EZ Tools Manuals

About the Book

The official manual for Eric Zimmerman's Tools. Please watch the book's GitHub repository to stay updated on the development of this manual! Any suggestions for improvement are welcomed on GitHub!

About the Authors

Andrew Rathbun

Andrew Rathbun is a DFIR professional with multiple years of experience in law enforcement and the private sector. Andrew is involved in multiple community projects, including but not limited to: the Digital Forensics Discord Server, AboutDFIR, and multiple GitHub repositories.

Eric Zimmerman

Eric Zimmerman is a former FBI Special Agent and C# developer of various open-source forensic tools targeting Windows host-based artifacts. Eric is a certified SANS instructor and co-author of FOR498.

Table of Contents

  • Enabling Update Notifications on Leanpub
  • Introduction to EZ Tools
    • What are EZ Tools?
    • Download EZ Tools
    • CLI vs GUI
    • .NET 4 vs .NET 6 EZ Tools
    • What is this book?
    • Mastering EZ Tools
    • Content by Eric Zimmerman
    • Content by the DFIR Community about EZ Tools
  • EZ Tools - Common Switches
    • Common Switches
  • EZ Tools - PowerShell vs CMD
    • Common Scenarios
  • EZ Tools - CLI
  • AmcacheParser
    • AmcacheParser Introduction
    • AmcacheParser Switches
    • AmcacheParser Command Examples
    • AmcacheParser Output
    • AmcacheParser Key Takeaways
    • AmcacheParser References
  • AppCompatCacheParser
    • AppCompatCacheParser Introduction
    • AppCompatCacheParser Switches
    • AppCompatCacheParser Command Examples
    • AppCompatCacheParser Output
    • AppCompatCacheParser Key Takeaways
    • AppCompatCacheParser References
  • bstrings
    • bstrings Introduction
    • bstrings Switches
    • bstrings Command Examples
    • bstrings References
  • EvtxECmd
    • EvtxECmd Introduction
    • EvtxECmd Switches
    • EvtxECmd Command Examples
    • EvtxECmd Output
    • EvtxECmd Key Takeaways
    • EvtxECmd References
  • IISGeoLocate
    • IISGeoLocate Introduction
    • IISGeoLocate Switches
    • IISGeoLocate Output
    • IISGeoLocate References
  • JLECmd
    • JLECmd Introduction
    • JLECmd Switches
    • JLECmd Command Examples
    • JLECmd Output
    • JLECmd Sample Output
    • JLECmd Key Takeaways
    • JLECmd References
  • LECmd
    • LECmd Introduction
    • LECmd Switches
    • LECmd Command Examples
    • LECmd Sample Output
    • LECmd Output
    • LECmd Key Takeaways
    • LECmd References
  • MFTECmd
    • MFTECmd Introduction
    • File Types Parsed by MFTECmd
    • MFTECmd Switches
    • MFTECmd Command Examples
    • MFTECmd Output
    • MFTECmd References
  • PECmd
    • PECmd Introduction
    • PECmd Switches
    • PECmd Command Examples
    • PECmd Output
    • PECmd Key Takeaways
    • PECmd References
  • RBCmd
    • RBCmd Introduction
    • RBCmd Switches
    • RBCmd Command Examples
    • RBCmd Output
    • RBCmd Key Takeaways
    • RBCmd References
  • RecentFileCacheParser
    • RecentFileCacheParser Introduction
    • RecentFileCacheParser Switches
    • RecentFileCacheParser Command Examples
    • RecentFileCacheParser Output
    • RecentFileCacheParser References
  • RECmd
    • RECmd Introduction
    • RECmd Switches
    • RECmd Command Examples
    • RECmd Output
    • RECmd References
  • RLA
    • RLA Introduction
    • RLA Switches
    • RLA Command Examples
    • RLA References
  • SBECmd
    • SBECmd Introduction
    • SBECmd Switches
    • SBECmd Command Examples
    • SBECmd Output
    • SBECmd Key Takeaways
    • SBECmd References
  • SQLECmd
    • SQLECmd Introduction
    • SQLECmd Switches
    • SQLECmd Command Examples
    • SQLECmd References
  • SrumECmd
    • SrumECmd Introduction
    • SrumECmd Switches
    • SrumECmd Command Examples
    • SrumECmd Output
    • SrumECmd Sample Data
    • SrumECmd References
  • SumECmd
    • SumECmd Introduction
    • SumECmd Switches
    • SumECmd Command Examples
    • SumECmd Output
    • SumECmd References
  • VSCMount
    • VSCMount Introduction
    • VSCMount Switches
    • VSCMount Command Examples
    • VSCMount References
  • WxTCmd
    • WxTCmd Introduction
    • WxTCmd Switches
    • WxTCmd Command Examples
    • WxTCmd Output
    • WxTCmd Key Takeaways
    • WxTCmd References
  • EZ Tools - GUI
  • EZViewer
    • EZViewer Introduction
    • EZViewer Screenshot
    • EZViewer Key Takeaways
    • EZViewer References
  • Hasher
    • Hasher Introduction
    • Hasher Screenshot
    • Hasher Features
    • Hasher References
  • JumpList Explorer
    • JumpList Explorer Introduction
    • JumpList Explorer Functionality
    • JumpList Explorer References
  • MFT Explorer
    • MFT Explorer Introduction
    • MFT Explorer Features
    • MFT Explorer References
  • Registry Explorer
    • Registry Explorer Introduction
    • RECmd
    • Version changes
  • SDB Explorer
    • SDB Explorer Introduction
    • SDB Explorer References
  • Shellbags Explorer
    • Requirements
    • What are ShellBags?
    • ShellBags location in the registry
    • Using RegEdit to view ShellBag data
    • Why another ShellBags program?
    • ShellBagsExplorer.exe
    • Menus
    • Workflow overview
    • SBECmd.exe
    • General usage tips and tricks
    • Version changes
  • TimeApp
    • TimeApp Introduction
    • TimeApp Screenshots
    • TimeApp References
  • Timeline Explorer
    • Timeline Explorer Introduction
    • Timeline Explorer Features
    • Timeline Explorer Settings
    • Timeline Explorer Layout Files
    • Timeline Explorer Plugins
    • Timeline Explorer References
    • Using XWFIM
    • XWFIM References
  • Errata
    • Reporting Errata
