Home / .NET / CLI

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to assist with the memory analysis workflow.
Information
Category: .NET / CLI
Watchers: 5
Star: 30
Fork: 3
Last update: Jun 2, 2021
Resource links
https://evild3ad.com/
https://github.com/evild3ad/MemProcFS-Analyzer

MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to assist with the memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

  • Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, ImportExcel, and IPinfo CLI
  • Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompactCacheParser, Import-Excel, and IPinfo CLI
  • Update-Info when there's a new version of ClamAV or a new Redistributable packaged Dokany Library Bundle available
  • Multi-Threaded scan w/ ClamAV for Windows
  • Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
  • Extracting IPv4/IPv6
  • IP2ASN Mapping w/ Team Cymru
  • GeoIP w/ IPinfo CLI
  • Checking for Unusual Parent-Child Relationships and Number of Instances
  • Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
  • Analyzing extracted Amcache.hve w/ Amcacheparser (EZTools by Eric Zimmerman)
  • Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser (EZTools by Eric Zimmerman)
  • Integration of PowerShell module ImportExcel by Doug Finke
  • Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

File-Browser
Fig 1: Select your Raw Physical Memory Dump (File Browser)

Auto-Install
Fig 2: MemProcFS-Analyzer checks for dependencies (First Run)

Microsoft-Internet-Symbol-Store
Fig 3: Accept Terms of Use (First Run)

Auto-Install
Fig 4: MemProcFS-Analyzer checks for dependencies (Second Run)

ClamAV-Scan
Fig 5: Multi-Threaded ClamAV Scan

IPinfo
Fig 6: GeoIP w/ IPinfo.io

IPinfo
Fig 7: Map IPs w/ IPinfo.io

Elasticsearch
Fig 8: Processing Windows Event Logs (EVTX)

Amcache
Fig 9: Processing extracted Amcache.hve → XLSX

ShimCache
Fig 10: Processing ShimCache → XLSX

ELK-Import
Fig 11: ELK Import

ELK-Timeline
Fig 12: Happy ELK Hunting!

Secure-Archive-Container
Fig 13: ClamAV Scan found 29 infected file(s)

Message-Box
Fig 14: Press OK to shutdown MemProcFS and Elastisearch/Kibana

Output
Fig 15: Secure Archive Container (PW: MemProcFS)

Prerequisites

  1. Download and install the latest Dokany Library Bundle (Redistributable packaged) → DokanSetup_redist.exe
    The Dokany installer will also install the required Microsoft Visual C++ Redistributables for Visual Studio 2019.
    https://github.com/dokan-dev/dokany/releases/latest

  2. Download and install the latest Windows package of ClamAV.
    https://www.clamav.net/downloads

  3. First Time Set-Up of ClamAV
    Launch Windows PowerShell console as Administrator.
    cd "C:\Program Files\clamav"
    copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
    copy .\conf_examples\clamd.conf.sample .\clamd.conf
    write.exe .\freshclam.conf → Comment or remove the line that says “Example”.
    write.exe .\clamd.conf → Comment or remove the line that says “Example”.
    https://www.clamav.net/documents/installing-clamav-on-windows

  4. Create your free IPinfo account [approx. 1-2 min]
    https://ipinfo.io/signup?ref=cli
    Open "MemProcFS-Analyzer.ps1" with your text editor, search for "access_token" and copy/paste your access token.

  5. Done! 😃

Dependencies

7-Zip 9.20 Command Line Version (2010-11-18)
https://www.7-zip.org/download.html

AmcacheParser v1.4.0.0 (2021-03-20)
https://binaryforay.blogspot.com/

AppCompatCacheParser v1.4.4.0 (2021-03-20)
https://binaryforay.blogspot.com/

ClamAV - Windows Packages → Win64 → ClamAV-0.103.2.exe (2021-04-07)
https://www.clamav.net/downloads
https://www.clamav.net/documents/installing-clamav-on-windows → First Time Set-Up

Dokany Library Bundle v1.4.0.1000 x64 (2020-06-01)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup_redist.exe

Elasticsearch 7.13.0 (2021-05-25)
https://www.elastic.co/downloads/elasticsearch

EvtxECmd v0.6.5.0 (2020-12-21)
https://binaryforay.blogspot.com/

ImportExcel 7.1.2 (2020-05-08)
https://github.com/dfinke/ImportExcel

Ipinfo CLI 2.0.0 (2021-05-26)
https://github.com/ipinfo/cli

Kibana 7.13.0 (2021-05-25)
https://www.elastic.co/downloads/kibana

MemProcFS v4.0 - The Memory Process File System (2021-05-24)
https://github.com/ufrisk/MemProcFS

Microsoft Visual C++ Redistributables for Visual Studio 2019 https://go.microsoft.com/fwlink/?LinkId=746572 → VC_redist.x64.exe

