DFIR Command Line

digital-forensics.sans.org

DIGITAL FORENSICS & INCIDENT RESPONSE

Operating System & Device In-Depth
FOR498 Battlefield Forensics & Data Acquisition
FOR500 Windows Forensic Analysis (GCFE)
FOR518 Mac and iOS Forensic Analysis
FOR526 Advanced Memory Forensics & Threat Detection
FOR585 Smartphone Forensic Analysis In-Depth (GASF)

Incident Response & Threat Hunting
FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics (GCFA)
FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (GNFA)
FOR578 Cyber Threat Intelligence (GCTI)
FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM)
SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH)

DFPS_Command-Line_v1.1_01-20

Forensics the EZ Way: Results in Seconds at the Command-line

With the wealth of data stored on Windows computers it is often difficult to know where to start. If you encounter a sizable hard drive, it could be hours or even days before you're ready to even start your investigation, much less report the results. EZ Tools enable you to provide scriptable, scalable, and repeatable results with astonishing speed and accuracy. Go from one investigation a week to several per day. This type of performance is common with the command-line versions of EZ Tools, and this poster will show you how to use them.

Common CLI Options & Switches
Short options (single letter) are prefixed with a single dash. Long options are prefixed with two dashes.

OPTIONS | DEFINITION
-d | Directory to process
-f | File to process
-q | Quiet mode - Reduces output sent to the screen and can increase program performance
--dt | Custom date/time format
--mp | Higher precision timestamps are displayed and will also be reflected in any exported data
--csv --json --html | Data can be exported to several formats. You can request multiple formats at the same time
--csvf --jsonf --xmlf | Allows you to provide the name of the output CSV, JSON or XML
--debug | Shows debug info during tool execution (more info)
--trace | Shows trace info during tool execution. Use both --debug and --trace for the most information
--sync | Sync updates from GitHub for KAPE targets and module updates. Use for EvtxECmd map updates
--vss | Process Volume Shadow Copies – Supported in EvtxECmd, MFTECmd, PECmd, and RECmd

AppCompatCacheParser – Shimcache Parser

Type of Artifact
Application Compatibility Cache (also known as Shimcache) is part of the Windows capability to provide backwards compatibility for programs meant to run on older versions of Windows. When an executable is found by Windows, the operating system determines how to best run the program. As a byproduct of this, the AppCompatCache stores information about those executables. AppCompatCache can be leveraged to assist forensic investigators in determining what executables were run on Windows.

Basic Usage
AppCompatCacheParser takes the SYSTEM registry hive as input and interprets the data stored therein. The SYSTEM hive must be specified using the -f parameter to indicate that the command is to be run over that registry hive only.

In the example command below, AppCompatCacheParser is being run against a SYSTEM registry hive stored on an evidence file mounted as drive E. Output is stored on drive G in the "AppCompatCache" folder. The AppCompatCacheParser application will create an output file (CSV in this case) with the date and time that AppCompatCacheParser was executed, and the detected operating system version, in the file name.

AppCompatCacheParser.exe -f E:\Windows\System32\config\SYSTEM --csv G:\AppCompatCache

Key Data Returned
Processed Shimcache data in CSV, XML, or JSON formats are available. The columns of most significance are typically the "Path" (the location and name of the executable), "LastModifiedTimeUTC" (the last written time of the executable) and "Executed" (whether the executable was run). The most common mistake made by forensicators is that they'll assume that the LastModifiedTimeUTC value refers to the execution of the file. Don't fall into this trap!

PRO TIP: Watch for changes at the start of the "Path". Anything that shows "SYSVOL" ran from the host's OS volume. Other volumes will be recorded by their drive letter.

Path | Last Modified Time UTC | Executed
SYSVOL\Windows\System32\notepad.exe | 8/22/2019 11:00:12 | Yes
E:\TACTICAL Subject\f-response-tacsub.exe | 8/12/2019 19:21:00 | Yes

PRO TIP: Since a file's last written time does not change when a file is moved, renamed or copied, it may be possible to track the same executable across a single or even multiple systems, as a new entry will be created in the AppCompatCache when the file is executed from a different location or with a different name. The table below shows the same executable being run in different scenarios. We know they are all the same executable because they share the same last written time.

Path | Last Modified Time UTC | Executed
SYSVOL\Windows\System32\spinlock.exe | 10/23/2019 14:27:18 | Yes
SYSVOL\Users\SRogers\AppData\Local\Temp\spinlock.exe | 10/23/2019 14:27:18 | Yes
SYSVOL\Windows\prune.exe | 10/23/2019 14:27:18 | Yes

bstrings – Extract Text From Binary Files

Type of Artifact
Bstrings can be used to search any type of file for potentially valuable information.

Basic Usage
bstrings.exe -f <file>

Option/Switch   Use                                               Example
--ls            Search for string                                 bstrings -f suspect.exe --ls password
--lr            Search with regular expression                    bstrings -f suspect.exe --lr (ntos|win32k)
-p              List built-in regular expressions                 bstrings -p
--lr XX         The XX represents a built-in regex                bstrings -f suspect.exe --lr ipv4
--fr            Read file containing regexes to use in search     bstrings -f suspect.exe --fr DFIR_RegExs.txt
-h              List all options                                  bstrings -h
--cp            Use a different ANSI code page                    bstrings -f Powershell.evtx --ls download --cp 1201

Advanced Usage
The --lr regular expression search in bstrings also contains over a dozen built-in regular expression patterns for things like credit card numbers, social security numbers, IP addresses, email addresses, and more. -p shows a list of the built-in regular expressions. When using a built-in expression, use the value in the Name column. For example, to look for email addresses, use this command:

bstrings.exe -f <some file> --lr email

bstrings also allows searching for several strings or regular expressions at once using the --fr and --fs switches.

In addition to Unicode strings, bstrings looks for strings encoded using the Western (1252) code page. Use the --cp switch to search in any other code page supported by .NET. A full listing of available code pages is available at https://for500.com/codepages

Note: Windows Event Log requires the 1201 specific code page for bstrings to find the search string.

Interesting options and switches:
bstrings.exe -f <file> --ls "password"
Use the -x and -m switches to set maximum and minimum string lengths.
Use --off to show the offset for each search hit.
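The code page behaviour described above (Unicode strings, the Western 1252 default, --cp for anything else) is the part most often misunderstood, so here is a small string extractor as an added Python example. It is not bstrings and not code from the poster: the two built-in patterns, the simplified UTF-16 handling (ASCII-range code units only) and the byte blob are all constructed for the demonstration.

```python
import re

# Constructed sample blob: padding bytes, a cp1252 string, a UTF-16LE string,
# an e-mail address and an accented cp1252 word, so that different decodings
# find different things. Not a real file.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"password=hunter2" + b"\x00\xff\x10"
    + "Download completed".encode("utf-16-le") + b"\x00\x00"
    + b"alice@example.com\x00"
    + "caf\u00e9 noir".encode("cp1252") + b"\x00"
)

# Two patterns in the spirit of the tool's built-in list (assumed, simplified).
BUILTIN_REGEX = {
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


def extract_strings(blob, min_len=4, max_len=None, codepage="cp1252"):
    """Return (offset, text) for printable runs decoded with the chosen code page.

    Single-byte code pages: runs of printable bytes. UTF-16 (code page 1200 = LE,
    1201 = BE): runs of printable ASCII-range code units. This is a deliberate
    simplification of what a full strings tool does.
    """
    if codepage in ("utf-16-le", "1200"):
        pattern, decode = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, "utf-16-le"
    elif codepage in ("utf-16-be", "1201"):
        pattern, decode = rb"(?:\x00[\x20-\x7e]){%d,}" % min_len, "utf-16-be"
    else:
        decode = "cp" + codepage if codepage.isdigit() else codepage
        pattern = rb"[\x20-\x7e\x80-\xff]{%d,}" % min_len
    hits = []
    for m in re.finditer(pattern, blob):
        text = m.group().decode(decode, errors="ignore")
        if len(text) >= min_len and (max_len is None or len(text) <= max_len):
            hits.append((m.start(), text))  # offset, as --off would report it
    return hits


def search(blob, codepage="cp1252", literal=None, regex_name=None, min_len=4):
    """--ls style (case-insensitive literal) or --lr style (built-in regex) search."""
    results = []
    for off, text in extract_strings(blob, min_len=min_len, codepage=codepage):
        if literal is not None and literal.lower() in text.lower():
            results.append((off, text))
        elif regex_name is not None and re.search(BUILTIN_REGEX[regex_name], text):
            results.append((off, text))
    return results


if __name__ == "__main__":
    # The same literal search misses the UTF-16 string under cp1252
    # and finds it once the matching code page is selected.
    print(search(SAMPLE_BLOB, literal="download"))
    print(search(SAMPLE_BLOB, codepage="utf-16-le", literal="download"))
    print(search(SAMPLE_BLOB, regex_name="email"))
```

Running it shows one literal search returning nothing under cp1252 and one hit under utf-16-le, which is exactly why the poster tells you to pass --cp when searching Event Log files; the offset returned with each hit is what you would compare against --off output, and min_len/max_len stand in for -m and -x.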
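To make the two AppCompatCacheParser PRO TIPs above mechanical, the following added Python example triages an AppCompatCacheParser CSV: it lists entries that ran from a volume other than SYSVOL and groups executed entries that share a LastModifiedTimeUTC. This is added code, not part of the poster or of the tool; the sample CSV is constructed from the tables above and uses only the three column names the poster gives (the real output has more columns).

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of AppCompatCacheParser CSV output, limited to
# the three columns the poster names. The spinlock/prune rows reuse the poster's
# "same last written time" scenario; the calc.exe row is invented.
SAMPLE_CSV = """Path,LastModifiedTimeUTC,Executed
SYSVOL\\Windows\\System32\\notepad.exe,8/22/2019 11:00:12,Yes
E:\\TACTICAL Subject\\f-response-tacsub.exe,8/12/2019 19:21:00,Yes
SYSVOL\\Windows\\System32\\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\\Users\\SRogers\\AppData\\Local\\Temp\\spinlock.exe,10/23/2019 14:27:18,Yes
SYSVOL\\Windows\\prune.exe,10/23/2019 14:27:18,Yes
SYSVOL\\Windows\\System32\\calc.exe,1/3/2019 08:15:44,No
"""


def load_shimcache(text):
    """Parse CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def non_sysvol_entries(rows):
    """Paths that did not run from the OS volume (recorded by drive letter, not SYSVOL)."""
    return [r["Path"] for r in rows if not r["Path"].upper().startswith("SYSVOL")]


def same_binary_groups(rows):
    """Group executed entries by LastModifiedTimeUTC.

    Two or more paths sharing one last-written time are candidates for the same
    binary copied, moved or renamed (the poster's spinlock/prune case). That
    timestamp is the file's last write, NOT its execution time, so a group is a
    lead to confirm with another artifact (Prefetch, Amcache SHA-1), not proof.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["Executed"] == "Yes":
            groups[r["LastModifiedTimeUTC"]].append(r["Path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) > 1}


def triage(text):
    """One-shot summary for a CSV produced by the command in the section above."""
    rows = load_shimcache(text)
    return {
        "entries": len(rows),
        "executed": sum(1 for r in rows if r["Executed"] == "Yes"),
        "other_volumes": non_sysvol_entries(rows),
        "shared_last_write": same_binary_groups(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CSV), indent=2))
```

To use it on case data, read the CSV that AppCompatCacheParser wrote to G:\AppCompatCache and pass its text to triage(); the other columns the tool emits are ignored by DictReader.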

PECmd – Prefetch Parser

Type of Artifact
Prefetch is one source of evidence of a program being run on a system, otherwise known as evidence of execution. Prefetch files are created in the C:\Windows\Prefetch folder when a program is run from a specific location. If that program is run from more than one location, there will be a separate Prefetch file created for each location from which the program ran. Prefetch files are not automatically deleted if the related program is deleted and therefore can be a source of historical information.

The creation date of the Prefetch files is generally the first time that the program was attempted to be run from a particular location. This statement is intentionally vague because (1) programs that do not successfully run can still create a Prefetch file, (2) the Prefetch directory is limited to 1024 files, so files are overwritten, and (3) a Prefetch file can be created for a program that has previously run and which has had its Prefetch file overwritten. A Prefetch file's creation time can be off or delayed by approximately 10 seconds.

Key Data Returned
PECmd, in CSV mode, will output two CSV files, one of which is a timeline. The Timeline CSV will have "_Timeline" in the file name. The main Prefetch output file will contain important information such as:
• Executable name and full path from which it was executed
• Volume name and serial number from which the program ran
• Run Count – the number of times that the program was run from that location
• Timestamps (UTC) for the last eight executions
• Volumes, files and directories accessed during execution

Console Output Color:
Items in Red: Any path that has the strings "temp" or "tmp" in them. Also, any key word that you included on the command-line using the "-k" option and that appears in the path will be shown in red.
Items in Yellow: Executables that are referenced in the files section are highlighted in yellow.

Basic Usage
Process a single Prefetch file and send results to screen.

PECmd.exe -f E:\Windows\Prefetch\CMD.EXE-8E75B5BB.pf

Process a directory of Prefetch files and send results to a CSV file named prefetch.csv. The --csvf option allows you to provide the name of the Prefetch output CSV.

PECmd.exe -d E:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv

Process a directory of Prefetch files, send the results to a CSV file named prefetch.csv, include processing of Volume Shadow Copies, use higher precision timestamps and minimize output to the screen for faster processing.

PECmd.exe -d E:\Windows\Prefetch\ --csv G:\Prefetch --csvf prefetch.csv --vss --mp -q

Note: To decompress the new compressed Prefetch files created with Windows 10, you must run PECmd on Windows 8 or later.

Advanced Usage
KEYWORDS: You can provide a comma separated list of keywords on the command-line. Volumes, directories, and files accessed by the program that are responsive to these keywords will be shown in red on the display.

PECmd.exe -d E:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv -k "system32, downloads, fonts"

PRO TIP: PECmd can extract and process Prefetch files from Volume Shadow Copies by using the "--vss" option. This will process Prefetch from ALL Volume Shadow Copies. The output files will be separated by individual VSS numbers.

PECmd.exe -d E:\Windows\Prefetch\ -q --csv G:\Prefetch --csvf prefetch.csv --vss

EvtxECmd – Windows Event Log Parser

Type of Artifact
There can be hundreds of Event Log files on a system, some aimed at system-wide events like Security.evtx, System.evtx and Application.evtx. There can be many others that record information in a much more targeted fashion. All Event Logs are stored in the same format on a Windows computer, but the actual data elements collected vary. It is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines. All event records are normalized across all event types and across all Event Log file types!

The EvtxECmd parser has standardized CSV, XML, and JSON output. It also has custom maps and locked file support, and it's unbelievably fast. EvtxECmd has a unique feature, "Maps", that allows for the normalized output format.

Event Log Location: Event Logs for Windows Vista or later are found in %systemroot%\System32\winevt\logs

Although you may preserve all the logs, you probably would not parse and analyze them all. The same statement can be made for all the Event IDs in the Event Log files. EvtxECmd makes the selective processing of Event Logs easier and scriptable.

Basic Usage
Recursively parsing a directory of event logs is probably the most efficient way to use EvtxECmd. To parse a directory use the -d option. Additionally, use the --inc option to only include specific Event IDs in the processing.

You have extracted the Event Logs to a folder named E:\evtx\logs and now you want to process all those logs in a single command.

EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv

Process all Event Logs and only include the Event IDs specified by the --inc option.

EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv --inc 4624,4625,4634,4647,4672

Exclude specific Event IDs by using the --exc option.

EvtxECmd.exe -d E:\evtx\logs --csv G:\evtx\out --csvf evtxecmd_out.csv --exc 4656,4660,4663

Key Data Returned
Processed Event Logs are in a standardized CSV, XML, or JSON format. Output normalization is accomplished through the use of Event Log "maps". Maps provide specific handling of a single combination of Event Log and Event ID. Events without maps are still processed, but the output format will vary. The normalized Event Log output makes it possible to analyze many different types of Event Logs in a single view. Timeline Explorer is perfect for this analysis.

Advanced Usage
PRO TIP: Process only the Event Logs and Event IDs that are relevant to your case. Filter for Map Descriptions in Timeline Explorer to start your analysis.

Check out this PowerShell script that copies out the relevant Event Logs and processes only specific Event IDs (your list of relevant logs and Event IDs may vary).
https://for500.com/evtx2process
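When the logs have already been exported in full, the same --inc/--exc selection can be applied afterwards to the EvtxECmd CSV, and a count per map description is the quickest way to see what the normalized output actually contains. The block below is an added Python example of that post-filtering; it is not code from the poster or from EvtxECmd, the column names (EventId, MapDescription and so on) are an assumption about the tool's CSV layout to be checked against a real output file, and the event rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of EvtxECmd CSV output. Column names are
# assumed (verify against real output before reusing this on case data).
SAMPLE_EVTX_CSV = """TimeCreated,EventId,Channel,Computer,UserName,MapDescription,PayloadData1
2019-10-23 14:25:00,4624,Security,WS01,SROGERS,Successful logon,LogonType 2
2019-10-23 14:25:30,4672,Security,WS01,SROGERS,Special privileges assigned to new logon,
2019-10-23 14:26:10,4663,Security,WS01,SROGERS,,Object access
2019-10-23 14:27:18,4688,Security,WS01,SROGERS,Process creation,C:\\Windows\\prune.exe
2019-10-23 14:40:00,4634,Security,WS01,SROGERS,Logoff,LogonType 2
2019-10-23 15:00:00,7045,System,WS01,SYSTEM,Service installed,spinlock
"""


def load_events(text):
    """Parse CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_id_list(spec):
    """Turn a comma-separated list such as the --inc/--exc argument into a set of ints."""
    return {int(x) for x in spec.split(",") if x.strip()}


def filter_events(rows, inc=None, exc=None):
    """Apply the include list first (only those IDs survive), then the exclude list.

    An empty or missing list means "no restriction", mirroring a switch not given.
    """
    out = []
    for r in rows:
        eid = int(r["EventId"])
        if inc and eid not in inc:
            continue
        if exc and eid in exc:
            continue
        out.append(r)
    return out


def map_summary(rows):
    """Count events per map description; events without a map are reported as such,
    since their output format varies and they deserve a separate look."""
    return Counter(r["MapDescription"] or "(no map)" for r in rows)


if __name__ == "__main__":
    rows = load_events(SAMPLE_EVTX_CSV)
    logons = filter_events(rows, inc=parse_id_list("4624,4625,4634,4647,4672"))
    for r in logons:
        print(r["TimeCreated"], r["EventId"], r["MapDescription"])
    print(map_summary(filter_events(rows, exc=parse_id_list("4656,4660,4663"))))
```

The include and exclude strings are the same ones used with --inc and --exc in the commands above, so a list tuned at the command line can be reused unchanged against an earlier full export.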
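The PECmd section above lists what the main CSV carries (the last eight run times, the run count, the directories and files touched) and which paths the console colours red. The following added Python example turns a PECmd CSV into a per-execution timeline, reproduces the temp/tmp and -k keyword flagging, and reports how many runs fall outside the eight timestamps that a Prefetch file keeps. It is added code, not the poster's or the tool's; the column names are an assumption about PECmd's output to be verified against a real file, and both rows (including the SPINLOCK hash suffix) are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of PECmd's main CSV (not the _Timeline file).
# Column names are assumed; only the PreviousRun columns present are used.
SAMPLE_PECMD_CSV = """SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,PreviousRun2,Directories,FilesLoaded
E:\\Windows\\Prefetch\\CMD.EXE-8E75B5BB.pf,CMD.EXE,3,2019-10-23 14:30:01,2019-10-23 09:12:44,2019-10-22 17:05:10,,"\\VOLUME{01d5-7e58aab0}\\WINDOWS\\SYSTEM32,\\VOLUME{01d5-7e58aab0}\\USERS\\SROGERS\\APPDATA\\LOCAL\\TEMP","\\VOLUME{01d5-7e58aab0}\\WINDOWS\\SYSTEM32\\CMD.EXE,\\VOLUME{01d5-7e58aab0}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL"
E:\\Windows\\Prefetch\\SPINLOCK.EXE-1A2B3C4D.pf,SPINLOCK.EXE,1,2019-10-23 14:27:18,,,,"\\VOLUME{01d5-7e58aab0}\\USERS\\SROGERS\\DOWNLOADS","\\VOLUME{01d5-7e58aab0}\\USERS\\SROGERS\\DOWNLOADS\\SPINLOCK.EXE"
"""

# LastRun plus up to seven previous runs: the eight timestamps a .pf file retains.
RUN_COLUMNS = ["LastRun"] + ["PreviousRun%d" % i for i in range(7)]


def load_prefetch(text):
    return list(csv.DictReader(io.StringIO(text)))


def execution_timeline(rows):
    """Flatten the per-file run timestamps into one sorted (time, exe, source) list.

    Only the last eight runs per location survive in the file, so older
    executions are invisible here even when RunCount says they happened.
    """
    events = []
    for r in rows:
        for col in RUN_COLUMNS:
            value = r.get(col, "").strip()
            if value:
                events.append((datetime.strptime(value, "%Y-%m-%d %H:%M:%S"),
                               r["ExecutableName"], r["SourceFilename"]))
    return sorted(events)


def flagged_paths(row, keywords=()):
    """Paths PECmd would colour red: anything containing temp/tmp or a -k keyword."""
    watch = [k.strip().lower() for k in keywords if k.strip()] + ["temp", "tmp"]
    hits = []
    for col in ("Directories", "FilesLoaded"):
        for p in row.get(col, "").split(","):
            p = p.strip()
            if p and any(w in p.lower() for w in watch):
                hits.append(p)
    return hits


def runs_beyond_history(row):
    """RunCount minus the timestamps actually kept; > 0 means executions we cannot date."""
    kept = sum(1 for c in RUN_COLUMNS if row.get(c, "").strip())
    return int(row["RunCount"]) - kept


if __name__ == "__main__":
    rows = load_prefetch(SAMPLE_PECMD_CSV)
    for when, exe, source in execution_timeline(rows):
        print(when, exe, source)
    for r in rows:
        print(r["ExecutableName"], flagged_paths(r, ["system32", "downloads", "fonts"]),
              "undated runs:", runs_beyond_history(r))
```

The keyword list passed to flagged_paths is the same comma-separated list used with -k above, split on commas; the timestamp format in strptime is an assumption and should be adjusted if --mp or --dt was used when the CSV was produced.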
SBECmd – Shellbag Explorer Command-line Edition

Type of Artifact
The Shellbags artifact is truly amazing. Every time Windows Explorer interacts with a folder, an entry is created in the computer's Shellbags. Folders also include other "Explorer Like" items like the Control Panel, zip files, ISOs, and mounted encrypted containers. Shellbags entries are not prepopulated based upon the system's folder structure; they are only created when the user interaction occurs. The simple existence of a directory in Shellbags is evidence that the specific user account once interacted with that folder. Shellbags entries are likely to persist even when the original directories, files, and physical devices have been removed from the system, and because of this, they can serve as a "history" of the types of data that were previously on a system but may have since been removed.

Shellbags are a set of Windows Registry keys located in NTUSER.dat and USRClass.dat. These Registry hives maintain view, icon, position, size, and other attributes of folders when using Windows Explorer. We used to say that Shellbags tracked folders that a user opened. Our understanding of the artifact has subsequently grown, and we now know that simply bringing a folder into "focus" in Windows Explorer can create and populate the Shellbags registry key. Moreover, different levels of interaction can populate more or less of the Shellbags fields. At a high level, opened == accessed == interacted.

Surely, Shellbags were not created for the purpose of tracking user folder access. The official statement is that they were created to enhance the user experience by "remembering" the Windows Explorer view settings on a folder-by-folder basis. When a user navigates to a folder, they will see the same display settings that were in place when they last visited the folder. Display settings are attributes like icon size, sort order and columns displayed.

Basic Usage
SBECmd uses -d for a directory to recursively process user registry hives. There is no -f option for SBECmd.

To process a single user's Shellbags data, use the following command:

SBECmd.exe -d E:\Users\nromanoff --csv G:\temp\sbe_out

To process all users in the Users folder, use the following command:

SBECmd.exe -d E:\Users --csv G:\tmp\sbe_out

PRO TIP: If you need to process several users' Shellbags data, you might consider exporting their data first and then processing just that folder containing the exported data. This is a performance decision. Recursively processing many user folders will take additional time.

Key Data Returned
SBECmd generates a CSV with the full path of the folder, MACB times for target folders and first and last folder interaction times. The Bag Path, Slot, Node Slot, and MRU position for each entry are also shown. These can initially be confusing to decipher in table form. Using the GUI version of Shellbags Explorer to see the table view translated into a hierarchical tree format can be very useful.

Timestamps Shown in SBECmd Output:
Because registry key timestamps have only a single last update value for each key, the hierarchical data in the BagMRU registry key can become stale. This means that there may be a value in the key, but it could be outdated. Therefore, if SBECmd is not positive that a date is current and accurate, that date will not be shown in the output. This is why you will often see that an entry has a LastInteractedTimestamp and no FirstInteractedTimestamp. The FirstInteractedTimestamp is stale and can't be relied upon. You will also notice that SBECmd will only show Last Interacted Timestamps for MRU values.

Advanced Usage
PRO TIP: SBECmd can pull data from a live system. This makes for a great learning and testing feature. Pull some baseline Shellbags data, run a test like navigating into a folder, pull the data again and compare. See what your own activity does to the Shellbags data.

VSCMount – Volume Shadow Copy Mounter

Type of Artifact
Volume Shadow Copies are created periodically to capture the previous state of a system. This means that deleted and wiped files, or even older versions of a file or folder, can be recovered from Volume Shadow Copies. In order to recover such data a Volume Shadow Copy must be mounted. VSCMount allows an investigator to mount each Volume Shadow Copy.

Basic Usage
Before running the VSCMount tool, an evidence file must itself be mounted as a physical drive. Arsenal Image Mounter is the ideal tool for this task. Open Arsenal Image Mounter and click on "Mount disk image". Then select the evidence file to mount. Ensure that the option to "Write temporary disk device" is enabled and click "OK". Once mounted, note the drive letter. In the example below it is drive E.

Open an Administrator PowerShell window and run VSCMount. In the example command below, the "--dl" switch stands for "drive letter". This is the drive letter from the evidence file mounted above. The "--mp" switch stands for "map point". In this example, the drive E is the location where VSCMount will create the links to all of the Volume Shadow Copies found on the mounted evidence. In this instance, the Volume Shadow Copies will be mapped to "C:\VSCs".

.\VSCMount.exe --dl E --mp C:\VSCs

Key Data Returned
When run, VSCMount counts the number of Volume Shadow Copies on the mounted image and maps each one to the target directory. From the example command given above, VSCMount found and mapped three Volume Shadow Copies. Note that VSCMount has appended the "map point" with the drive letter. Inside the map point, there are three mapped Volume Shadow Copies from the mounted drive E. Each of these can be expanded and viewed as needed.

Advanced Usage
PRO TIP: Looking at the mapped Volume Shadow Copies, it isn't immediately clear when they were created. Adding the "--ud" switch to the command adds the creation date of each mapped Volume Shadow Copy, as shown in the example below:

.\VSCMount.exe --dl E --mp C:\VSCs --ud

The most trusted source for cybersecurity training, certifications, degrees, and research

EZ Tools are free resources for the DFIR community. Development is funded in part by the SANS Institute. sans.org/eztools

@sansforensics | sansforensics | dfir.to/DFIRCast | dfir.to/MAIL-LIST
RBCmd – Recycle Bin Artifact Parser

Type of Artifact
Windows stores information relating to user deletions on a per-user basis in the Recycle Bin. Windows XP used a file named "INFO2" to track the deletions. This file included the original location and time that each file was deleted. That behavior changed in Windows Vista, when each deleted file was tracked on its own. Now, when a file is deleted, it is renamed. For example, if cat.jpg was deleted, the deleted file would have a name such as $R7YQ28P.jpg. The $R prefix means that it contains the content (Resource) of the original file. In addition to the $R file, a new corresponding $I (Information) file is created in the Recycle Bin. So every deleted file has both a $R and $I file with a matching random string for the rest of the file name. The $I file contains the information about the original location of the file and the date and time of deletion. RBCmd takes these data and presents them in a human-readable format.

Basic Usage
In the example command below, RBCmd is being run against an INFO2 file stored on an evidence file mounted as drive E. When running this command the output is shown in the window running the command (command-line window or PowerShell). Note that because the INFO2 file may contain information about several deleted items, it may be best to output to a CSV for review (see the third example below).

RBCmd.exe -f E:\RECYCLER\S-1-5-21-3001495921-1769015868-3887507880-1001\INFO2

In the next example, RBCmd is being run against a single $I (information) file on a mounted drive E. The output is displayed in the window where the command was run.

RBCmd.exe -f E:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001\$IG1VEXX.xls

Source file: .\$IG1VEXX.xls
Version: 1 (Pre-Windows 10)
File size: 16384 (16KB)
File name: C:\Users\Donald\SkyDrive\Documents\WACC Calc Spreadsheet -SECRET.xls
Deleted on: 2013-10-21 18:32:52.5320000

In the final example, RBCmd is being run against the parent folder of the $I file above, thereby parsing all of the $I files. This time, the output is stored in a CSV in G:\RBFiles with the date and time in the file name. Use of the -q switch prevents all of the output from being sent to the window, making processing faster.

RBCmd.exe -d E:\$Recycle.Bin\S-1-5-21-718126207-1171771683-1750804747-1001 --csv G:\RBFiles -q

Key Data Returned
Processed Recycle Bin data are either output to the screen (if no output file is specified) or in a standardized CSV, XML, or JSON. The sample output above shows what RBCmd prints when run against a single file. The source file is shown, as is the file size, original file name and location, and date of deletion.

Advanced Usage
PRO TIP: Running RBCmd on a mounted drive will work, but remember that when doing so, Windows does not see deleted files, so RBCmd won't pick them up. It is often worth extracting and/or carving deleted $I files using another tool and then running RBCmd over those recovered files.

JLECmd – Jumplist Explorer Command-line Edition

Type of Artifact
Jumplists store critical information about files and folders that have been interacted with using various GUI applications in Windows. Among other things, Jumplists contain information about the application used to open target files and folders and store metadata specific to those target items. Those metadata contain details such as file name and location, dates and times, etc. Parsing the Jumplist data can be difficult and time-consuming because they are stored in a format known as MS OLE Structured Storage files. JLECmd makes parsing these data simple and quick.

Basic Usage
JLECmd takes either a single Jumplist file (relating to a specific application) or a directory of Jumplists as input. If parsing a single Jumplist, use the -f option. If parsing a directory of Jumplists, use the -d option. It is also suggested that the -q switch be used to avoid dumping all results to the screen (which can dramatically slow down JLECmd's execution time).

In the example command below, JLECmd is being run against a single Jumplist stored on an evidence file mounted as drive E. Output is stored on drive G in the "Jumplists" folder. JLECmd will create an output file (CSV in this case) with the date and time in the file name.

JLECmd.exe -f E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations\ff103e2cc310d0d.automaticDestinations-ms --csv G:\Jumplists -q

In the example command below, JLECmd is being run against all automatic Jumplist files stored for the user "Donald". Output is stored in the same folder as before. JLECmd will create an output file (CSV in this case) with the date and time in the file name.

JLECmd.exe -d E:\Users\Donald\AppData\Microsoft\Windows\Recent\AutomaticDestinations --csv G:\Jumplists -q

A mapping of app_ids to app name can be found at https://for500.com/appid.

Key Data Returned
The JLECmd output contains two important categories of data, evidence of execution and evidence of file knowledge. The table below shows some of the more significant columns to include in your review.

Column Name | Forensic Value
AppIdDescription | Human-readable name for AppID
DestListVersion | Used with MRU to determine most recently opened file in the Jumplist
MRU | Used with DestListVersion to determine most recently opened file in the Jumplist
Path | Location and name of file opened
TargetCreated | Creation timestamp of file referenced in JL
TargetModified | Modification timestamp of file referenced in JL

Advanced Usage
PRO TIP: Watch for changes in the "DriveType", "VolumeSerialNumber" and "VolumeLabel" columns as the data in these columns can indicate whether files have been opened from external devices. In the example below, the change in these columns shows that a file was opened from the USB device named "FILES". Additionally, the local path may show the same drive letter for multiple removable devices (e.g., drive F) but you should also review the volume serial number and the volume label to determine if the drive letter is associated with the same or different devices.

Target Modified | Drive Type | Volume Serial Number | Volume Label | Local Path
9/1/2018 16:53 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1193125-12-53009.pdf
9/27/2018 17:42 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf
9/3/2018 14:13 | Removable storage media (Floppy, USB) | B0A9FE90 | FILES | F:\Forms\fy08-form-10k.pdf
9/1/2018 16:43 | Fixed storage media (Hard drive) | 7E58AAB0 | Windows10_OS | C:\Users\srogers\Documents\NETFLIX SEC Filings\SEC-NFLX-1065280-13-8.pdf
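The $I record that RBCmd summarises in the Recycle Bin section above is small enough to parse by hand, which is useful when the files came from carving rather than from a mounted volume (the situation the RBCmd PRO TIP describes). The block below is an added Python example, not RBCmd or code from the poster; the record layout in the comments is an understanding of the format that should be verified against a known sample, and both sample records are constructed, the first one reusing the values from the RBCmd output shown above.

```python
import glob
import os
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_dollar_i(data):
    """Parse one $I record.

    Layout as assumed here (verify against a sample):
      version 1 (Vista to 8.1): 8-byte version, 8-byte original size,
                                8-byte FILETIME of deletion, 520-byte UTF-16LE path
      version 2 (Windows 10+):  same three 8-byte fields, then a 4-byte path length
                                in characters (including the NUL), then the path
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        name = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size,
            "deleted_on": filetime_to_datetime(ft), "file_name": name}


def build_dollar_i(version, size, deleted_on, name):
    """Build a $I record; used here only to construct sample input."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_on))
    path = name.encode("utf-16-le")
    if version == 1:
        return header + path.ljust(520, b"\x00")
    return header + struct.pack("<I", len(name) + 1) + path + b"\x00\x00"


def describe(rec, source="."):
    """Render a record in the same layout as the RBCmd output quoted above."""
    label = "Pre-Windows 10" if rec["version"] == 1 else "Windows 10"
    return "\n".join([
        "Source file: %s" % source,
        "Version: %d (%s)" % (rec["version"], label),
        "File size: %d (%dKB)" % (rec["size"], rec["size"] // 1024),
        "File name: %s" % rec["file_name"],
        "Deleted on: %s" % rec["deleted_on"].strftime("%Y-%m-%d %H:%M:%S.%f0"),
    ])


def parse_directory(folder):
    """Parse every $I file in a folder, e.g. a folder of carved $I files."""
    out = {}
    for path in glob.glob(os.path.join(folder, "$I*")):
        with open(path, "rb") as fh:
            out[os.path.basename(path)] = parse_dollar_i(fh.read())
    return out


# Constructed samples: the v1 record mirrors the poster's RBCmd output, the v2 record is invented.
SAMPLE_V1 = build_dollar_i(1, 16384,
                           datetime(2013, 10, 21, 18, 32, 52, 532000, tzinfo=timezone.utc),
                           r"C:\Users\Donald\SkyDrive\Documents\WACC Calc Spreadsheet -SECRET.xls")
SAMPLE_V2 = build_dollar_i(2, 2048,
                           datetime(2019, 10, 23, 14, 27, 18, tzinfo=timezone.utc),
                           r"C:\Users\Donald\Downloads\cat.jpg")

if __name__ == "__main__":
    print(describe(parse_dollar_i(SAMPLE_V1), r".\$IG1VEXX.xls"))
    print(describe(parse_dollar_i(SAMPLE_V2), r".\$I7YQ28P.jpg"))
```

A carved $I file that is shorter than 544 bytes (version 1) or whose version field is neither 1 nor 2 fails in parse_dollar_i rather than producing a plausible-looking record, which is the behaviour you want when feeding carver output.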

AmcacheParser – Amcache Parser

Type of Artifact
Amcache is part of the Application Experience Service in Windows. The Application Experience Service monitors executables and determines if those programs require updating when run. As a byproduct of this, the Amcache stores information about those executables. AmcacheParser can be leveraged to assist forensic investigators in determining what executables were run on Windows and when they were run, and provides a SHA-1 hash of the executables in order to track the same executables across assets.

Basic Usage
AmcacheParser takes the Amcache.hve registry hive as input and interprets the data stored therein.

In the example command below, AmcacheParser is being run against an Amcache.hve registry hive stored in an evidence file mounted as drive E. Output is stored on drive G in the "Amcache" folder. The AmcacheParser application will create an output file (CSV in this case) with the date and time in the file name.

AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve --csv G:\Amcache

Key Data Returned
Processed Amcache data in a standardized CSV, XML, or JSON format is available. The columns of most significance are typically the FileIDLastWriteTimestamp (the first time the executable was run), SHA1 (the SHA-1 hash of the file being executed) and FullPath (the location and name of the executable run). Other data of potential interest include the VolumeID (used to determine from which volume the executable was run), MFT Entry Number and Sequence Numbers (used to determine if the executable was run from an NTFS volume) and information about the internal metadata of the executable itself.

Advanced Usage
PRO TIP: Watch for changes in the VolumeID, as these can be indicative of applications being run from external devices. In the example below, the VolumeID is different for each executable run, meaning that they were all run from different volumes even though two entries reference drive E.

VolumeID | File ID Last-Write Timestamp | SHA1 | Full Path
abcd082d-3b8e-11e3-be8d-24fd52566ede | 10/23/2013 3:09 | f107ec56d650bf2cb00b186cbfbd202f66209ecf | E:\FTK Imager\FTK Imager.exe
afd25598-3b2c-11e3-be8c-24fd52566ede | 10/22/2013 21:42 | ca5fd519a43ff95d1ec0bbdf3533e9392109af74 | E:\TACTICAL Subject\f-response-tacsub.exe
dbcc2aeb-5826-41c0-8011-f0153438122b | 10/13/2013 9:42 | 9fef303bedf8430403915951564e0d9888f6f365 | C:\Windows\System32\notepad.exe

PRO TIP: Looking for something specific in the Amcache? You can use the switches -b (blacklist) or -w (whitelist). Blacklisting will include only those Amcache entries that match the SHA-1 hashes specified in the file, while whitelisting will exclude those Amcache entries that match the SHA-1 hashes. In the example below, we've provided SHA-1 values in Blacklist.txt, meaning that the output CSV will contain only items that are responsive to the SHA-1 values in the text file.

AmcacheParser.exe -f E:\Windows\AppCompat\Programs\Amcache.hve -b G:\Blacklist.txt --csv G:\Amcache

RECmd – Registry Explorer Command-line Edition

Type of Artifact
This command-line tool is used to access, search and recover, and export any data found in the Windows registry. To grasp why this tool is so powerful, just think about searching and exporting the registry in a consistent output format. It's no big deal to do this with other tools until you have to do exactly the same thing across tens, hundreds, or thousands of machines.

Basic Usage
Search NTUSER.dat for the key name that contains "Dropbox".

RECmd.exe -f "C:\Temp\NTUSER.dat" --sk Dropbox

Search UsrClass.dat for the key value that contains "Dropbox".

RECmd.exe -f "C:\Temp\UsrClass.dat" --sd Dropbox

Search the directory registry_files for the key value that contains "Dropbox", where the last write time is >= StartDate and the value name contains either "AppName" or "DisplayName"; don't recover deleted keys and don't process log files.

RECmd.exe -d "C:\Temp\registry_files" --sk "Dropbox" --StartDate "11/13/2014 15:35:01" --RegEx --sv "(App|Display)Name" --recover false --nl

RECmd will replay and apply all registry hive logs automatically. Use --nl to suppress this.

Search options:
• StartDate: Start date: last write timestamps (UTC)
• EndDate: End date: last write timestamps (UTC)
• MinSize: Find values with data size >= MinSize (specified in bytes)
• sk: Search for <string> in key names
• sv: Search for <string> in value names
• sd: Search for <string> in value record's value data

Batch File Example
Detailed, fully functional example batch files can be found in the ZimmermanTools\RegistryExplorer\BatchExamples folder.

Keys
• Description: A user-friendly description of what this key will find. Can be anything from the key name to a friendlier description of what it means.
• HiveType: The type of hive this entry corresponds to. Valid choices are NTUSER, SAM, SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE, SYSCACHE
• KeyPath: The path to the key to look for
• ValueName: OPTIONAL value that, when present, is looked for under KeyPath
• Recursive: Whether or not to process KeyPath recursively
• Comment: Like Description in that you can add various things here that end up in the CSV

HiveType determines which kind of hive the entry corresponds to. This saves time in that RECmd won't search a SOFTWARE hive for keys that won't ever exist (because they are NTUSER-specific, for example).

Wildcards are supported in the KeyPath within the batch file. Example:

SOFTWARE\Microsoft\Office\*\*\User MRU\*

To use batch mode, supply the file to the --bn switch, along with --csv to tell RECmd where to save results:

• Export UserAssist data via a RECmd batch file that uses a Registry Explorer plugin.

RECmd.exe --bn .\BatchExamples\BatchExampleUserAssist.reb -f C:\Temp\NTUSER_dblake.DAT --nl --csv C:\Temp

• The RECmd_Batch_MC.reb batch file used in this example exports many forensically relevant registry keys.

RECmd.exe --bn .\BatchExamples\RECmd_Batch_MC.reb -d G:\blake\Registry\E --nl --csv G:\blake\recmd_out

WxTCmd – Windows Timeline Explorer

Type of Artifact
The 1803 update of Windows 10 introduced the Timeline feature. This keeps a record of the last 30 days of applications and files opened by a given user. This

Key Data Returned
Three CSV files containing processed Timeline data in a standardized CSV, XML, or JSON. There are several columns of potential interest. The "Executable" column in the "ActivityOperations" CSV provides the name and the path of the executable in use. The "Payload" column provides information regarding
the content opened and the application used. The "DisplayText" item from this
can be seen by holding the Tab button and pressing the Windows button. The • ss Search for <string> in value record’s value slack
column contains the filename and "appDisplayName" shows the name of the
data for this are also synchronized from other computers where users have PRO TIP: Be as specific as possible about the directory to process as it can have
application. For example, the displayText of "Tax Documents.pdf" would indicate • Regular expressions must of course be valid .net regular expressions
logged in with their Microsoft account. The data for the Timeline are stored in a a significant impact on performance. These two commands generate the same
that the file was opened, and the appDisplayName of "Acrobat Reader DC" shows
SQLite database. • If either the key or value have spaces in them, enclose in quotes results but the second one runs much faster.
that application was used. This field also provides a "description" containing
information relating to the location of the file that was opened. Following the • To get default values, use a value name of "(default)" This is much slower because the RECmd has to process the entire drive.
Basic Usage same example as above, "C:\\Users\\lee _ w\\Desktop\\Tax Documents.pdf" would
WxTCmd takes a single ActivitiesCache.db file as input. If the input is coming indicate that location. "Start Time" indicates the first time in the last 30 days • "--sX" are search options; they use the "contains" logic RECmd.exe --bn "C:\Forensic Program Files\ZimmermanTools\
from a mounted evidence item, it needs to be mounted as read-write/write- that this specific activity occurred. RegistryExplorer\BatchExamples\UserActivity.reb" -d G:\blake\
• -sd will convert the compare values to ASCII and Unicode before doing
temporary. Output for this command is not output to the screen, so a CSV needs Registry\E --nl --csv G:\blake\registry\recmd_out
comparison unless the "--l" literal switch is used
to be specified. Advanced Usage This is much faster because RECmd is only processing a single user directory.
In the example command below, we are looking for large registry keys (1MB and
In the example command below, WxTCmd is being run against the PRO TIP: As described above, the "Payload" column contains the location and
base64 encoded) that often contain malware. Deleted keys are also retrieved RECmd.exe --bn "C:\Forensic Program Files\ZimmermanTools\
ActivitiesCache.db file stored on an evidence file mounted as a drive E. Note name of the opened file or resource. However, it also includes another valuable
and parsed. RegistryExplorer\BatchExamples\UserActivity.reb" -d G:\blake\
that the subfolder named "a3936c317ac1474e" is not consistent. An equivalent, piece of information, the "contentUri". In the example below, a file was opened Registry\E\Users\Donald --nl --csv G:\blake\registry\recmd_out
differently named folder will be present for other users. from drive D. This ActivitiesCache.db file contains information for all computers RECmd.exe -d "C:\Temp\registry_files" --minsize 1M --Base64
synchronized to this Microsoft account, so several linked computers could have --recover true
WxTCmd.exe -f E:\Users\srogers\AppData\Local\ PRO TIP: A batch file can contain instructions to process many registry keys.
a drive D. The example below provides the GUID (Global Unique Identifier) for
ConnectedDevicesPlatform\a393c317ac1474e\ActivitiesCache.db To search for binary data in value data, simply string together the hex characters You can use the -f option to tell RECmd to only process a single specific registry
the volume that stores that file. This means that the file can be tied back to a
--csv C:\Output you want to find, separated by dashes (04-00-EF-BE, for example). key instead of all the keys that are mentioned in the batch file.
specific volume on a specific device.
RECmd.exe -hive "C:\Temp\registry_files" --sd" When RECmd runs in batch mode, several files will get generated in the --csv
Payload directory (see example file listing below).
"contentUri":"file:///D:/Files/Cat.jpg?VolumeId={A98818E7-5868-4C06-807E- Batch Mode
0F24C9746829}&ObjectId={AE26BE95-ACAC-11E9-B3FB-60F6770E22E2}" By default, batch mode utilizes the same plugins as found in Registry Explorer
and works the same way. When used by RECmd, the data from the plugin will
be normalized into a standard format for CSV output. When a plugin is used
to process a key or key/value, the data generated by the plugin are also saved
MFTECmd – MFT Explorer the MFT such as timestamps and other metadata. In the example, below follow out to a CSV. In this way, it is very similar to exporting the data from Registry
Explorer (albeit to Excel vs. CSV).
the flow of activity the files recorded in $J. The first entry is for the creation
of a file named $IT74KUZ, then data are added to the file before it is closed. Batch File
Type of Artifact Immediately afterwards, the file sdelete64.exe is renamed to $RT74KUZ before
MFTECmd parses a number of different files from NTFS-formatted drives. At a also being closed. This all happens within the same hundredth of a second as Header
high level, MFTECmd parses each of these internal NTFS System files. At a lower sdeleted64.exe is being sent to the $Recycle.bin • Description: A general description of what this batch file is going to find
level, the application dives deep into NTFS and helps uncover much data of
interest. • Author: Name of this batch file (can be more, too, like contact information)

File Description Contents • Version: A version number that should be incremented as changes happen
$MFT Index of each file and folder on volume File name timestamps, and other metadata • Id: A unique (across all other batch files) GUID (Global Unique Identifier) that
$Boot Volume boot record Volume serial number, volume signature, number of sectors identifies this batch file
$SDS File ownership Contains a list of all the Security Descriptors on the volume
$J USN Journal Transaction log of all changes to a file A few moments later, both files are deleted as the $Recycle.bin is emptied.
(write, delete, rename, etc.) (file change journal)
$Logfile Transaction Log File Used by NTFS to maintain the integrity of the filesystem in
the event of a crash (metadata change journal) LECmd – LNK File Explorer Advanced Usage
PRO TIP: Taking the data from key columns not only tells a forensic investigator
The $SDS file allows us determine file ownership. For example, in the first
Basic Usage Type of Artifact when the file was opened, but may also provide details about the number of
screenshot below we see output from the parsed $MFT loaded into Timeline
MFTECmd takes a $MFT, $J, $SDS, $Logfile or $Boot as input. These input files can Explorer. Looking at the NTUSER.DAT Shortcut files (*.lnk) are shell items and, as such, not entirely human-readable.
times a user accessed a file with that name. In the table below, the first row
be in the form of an exported copy of the file(s) or can be referenced from within of results indicates that the file was only opened once, as SourceCreated and
entry we can see that the Security ID LNK files are most frequently created when a user opens a non-executable file
a mounted image. The example command below shows MFTECmd being run against SourceModified contain the same time. The second instance indicates that the
for this file is 8271. by double-clicking. These shortcut files are stored under the user profile that
a $MFT file that has been exported from an evidence file and the data being saved file has been opened at least twice, as the SourceCreated occurred around seven
opened the file and contain information relating to the opened target file. This
to a CSV file. If we then go to the $SDS output and hours before the SourceModified. We also see that the Target dates are identical,
includes information such as the target file dates and times (at the time when
search for that same Security ID, we find that the NTUSER.DAT file is owned by suggesting that the file has not been changed since it was created. The last
MFTECmd.exe -f 'G:\Exports\$MFT' --csv G:\MFT_Output the user with the Relative ID of 1001. If needed, we can take the SID and tie it to
the file was opened), file name and path, the drive type, volume serial number,
row indicates that the file was only opened once, since the Source entries are
volume label and more. LECmd takes these data and presents them in a human-
In the next example MFTECmd is run against a $MFT file stored on a mounted a username via the SAM Registry Hive. identical, However, the TargetModified precedes the TargetCreated, indicating
readable format.
drive E and the data is output in CSV format. In order to run this command, it is that the file has been copied to the F: drive from another location.
recommended to mount the evidence using Arsenal Image Mounter as write-
temporary. Basic Usage
LECmd takes, as input, either a single LNK file or a folder containing several such Source Source Target Target Path (Combined from Local Path and
MFTECmd.exe -f 'E:\$MFT' --csv G:\MFT_Output files.
Created Modified Created Modified Common Path)
Advanced Usage 9/1/2018 9/1/2018 8/27/2018 9/6/2018 C:\Users\Donald\Documents\NETFLIX SEC Filings\
Note the command-line syntax for referencing the alternate data streams PRO TIP: It is important to remember that NTFS stores two sets of dates In the example command below, LECmd is being run against a single LNK file 16:53 16:53 09:24 14:43 SEC-NFLX-1193125-12-53009.pdf
$UsnJrnl and $Secure. and times in each $MFT entry. These are known as the Standard Information stored on an evidence file mounted as a drive E. When running this command 9/27/2018 9/27/2018 9/27/2018 9/27/2018 C:\Users\srogers\Documents\Netflix 3Q13
MFTECmd.exe -f 'E:\$Extend\$UsnJrnl:$J' --csv G:\USN_Output Attributes (SIA) and the FILENAME attributes (FNA). This means that each file the output is shown in the window running the command (command-line 10:42 17:37 10:28 10:28 Conference Call Announcement 09 30 13.pdf
and folder will have timestamps in both groups. These dates and times behave window or PowerShell). 9/3/2018 9/3/2018 9/3/2018 9/1/2018 F:\Forms\fy08-form-10k.pdf
MFTECmd.exe -f 'E:\$Secure:$SDS' --csv G:\SDS_Output differently and can indicate when a file was truly created, not just what Windows 14:13 14:13 14:11 18:19
LECmd.exe -f E:\Users\srogers\AppData\Microsoft\Windows\Recent\
reports. For example, in the table below we see a number of files stored under
Key Data Returned Peggy.jpg.lnk
the Windows directory. The Created0x10 is the created date and time as stored in PRO TIP: LNK facts to keep in mind:
The columns of most significance are highly dependent on the type of the SIA and Created0x30 relates to those stored in the FILENAME attributes. In the next example, LECmd is being run against a folder of LNK files stored on
• The target file name extension is not always provided in the LNK name.
investigation and the reason for parsing the files in the first place. For example, the same mounted evidence file as above. This time, the output is stored in a
As can be seen in the table, both dates and times are the same for the first
the dates and times in the $MFT could provide an indication as to the copying CSV stored in G:\LnkFiles. • The LNK file points to the last file of that name. This means that if there were
two entries, but the third entry shows a FILENAME creation date that is much
of files from external devices. If the written/modification time precedes the two files named exactly the same, the LNK files point to the last one opened.
later than the creation date stored in the SIA. This may be an indication of LECmd.exe -f E:\Users\srogers\AppData\Microsoft\Windows\Recent
creation time, there is a high degree of probability that the file was copied
manipulation of the SIA timestamp for the syncmon.exe file and would warrant --csv G:\LnkFiles -q
from another volume.
further investigation.
In the example below, the $MFT has been parsed to CSV and loaded into Key Data Returned
Created0x10 Created0x30 Path (combined from Parent Path and File Name)
Timeline Explorer. In each row the Last Modified time precedes the Created time.
Column Name Forensic Value
3/18/2019 09:17 3/18/2019 09:17 C:\Windows\System32\cmd.exe
3/18/2019 09:18 3/18/2019 09:18 C:\Windows\System32\mountvol.exe AppIdDescription Human-readable name for AppID
3/18/2019 09:19 8/18/2019 01:12 C:\Windows\System32\syncmon.exe DestListVersion Used with MRU to determine most recently opened file in the Jumplist
MRU Used with DestListVersion to determine most recently opened file in the Jumplist
PRO TIP: When an evidence file is mounted as a drive, MTFECmd can also dive Path Multiple Path Columns: Location and name of source and target files
into the Volume Shadow Copies and retrieve previous versions of the $MFT, $J
SourceCreate Creation Timestamp of the LNK itself
and $SDS files. This can be done by virtue of the switches --vss and --dedupe as
SourceModified Modification Timestamp of the LNK itself
demonstrated in the command below. The --vss switch tells MFTECmd to search
This is a clear indication that these files were copied from another volume. in the Volume Shadow Copies and the --dedupe switch stops MFTECmd from TargetCreated Creation Timestamp of target file the LNK points to
reporting duplicate entries found in the Volume Shadow Copies. TargetModified Modification Timestamp of target file the LNK points to
The processed $J data can be used to determine the date and time that specific
DriveType Network, fixed, or removable
actions were taken on a file. These actions include (but are not limited to) MFTECmd.exe -f 'E:\$Extend\$UsnJrnl:$J' --csv G:\MFT_Output
creating a new file, making changes to a file, deleting a file, overwriting a file, --vss --dedupe VolumeSerialNumber MFT Entry Number
and renaming a file. The $LogFile tracks changes to the information found in MFT Nbr & Seq nbr MFT - Seg nbr - If present then Volume is NTFS

The most trusted source for cybersecurity training, certifications, degrees, and research
sans.org
sans.org/eztools
This poster was created by Mark Hallman and Lee Whitfield with support from the SANS DFIR faculty.
©2020 Mark Hallman and Lee Whitfield. All rights reserved.
