TZWorks LLC
System Analysis and Programming
tzworks.com
TZWorks LLC is a small business located in Virginia that specializes in the design and development of cyber-related tools. We provide an array of software security products that can be customized for either passive or proactive requirements, including e-discovery, computer incident response, malware detection, remote monitoring and data exfiltration.
Built from the ground up, all critical parsing of data is done via TZWorks® internal libraries. This minimizes the number of required library dependencies (DLLs), which in turn reduces the chance that a compromised DLL influences the final results. When appropriate, artifact data is collected at the cluster level so that file statistics or data content are not masked or modified by a rootkit sitting in the file system API path. Each tool performs a self-check on startup to confirm that its internal hash matches the value recorded when it was released; this, together with signing each tool with an X.509 code-signing certificate and built-in error checking, detects a tool image that has been modified or corrupted before it runs. Collectively, these measures give high confidence that the data returned by one of our tools has not been altered by malware or a rootkit resident on the host. The startup self-check validates the image as loaded; it complements, rather than replaces, verifying the vendor signature on the binary before execution, which is the check the examiner controls.
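As an added illustration of the self-check pattern described above (this is not the TZWorks implementation, whose internal layout the page does not describe), the following Python stores the expected SHA-256 digest in a trailer on the image, hashes everything except that trailer at startup, and then shows why a passing self-check proves consistency but not origin. The trailer marker and layout are assumptions made for the example.

```python
import hashlib
import hmac

# Hypothetical trailer layout: an 8-byte marker followed by a 32-byte SHA-256 digest.
MAGIC = b"SELFCHK1"
TRAILER_LEN = len(MAGIC) + 32


def seal(image: bytes) -> bytes:
    """Append a trailer carrying the digest of everything before it.

    The digest cannot cover the trailer itself (it would have to contain its own
    hash), so the hashed region is the body only; the checker must agree on that
    boundary.
    """
    return image + MAGIC + hashlib.sha256(image).digest()


def self_check(sealed: bytes) -> bool:
    """Return True when the body hashes to the digest recorded in the trailer."""
    if len(sealed) < TRAILER_LEN:
        return False
    body, trailer = sealed[:-TRAILER_LEN], sealed[-TRAILER_LEN:]
    if trailer[: len(MAGIC)] != MAGIC:
        return False
    expected = trailer[len(MAGIC):]
    return hmac.compare_digest(expected, hashlib.sha256(body).digest())


def demo() -> tuple:
    """Seal a constructed image, tamper with it, and re-seal the tampered copy.

    Returns (check passes on sealed image, check passes after a byte flip,
             check passes after the attacker re-seals the tampered body).
    """
    image = b"MZ" + bytes(range(256)) * 4        # constructed stand-in for a tool image
    sealed = seal(image)
    intact = self_check(sealed)

    patched = bytearray(sealed)
    patched[100] ^= 0xFF                          # one-byte patch inside the code body
    detected = self_check(bytes(patched))

    # Whoever can rewrite the file can also recompute the trailer, so a passing
    # self-check proves the image is self-consistent, not where it came from;
    # origin comes from the vendor's X.509 signature, which cannot be regenerated
    # without the signing key.
    resealed = seal(bytes(patched)[:-TRAILER_LEN])
    return intact, detected, self_check(resealed)
```

`demo()` returns `(True, False, True)`: the untouched image passes, the patched image is caught, and the re-sealed patched image passes again, which is exactly the gap an external signature check closes.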
Pulling artifacts from a live system is the default behavior for our tools. Any file that the operating system holds locked, such as registry hives, journaling files or other critical system files, can be examined by reading the raw data at the cluster level rather than through a file handle. This live collection is paired with parallel processing that converts the raw data into readable, usable results for the responder in near real time, so that triage can begin immediately. The tools run out of the box without installation, so they can be launched from a CD/DVD, a USB thumb drive or a network share to collect data quickly while leaving a minimal footprint on the host. For live collection across Windows hosts, the tools are compiled for Intel and ARM64 machines and support Windows versions from Windows XP through Windows 11.
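The following is an added example, not TZWorks code, of the raw-volume approach described above: it parses an NTFS boot sector to locate the Master File Table and reads an MFT record straight from the volume device, which sidesteps the sharing locks that make a normal open() fail on a registry hive or $UsnJrnl. The sample boot sector is constructed for the demonstration; on a live Windows host the script would be pointed at `\\.\C:` from an elevated prompt.

```python
import io
import struct
import sys


class NtfsGeometry:
    """Fields from the NTFS boot sector (BPB) needed to address clusters and the MFT."""

    def __init__(self, boot: bytes):
        if len(boot) < 512 or boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
            raise ValueError("not an NTFS boot sector")
        self.bytes_per_sector = struct.unpack_from("<H", boot, 0x0B)[0]
        spc = boot[0x0D]
        # Clusters above 64 KiB (Win10+) encode sectors/cluster as a negative power of two
        self.sectors_per_cluster = spc if spc < 0x80 else 1 << (256 - spc)
        self.cluster_size = self.bytes_per_sector * self.sectors_per_cluster
        self.mft_cluster = struct.unpack_from("<Q", boot, 0x30)[0]
        cpr = struct.unpack_from("<b", boot, 0x40)[0]      # clusters per MFT record
        self.mft_record_size = cpr * self.cluster_size if cpr > 0 else 1 << (-cpr)
        self.mft_offset = self.mft_cluster * self.cluster_size


def read_mft_record(volume, geom: NtfsGeometry, index: int) -> bytes:
    """Read MFT record `index` directly from the volume.

    No file handle is involved, so file-level locks do not apply.  The arithmetic
    is only valid while the MFT is contiguous from its first cluster (record 0
    and the early system records); later records need the $MFT $DATA run list.
    """
    volume.seek(geom.mft_offset + index * geom.mft_record_size)
    rec = volume.read(geom.mft_record_size)
    if rec[:4] != b"FILE":
        raise ValueError(f"record {index}: missing FILE signature")
    return rec


def build_sample_boot() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 sectors/cluster, $MFT at cluster 4,
    1024-byte MFT records (0xF6 = -10 -> 2**10)."""
    b = bytearray(512)
    b[0:3] = b"\xeb\x52\x90"
    b[3:11] = b"NTFS    "
    struct.pack_into("<H", b, 0x0B, 512)
    b[0x0D] = 8
    b[0x15] = 0xF8                                # media descriptor
    struct.pack_into("<Q", b, 0x28, 0x1000)       # total sectors
    struct.pack_into("<Q", b, 0x30, 4)            # $MFT start cluster
    struct.pack_into("<Q", b, 0x38, 0x800)        # $MFTMirr start cluster
    struct.pack_into("<b", b, 0x40, -10)          # clusters per MFT record
    struct.pack_into("<b", b, 0x44, 1)            # clusters per index record
    b[510:512] = b"\x55\xaa"
    return bytes(b)


def demo_on_constructed_volume() -> dict:
    """Assemble an in-memory volume around the sample boot sector and read record 0."""
    geom = NtfsGeometry(build_sample_boot())
    vol = bytearray(geom.mft_offset + 2 * geom.mft_record_size)
    vol[0:512] = build_sample_boot()
    vol[geom.mft_offset:geom.mft_offset + 4] = b"FILE"
    rec = read_mft_record(io.BytesIO(bytes(vol)), geom, 0)
    return {"cluster_size": geom.cluster_size, "mft_offset": geom.mft_offset,
            "record_size": geom.mft_record_size, "sig": rec[:4]}


if __name__ == "__main__":
    # Live use (Windows, elevated):  python ntfs_mft.py \\.\C:
    # Raw device reads must be sector-aligned, hence the unbuffered handle.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb", buffering=0) as dev:
            geom = NtfsGeometry(dev.read(512))
            print(read_mft_record(dev, geom, 0)[:48].hex())
    else:
        print(demo_on_constructed_volume())
```

Record 0 is $MFT itself; walking its $DATA run list is what a full tool does next to reach records that are not in the first contiguous run.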
Our tools work across a number of operating systems, giving the examiner the flexibility to use the operating system of their choice for offline processing during artifact analysis. Currently over 90% of the tools are compiled for Linux and macOS; all of the tools are compiled for both 32- and 64-bit versions of Windows.
Given the range of character sets in use globally, a tool must be able to handle Chinese, Arabic or any other non-ASCII character set. A Unicode library is therefore embedded in each of our tools so they can process and output multi-language character sets.
Using any of the popular scripting languages, one can automate the TZWorks® toolset for insertion into many workflow processes. On the front end, the tools can be configured to read raw 'dd' images, VMware images, raw files extracted by another tool, or a collection of files located across various directories. On the back end, the output can be written in CSV format, Log2Timeline format or unformatted text. To maximize importability of the results, the suite includes a utility to convert any tool's CSV output into (a) an HTML table, (b) JSON or (c) a SQLite database.
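As an added example using only the Python standard library (it is not the TZWorks conversion utility), the following loads a constructed CSV listing of the kind a tool might emit and writes it to JSON and SQLite. The detail worth copying is the identifier quoting: column names come from the file's header and cannot be bound as SQL parameters, so they must be quoted by hand or a crafted header becomes an injection into the CREATE TABLE statement.

```python
import csv
import io
import json
import sqlite3

# Constructed sample of the kind of CSV an artifact tool might emit.
SAMPLE_CSV = """\
path,size,modified,sha256
C:\\Windows\\System32\\config\\SAM,65536,2024-01-05T10:22:31Z,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
C:\\Users\\Public\\run.exe,4096,2024-01-06T08:00:00Z,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def rows_from_csv(text: str) -> list:
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def csv_to_json(text: str) -> str:
    return json.dumps(rows_from_csv(text), indent=2)


def quote_ident(name: str) -> str:
    """Quote a SQL identifier.  Identifiers cannot be bound with '?', so header
    names taken from a file must be quoted here; doubling embedded quotes stops a
    header such as  x") TEXT); DROP TABLE t;--  from breaking out of the statement."""
    return '"' + name.replace('"', '""') + '"'


def csv_to_sqlite(text: str, table: str, db_path: str = ":memory:") -> sqlite3.Connection:
    """Create `table` with one TEXT column per CSV header and load every row."""
    reader = csv.reader(io.StringIO(text))
    columns = next(reader)
    con = sqlite3.connect(db_path)
    cols_sql = ", ".join(f"{quote_ident(c)} TEXT" for c in columns)
    con.execute(f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} ({cols_sql})")
    placeholders = ", ".join("?" * len(columns))   # row values are always bound, never formatted in
    con.executemany(f"INSERT INTO {quote_ident(table)} VALUES ({placeholders})", reader)
    con.commit()
    return con


def count_rows(con: sqlite3.Connection, table: str) -> int:
    return con.execute(f"SELECT COUNT(*) FROM {quote_ident(table)}").fetchone()[0]


def table_columns(con: sqlite3.Connection, table: str) -> list:
    return [row[1] for row in con.execute(f"PRAGMA table_info({quote_ident(table)})")]


def hostile_header_demo() -> bool:
    """A header that tries to close the CREATE TABLE statement ends up as a plain column name."""
    evil = 'id,"x"") TEXT); DROP TABLE evidence;--"\n1,2\n'
    con = csv_to_sqlite(evil, "evidence")
    return (count_rows(con, "evidence") == 1
            and 'x") TEXT); DROP TABLE evidence;--' in table_columns(con, "evidence"))
```

All columns are created as TEXT so nothing is lost on import; cast `size` or timestamps in the query that needs them rather than guessing types from the header.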
Many of the tools are compiled for Windows, Linux and macOS; a few are compiled only for Windows and Linux. The Venn diagram below shows which tool is compiled for which operating system.
With ARM chipsets increasingly used by these operating systems, the TZWorks tools have also been compiled for several ARM64 targets.
From the table above, one should note that for Windows the Win32 binaries should work on all flavors (CPU type and version), including Windows 11 on ARM64, because Windows 11 ARM64 includes an emulator that allows Intel 32-bit binaries to run; for the TZWorks tools this covers all of the Intel 32-bit (and Intel 64-bit) builds. Under emulation the binaries run more slowly but still work, whereas the natively compiled binaries are considerably faster and require less CPU.
For Linux, only the binary compiled natively for the host's CPU architecture will run.
For macOS, the fat binary contains both the Intel and ARM 64-bit builds in one Mach-O package, so the host operating system loads the optimal build for its CPU. The Mach-O packages have been tested from OS X 10.9 up to the latest macOS versions, on both Intel and ARM chipsets. The GUI tools (yaru, gena, evtx_view and pe_view) require the X Window System (X11) to be present. Older OS X versions included it; current macOS versions do not. X11 can be added to any macOS where it is absent by installing the XQuartz distribution (www.xquartz.org).
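To tell which of the variants discussed above a given binary actually is, the following added example (not a TZWorks tool) reads the executable header of PE, ELF and Mach-O files, including the fat Mach-O header that lists every embedded architecture. The header bytes built by the helpers are constructed for the demonstration. On macOS `lipo -info <file>` and `file <file>` report the same information.

```python
import struct

PE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
ELF_MACHINE = {0x03: "x86", 0x3E: "x64", 0xB7: "arm64"}
# Mach-O cputype: CPU_ARCH_ABI64 (0x01000000) flags the 64-bit variants
MACHO_CPU = {0x00000007: "x86", 0x01000007: "x64", 0x0100000C: "arm64"}
FAT_MAGIC = 0xCAFEBABE
THIN_MAGICS_BE = (0xFEEDFACE, 0xFEEDFACF)   # magic as stored on big-endian hosts
THIN_MAGICS_LE = (0xCEFAEDFE, 0xCFFAEDFE)   # the same magics byte-swapped (Intel, Apple silicon)


def architectures(data: bytes) -> list:
    """Return the CPU architectures an executable image was built for."""
    if len(data) < 0x40:
        raise ValueError("header too short")
    if data[:2] == b"MZ":
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("MZ stub without PE signature")
        machine = struct.unpack_from("<H", data, pe_off + 4)[0]   # IMAGE_FILE_HEADER.Machine
        return [PE_MACHINE.get(machine, f"pe:0x{machine:04x}")]
    if data[:4] == b"\x7fELF":
        endian = "<" if data[5] == 1 else ">"                     # EI_DATA: 1 = little-endian
        machine = struct.unpack_from(endian + "H", data, 0x12)[0] # e_machine
        return [ELF_MACHINE.get(machine, f"elf:0x{machine:02x}")]
    magic = struct.unpack_from(">I", data, 0)[0]
    if magic == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        if nfat > 32:                                             # Java class files share this magic
            raise ValueError("implausible fat_arch count")
        archs = []
        for i in range(nfat):                                     # fat_arch: five big-endian u32s
            cputype = struct.unpack_from(">I", data, 8 + 20 * i)[0]
            archs.append(MACHO_CPU.get(cputype, f"macho:0x{cputype:08x}"))
        return archs
    if magic in THIN_MAGICS_BE or magic in THIN_MAGICS_LE:
        endian = ">" if magic in THIN_MAGICS_BE else "<"
        cputype = struct.unpack_from(endian + "I", data, 4)[0]
        return [MACHO_CPU.get(cputype, f"macho:0x{cputype:08x}")]
    raise ValueError("unrecognised executable header")


# Constructed headers for the demonstration; they are not real binaries.
def constructed_pe(machine: int) -> bytes:
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


def constructed_elf(machine: int) -> bytes:
    hdr = bytearray(0x40)
    hdr[:7] = b"\x7fELF\x02\x01\x01"                   # ELFCLASS64, little-endian, version 1
    struct.pack_into("<HH", hdr, 0x10, 2, machine)     # e_type = ET_EXEC, e_machine
    return bytes(hdr)


def constructed_fat(*cputypes: int) -> bytes:
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cpu in enumerate(cputypes):                  # cputype, cpusubtype, offset, size, align
        out += struct.pack(">IIIII", cpu, 0, 0x4000 * (i + 1), 0x1000, 14)
    return out.ljust(0x40, b"\0")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, architectures(f.read(4096)))
```

Knowing the answer matters for the rules above: an `x86` or `x64` PE will run under emulation on Windows 11 ARM64, an ELF must match the Linux host exactly, and a fat Mach-O listing both `x64` and `arm64` runs natively on either Mac.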