Eric Zimmerman Tools — The Parsing Arsenal

KAPE collected the evidence. Now you need to turn those binary files into data you can actually read, search, and investigate.

Estimated time: 30 minutes.

Eric Zimmerman Tools — The Parsing Arsenal

The parsers that turn raw artifacts into investigation answers

KAPE collected the evidence. Now you need to read it. Prefetch files are binary. The $MFT is a binary database. Registry hives are binary structures. Event logs are XML buried in binary wrappers. You cannot open any of these in a text editor and get useful information. Eric Zimmerman's tools — EZTools — parse every one of these formats into structured, searchable, sortable output that you can analyze in Timeline Explorer.

Eric Zimmerman is a former FBI Special Agent, a Senior Director at Kroll, a SANS instructor (FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting), and a three-time winner of the SANS DFIR NetWars Tournament. He has spent over a decade building the most widely used open-source forensic parsing tools in the industry — tools that are now taught in SANS courses, used by government CERT teams and law enforcement agencies worldwide, deployed by the Big 4 consulting firms, and relied upon by thousands of independent DFIR practitioners for every investigation they conduct.

The EZTools suite is not one tool — it is a collection of specialized parsers, each dedicated to a single Windows forensic artifact type. This specialization is deliberate. A general-purpose forensic tool attempts to parse everything and inevitably compromises on depth. A specialized parser does one thing and does it comprehensively — extracting every forensically relevant field from the artifact, handling every known format variation across Windows versions, and producing output that is immediately ready for investigation without further transformation.

The tools share a common design philosophy: command-line first (for scripting and automation), CSV/JSON output (for analysis in Timeline Explorer, Excel, Splunk, or any data analysis platform), consistent switch naming across tools (learn one, know them all), and aggressive artifact recovery (parsing artifacts that are partially corrupted, recovering data from slack space, handling artifacts from all Windows versions from XP through Windows 11). Each tool is a standalone executable with no dependencies beyond .NET — portable, deployable from USB, and runnable on any Windows system without installation.

The tools are free and open source. The official EZ Tools Manual (available on Leanpub as a free download) provides comprehensive documentation for every switch and output column. Andrew Rathbun, who co-authored the manual with Zimmerman, maintains additional documentation and examples on the KapeFiles GitHub repository.

Installation

EZTools are distributed as individual zip archives. Eric Zimmerman provides an automated download script that retrieves the latest version of every tool in one pass. The tools are portable executables — no installer, no system modifications, no dependencies beyond .NET Framework 4.6.2 (for legacy .NET Framework builds) or .NET 6+ (for newer cross-platform builds).

# Step 1: Download the Get-ZimmermanTools script
# Navigate to https://ericzimmerman.github.io/#!index.md
# Download Get-ZimmermanTools.zip and extract to C:\IR\Tools\EZTools\

# Step 2: Run the download script to get ALL EZTools
Set-Location "C:\IR\Tools\EZTools"
.\Get-ZimmermanTools.ps1 -Dest "C:\IR\Tools\EZTools"

# The script downloads the latest version of every tool:
# PECmd, AmcacheParser, AppCompatCacheParser, EvtxECmd,
# MFTECmd, RECmd, Registry Explorer, ShellBags Explorer,
# JLECmd, LECmd, SBECmd, RBCmd, WxTCmd, Timeline Explorer,
# MFTExplorer, EZViewer, SQLECmd, SrumECmd, SumECmd, bstrings,
# Hasher, iisGeoLocate, RLA, and more.

# Step 3: Verify the key tools are present
$criticalTools = @(
    "PECmd.exe",             # Prefetch parser
    "AmcacheParser.exe",     # Amcache parser
    "AppCompatCacheParser.exe", # ShimCache parser
    "EvtxECmd.exe",          # Event log parser (THE most important tool)
    "MFTECmd.exe",           # $MFT, $UsnJrnl, $LogFile parser
    "RECmd.exe",             # Registry batch processor
    "RegistryExplorer.exe",  # Registry GUI browser
    "ShellBagsExplorer.exe", # ShellBags GUI
    "JLECmd.exe",            # Jump List parser
    "LECmd.exe",             # LNK shortcut parser
    "SBECmd.exe",            # ShellBags command-line
    "RBCmd.exe",             # Recycle Bin parser
    "WxTCmd.exe",            # Windows Timeline parser
    "TimelineExplorer.exe",  # Interactive CSV viewer
    "SrumECmd.exe",          # SRUM parser
    "SQLECmd.exe"            # SQLite database parser
)

