WxTCmd is bundled with EZTools. This tool is a Windows 10 timeline database parser.
Windows 10 Timeline is a feature in Windows 10 that displays user activity and makes it possible to quickly return to previous documents, programs, videos, images, and websites.
From an incident response perspective, we may want to gather or recover evidence of an activity that happened inside our suspected endpoint before behaving in such odd behavior.
VSCmount is bundled with EZTools. This tool can be used to mount all VSCs on a drive letter to a given mount point.
Volume Shadow Copy (VSC) is a feature in Windows that allows the system to take a snapshot or backup of your files, volumes, etc.
From an incident response perspective, we may want to gather or recover evidence of a deleted file and compare the system to its previous state before the detection happened.
VSCMount.exe command line option and arguments
We can look for information about our Volume Shadow Copy in the following Registry paths:
HKLM\SYSTEM\CurrentControlSet\Services\VSS
HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
TimeLine Explorer is bundled with EZTools. This tool is used to view CSV and Excel(xls-x) files and can do filtering, grouping, sorting, and etc.
From an incident response perspective, we may be dealing with a lot of CVS and Excel file formats when we gather artifacts. Having a tool to parse and open these documents with ease can be very useful during investigation. Because, gathering evidence and artifacts alone consumes time, and looking inside these collected artifacts without a proper tool can drown us with data.
