explainx.ainewsletter3.4k
performing-windows-artifact-analysis-with-eric-zimmerman-tools

performing-windows-artifact-analysis-with-eric-zimmerman-tools

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools
0 commentsdiscussion
summary

Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.

skill.md
name
performing-windows-artifact-analysis-with-eric-zimmerman-tools
description
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
domain
cybersecurity
subdomain
digital-forensics
tags
- eric-zimmerman - ez-tools - kape - mftecmd - pecmd - lecmd - jlecmd - registry-forensics - windows-forensics - timeline-explorer - dfir - artifact-analysis
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- RS.AN-01 - RS.AN-03 - DE.AE-02 - RS.MA-01

Performing Windows Artifact Analysis with Eric Zimmerman Tools

Overview

Eric Zimmerman's EZ Tools suite is a collection of open-source forensic utilities that have become the global standard for Windows digital forensics investigations. Originally developed by a former FBI agent and current SANS instructor, these tools parse and analyze critical Windows artifacts including the Master File Table ($MFT), registry hives, prefetch files, event logs, shortcut (LNK) files, and jump lists. The suite integrates with KAPE (Kroll Artifact Parser and Extractor) for automated artifact collection and processing, producing structured CSV output that can be ingested into Timeline Explorer for visual analysis. EZ Tools are widely used by law enforcement, corporate incident responders, and forensic consultants worldwide.

When to Use

  • When conducting security assessments that involve performing windows artifact analysis with eric zimmerman tools
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Windows 10/11 or Windows Server 2016+ analysis workstation
  • .NET 6 Runtime installed (required for EZ Tools v2.x+)
  • Administrative privileges on the analysis workstation
  • Forensic disk image or triage collection from target system
  • At least 8 GB RAM (16 GB recommended for large datasets)
  • Familiarity with NTFS file system structures and Windows internals

Tool Suite Components

KAPE (Kroll Artifact Parser and Extractor)

KAPE is the primary orchestration tool that automates artifact collection (Targets) and processing (Modules). It uses configuration files (.tkape and .mkape) to define what artifacts to collect and which EZ Tools to run against them.

Installation and Setup:

# Download KAPE from https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
# Extract to C:\Tools\KAPE

# Update KAPE targets and modules
C:\Tools\KAPE\gkape.exe  # GUI version
C:\Tools\KAPE\kape.exe   # CLI version

# Sync latest EZ Tools binaries
C:\Tools\KAPE\Get-KAPEUpdate.ps1

Running KAPE Collection and Processing:

# Collect artifacts from E: drive (mounted forensic image) and process with EZ Tools
kape.exe --tsource E: --tdest C:\Cases\Case001\Collection --target KapeTriage --mdest C:\Cases\Case001\Processed --module !EZParser

# Collect specific artifact categories
kape.exe --tsource E: --tdest C:\Cases\Case001\Collection --target FileSystem,RegistryHives,EventLogs --mdest C:\Cases\Case001\Processed --module MFTECmd,RECmd,EvtxECmd

# Live system triage collection (run as administrator)
kape.exe --tsource C: --tdest D:\LiveTriage\Collection --target KapeTriage --mdest D:\LiveTriage\Processed --module !EZParser --vhdx LiveTriageImage

MFTECmd - Master File Table Parser

MFTECmd parses the NTFS $MFT, $J (USN Journal), $Boot, $SDS, and $LogFile into human-readable CSV format.

# Parse the $MFT file
MFTECmd.exe -f "C:\Cases\Evidence\$MFT" --csv C:\Cases\Output --csvf MFT_output.csv

# Parse the USN Journal ($J)
MFTECmd.exe -f "C:\Cases\Evidence\$J" --csv C:\Cases\Output --csvf USNJournal_output.csv

# Parse $Boot for volume information
MFTECmd.exe -f "C:\Cases\Evidence\$Boot" --csv C:\Cases\Output --csvf Boot_output.csv

# Parse $SDS for security descriptors
MFTECmd.exe -f "C:\Cases\Evidence\$SDS" --csv C:\Cases\Output --csvf SDS_output.csv

Key Fields in MFT Output:

FieldDescription
EntryNumberMFT record number
ParentEntryNumberParent directory MFT record
InUseWhether the record is active or deleted
FileNameName of the file or directory
Created0x10$STANDARD_INFORMATION creation timestamp
Created0x30$FILE_NAME creation timestamp
LastModified0x10$STANDARD_INFORMATION modification timestamp
IsDirectoryBoolean indicating directory or file
FileSizeLogical file size in bytes
ExtensionFile extension

PECmd - Prefetch File Parser

PECmd parses Windows Prefetch files (.pf) to provide evidence of program execution, including run counts and timestamps.