$found = 0; $missing = 0
foreach ($tool in $criticalTools) {
    $path = Get-ChildItem "C:\IR\Tools\EZTools" -Recurse -Filter $tool -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($path) {
        Write-Host "  OK  $tool" -ForegroundColor Green
        $found++
    } else {
        Write-Host "  MISSING  $tool" -ForegroundColor Red
        $missing++
    }
}
Write-Host "`n$found tools found, $missing missing" -ForegroundColor $(if ($missing -eq 0) { 'Green' } else { 'Red' })

All 16 critical tools should show OK. If any are missing, re-run the Get-ZimmermanTools script — it downloads the latest version of every tool in the suite.

The next step connects EZTools to KAPE. Without this integration, KAPE can collect artifacts but cannot process them — the Module phase fails silently because it cannot find the parser binaries.

# Copy EZTools parser executables to KAPE's Modules\bin\ directory
# This enables KAPE's !EZParser module to find and execute the parsers

$kapeBin = "C:\IR\Tools\KAPE\Modules\bin"
$ezDir = "C:\IR\Tools\EZTools"

# Create bin directory if it doesn't exist
New-Item -ItemType Directory -Path $kapeBin -Force | Out-Null

# Copy all EXE files from EZTools to KAPE bin
# The recursive search handles the nested directory structure
Get-ChildItem $ezDir -Recurse -Filter "*.exe" | ForEach-Object {
    Copy-Item $_.FullName -Destination $kapeBin -Force
}

# Also copy the EvtxECmd Maps directory — CRITICAL for event log enrichment
$mapsSource = Get-ChildItem $ezDir -Recurse -Directory -Filter "Maps" | Select-Object -First 1
if ($mapsSource) {
    Copy-Item $mapsSource.FullName -Destination "$kapeBin\Maps" -Recurse -Force
    Write-Host "EvtxECmd Maps copied: $(
        (Get-ChildItem "$kapeBin\Maps" -Recurse -Filter "*.map").Count
    ) map files" -ForegroundColor Cyan
}

# Verify the integration
$binCount = (Get-ChildItem $kapeBin -Filter "*.exe").Count
Write-Host "KAPE bin directory: $binCount executables ready" -ForegroundColor Green

The EvtxECmd Maps directory is frequently overlooked during installation and is critically important. Maps are YAML files that define how to extract meaningful fields from specific event log types. Without maps, EvtxECmd produces raw event data with generic column names. With maps, it produces enriched output with named columns specific to each event type — for example, a Security Event ID 4624 (logon) map extracts the target username, logon type, source IP, and authentication package into named columns, rather than leaving them buried in the raw XML payload. The community maintains over 700 maps covering every forensically significant event log type. Always copy the Maps directory alongside the EvtxECmd binary.

Tool-by-tool deep dive: what each parser extracts and what the output means

Each EZTools parser serves a specific investigation purpose. This section covers the four most critical parsers in depth — the tools you will use in every investigation. IR3-IR5 teach these tools in the context of specific artifact analysis; this section provides the operational foundation.

PECmd — Prefetch Parser (IR3: Execution and Persistence)

Prefetch is a Windows performance optimization feature that pre-loads frequently used applications. As a side effect, it creates forensic artifacts: one .pf file per executed program, containing the executable name, the last 8 execution timestamps (Windows 10/11), a run count, and a list of files and directories loaded during execution. PECmd parses these .pf files into structured CSV output.

What the investigation learns from PECmd output:

The ExecutableName column tells you what program ran. The LastRun column tells you when it most recently ran. The RunCount column tells you how many times it has run on this system. The PreviousRun0 through PreviousRun6 columns (Windows 10/11 only) provide timestamps for the 7 previous executions before LastRun. The FilesLoaded column lists every DLL and file referenced during execution — which can reveal the working directory, the files the program accessed, and any DLLs it loaded (including suspicious side-loaded DLLs).

