Developed by Eric Zimmerman, the EZ Tools Suite is a collection of powerful utilities designed to enhance forensic investigations. Whether you're analyzing NTFS file structures, Windows Event Logs, or registry hives, these tools provide invaluable insights. Below are some of the key tools:
- MFTECmd – Parses and analyzes NTFS Master File Table (MFT) records and system files.
- EvtxECmd – A command-line parser for Windows Event Logs, standardizing data across different event types (e.g., 4624 vs. 5140).
- RECmd – Extracts, searches, and exports valuable data from Windows registry hives.
- PECmd – Parses Prefetch files to uncover evidence of program execution.
- JLECmd & LECmd – Analyze jump lists and shortcut (.lnk) files, revealing metadata on file interactions.
Though EZ Tools run natively on Windows, having the ability to use them seamlessly on Linux ensures forensic flexibility across platforms.
System Requirements: Preparing Your Linux Workstation
Before you begin, ensure your Linux machine meets the following prerequisites:
- Operating System – A modern Linux distribution like Ubuntu, Debian, Fedora, or Kali.
- Architecture – Intel is straightforward; Apple M-series systems pose challenges with virtualization, though Ubuntu and Kali ARM ISOs are available.
- Software Dependencies:
  - .NET 9 (Linux-native support)
  - Git (for cloning repositories, if building tools from source)
  - Common utilities (unzip, wget, curl) for downloading and extracting files
Installing .NET on Linux
Since EZ Tools are built on .NET, you'll need to install the .NET runtime. Below are the steps for Ubuntu, though the process is similar across distributions.
```sh
# Update package index and install prerequisites
sudo apt update
sudo apt install -y wget apt-transport-https software-properties-common
# Install .NET 9 into ~/.dotnet (the install script's default location).
# Add --runtime dotnet to install only the runtime instead of the full SDK.
wget https://builds.dotnet.microsoft.com/dotnet/scripts/v1/dotnet-install.sh -O /tmp/dotnet-install.sh
chmod +x /tmp/dotnet-install.sh
/tmp/dotnet-install.sh --channel 9.0
rm /tmp/dotnet-install.sh
# Make the alias persistent by appending it to ~/.bashrc, then reload the file.
# (An alias defined only in the current shell is lost when the shell exits.)
echo "alias dotnet='$HOME/.dotnet/dotnet'" >> ~/.bashrc
source ~/.bashrc
# Test installation
dotnet --info
```
Once installed, .NET is ready for EZ Tools.
Downloading & Setting Up EZ Tools
To begin using EZ Tools, download them into /opt/ or a preferred directory:
```sh
# Download and unzip MFTECmd
wget https://download.ericzimmermanstools.com/net9/MFTECmd.zip -O /tmp/MFTECmd.zip
sudo unzip /tmp/MFTECmd.zip -d /opt/MFTECmd
rm /tmp/MFTECmd.zip
# Persist the alias in ~/.bashrc and reload it
echo "alias mftecmd='dotnet /opt/MFTECmd/MFTECmd.dll'" >> ~/.bashrc
source ~/.bashrc
# Test tool functionality
mftecmd -h
```
Important: Folder structures within archives and file naming may vary. Always verify them before creating aliases.
Running EZ Tools & Verifying Output
Once installed, run EZ Tools against forensic artifacts. For example:
```sh
# Parse the MFT of a mounted NTFS volume and export the results to CSV.
# Use single quotes around the path: inside double quotes the shell would
# expand $MFT as an (empty) variable and the tool would be given "/mnt/drive/".
# --csv takes the output directory; --csvf sets the file name within it.
mftecmd -f '/mnt/drive/$MFT' --csv /mnt/output --csvf MFT_Analysis.csv
```
To quickly validate output:
```sh
head -10 /mnt/output/MFT_Analysis.csv | cut -d',' -f1-2,7,9,12-14,17 | tr ',' '\t'
```
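The one-liner above picks columns by position, which silently returns the wrong fields if the column order differs between tool versions. The helper below, an added example that is not code from the post, selects MFTECmd CSV columns by header name and filters rows by a column value; it runs on a constructed sample file whose header names are assumed to match MFTECmd's output.

```sh
#!/usr/bin/env bash
# Added example (not code from the SANS post): validate an MFTECmd CSV export by
# selecting columns by header name instead of numeric position, since the field
# order may differ between tool versions. The sample file below is constructed;
# its header names are assumed to match MFTECmd's CSV output.
set -eu

# Write a small constructed sample in the shape of an MFTECmd export.
write_sample_csv() {   # write_sample_csv PATH
    cat > "$1" <<'EOF'
EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30
5,5,True,.,.,,0,2024-01-01 00:00:00.0000000,2024-01-01 00:00:00.0000000
42,3,True,.\Users\alice,report.docx,.docx,18432,2024-03-02 10:15:00.0000000,2024-03-02 10:15:00.0000000
43,1,False,.\Users\alice,old.tmp,.tmp,512,2024-03-02 11:00:00.0000000,2024-03-02 11:00:00.0000000
EOF
}

# Number of data rows, excluding the header (0 for an empty or header-only file).
csv_rows() {           # csv_rows FILE
    awk 'END { print (NR > 0 ? NR - 1 : 0) }' "$1"
}

# Print the named columns, tab-separated, header included.
# Assumes the selected fields contain no embedded commas; quoted fields that
# contain commas would need a real CSV parser.
csv_cols() {           # csv_cols FILE col1,col2,...
    awk -F',' -v want="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        NR == 1 {
            n = split(want, w, ",")
            for (i = 1; i <= NF; i++) idx[$i] = i
            for (j = 1; j <= n; j++) {
                if (!(w[j] in idx)) { print "missing column: " w[j] > "/dev/stderr"; exit 2 }
                sel[j] = idx[w[j]]
            }
        }
        {
            out = ""
            for (j = 1; j <= n; j++) out = out (j > 1 ? "\t" : "") $(sel[j])
            print out
        }' "$1"
}

# Print the rows whose named column equals VALUE (header omitted).
# Example: csv_filter mft.csv InUse False lists entries marked not in use.
csv_filter() {         # csv_filter FILE COLUMN VALUE
    awk -F',' -v col="$2" -v val="$3" '
        { sub(/\r$/, "") }
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == col) c = i
            if (!c) { print "missing column: " col > "/dev/stderr"; exit 2 }
            next
        }
        $c == val' "$1"
}

# Demo on the constructed sample: ./csvcheck.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_csv "$f"
    echo "data rows: $(csv_rows "$f")"
    csv_cols "$f" EntryNumber,InUse,FileName,FileSize
    echo "--- entries not in use ---"
    csv_filter "$f" InUse False
    rm -f "$f"
fi
```

Point the functions at a real export (for example `csv_cols /mnt/output/MFT_Analysis.csv EntryNumber,FileName,FileSize`) once the tool has run; a "missing column" error then tells you immediately that the header is not what you expected, rather than handing you misaligned fields.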
Alternative: PowerShell-Based Installation
EZ Tools can also be downloaded using PowerShell, which is now cross-platform:
```sh
# Install PowerShell on Linux. This tarball is the arm64 build; on Intel/AMD
# hosts download the linux-x64 tarball from the same release instead.
wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-arm64.tar.gz -O /tmp/powershell.tar.gz
sudo mkdir -p /opt/powershell/
sudo tar zxf /tmp/powershell.tar.gz -C /opt/powershell/
sudo chmod +x /opt/powershell/pwsh
rm /tmp/powershell.tar.gz
# Persist the alias in ~/.bashrc, reload it, and start PowerShell
echo "alias pwsh='/opt/powershell/pwsh'" >> ~/.bashrc
source ~/.bashrc
pwsh
```
Once inside PowerShell, download the Get-ZimmermanTools.ps1 script to automate EZ Tools downloads and updates:
```powershell
PS> wget https://download.ericzimmermanstools.com/Get-ZimmermanTools.zip -O /tmp/Get-ZimmermanTools.zip
PS> sudo unzip /tmp/Get-ZimmermanTools.zip -d /opt/
PS> rm /tmp/Get-ZimmermanTools.zip
PS> /opt/Get-ZimmermanTools.ps1 -Dest /opt/ -NetVersion 9
```
The script writes the tools into the -Dest directory, so that directory must be writable by the account running pwsh; if /opt/ is not, point -Dest at a directory you own.
Automate Everything: Script It Up
For a streamlined forensic workflow, automate the installation and configuration process using a script. Check out my GitHub repository for a fully automated solution with error handling.
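The two things the manual steps above get wrong most often are the alias that is lost when the shell closes and the DLL path that differs from one archive layout to the next (the note above says to verify it before creating an alias). The script below is an added example, not the post's code and not the author's GitHub solution: it locates each tool's entry DLL wherever the archive put it, writes the alias to the rc file exactly once, and fails loudly at each step. The tool names and the net9 download URL pattern come from the post; `/opt/eztools`, the `~/.dotnet/dotnet` path (the dotnet-install.sh default) and the `-h` smoke test are assumptions.

```sh
#!/usr/bin/env bash
# Added example, not the SANS post's code or the author's GitHub script.
# Installs EZ Tools on Linux with error handling: finds each tool's DLL
# wherever the zip placed it and persists a lower-cased alias in the rc file.
set -eu

EZ_BASE_URL="https://download.ericzimmermanstools.com/net9"   # from the post
EZ_ROOT="${EZ_ROOT:-/opt/eztools}"                            # assumed install root
RC_FILE="${RC_FILE:-$HOME/.bashrc}"
DOTNET="${DOTNET:-$HOME/.dotnet/dotnet}"                      # dotnet-install.sh default

# Locate the entry-point DLL for a tool inside its extracted directory.
# Archive layouts differ between tools, so search instead of assuming a path.
# Prints the path and returns 0; returns 1 unless exactly one candidate exists.
find_tool_dll() {   # find_tool_dll DIR TOOLNAME
    dir=$1; tool=$2
    matches=$(find "$dir" -type f -name "$tool.dll" 2>/dev/null)
    [ -n "$matches" ] || return 1
    [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# Append an alias to the rc file exactly once, replacing a stale definition
# of the same name rather than adding a duplicate.
add_alias() {       # add_alias RCFILE NAME COMMAND
    rc=$1; name=$2; cmd=$3
    line="alias $name='$cmd'"
    touch "$rc"
    if grep -qxF "$line" "$rc"; then return 0; fi
    if grep -q "^alias $name=" "$rc"; then
        sed -i "/^alias $name=/d" "$rc"
    fi
    printf '%s\n' "$line" >> "$rc"
}

# Lower-case alias names, as in the post (MFTECmd -> mftecmd).
alias_name() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# Download, extract and register one tool; every step reports its own failure.
install_tool() {    # install_tool TOOLNAME
    tool=$1
    tmp=$(mktemp -d)
    if ! wget -q "$EZ_BASE_URL/$tool.zip" -O "$tmp/$tool.zip"; then
        echo "download failed: $tool" >&2; rm -rf "$tmp"; return 1
    fi
    sudo mkdir -p "$EZ_ROOT/$tool"
    sudo unzip -oq "$tmp/$tool.zip" -d "$EZ_ROOT/$tool"
    rm -rf "$tmp"
    if ! dll=$(find_tool_dll "$EZ_ROOT/$tool" "$tool"); then
        echo "could not find exactly one $tool.dll under $EZ_ROOT/$tool; check the archive layout" >&2
        return 1
    fi
    add_alias "$RC_FILE" "$(alias_name "$tool")" "$DOTNET $dll"
    # Smoke test (assumption: every EZ tool prints usage for -h); warn, don't abort.
    if ! "$DOTNET" "$dll" -h >/dev/null 2>&1; then
        echo "warning: '$tool -h' returned non-zero; verify it manually" >&2
    fi
    echo "installed $tool -> $dll"
}

# Usage: ./install-eztools.sh install
if [ "${1:-}" = "install" ]; then
    [ -x "$DOTNET" ] || { echo ".NET not found at $DOTNET; run dotnet-install.sh first" >&2; exit 1; }
    for t in MFTECmd EvtxECmd RECmd PECmd JLECmd LECmd; do
        install_tool "$t"
    done
    echo "Done. Run: source $RC_FILE"
fi
```

Run it as `./install-eztools.sh install`; because the aliases are written to `~/.bashrc` rather than defined in the running shell, they survive a new login, and re-running the script after a tool update rewrites each alias instead of appending a second copy.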
Final Thoughts: Forensics, the Linux Way
Running EZ Tools natively on Linux ensures forensic investigators can work efficiently within Linux-based workflows without relying on Windows environments.
With everything now set up, you're ready to harness the full investigative power of EZ Tools!
- https://www.sans.org/blog/running-ez-tools-natively-on-linux-a-step-by-step-guide/
- Eric Zimmerman’s Official Website – Latest EZ Tools updates