# Parse all prefetch files from a directory
PECmd.exe -d "C:\Cases\Evidence\Windows\Prefetch" --csv C:\Cases\Output --csvf Prefetch_output.csv

# Parse a single prefetch file with verbose output
PECmd.exe -f "C:\Cases\Evidence\Windows\Prefetch\CMD.EXE-4A81B364.pf" --json C:\Cases\Output

# Parse prefetch with keyword filtering
PECmd.exe -d "C:\Cases\Evidence\Windows\Prefetch" -k "powershell,cmd,wscript,cscript,mshta" --csv C:\Cases\Output --csvf SuspiciousExec.csv

RECmd - Registry Explorer Command Line

RECmd processes Windows registry hives using batch files that define which keys and values to extract.

# Process all registry hives with the default batch file
RECmd.exe --bn C:\Tools\KAPE\Modules\bin\RECmd\BatchExamples\RECmd_Batch_MC.reb -d "C:\Cases\Evidence\Registry" --csv C:\Cases\Output --csvf Registry_output.csv

# Process a single NTUSER.DAT hive
RECmd.exe -f "C:\Cases\Evidence\Users\suspect\NTUSER.DAT" --bn C:\Tools\KAPE\Modules\bin\RECmd\BatchExamples\RECmd_Batch_MC.reb --csv C:\Cases\Output

# Process SYSTEM hive for USB device history
RECmd.exe -f "C:\Cases\Evidence\Registry\SYSTEM" --bn C:\Tools\KAPE\Modules\bin\RECmd\BatchExamples\RECmd_Batch_MC.reb --csv C:\Cases\Output

EvtxECmd - Windows Event Log Parser

EvtxECmd parses Windows Event Log (.evtx) files into structured CSV format with customizable event ID maps.

# Parse all event logs from a directory
EvtxECmd.exe -d "C:\Cases\Evidence\Windows\System32\winevt\Logs" --csv C:\Cases\Output --csvf EventLogs_output.csv

# Parse a single event log
EvtxECmd.exe -f "C:\Cases\Evidence\Security.evtx" --csv C:\Cases\Output --csvf Security_output.csv

# Parse with custom maps for enhanced field extraction
EvtxECmd.exe -d "C:\Cases\Evidence\Logs" --csv C:\Cases\Output --maps C:\Tools\KAPE\Modules\bin\EvtxECmd\Maps

LECmd and JLECmd - Shortcut and Jump List Parsers

# Parse LNK files from Recent directory
LECmd.exe -d "C:\Cases\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Cases\Output --csvf LNK_output.csv

# Parse Jump Lists (automatic destinations)
JLECmd.exe -d "C:\Cases\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Cases\Output --csvf JumpLists_auto.csv

# Parse Jump Lists (custom destinations)
JLECmd.exe -d "C:\Cases\Evidence\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Cases\Output --csvf JumpLists_custom.csv

SBECmd - Shellbag Explorer Command Line

# Parse shellbags from a directory of registry hives
SBECmd.exe -d "C:\Cases\Evidence\Registry" --csv C:\Cases\Output --csvf Shellbags_output.csv

# Parse shellbags from a live system (requires admin)
SBECmd.exe --live --csv C:\Cases\Output --csvf LiveShellbags_output.csv

Timeline Explorer - Visual Analysis

Timeline Explorer is the GUI tool for analyzing CSV output from all EZ Tools. It supports filtering, sorting, column grouping, and conditional formatting.

