WxTCmd

Incident Response with EZTools - WxTCmd

WxTCmd is bundled with EZTools. This tool is a Windows 10 timeline database parser.

Windows 10 Timeline is a feature in Windows 10 that displays user activity and makes it possible to quickly return to previous documents, programs, videos, images, and websites.

From an incident response perspective, we may want to gather or recover evidence of the user and application activity that happened on a suspected endpoint before it started behaving oddly.

VSCMount

Incident Response with EZTools - VSCMount

VSCMount is bundled with EZTools. This tool can be used to mount all Volume Shadow Copies (VSCs) on a drive letter to a given mount point.

Volume Shadow Copy (VSC) is a feature in Windows that allows the system to take a snapshot or backup of your files, volumes, etc.

From an incident response perspective, we may want to gather or recover evidence of a deleted file and compare the system to its previous state before the detection happened.

VSCMount.exe command line options and arguments

We can look for information about our Volume Shadow Copy in the following Registry paths:

HKLM\SYSTEM\CurrentControlSet\Services\VSS

HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
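The following PowerShell triage snippet is an added example, not part of EZTools or the original page: it reads the VSS service configuration and the BackupRestore exclusion lists from the two registry paths above, then lists the shadow copies currently present on the host so an examiner knows what VSCMount can expect to expose. It assumes an elevated PowerShell session on the live suspect system; the subkey names FilesNotToSnapshot, FilesNotToBackup and KeysNotToRestore are standard Windows keys, but their presence varies by build.

```powershell
# Added triage snippet (not EZTools code). Assumes an elevated PowerShell
# session on the live suspect host.
$base = 'HKLM:\SYSTEM\CurrentControlSet'

# 1. VSS service configuration. Start: 2 = Automatic, 3 = Manual, 4 = Disabled.
#    A disabled service explains why no recent snapshots exist.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$vss = Get-ItemProperty -Path "$base\Services\VSS" -ErrorAction Stop
[pscustomobject]@{
    Service   = 'VSS'
    StartType = if ($startNames.ContainsKey([int]$vss.Start)) { $startNames[[int]$vss.Start] } else { $vss.Start }
    ImagePath = $vss.ImagePath
}

# 2. BackupRestore exclusion lists. Each value is a multi-string of paths that
#    the VSS writers leave out of snapshots or backups. Many products register
#    legitimate entries, but an unexpected entry is the reason a file of
#    interest has no copy inside any VSC, so record them with the evidence.
foreach ($sub in 'FilesNotToSnapshot', 'FilesNotToBackup', 'KeysNotToRestore') {
    $key = Get-Item -Path "$base\Control\BackupRestore\$sub" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $sub
            Entry = $name
            Paths = (@($key.GetValue($name)) -join '; ')
        }
    }
}

# 3. Shadow copies that exist right now, oldest first. These are the snapshots
#    VSCMount would mount under the chosen mount point; the creation time of
#    each one bounds the "previous state" an examiner can compare against.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object @{ n = 'Created'; e = { $_.InstallDate } }, ID, VolumeName, DeviceObject
```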


The Volume Shadow Knows

Volume Shadow Copy Part 1

Volume Shadow Copy Part 2

Volume Shadow Copy Part 3

Timeline Explorer

Incident Response with EZTools - CSV XLS Format Viewer

Timeline Explorer is bundled with EZTools. This tool is used to view CSV and Excel (xls/xlsx) files and can filter, group, sort, and otherwise work with their contents.

From an incident response perspective, we may be dealing with a lot of CSV and Excel files when we gather artifacts, since most EZTools parsers write their output in these formats. Having a tool that opens and parses these documents with ease is very useful during an investigation: gathering evidence and artifacts already consumes time, and looking through the collected artifacts without a proper viewer can drown us in data.