Zimmerman

#EvtxECMD Output evtx to csv for timeline parsing
Tools\Get-ZimmermanTools\EvtxECmd\EvtxECmd.exe -d F:\Tools\Investigate\Logs --csv F:\Tools\Investigate --csvf Logs.csv

#MFTCmd Output MFT to csv for timeline parsing
Tools\Get-ZimmermanTools\MFTECmd.exe -f Tools\Investigate\Logs\Logs3\$MFT --csv \tools\Investigate\Logs --csvf mft.csv

#Shellbag dump of live system
Tools\Get-ZimmermanTools\SBECmd.exe -l --csv .\

#Clean Dirty Hive
rla.exe -d "F:\tools\investigate\logs" --out F:\tools\investigate\logs\CleanReg

#Analysis at scale
RECmd.exe --bn F:\Tools\Get-Zimmerman\RECmd\BatchExamples\Kroll_batch.reb -f F:\Tools\Investigate\logs\NTUSER.dat\ --csv F:\tools\investigate\logs --csvf recmd.csv

#Parse Prefetch Files
PECmd.exe -d C:\Windows\prefetch 
PECmd.exe -f C:\Windows\pretfetch\filename.pf

#Shimcache parsing
AppCompatCacheParser -f F:\Tools\investigate\logs\SYSTEM --csv F:\Tools\investigate\logs --csvf reboot.csv 

#Amacache
AmcacheParser.exe -f F:\Tools\investigate\logs\amcache.hve --csv F:\Tools\investigate\logs

#Used to grab SYSTEM hive and Srumb.dat
SrumECmd.exe -d F:\Tools\Investigation\logs --csv F:\Tools\Investigation\logs\log1
PreviousAdminNextInvestigation

Last updated