Netcat v1.11 (2009-04-10)
https://joncraton.org/blog/46/netcat-for-windows/

Links

MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS project
MemProcFSHunter

0 Open More issues
Closed

Dokany File System Library NOT found

Hi I am trying to run MemProcFS-Analyzer on my Windows 10 VM however I received the above mentioned error. So I installed Dokany 0.7.4 for Windows 10 (https://github.com/dokan-dev/dokany/releases/tag/v0.7.4) ran MemProcFS-Analyzer again and I keep getting the following error:

[Info] Dokany File System Library NOT found. [Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01) [Info] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)

Can you please update Analyzer to support the latest version of Dokany for Windows 10?

opened Jun 2, 2021 by antmar904 25
Closed

Analyzer Stuck

Hi. When trying to analyze a different complete memory dump the script stops at: [Info] 3 IPv4 address found (269).

It's hard to say if the script is frozen, a process is stuck or the analyzer is still working.

It's been in this state for 5 hrs now and I'm not sure if that is normal as there is no progress type bar.

opened Jun 3, 2021 by antmar904 11
Closed

ClamAV

Hi.

I performed (3) different memory analysis and I've been getting the following error in the "ClamAV\LogFile.txt" file:

ERROR: Could not connect to clamd on 127.0.0.1: Connection refused

----------- SCAN SUMMARY ----------- Infected files: 0 Total errors: 1 Time: 2.047 sec (0 m 2 s) Start Date: 2021:06:04 06:42:53 End Date: 2021:06:04 06:42:56

Just wanted to make sure that it is successfully scanning the files.

opened Jun 4, 2021 by antmar904 8
Closed

RECmd .reb file missing.

RECmd version 1.6.0.0

Author: Eric Zimmerman ([email protected]) https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

Command line: -d E:\MemProcFS-Analyzer-v0.2\2021-06-19T115429-complete\Registry\Registry --bn E:\MemProcFS-Analyzer-v0.2\Tools\RECmd_BatchFiles\RegistryASEPs.reb --csv E:\MemProcFS-Analyzer-v0.2\2021-06-19T115429-complete\Registry\RegistryASEPs\CSV --csvf RegistryASEPs.csv

Batch file 'E:\MemProcFS-Analyzer-v0.2\Tools\RECmd_BatchFiles\RegistryASEPs.reb' does not exist.

opened Jun 20, 2021 by antmar904 2
Open

Issues with Kibana

Hi. When running the script here is the output I am getting with Kibana and EvtxECmd:

MemProcFS-Analyzer v0.2 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021 Martin Willing (https://evild3ad.com/)

Analysis date: 2022-05-04 11:20:27 UTC

[Info] Current Version: MemProcFS v4.7 (2022-04-26) [Info] Latest Release: MemProcFS v4.7 (2022-01-30) [Info] You are running the most recent version of MemProcFS. [Info] Dokany File System Library NOT found. [Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01) [Info] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe) [Info] Current Version: Elasticsearch v8.1.3 [Info] Latest Release: Elasticsearch v8.2.0 (2022-05-03) [Info] Dowloading Latest Release ... [Info] Extracting Files ... [Info] Kibana NOT found. [Info] Latest Release: Kibana v8.2.0 (2022-05-03) [Info] Dowloading Latest Release ... [Info] Extracting Files ... Rename-Item : Cannot rename because item at 'E:\Tools\MemProcFS-Analyzer-v0.2\Tools\kibana-8.2.0-windows-x86_64' does not exist. At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:512 char:9

  •     Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease-windows- ...

  •     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
    • FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand

[Info] EvtxECmd NOT found. [Info] Dowloading Latest Release ... Invoke-WebRequest : { "code": "not_found", "message": "File with such name does not exist.", "status": 404 } At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:566 char:5

  • Invoke-WebRequest -Uri $URL -OutFile "$SCRIPT_DIR\Tools\$Zip"

  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand [Info] Current Version: AmcacheParser v1.5.1.0 [Info] You are running the most recent version of AmcacheParser. [Info] Current Version: AppCompatCacheParser v1.5.0.0 [Info] You are running the most recent version of AppCompatCacheParser. [Info] Current Version: ImportExcel v7.4.2 [Info] Latest Release: ImportExcel v7.5.1 (2022-05-03) [Info] Dowloading ImportExcel v7.5.1 ... [Info] Current Version: IPinfo CLI v2.8.0 (2022-03-22) [Info] Latest Release: IPinfo CLI v2.8.0 (2022-03-21) [Info] You are running the most recent version of IPinfo CLI. [Info] Starting Elasticsearch ... [Info] Starting Kibana ...
opened May 4, 2022 by antmar904 0