# PECmd: Parse all Prefetch files from a KAPE collection
# Produces CSV with one row per .pf file

PECmd.exe -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\Prefetch" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Prefetch" --csvf prefetch.csv -q

# Key output columns and their investigation significance:
#
# ExecutableName    — program that ran (e.g., POWERSHELL.EXE-[hash].pf)
#   Investigation: what executed? Is this expected on this system?
#
# RunCount          — number of times the program has executed
#   Investigation: run count of 1 = first execution ever on this system
#   A run count of 1 for powershell.exe on a workstation that has been
#   in service for months is suspicious — PowerShell should have run
#   hundreds of times through normal system operations
#
# LastRun           — most recent execution timestamp (UTC)
#   Investigation: correlate with sign-in logs and event logs
#   to determine who was active when the program ran
#
# PreviousRun0-6   — up to 7 previous execution timestamps
#   Investigation: execution pattern — was this a one-time event
#   or repeated activity? A hacking tool with 7 run times over
#   3 days suggests persistent attacker activity
#
# SourceFilename   — the original .pf filename (includes hash)
#   The hash in the filename is based on the full path of the
#   executable, meaning the same program from different paths
#   produces different Prefetch files
#
# FilesLoaded       — DLLs and files referenced during execution
#   Investigation: reveals the working directory and any unusual
#   DLL loads (side-loading, DLL hijacking)

# Open the output in Timeline Explorer for analysis
TimelineExplorer.exe "C:\IR\Cases\INC-NE-2026-0315-001\Output\Prefetch\prefetch.csv"

EvtxECmd — Event Log Parser (IR5: Event Log Analysis)

EvtxECmd is arguably the single most important tool in the EZTools suite for incident response. Windows event logs are the richest chronological record of system activity — every logon, every process creation (if 4688 auditing is enabled), every service installation, every PowerShell command (if ScriptBlock logging is enabled), every scheduled task creation, every RDP connection. EvtxECmd parses all .evtx files from a KAPE collection into a single normalized CSV that can contain hundreds of thousands of rows spanning months of activity.

The critical capability that distinguishes EvtxECmd from other event log parsers is its Maps system. Windows event logs store data in XML payloads where the structure varies by event type — a Security Event ID 4624 (logon) has completely different XML fields than a System Event ID 7045 (service installation). Without maps, the parser outputs raw XML, and the investigator must manually parse each event type. With maps, EvtxECmd extracts the specific forensically relevant fields from each event type into named columns — TargetUserName, LogonType, IpAddress for logon events; ServiceName, ImagePath, ServiceType for service events; ScriptBlockText for PowerShell events. The community maintains over 700 maps covering every event type that matters for IR.

# EvtxECmd: Parse all event logs from a KAPE collection
# Uses maps to extract and normalize forensically relevant fields

EvtxECmd.exe -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\System32\winevt\Logs" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\EventLogs" --csvf events.csv -q

# To sync maps to the latest community versions:
EvtxECmd.exe --sync
# This downloads updated map files from the EricZimmerman/evtx GitHub repo

# Key output columns:
#
# TimeCreated       — when the event occurred (UTC)
# EventId           — the event ID (4624, 4688, 7045, 4104, etc.)
# Provider          — which log source (Security, System, PowerShell, etc.)
# Channel           — the log file name
# Computer          — hostname that generated the event
# MapDescription    — human-readable description from the map
#   e.g., "Logon - successful" or "Service installed"
#
# PayloadData1-6    — extracted fields specific to each event type
#   The map defines what goes into each PayloadData column
#   For 4624 logon events: PayloadData1 = TargetUserName,
#   PayloadData2 = LogonType, PayloadData3 = IpAddress
#   For 7045 service events: PayloadData1 = ServiceName,
#   PayloadData2 = ImagePath
#
# UserName          — account associated with the event
# RemoteHost        — source system (for network logons)

A typical workstation collection produces 50,000-500,000 event log entries. A domain controller can produce millions. Timeline Explorer handles these volumes efficiently with column filtering, date range selection, and text search. The investigation workflow: load the CSV in Timeline Explorer, sort by TimeCreated, filter to the investigation timeframe, and filter by EventId to focus on specific event types (4624 for logons, 4688 for process creation, 7045 for service installation, 4104 for PowerShell execution).

