Install Eric Zimmerman's forensics toolkit

Oct 4, 2023 by Thibault Debatty | 920 views

Forensics Windows

https://cylab.be/blog/290/install-eric-zimmermans-forensics-toolkit

Eric Zimmerman has written a collection of powerful forensics analysis tools. The installation process requires some work, but here is a step by step guide to install the tools on a Windows 11 computer.

https://ericzimmerman.github.io/

There are actually 2 caveats for installation:

  1. You must first install .NET Desktop Runtime 6.0 and
  2. Eric Zimmerman has written a powershell script to download and update the tools, but to run the installation script you will first have to change PowerShell Execution policy...

Install .NET Desktop Runtime 6.0

Download and install the latest version of .NET Desktop Runtime environment from

https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Make sure you download the Desktop Runtime. It's located on the right on the page, as illustrated below...

download-dot-net-6.png

Change PowerShell Execution Policy

To change the PowerShelle Execution Policy, open Windows PowerShell as Administrator.

run-powershell.png

Then type the following command, and hit Y to accept the change:

Set-ExecutionPolicy RemoteSigned

powershell-policy.png

Download and run installation script

Now you can download the installation script from

https://f001.backblazeb2.com/file/EricZimmermanTools/Get-ZimmermanTools.zip

Extract the ZIP archive, open the folder in a terminal, and execute the script with

.\Get-ZimmermanTools.ps1

When asked, you can accept to always execute the script (A):

eric-zimmerman-installation.png

The installer shows you the progress...

eric-zimmerman-progress.png

Usage

After download and installation, the tools will be available in the net6 directory, like the RegistryExplorer...

registry-explorer.png

%PATH%

Some of the tools are actually command line tools, that are easier to use if their directory is added to the %PATH% environment variable. To modify your PATH:

  1. Open the Advanced System Settings

advanced-settings.png

  1. Click on the Environment variables button

environment-variables.png

  1. Select the Path variable and click on Edit

environemnt-variable-path.png

  1. Finally, add to the list the full path to Zimmerman's tools directory

path.png

Troubleshooting

If, during installation, you get the error message running scripts is disabled on this system, it means you forgot to Change PowerShell Execution Policy

installation-error-running-scripts-disabled.png

This blog post is licensed under CC BY-SA 4.0

Velociraptor : hunt malwares as a pack
Velociraptor is a digital forensic and incident response tool that allows to collect information on multiple endpoints at once, and easily analyze the collected data using Notebooks and a query language (called Velociraptor Query Language, VQL), which is very similar to SQL. This makes Velociraptor a valuable tool for threat hunting over a large network.
Nov 22, 2023 | 585 views
Explore the SAM hive with Regedit (and Sysinternals)
The Windows Registry is a kind of database that stores a lot of important configuration parameters for Windows and installed applications. The specific of this database is that the data is actually stored in different files called hives. One of these is the SAM (Security Account Manager) hive, which stores, among others, user passwords. Let's explore this hive a little..
Nov 21, 2023 | 632 views
Install Sysinternals
Sysinternals is a collection of powerful utilities for Windows. They can be used by system administrators to perform local or remote system administration, and also by analysts to perform some forensics tasks. The tools were originally developed by Mark Russinovich, and are now maintained by Microsoft. Here is how to install them...
Nov 21, 2023 | 378 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept