Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evild3ad/MemProcFS-Analyzer
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://github.com/evild3ad/MemProcFS-Analyzer
dfir digital-forensics incident-response live-response memory-forensics memprocfs powershell
Last synced: 2 months ago
JSON representation
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
- Host: GitHub
- URL: https://github.com/evild3ad/MemProcFS-Analyzer
- Owner: evild3ad
- License: gpl-3.0
- Created: 2021-05-15T05:03:25.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-03-09T14:47:26.000Z (7 months ago)
- Last Synced: 2024-06-11T01:22:46.784Z (4 months ago)
- Topics: dfir, digital-forensics, incident-response, live-response, memory-forensics, memprocfs, powershell
- Language: PowerShell
- Homepage: https://lethal-forensics.com
- Size: 10.4 MB
- Stars: 417
- Watchers: 20
- Forks: 47
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-memory-forensics - MemProcFS-Analyzer
README
 
# MemProcFS-Analyzer
MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.
MemProcFS - The Memory Process File System by [Ulf Frisk](https://twitter.com/ulffrisk)
https://github.com/ufrisk/MemProcFS
Features:
* Fast and easy memory analysis!
* You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
* Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
* Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
* Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
* Pagefile Support
* OS Fingerprinting
* Scan w/ Custom YARA rules (incl. 318 rules by e.g. [Chronicle](https://github.com/chronicle/GCTI/tree/main/YARA) and [Elastic Security](https://github.com/elastic/protections-artifacts))
* Multi-Threaded scan w/ ClamAV for Windows
* Collection of infected files detected by ClamAV for further analysis (PW: infected)
* Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
* Extracting IPv4/IPv6
* IP2ASN Mapping and GeoIP w/ [IPinfo CLI](https://github.com/ipinfo/cli) → Get your token for free at [https://ipinfo.io/signup](https://ipinfo.io/signup)
* Checking for Suspicious Port Numbers
* [Process Tree](https://github.com/evild3ad/MemProcFS-Analyzer/wiki/Process-Tree) (TreeView) including complete Process Call Chain (Special thanks to [Dominik Schmidt](https://github.com/DaFuqs))
* Checking Processes for Unusual Parent-Child Relationships and Number of Instances
* Checking Processes for Unusual User Context
* Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
* Web Browser History (Google Chrome, Microsoft Edge and Firefox)
* Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Event Log Overview
* Processing Windows Event Logs w/ [Zircolite](https://github.com/wagga40/Zircolite) - A standalone SIGMA-based detection tool for EVTX
* Analyzing extracted Amcache.hve w/ Amcacheparser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing Syscache w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing UserAssist Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing ShellBags Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Simple Prefetch View (based on Forensic Timeline)
* Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing RecentDocs, Office Trusted Document w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)
* Analyzing Registry w/ Kroll RECmd Batch File ([Kroll Batch File](https://github.com/EricZimmerman/RECmd/projects/1) by Andrew Rathbun)
* Analyzing Metadata of Recovered Process Modules (experimental)
* Extracting Windows Shortcut Files (LNK)
* Hunting Malicious Windows Shortcut Files (LNK)
* Integration of PowerShell module [ImportExcel](https://github.com/dfinke/ImportExcel) by Doug Finke
* CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
* Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)
* and much more
## Download
Download the latest version of **MemProcFS-Analyzer** from the [Releases](https://github.com/evild3ad/MemProcFS-Analyzer/releases) section.
## Usage
Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.
**Fig 1:** Select your Memory Snapshot and select your pagefile.sys (Optional)
**Fig 2:** MemProcFS-Analyzer auto-installs dependencies (First Run)
**Fig 3:** Accept Terms of Use (First Run)
**Fig 4:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk
**Fig 5:** You can investigate the mounted memory dump by exploring drive letter
**Fig 6:** MemProcFS-Analyzer checks for updates (Second Run)
Note: It's recommended to uncomment/disable the "Updater" function after installation. Check out the "Main" in the bottom of the script.
**Fig 7:** FindEvil feature and additional analytics
**Fig 8:** Processes
**Fig 9:** Running and Exited Processes
**Fig 10:** Process Tree (GUI)
**Fig 11:** Checking Process Tree (to find anomalies)
**Fig 12:** Process Tree: Alert Messages w/ Process Call Chain
**Fig 13:** Process Tree: Properties View → Double-Click on a process or alert message
**Fig 14:** GeoIP w/ IPinfo.io
**Fig 15:** Map IPs w/ IPinfo.io
**Fig 16:** Processing Windows Event Logs (EVTX)
**Fig 17:** Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)
**Fig 18:** Processing extracted Amcache.hve → XLSX
**Fig 19:** Processing ShimCache → XLSX
**Fig 20:** Analyze CSV output w/ Timeline Explorer (TLE)
**Fig 21:** ELK Import
**Fig 22:** Happy ELK Hunting!
**Fig 23:** Multi-Threaded ClamAV Scan to help you finding evil! ;-)
**Fig 24:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
**Fig 25:** Secure Archive Container (PW: MemProcFS)
## Introduction MemProcFS and Memory Forensics
Check out [Super Easy Memory Forensics](https://www.slideshare.net/IIJ_PR/super-easy-memory-forensics) by [Hiroshi Suzuki](https://twitter.com/herosi_t) and [Hisao Nashiwa](https://twitter.com/unk0unk0).