# Launch Timeline Explorer and open CSV output
TimelineExplorer.exe "C:\Cases\Output\MFT_output.csv"

Key Timeline Explorer Features:

  • Column-level filtering with regular expressions
  • Conditional formatting for timestamp anomalies
  • Multi-column sorting for chronological analysis
  • Export filtered results to new CSV files
  • Bookmarking rows of interest

Investigation Workflow

Step 1: Artifact Collection with KAPE

# Full triage collection from forensic image mounted at E:
kape.exe --tsource E: --tdest C:\Cases\Case001\Collected --target KapeTriage --vhdx TriageImage --zv false

Step 2: Artifact Processing with EZ Tools

# Process all collected artifacts
kape.exe --msource C:\Cases\Case001\Collected --mdest C:\Cases\Case001\Processed --module !EZParser

Step 3: Timeline Analysis

  1. Open processed CSV files in Timeline Explorer
  2. Sort by timestamp columns to establish chronological order
  3. Filter for specific file extensions, paths, or event IDs
  4. Cross-reference MFT timestamps with event log entries
  5. Identify timestomping by comparing $SI and $FN timestamps
  6. Document findings with bookmarks and exported filtered views

Step 4: Timestomping Detection

# In Timeline Explorer, compare these columns:
# Created0x10 ($STANDARD_INFORMATION) vs Created0x30 ($FILE_NAME)
# If Created0x10 < Created0x30, timestomping is indicated
# $FILE_NAME timestamps are harder to manipulate than $STANDARD_INFORMATION

Forensic Artifacts Reference

ToolArtifactLocation
MFTECmd$MFTRoot of NTFS volume
MFTECmd$J (USN Journal)$Extend$UsnJrnl:$J
PECmdPrefetch filesC:\Windows\Prefetch*.pf
RECmdNTUSER.DATC:\Users{user}\NTUSER.DAT
RECmdSYSTEM hiveC:\Windows\System32\config\SYSTEM
RECmdSAM hiveC:\Windows\System32\config\SAM
RECmdSOFTWARE hiveC:\Windows\System32\config\SOFTWARE
EvtxECmdEvent logsC:\Windows\System32\winevt\Logs*.evtx
LECmdLNK filesC:\Users{user}\AppData\Roaming\Microsoft\Windows\Recent\
JLECmdJump listsC:\Users{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
SBECmdShellbagsNTUSER.DAT and UsrClass.dat registry hives

Common Investigation Scenarios

Malware Execution Evidence

  1. Parse Prefetch with PECmd to identify executed binaries
  2. Cross-reference with MFT for file creation timestamps
  3. Check Amcache.hve with RECmd for SHA1 hashes of executables
  4. Correlate with Event Log entries for process creation (Event ID 4688)

Data Exfiltration Investigation

  1. Parse USN Journal with MFTECmd for file rename/delete operations
  2. Analyze LNK files with LECmd for recently accessed documents
  3. Review Shellbags with SBECmd for directory browsing activity
  4. Check for USB device connections in SYSTEM registry with RECmd

Lateral Movement Detection

  1. Parse Security.evtx with EvtxECmd for logon events (4624, 4625)
  2. Analyze RDP-related event logs (Microsoft-Windows-TerminalServices)
  3. Cross-reference with network share access from SMB logs
  4. Review scheduled tasks and services for persistence mechanisms

Output Format and Integration

All EZ Tools produce CSV output that can be:

  • Analyzed in Timeline Explorer for visual investigation
  • Imported into Splunk, Elastic, or other SIEM platforms
  • Processed by Python/PowerShell scripts for automated analysis
  • Combined into super timelines using log2timeline/Plaso

References

how to use performing-windows-artifact-analysis-with-eric-zimmerman-tools

How to use performing-windows-artifact-analysis-with-eric-zimmerman-tools on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add performing-windows-artifact-analysis-with-eric-zimmerman-tools
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools

The skills CLI fetches performing-windows-artifact-analysis-with-eric-zimmerman-tools from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools

Reload or restart Cursor to activate performing-windows-artifact-analysis-with-eric-zimmerman-tools. Access the skill through slash commands (e.g., /performing-windows-artifact-analysis-with-eric-zimmerman-tools) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Exploratory Data Analysis

Quickly understand datasets, identify patterns, and generate insights

Example

Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses

Reduce EDA time from hours to minutes, uncover insights faster

Data Cleaning & Transformation

Write scripts to clean messy data, handle missing values, normalize formats

Example

Generate Python/SQL to fix date formats, impute missing values, remove duplicates

