Forensics investigators and incident responders may lean toward graphical user interface (GUI) tools that present interactive and graphical representations of data, especially if they don’t have years of experience under their belts. But don’t rule out command line interface (CLI) tools, just because they seem more complex and require some knowledge of commands.
Truth be told, CLI tools are the optimal choice for digital forensics and incident response (DFIR) today, because DFIR pros have to sift through colossal amounts of data culled from a variety of devices. GUI tools work well when you’re working with a just few pieces of evidence from a small number of devices. However, when it comes to hundreds, even thousands of pieces of evidence scattered across networks of desktops, laptops, and servers, a GUI tool is simply not efficient.
And it’s not just CLI tools’ ability to scale. They can be faster than GUI tools, they generally require less RAM, less CPU, are portable and require no installation, and the executables consume less hard drive space making cli tools better suited for covert deployment. Modern CLI tools can also take advantage of the operating system’s ability to multitask/multithread and therefore run tasks in parallel. Microsoft certainly sees the benefits of CLI with their addition of the Windows Subsystem for Linux and continued development of PowerShell. This isn’t to say that GUI tools don’t have a place in your DRIF toolset. They are especially useful for monitoring activity in real time and making sense of data through graphs, charts and timelines.
The EZ Tools Command-Line Poster
SANS certified instructor and former FBI agent Eric Zimmerman provides several open source command line tools free to the DFIR Community. These tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. The command-line versions of EZ Tools enable you to provide scriptable, scalable, and repeatable results with astonishing speed and accuracy. And to help you get started, SANS has just released the new EZ Tools Command-Line Poster!
Get a copy by registering here
Tune in to our “Fast, Scalable Results with EZ Tools and the New Command-line poster” webinar on March 11th at 3:30 pm ET, where we will do a deep dive into all the tools featured on the poster.
Download EZ Tools
Here's a sampling of the CLI tools featured on the EZ Tools Command-Line Poster:
EvtxECmd – Windows Event Log Parser
There can be hundreds of Event Log files on a system, some aimed at systemwide events and many others that record information in a much more targeted fashion. All Event Logs are stored in the same format on a Windows computer, but the actual data elements collected varies, and it is this variation of data elements that makes correlation of Event Logs a challenge. This is where EvtxECmd shines.
All event records are normalized across all event types and across all Event Logs file types, giving you a consolidated, big picture of the all the Windows events happening in your environment. The EvtxECmd parser has standardized CSV, XML, and JSON output. It also has a unique Maps feature that allows for the normalized output format. And it helps alleviate the pivot point scenarios that sometimes take you off track by aggregating events so you can see patterns and better understand what is happening.
RECMD – Registry Explorer Command-line Edition
This command-line tool is used to access, search, recover, and export any data found in the Windows registry. It’s an extremely powerful tool that takes a while to get used to. But to understand just how powerful this took is, think about searching and exporting a registry in a consistent output format. No big deal, until you have to search and export a consistent format when working across tens, hundreds, or thousands of machines.
MFTECmd – MFT Explorer
This tool parses a number of different files from Windows NT File System (NTFS) formatted drives. At a high level, MFTECmd parses each of these internal NTFS System files, but it also dives deep into NTFS and helps uncover much data of interest. MFTECmd takes a $MFT, $J, $SDS, $Logfile or $Boot as input that can be in the form of an exported copy of the file(s) or can be referenced from within a mounted image.
PECmd – Prefetch Parser
Prefetch is one source of Evidence of Execution of a particular program. The Prefetch Parser is a simple to use tool that provides two forms of output. First extraction and formatting the contents of the Prefetch file. Second, PECmd takes Prefetch data and puts it into a timeline.
JLECmd – Jumplist Explorer Command-line Edition
JLECmd takes Jumplists – which store critical information about files and folders that have been interacted with using various GUI applications in Windows – to indicate what applications were used to open target files and folders and store metadata specific to those target items. Those metadata contain details such as file name and location, dates and times, etc. Parsing the Jumplist data can be difficult and time-consuming because they are stored in a format known as MS OLE Structured Storage files. JLECmd makes parsing these data simple and quick.
LECmd – LNK File Explorer
The LNK File Explorer is simple to use and takes binary shortcut files AKA .lnk files – typically created when a user opens a non-executable file by double-clicking – and presents them in a human-readable format. These shortcut files are stored under the user profile that opened the file and contain information relating to the opened target file. This includes information such as the target file dates and times (at the time when the file was opened), file name and path, the drive type, volume serial number, volume label and more.
The EZ Tools Command-Line Poster details several easier-to-use yet powerful command-line tools and is designed to make your job easier and more successful as you investigate and respond to security and cyber events. Register to get your copy, and be sure to join our webinar on March 11.
.PNG "DFIR_ICON_(1).PNG"){kind=icon}