## Prerequisites
1. Download and install the latest Dokany Library Bundle → DokanSetup.exe
https://github.com/dokan-dev/dokany/releases/latest
2. Download and install the latest .NET 6 Desktop Runtime (Requirement for [EZTools](https://ericzimmerman.github.io/))
https://dotnet.microsoft.com/en-us/download/dotnet/6.0
3. Download and install the latest Windows package of ClamAV.
https://www.clamav.net/downloads#otherversions
4. First Time Set-Up of ClamAV
Launch Windows PowerShell console as Administrator.
`cd "C:\Program Files\ClamAV"`
`copy .\conf_examples\freshclam.conf.sample .\freshclam.conf`
`copy .\conf_examples\clamd.conf.sample .\clamd.conf`
`write.exe .\freshclam.conf` → Comment or remove the line that says "Example".
`write.exe .\clamd.conf` → Comment or remove the line that says "Example".
https://docs.clamav.net/manual/Usage/Configuration.html#windows
5. Optimize ClamAV scan speed performance (30% faster)
Open "C:\Program Files\ClamAV\clamd.conf" with your text editor and search for: "Don't scan files and directories matching regex"
`ExcludePath "\\heaps\\"`
`ExcludePath "\\handles\\"`
`ExcludePath "\\memmap\\vad-v\\"`
`ExcludePath "\\sys\\pool\\"`
6. Create your free IPinfo account [approx. 1-2 min]
https://ipinfo.io/signup?ref=cli
Open "MemProcFS-Analyzer.ps1" with your text editor, search for "Please insert your Access Token here" and copy/paste your access token.
7. Install the NuGet package provider for PowerShell
Check if NuGet is available in the package providers by running the following command:
`Get-PackageProvider -ListAvailable`
If NuGet is not installed on your system yet, you have to install it.
`Install-PackageProvider -Name NuGet -Force`
8. Make sure to comment/uncomment (selectively enable or disable) the functions you want to play with (Elasticsearch and ELKImport are disabled by default). Check out the "Main" in the bottom of the script.
9. Done! :smiley:
Notes:
- Turn off your antivirus protection temporarily or better exclude your MemProcFS-Analyzer directory from scanning.
- [Elasticsearch Tips](https://github.com/evild3ad/MemProcFS-Analyzer/wiki/Elasticsearch)
## Dependencies
7-Zip 23.01 Standalone Console (2023-06-20)
https://www.7-zip.org/download.html
AmcacheParser v1.5.1.0 (.NET 6)
https://ericzimmerman.github.io/
AppCompatCacheParser v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/
ClamAV - Download → Windows → clamav-1.2.0.win.x64.msi (2023-08-28)
https://www.clamav.net/downloads
Dokany Library Bundle v2.0.6.1000 (2022-10-02)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe
Elasticsearch 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/elasticsearch
entropy v1.1 (2023-07-28)
https://github.com/merces/entropy
EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/
ImportExcel v7.8.6 (2023-10-12)
https://github.com/dfinke/ImportExcel
IPinfo CLI 3.1.1 (2023-10-02)
https://github.com/ipinfo/cli
jq v1.7 (2023-09-06)
https://github.com/stedolan/jq
Kibana 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/kibana
lnk_parser v0.2.0 (2022-08-10)
https://github.com/AbdulRhmanAlfaifi/lnk_parser
MemProcFS v5.8.17 - The Memory Process File System (2023-08-20)
https://github.com/ufrisk/MemProcFS
RECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/
SBECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/
xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv
YARA v4.3.1 (2023-04-21)
https://virustotal.github.io/yara/
Zircolite v2.9.10 (2023-07-15)
https://github.com/wagga40/Zircolite
## Links
[MemProcFS](https://github.com/ufrisk/MemProcFS)
[Demo of MemProcFS with Elasticsearch](https://www.youtube.com/watch?v=JcIlowlrvyI)
[Sponsor MemProcFS Project](https://github.com/sponsors/ufrisk)
[MemProcFS-Plugins](https://github.com/ufrisk/MemProcFS-Plugins)
[SANS FOR532 - Enterprise Memory Forensics In-Depth](https://www.sans.org/cyber-security-courses/enterprise-memory-forensics-in-depth/)