Automate 80% of data preprocessing work

Statistical Analysis

Perform hypothesis testing, regression, and statistical modeling

Example

Run A/B test analysis, calculate confidence intervals, interpret p-values

Get statistically sound analysis without PhD in statistics

Data Visualization

Create charts, dashboards, and visual reports

Example

Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps

Build presentation-ready visualizations 3x faster

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client
  • Python environment (pandas, numpy, matplotlib) or SQL database access
  • Basic understanding of data analysis concepts
  • Sample datasets for testing skill capabilities

Time Estimate

20-40 minutes to set up and run first analysis

Installation Steps

  1. 1.Install data analysis skill using provided command
  2. 2.Prepare a sample dataset (CSV, JSON, or database connection)
  3. 3.Start with descriptive statistics: 'Summarize this dataset'
  4. 4.Progress to visualization: 'Create a scatter plot of X vs Y'
  5. 5.Advanced analysis: 'Run linear regression and interpret results'
  6. 6.Validate outputs: check calculations, verify visualizations make sense
  7. 7.Document analysis workflow for reproducibility

Common Pitfalls

  • Not validating statistical assumptions before applying tests
  • Accepting visualizations without checking data accuracy
  • Overlooking data quality issues (missing values, outliers)
  • Misinterpreting correlation as causation
  • Using wrong statistical test for data distribution
  • Not considering sample size and statistical power

Best Practices

✓ Do

  • +Always validate data quality before analysis
  • +Check statistical assumptions (normality, independence, etc.)
  • +Visualize data before running statistical tests
  • +Document analysis steps for reproducibility
  • +Cross-validate findings with domain experts
  • +Use skill for initial exploration, then dive deeper manually
  • +Save generated code for reuse on similar datasets

✗ Don't

  • Don't trust analysis without verifying data quality
  • Don't apply statistical tests without checking assumptions
  • Don't make business decisions solely on AI-generated analysis
  • Don't ignore outliers without investigating cause
  • Don't skip data validation and sanity checks
  • Don't use for mission-critical financial or medical analysis without expert review

💡 Pro Tips

  • Describe data context: 'This is user behavior data from e-commerce site'
  • Ask for interpretation: 'What does this correlation mean for business?'
  • Request multiple approaches: 'Show 3 ways to handle missing data'
  • Combine AI analysis with domain expertise for best insights
  • Use for rapid prototyping, then refine analysis manually

When to Use This

✓ Use When

Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.

✗ Avoid When

Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.

Learning Path

  1. 1Basic: descriptive statistics, data cleaning, simple visualizations
  2. 2Intermediate: hypothesis testing, regression, correlation analysis
  3. 3Advanced: time series analysis, clustering, predictive modeling
  4. 4Expert: causal inference, experimental design, advanced statistical methods

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.828 reviews
  • Xiao Martinez· Dec 24, 2024

    Keeps context tight: performing-windows-artifact-analysis-with-eric-zimmerman-tools is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Chaitanya Patil· Dec 16, 2024

    performing-windows-artifact-analysis-with-eric-zimmerman-tools is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Amina Diallo· Dec 8, 2024

    performing-windows-artifact-analysis-with-eric-zimmerman-tools has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Harper Gonzalez· Nov 27, 2024

    performing-windows-artifact-analysis-with-eric-zimmerman-tools reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Xiao Huang· Nov 15, 2024

    performing-windows-artifact-analysis-with-eric-zimmerman-tools is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Piyush G· Nov 7, 2024

    Keeps context tight: performing-windows-artifact-analysis-with-eric-zimmerman-tools is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Shikha Mishra· Oct 26, 2024

    Registry listing for performing-windows-artifact-analysis-with-eric-zimmerman-tools matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Xiao Choi· Oct 18, 2024

    I recommend performing-windows-artifact-analysis-with-eric-zimmerman-tools for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Kabir Liu· Oct 6, 2024

    performing-windows-artifact-analysis-with-eric-zimmerman-tools fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Advait Patel· Jul 3, 2024

    We added performing-windows-artifact-analysis-with-eric-zimmerman-tools from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

showing 1-10 of 28

1 / 3