MFTECmd — NTFS Metadata Parser (IR4: Filesystem and Registry)

The $MFT (Master File Table) is the index of every file and directory that has ever existed on an NTFS volume. Every file creation, modification, and deletion is recorded in the $MFT. Even after a file is deleted, its $MFT entry persists (marked as free but not overwritten until the space is needed) — meaning the investigator can see deleted files, their original paths, their sizes, and their timestamps even after the attacker has attempted to clean up.

MFTECmd parses the raw $MFT binary into a CSV with one row per file/directory. For a typical workstation, this is 500,000 to 2,000,000 rows — every file the system has ever contained. The investigation value is in the timestamps: each $MFT entry contains four timestamps from the $STANDARD_INFORMATION attribute (Created, Modified, Accessed, Entry Modified) and four more from the $FILE_NAME attribute. Discrepancies between the $SI and $FN timestamps can indicate timestomping — an anti-forensic technique where the attacker modifies the $SI timestamps to make a malicious file appear old, but the $FN timestamps (which are harder to modify) retain the true creation time.

MFTECmd also parses the $UsnJrnl (USN Change Journal) — a sequential log of every file system operation. Where the $MFT shows the current state of each file (or the state at deletion), the $UsnJrnl shows the history of operations: file created, file renamed, file modified, file deleted, attributes changed. The $UsnJrnl is particularly valuable for tracking file manipulation sequences — "update.exe was created, then renamed to svchost.exe, then moved to C:\Windows\, then the original file was deleted."

# MFTECmd: Parse the $MFT from a KAPE collection
# The backtick (`) escapes the $ in PowerShell

MFTECmd.exe -f "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\`$MFT" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Filesystem" --csvf mft.csv -q

# Parse the $UsnJrnl change journal
MFTECmd.exe -f "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\`$Extend\`$UsnJrnl:`$J" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Filesystem" --csvf usnjrnl.csv -q

# Key $MFT output columns:
#
# EntryNumber       — MFT record number (unique file identifier)
# FileName          — file or directory name
# ParentPath        — full directory path
# Extension         — file extension
# FileSize          — size in bytes
# IsDirectory       — true/false
#
# TIMESTAMPS (the investigation core):
# Created0x10       — $STANDARD_INFORMATION creation time
# Created0x30       — $FILE_NAME creation time
# LastModified0x10  — last content modification
# LastAccess0x10    — last access time
# LastRecordChange0x10 — last MFT record modification
#
# If Created0x10 ≠ Created0x30, possible timestomping detected
# The $FN (0x30) timestamp is harder to modify than $SI (0x10)
#
# InUse             — true = active file, false = deleted (record free)
#   Even "false" entries retain the file's metadata — name, path,
#   size, timestamps — evidence of what was deleted and when

Timeline Explorer — The Investigation Workbench (IR3-IR7, IR13-IR16)

Timeline Explorer is where the investigation actually happens. It is a purpose-built CSV viewer designed for forensic data — optimized for loading millions of rows, filtering by any column, sorting by timestamp, color-coding rows by criteria, and exporting filtered subsets. Where Excel struggles with large datasets and crashes on 500,000+ row CSVs, Timeline Explorer handles them efficiently.

The workflow for every investigation in this course: parse the KAPE collection with EZTools (manually or via KAPE's !EZParser module), load the resulting CSV files into Timeline Explorer, and build the investigation timeline by filtering and sorting.

# Open Timeline Explorer with parsed event logs
TimelineExplorer.exe "C:\IR\Cases\INC-NE-2026-0315-001\Output\EventLogs\events.csv"

# Timeline Explorer capabilities for investigation:
#
# Column filtering — click any column header to filter
#   Filter EventId to 4624 → shows only logon events
#   Filter EventId to 4688 → shows only process creation events
#   Filter UserName to "jmorrison" → shows only events for that user
#   Combine filters: EventId=4624 AND TimeCreated > 14:00 → logons
#   after the suspected compromise time
#
# Date range selection — filter TimeCreated to investigation window
#   "Show me everything between 14:00 and 16:00 on March 15"
#
# Text search — search any column for specific values
#   Search "powershell" across all columns → finds every event
#   mentioning PowerShell regardless of event type
#
# Color coding — highlight rows matching specific criteria
#   Red for Event ID 4625 (failed logon) → spot brute force patterns
#   Orange for Event ID 7045 (service installed) → spot persistence
#   Yellow for Event ID 1102 (log cleared) → spot anti-forensics
#
# Multi-file loading — load multiple CSVs simultaneously
#   Load Prefetch + event logs + MFT in one session
#   Sort all by timestamp → unified chronological timeline
#   across all artifact types
#
# Export — save filtered views to new CSV files
#   Export the investigation timeline for the IR report
#   Export specific findings for colleague review

