Eric Zimmerman's EZ Tools
What is Eric Zimmerman's EZ Tools?
A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines.
EZ Tools is a collection of single-purpose parsers and viewers maintained by Eric Zimmerman, a former FBI special agent now at Kroll. Each tool targets a specific Windows artifact: PECmd for Prefetch files, MFTECmd for $MFT, $LogFile and the $UsnJrnl $J stream, EvtxECmd for Event Log (.evtx) records, RECmd for registry hives, AmcacheParser for Amcache.hve, LECmd for LNK files and JLECmd for Jump Lists, among others. The command-line tools emit consistent CSV or JSON (`--csv` / `--json`) with UTC timestamps in one common format, so output from different parsers lines up when loaded into Timeline Explorer for filtering, and KAPE Modules can run the same tools automatically against what KAPE collected. The command-line parsers are open source on GitHub, the GUI viewers are free downloads, and the suite is updated frequently; it is widely used in Windows intrusion analysis and underpins the SANS FOR500/FOR508 lab work.
● Examples
- 01
Parsing a $MFT copied out with KAPE or another raw-read collector (the live file cannot be copied normally) using `MFTECmd.exe -f $MFT --csv .` from the directory holding the copy, then reviewing the CSV in Timeline Explorer.
- 02
Running `EvtxECmd.exe -d C:\Triage\EventLogs --csv .` to parse every .evtx file in a triage folder into one normalized CSV (event ID, provider, channel, mapped description and payload fields per record) for SIEM ingest or timeline review.
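Once the CSVs exist, the usual next step is to merge them into one timeline and pivot around a suspicious event. The script below is an added example, not part of EZ Tools or any of Eric Zimmerman's code: it reads the CSV that PECmd and EvtxECmd write, turns each Prefetch run time and each event record into one timeline entry, sorts them, and returns everything within a few minutes of an anchor. It assumes the current column names of those two tools (`SourceFilename`, `ExecutableName`, `RunCount`, `LastRun`, `PreviousRun0`..`PreviousRun6`; `TimeCreated`, `EventId`, `Provider`, `MapDescription`, `PayloadData1`, `SourceFile`) and the default timestamp format `yyyy-MM-dd HH:mm:ss.fffffff` in UTC; the sample CSV text is constructed and uses only a subset of the real columns.

```python
"""Merge PECmd and EvtxECmd CSV output into one sorted timeline.

Added example; not part of EZ Tools. Column names follow the headers
PECmd and EvtxECmd emit today (verify against your version), and the
sample CSV below is constructed for offline use.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    when: datetime
    source: str        # artifact family: "Prefetch" or "EventLog"
    description: str
    artifact: str      # file the parser read


def parse_ez_time(value: str) -> Optional[datetime]:
    """Parse the default EZ Tools timestamp (yyyy-MM-dd HH:mm:ss.fffffff, UTC).

    .NET writes seven fractional digits; strptime's %f accepts at most six,
    so the seventh is dropped. Empty cells (unused PreviousRunN columns)
    return None instead of raising.
    """
    value = value.strip()
    if not value:
        return None
    main, _, frac = value.partition(".")
    frac = (frac + "000000")[:6]          # pad missing digits, cut the seventh
    return datetime.strptime(f"{main}.{frac}", "%Y-%m-%d %H:%M:%S.%f").replace(
        tzinfo=timezone.utc)


def prefetch_events(csv_text: str) -> List[Event]:
    """One Event per execution time PECmd recorded (LastRun + PreviousRun0..6)."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamps = [row.get("LastRun") or ""] + [
            row.get(f"PreviousRun{i}") or "" for i in range(7)]
        for stamp in stamps:
            when = parse_ez_time(stamp)
            if when is not None:
                events.append(Event(
                    when, "Prefetch",
                    f"{row['ExecutableName']} executed (run count {row['RunCount']})",
                    row["SourceFilename"]))
    return events


def evtx_events(csv_text: str) -> List[Event]:
    """One Event per EvtxECmd record, keeping the mapped description and first payload field."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = parse_ez_time(row["TimeCreated"])
        if when is None:
            continue
        desc = (f"EID {row['EventId']} {row['Provider']}: "
                f"{row['MapDescription']} [{row['PayloadData1']}]")
        events.append(Event(when, "EventLog", desc, row["SourceFile"]))
    return events


def build_timeline(*event_lists: List[Event]) -> List[Event]:
    """Merge any number of per-tool event lists into one chronologically sorted list."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.when)


def window(timeline: List[Event], anchor: datetime, minutes: int = 5) -> List[Event]:
    """Pivot: every event within +/- `minutes` of an anchor time."""
    span = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e.when - anchor) <= span]


# Constructed sample output (subset of real columns); paths and hashes are placeholders.
PECMD_CSV = r"""SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1
C:\Triage\Prefetch\PSEXESVC.EXE-ABCDEF01.pf,PSEXESVC.EXE,2,2024-03-12 14:02:17.1234567,2024-03-11 09:15:00.0000000,
C:\Triage\Prefetch\NOTEPAD.EXE-ABCDEF02.pf,NOTEPAD.EXE,1,2024-03-10 08:00:00.0000000,,
"""

EVTX_CSV = r"""TimeCreated,EventId,Provider,Channel,MapDescription,PayloadData1,SourceFile
2024-03-12 14:01:55.0000000,4624,Microsoft-Windows-Security-Auditing,Security,Successful logon,Target: CORP\svc-backup,C:\Triage\EventLogs\Security.evtx
2024-03-12 14:02:15.5000000,7045,Service Control Manager,System,A service was installed,ServiceName: PSEXESVC,C:\Triage\EventLogs\System.evtx
"""


def main() -> None:
    timeline = build_timeline(prefetch_events(PECMD_CSV), evtx_events(EVTX_CSV))
    for e in timeline:
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.source:<9} {e.description}")
    anchor = timeline[-1].when   # last run of the service executable
    print(f"\n{len(window(timeline, anchor, 1))} events within 1 minute of {anchor:%H:%M:%S}")


if __name__ == "__main__":
    main()
```

Two points are worth noting. The Prefetch side emits one entry per recorded run, not one per .pf file, because the last eight execution times are what make Prefetch useful in a timeline; and if you ran the tools with `--dt` to change the timestamp format, `parse_ez_time` must be changed to match.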
● Frequently asked questions
What is Eric Zimmerman's EZ Tools?
A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines. It belongs to the Forensics & IR category of cybersecurity.
What does Eric Zimmerman's EZ Tools mean?
A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines.
How does Eric Zimmerman's EZ Tools work?
Each tool is a single-purpose parser run against a collected copy of one artifact: PECmd against Prefetch files, MFTECmd against $MFT, $LogFile or $J, EvtxECmd against .evtx files, RECmd against registry hives, AmcacheParser against Amcache.hve, LECmd against LNK files and JLECmd against Jump Lists. You point a tool at a file (`-f`) or a directory (`-d`), choose `--csv` or `--json` output, and get rows with UTC timestamps in one common format, so the CSVs from different tools line up when loaded into Timeline Explorer. KAPE Modules wrap the same command lines so the parsers run automatically over whatever KAPE collected.
How do you defend against Eric Zimmerman's EZ Tools?
The question does not apply in the usual sense: EZ Tools is defender tooling, not a threat. What matters operationally is that the artifacts it parses exist and survive long enough to be collected, for example Prefetch left enabled, Event Log sizes and retention set so records are not overwritten before triage, and copies taken (for example with KAPE) before remediation destroys the evidence.
What are other names for Eric Zimmerman's EZ Tools?
Common alternative names include: EZ Tools, Zimmerman Tools.
● Related terms
- forensics-ir № 578
KAPE (Kroll Artifact Parser and Extractor)
A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and then runs parser modules to produce ready-to-review output.
- forensics-ir № 644
Magnet AXIOM
A commercial DFIR platform from Magnet Forensics that ingests disks, mobile and cloud sources, parses artifacts and presents them in a unified review interface.
- forensics-ir № 677
MFT (Master File Table)
The core NTFS metadata structure that stores one fixed-size record (1024 bytes on almost all volumes) per file or directory, anchoring nearly all Windows file-system forensics.
- forensics-ir № 1156
Timeline Analysis
A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.