This is a clear indication that these files were copied from another volume. in the volume shadow copies and the --dedupe switch stops MFTECmd from TargetCreated Creation Timestamp of target file the LNK points to
reporting duplicate entries found in the volume shadow copies. TargetModified Modification Timestamp of target file the LNK points to
The processed $J data can be used to determine the date and time that specific
DriveType Network, fixed loal, ior Removable
actions were taken on a file. These actions include (but are not limited to) MFTECmd.exe -f ‘E:\$Extend\$UsnJrnl:$J’ --csv G:\MFT_Output
creating a new file, making changes to a file, deleting a file, overwriting a file, --vss --dedupe VolumeSerialNumber MFT Entry Number
and renaming a file. The $LogFile tracks changes to the information found in the MFT Nbr & Seq nbr MFT - Seg nbr - If present then Voluome is NTFS

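The "Content Info" value shown in the WxTCmd PRO TIP above can be parsed mechanically so that every opened file is keyed by its VolumeId GUID rather than by a drive letter that several synchronised devices may share. The Python below is an added example written for this page; it is not part of the SANS poster or of WxTCmd. It assumes the column has exactly the form shown above; the first sample entry is the poster's own, while the other file entries, their GUIDs and the app-only entry are constructed sample data.

```python
"""Parse the WxTCmd "Content Info" column and group opened files by volume GUID.

A drive letter such as D: is not unique across the devices synchronised to a
Microsoft account, but the VolumeId GUID is, so keying on it tells the analyst
which volume (and therefore which device) a file really came from.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Expected form (from the poster):
#   <path> (file:Unmapped GUID: //<uri path>VolumeId={GUID}&ObjectId={GUID})
GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
CONTENT_INFO_RE = re.compile(
    r"^(?P<path>.+?) \(file:Unmapped GUID: //(?P<uri>.+?)"
    r"VolumeId=\{(?P<volume>" + GUID + r")\}"
    r"&ObjectId=\{(?P<object>" + GUID + r")\}\)$"
)

# Constructed sample: the first entry is the poster's example; the other file
# entries and their GUIDs are made up, and the last is an app-only activity
# that carries no file reference.
SAMPLE_CONTENT_INFO = [
    r"D:\Files\Cat.jpg (file:Unmapped GUID: //D:/Files/Cat.jpgVolumeId={A98818E7-5868-4C06-807E-0F24C9746829}&ObjectId={AE26BE95-ACAC-11E9-B3FB-60F6770E22E2})",
    r"D:\Reports\Q3.xlsx (file:Unmapped GUID: //D:/Reports/Q3.xlsxVolumeId={0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}&ObjectId={11111111-2222-3333-4444-555555555555})",
    r"D:\Files\Dog.jpg (file:Unmapped GUID: //D:/Files/Dog.jpgVolumeId={A98818E7-5868-4C06-807E-0F24C9746829}&ObjectId={22222222-3333-4444-5555-666666666666})",
    "Microsoft.Windows.Explorer",
]


def parse_content_info(value: str) -> Optional[Dict[str, str]]:
    """Return path, volume_id and object_id, or None when the value holds no file reference."""
    m = CONTENT_INFO_RE.match(value.strip())
    if m is None:
        return None
    return {
        "path": m["path"],
        "volume_id": m["volume"].upper(),
        "object_id": m["object"].upper(),
    }


def files_by_volume(values: List[str]) -> Dict[str, List[str]]:
    """Group file paths by VolumeId: same drive letter but a different GUID means a different device."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for value in values:
        parsed = parse_content_info(value)
        if parsed is not None:
            grouped[parsed["volume_id"]].append(parsed["path"])
    return dict(grouped)


if __name__ == "__main__":
    for volume_id, paths in files_by_volume(SAMPLE_CONTENT_INFO).items():
        print(f"Volume {volume_id}:")
        for p in paths:
            print(f"  {p}")
```

Run it over the ContentInfo column of a real WxTCmd CSV and the two "D:" files in the sample fall under two different volumes, which is exactly the distinction the PRO TIP warns about.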
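The timestamp reasoning in the MFTECmd "Key Data Returned" and SIA/FILENAME PRO TIP sections, and in the LECmd "Advanced Usage" section, can be turned into repeatable checks over the CSVs those tools write. The Python below is an added example for this page, not code from the poster or from MFTECmd/LECmd. The sample rows are constructed from the poster's tables (the LastModified0x10 values and sub-second digits are made up); it assumes MFTECmd column names Created0x10, Created0x30, LastModified0x10, ParentPath and FileName, and LECmd column names SourceCreated, SourceModified, TargetCreated, TargetModified and LocalPath.

```python
"""Timestamp-ordering checks over MFTECmd ($MFT) and LECmd (LNK) CSV output.

Rules applied (as explained on the poster):
  $MFT  LastModified0x10 earlier than Created0x10      -> file likely copied from another volume
        Created0x30 later than Created0x10 by > gap    -> FILENAME created after SIA created,
                                                          possible SIA timestamp manipulation
  LNK   SourceCreated == SourceModified               -> LNK (and target) opened once
        SourceModified later than SourceCreated       -> opened more than once
        TargetModified earlier than TargetCreated     -> target copied from another location
        TargetModified == TargetCreated               -> target unchanged since creation
"""
import csv
import io
from datetime import datetime, timedelta
from typing import List, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of MFTECmd $MFT output (only the columns used here).
# Created0x10/Created0x30 follow the poster's table; LastModified0x10 is made up.
MFT_CSV = r"""ParentPath,FileName,Created0x10,Created0x30,LastModified0x10
.\Windows\System32,cmd.exe,2019-03-18 09:17:00.0000000,2019-03-18 09:17:00.0000000,2018-11-02 04:21:00.0000000
.\Windows\System32,mountvol.exe,2019-03-18 09:18:00.0000000,2019-03-18 09:18:00.0000000,2018-11-02 04:21:00.0000000
.\Windows\System32,syncmon.exe,2019-03-18 09:19:00.0000000,2019-08-18 01:12:00.0000000,2019-03-18 09:19:00.0000000
"""

# Constructed sample of LECmd output, taken from the poster's Source/Target table.
LNK_CSV = r"""SourceCreated,SourceModified,TargetCreated,TargetModified,LocalPath
2018-09-01 16:53:00,2018-09-01 16:53:00,2018-08-27 09:24:00,2018-09-06 14:43:00,C:\Users\Donald\Documents\NETFLIX SEC Filings\SEC-NFLX-1193125-12-53009.pdf
2018-09-27 10:42:00,2018-09-27 17:37:00,2018-09-27 10:28:00,2018-09-27 10:28:00,C:\Users\srogers\Documents\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf
2018-09-03 14:13:00,2018-09-03 14:13:00,2018-09-03 14:11:00,2018-09-01 18:19:00,F:\Forms\fy08-form-10k.pdf
"""


def parse_ts(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' as written by the EZ tools; sub-seconds are dropped."""
    return datetime.strptime(value.strip()[:19], TS_FMT)


def mft_findings(csv_text: str, fn_gap: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for $MFT rows whose timestamps are out of order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["ParentPath"] + "\\" + row["FileName"]
        created_si = parse_ts(row["Created0x10"])        # $STANDARD_INFORMATION
        created_fn = parse_ts(row["Created0x30"])        # $FILE_NAME
        modified_si = parse_ts(row["LastModified0x10"])
        if modified_si < created_si:
            # Content is older than the entry itself: created here by a copy from another volume.
            findings.append((path, "copied"))
        if created_fn - created_si > fn_gap:
            # $FILE_NAME is rarely touched by user-mode APIs, so an SIA creation time that
            # predates it may be a timestomped SIA. A rename or move also refreshes
            # $FILE_NAME, so treat this as a lead to investigate, not proof.
            findings.append((path, "fn_after_si"))
    return findings


def lnk_findings(csv_text: str) -> List[Tuple[str, List[str]]]:
    """Return (target path, [notes]) for each LNK row, applying the poster's rules."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src_c, src_m = parse_ts(row["SourceCreated"]), parse_ts(row["SourceModified"])
        tgt_c, tgt_m = parse_ts(row["TargetCreated"]), parse_ts(row["TargetModified"])
        # The LNK is rewritten when the target is opened again, so a modified time
        # that moved past the created time means more than one open.
        notes = ["opened once" if src_c == src_m else "opened more than once"]
        if tgt_m < tgt_c:
            notes.append("target copied from another location")
        elif tgt_m == tgt_c:
            notes.append("target unchanged since creation")
        results.append((row["LocalPath"], notes))
    return results


if __name__ == "__main__":
    for path, finding in mft_findings(MFT_CSV):
        print(f"$MFT  {finding:<12} {path}")
    for path, notes in lnk_findings(LNK_CSV):
        print(f"LNK   {'; '.join(notes):<50} {path}")
```

Point the two functions at the real CSVs (open the file and pass its text) to triage an entire $MFT or Recent folder at once; the fn_gap tolerance exists because the two creation times legitimately differ by a few ticks, and only a large gap is worth a second look.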
The most trusted source for cybersecurity training, certifications, degrees, and research: sans.org/eztools
This poster was created by Mark Hallman and Lee Whitfield with support from the SANS DFIR Faculty. ©2021 Mark Hallman and Lee Whitfield. All rights reserved.