[DFIR TOOLS] EvtxECmd, what is it & how to use!

Following on from the previous [DFIR TOOLS] posts.

• [DFIR TOOLS] Timeline Explorer, what is it & how to use!
• [DFIR TOOLS] AmcacheParser, what is it & how to use
• [DFIR TOOLS] AppCompatCacheParser, what is it & how to use!
• [DFIR TOOLS] bstrings, what is it & how to use!

This time we we are going to talk about one of my favourite tools EvtxECmd.

So, what does Mr Zimmerman say about it:-

But it is way more than just that, coupled with ‘Timeline Explorer’ it is a ridiculously powerful tool.

Before I get into it there is a fantastic video by my friend Richard/Mr 13 Cubed that I urge you to watch as he explains it all better than I ever could.

What is EvtxECmd?

Well, as you can see if the video above it parses the event logs into a more usable format like CSV so we can load it into a viewer like ‘Timeline Explorer’ for investigation, because it is in ‘Timeline Explorer’ we can then dig down like into the Event ID and Login Type etc.

I won’t go over what has already been written by Zimmerman himself so check out his posts:-

http://windowsir.blogspot.com/2019/05/evtxecmd.html

https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html

Regards

Alex