The multi-file capability is critical for cross-artifact correlation. The investigation question "what happened at 14:32 on March 15?" requires data from multiple sources: Prefetch (what executed), event logs (who was logged in, what processes were created), MFT (what files were created or modified), and registry (what persistence was installed). Loading all of these in Timeline Explorer and sorting by timestamp produces a unified timeline that tells the complete story of that moment — across all artifact types simultaneously.

Additional parsers: the complete reference

Beyond the four core parsers, EZTools includes specialized tools for additional artifact types. Each is used in specific investigation contexts:

RECmd — Registry Batch Processor (IR4). Command-line tool that processes multiple registry hives against predefined "batch" files containing forensic extraction rules. Where Registry Explorer is interactive (one hive at a time, manual navigation), RECmd automates extraction across all hives. The community-maintained batch file RECmd_Batch_MC.reb extracts the most forensically significant keys from all hive types: Run/RunOnce persistence, UserAssist execution history, TypedPaths, RecentDocs, USB device history, network profiles, installed software, service configurations, and more.

# RECmd: batch process all registry hives
RECmd.exe --bn "C:\IR\Tools\EZTools\BatchExamples\RECmd_Batch_MC.reb" -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence" --csv "C:\IR\Cases\INC-NE-2026-0315-001\Output\Registry" --csvf registry.csv -q

Registry Explorer — Interactive Registry Browser (IR4). GUI tool for loading and browsing individual registry hives. Includes bookmarks that highlight forensically significant keys — the investigator loads a NTUSER.DAT hive and immediately sees bookmarks for Run persistence, UserAssist, TypedPaths, RecentDocs, and other high-value locations. Essential for targeted analysis of specific keys rather than batch processing.

ShellBags Explorer / SBECmd — Folder Navigation History (IR4). Parses ShellBags data from UsrClass.dat to reconstruct every folder the user opened in Windows Explorer. ShellBags persist even after folders are deleted — meaning the investigator can prove the user navigated to a specific path (including paths on USB drives and network shares) even if the folder no longer exists. SBECmd is the command-line version for scripted processing.

JLECmd — Jump List Parser (IR3-IR4). Jump Lists record which files were recently accessed through each taskbar-pinned application. Each Jump List entry includes the target file path, timestamps, and the application used to open it. This provides evidence of user interaction with specific documents — "the user opened invoice_modified.xlsx through Excel at 15:23."

LECmd — LNK Shortcut Parser (IR3-IR4). Windows creates .lnk shortcut files when files are opened, and these shortcuts persist after the original file is deleted or the USB drive is disconnected. Each LNK file records the target file's original path, MAC timestamps, file size, and — critically — the volume serial number of the drive where the file resided. This can prove that a specific USB drive (identifiable by serial number) contained a specific file at a specific time.

RBCmd — Recycle Bin Parser (IR4). Parses Recycle Bin metadata ($I and $R files) to determine what was deleted, when it was deleted, and the original file path before deletion. Even after the Recycle Bin is emptied, the $I metadata files may persist and the $MFT entries for the deleted files still exist.

SrumECmd — SRUM Parser. Parses the System Resource Usage Monitor database (SRUDB.dat), which records per-application network usage (bytes sent/received per hour), application execution time, and energy usage. SRUM data covers the last 30-60 days of activity. The network usage data is particularly valuable for identifying data exfiltration — an application that sent 2 GB of data between 02:00 and 04:00 is suspicious even if the application name is a legitimate Windows binary (living-off-the-land exfiltration).

SQLECmd — SQLite Database Parser. Parses SQLite databases used by Chrome, Firefox, Edge, and numerous applications for storing user data. Browser history, bookmarks, downloads, cookies, autofill data, and search terms are stored in SQLite databases that SQLECmd extracts into CSV format.

Building the automated processing pipeline

For production investigations, automate the entire parsing pass so that every artifact is processed in a single script execution. This eliminates the manual step of running each parser individually.