Contents

    memprocfshunt A powershell parser for MemProcFS
    Boris-code Same as json.dumps or json.loads, feapson support feapson.dumps and feapson.loads
    platomav Intel Engine Firmware Analysis Tool
    ufrisk The Memory Process File System
    joshlemon Repository of public reference frameworks for the DFIR community.
    hashlookup Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service
    Akaion A Windows virtual memory editing library with support for pattern scanning.
    DynamoRIO Memory Debugger for Windows, Linux, Mac, and Android
    milostosic MTuner is a C/C++ memory profiler and memory leak finder for Windows, PlayStation 4 and 3, Android and other platforms
    AndrewRathbun A config file that's curated for DFIR examiners with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks.
    rek7 mXtract - Offensive Memory Extractor & Analyzer
    facebookincubator A memory analyzer for running python processes
    GPUOpen-Tools The Radeon GPU Analyzer (RGA) is an offline compiler and code analysis tool for Vulkan, DirectX, OpenGL, and OpenCL.
    Microsoft Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
    fantasticmao A lightweight (simplistic) log analyzer for Nginx.
    Preetam MySQL JSON Explain Analyzer
    fetlife Redis Memory Analyzer written in Rust
    evilsocket Git Repository Analyzer.
    neolea Open source training materials for law-enforcement and organisations interested in DFIR.
    cado-security Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
    rathbuna A repository of DFIR-related Mind Maps geared towards the visual learners!
    Share this repo

    Related Repos


    CLI
    26
    grpc-curl is a command line tool for interacting with gRPC servers
    xoofx grpc-curl grpc-curl is a command line tool for interacting with gRPC servers. This tool is the .NET equivalent of the popular gRPCurl written in Golan
     
    CLI
    6
    This package helps you to make colorful console apps
    Ramin-Guliyev MakeUp Make your console app looks much more pretty 😉 * Introduction This package helps you to make colorful console apps with the best solution. Cur
     
    CLI
    279
    PowerShell Module for Docker
    Microsoft THIS MODULE HAS BEEN DEPRECATED Please note that due to low usage this module is no longer being actively maintained. It is recommended to use either
     
    CLI
    50
    How to spoof the command line when spawning a new process from C#.
    plackyhacker Command Line Spoofer An example of using C# to inject a meterpreter shell, whilst spoofing the command line. The command line is stored in the Process
     
    CLI
    3
    fakys really bad Powershell Northstar Server Watcher
    RomeoCantCode PSNorthstarWatcher faky's really bad Powershell Northstar Server Watcher. Use at own risk. It is very minimalistic and a dev would probably cry when h
     
    CLI
    5
    2D game framework for use with the Pode PowerShell web server
    Badgerati Pode.Game This is still a work in progress, until v1.0.0 expect possible breaking changes in some releases. 💝 A lot of my free time, evenings, and we
     
    CLI
    3
    This is for patching against Log4Shell in Windows via Powershell
    SkeletonMan03 Patch Against Log4Shell This is for patching against Log4Shell in Windows via Powershell What it does This searches your entire computer for jar files
     
    CLI
    8
    log4j PowerShell Checker
    crypt0jan CHAPTER8 - log4j PowerShell Checker CVE-2021-44228 Perform a scan of a single host (using Powershell) to see if it's vulnerable for the above-mentione
     
    CLI
    3
    Customize windows PowerShell using oh-my-posh module and make a simple, elegant and eye ca...
    aminbabu Customize Your Windows Terminal - Like A Pro No more default windows terminal! Let's customize our windows terminal like a pro using oh-my-posh a prom
     
    CLI
    66
    Load any Beacon Object File using Powershell!
    airbus-cert Invoke-Bof Load any Beacon Object File using Powershell! > $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/tes
     
    CLI
    3
    PowerBruteLogon (Ported version of WinBruteLogon in pure PowerShell)
    DarkCoderSc PowerBruteLogon PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell Notice that this version is slower than WinBruteLogon but has
     
    CLI
    6
    Tools for naturally defining PowerShell dynamic parameters
    wethreetrees ✨ Dynamic ✨ Working with dynamic parameters in PowerShell has never been easy. The Dynamic module will change that forever. In the past, developers we
     
    CLI
    3
    turbinando o powershell
    nathanramorim oh-my-zsh no powershell Sabiam que tem jeito de personalizar o PowerShell similiar a quando utilizamos o oh-my-zsh? Eu nem sabia. Eu curto bastante um
     
    CLI
    3
    PowerShell Module for Advanced Registry Functionality
    jborean93 AdvReg Various cmdlets that expose more advanced functions of the Windows Registry. Documentation Documentation for this module and details on the cmd
     
    CLI
    10
    Demo to create abp module and convert it into microservice.
    antosubash Add a new Module and convert it to a microservice in ABP In this post we will see how to create a modular abp application and convert it to microservi