# Automated EZTools processing pipeline
# Save as: C:\IR\Tools\Scripts\Parse-All.ps1
# Usage: .\Parse-All.ps1 -CasePath "C:\IR\Cases\INC-NE-2026-0315-001"

param(
    [Parameter(Mandatory)][string]$CasePath
)

$ez = "C:\IR\Tools\EZTools"
$evidence = "$CasePath\Evidence"
$output = "$CasePath\Output"
New-Item -ItemType Directory -Path $output -Force | Out-Null

Write-Host "=== EZTools Processing Pipeline ===" -ForegroundColor Cyan
Write-Host "Case: $CasePath" -ForegroundColor White
$startTime = Get-Date

# 1. Prefetch → Evidence of Execution
$pfPath = Get-ChildItem $evidence -Recurse -Directory -Filter "Prefetch" | Select-Object -First 1
if ($pfPath) {
    & "$ez\PECmd.exe" -d $pfPath.FullName --csv "$output\Prefetch" --csvf prefetch.csv -q
    Write-Host "  Prefetch: $(
        (Import-Csv "$output\Prefetch\prefetch.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 2. Event Logs → Chronological Activity
$evtxPath = Get-ChildItem $evidence -Recurse -Directory -Filter "Logs" |
    Where-Object { $_.FullName -like "*winevt*" } | Select-Object -First 1
if ($evtxPath) {
    & "$ez\EvtxECmd.exe" -d $evtxPath.FullName --csv "$output\EventLogs" --csvf events.csv -q
    Write-Host "  Event Logs: $(
        (Import-Csv "$output\EventLogs\events.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 3. Amcache → Execution with Hashes
$amcache = Get-ChildItem $evidence -Recurse -Filter "Amcache.hve" | Select-Object -First 1
if ($amcache) {
    & "$ez\AmcacheParser.exe" -f $amcache.FullName --csv "$output\Amcache" --csvf amcache.csv -q
    Write-Host "  Amcache: DONE" -ForegroundColor Green
}

# 4. $MFT → Filesystem Timeline
$mft = Get-ChildItem $evidence -Recurse -Filter '$MFT' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($mft) {
    & "$ez\MFTECmd.exe" -f $mft.FullName --csv "$output\Filesystem" --csvf mft.csv -q
    Write-Host "  MFT: $(
        (Import-Csv "$output\Filesystem\mft.csv" -ErrorAction SilentlyContinue).Count
    ) entries" -ForegroundColor Green
}

# 5. Registry Batch → Persistence, User Activity, System Config
& "$ez\RECmd.exe" --bn "$ez\BatchExamples\RECmd_Batch_MC.reb" -d $evidence --csv "$output\Registry" --csvf registry.csv -q 2>$null
Write-Host "  Registry: DONE" -ForegroundColor Green

# 6. ShellBags → Folder Navigation
$usrclass = Get-ChildItem $evidence -Recurse -Filter "UsrClass.dat" -ErrorAction SilentlyContinue
foreach ($uc in $usrclass) {
    $user = $uc.Directory.Parent.Name
    & "$ez\SBECmd.exe" -d $uc.DirectoryName --csv "$output\ShellBags" --csvf "shellbags_$user.csv" -q 2>$null
}
Write-Host "  ShellBags: DONE" -ForegroundColor Green

$elapsed = (Get-Date) - $startTime
Write-Host "`n=== Pipeline complete in $([math]::Round($elapsed.TotalMinutes, 1)) minutes ===" -ForegroundColor Cyan
Write-Host "Output: $output" -ForegroundColor White
Write-Host "Next: Open CSV files in Timeline Explorer for analysis" -ForegroundColor White

This pipeline runs in 2-10 minutes depending on the collection size. The output is a set of CSV files organized by evidence category, ready for Timeline Explorer analysis. Save this script to C:\IR\Tools\Scripts\Parse-All.ps1 and include it in the jump bag — it automates the parsing step that follows every KAPE collection.

EZTools are installed and integrated. One question comes up from teams with existing commercial tool investments.

EZTools are installed, integrated with KAPE, and validated. The parsing pipeline is operational — every KAPE collection you run from this point forward produces structured CSV ready for analysis. Timeline Explorer is where those CSVs become an investigation narrative.

KAPE and EZTools handle the endpoint you can physically reach. The next tool handles the endpoints you cannot — remote collection across a fleet without requiring physical access or RDP.