MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.
MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS
Features:
- Fast and easy memory analysis!
- You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
- Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
- Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
- Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
- Pagefile Support
- OS Fingerprinting
- Scan w/ Custom YARA rules (incl. 318 rules by e.g. Chronicle and Elastic Security)
- Multi-Threaded scan w/ ClamAV for Windows
- Collection of infected files detected by ClamAV for further analysis (PW: infected)
- Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
- Extracting IPv4/IPv6
- IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
- Checking for Suspicious Port Numbers
- Process Tree (TreeView) including complete Process Call Chain (Special thanks to Dominik Schmidt)
- Checking Processes for Unusual Parent-Child Relationships and Number of Instances
- Checking Processes for Unusual User Context
- Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
- Web Browser History (Google Chrome, Microsoft Edge and Firefox)
- Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
- Event Log Overview
- Processing Windows Event Logs w/ Zircolite - A standalone SIGMA-based detection tool for EVTX
- Analyzing extracted Amcache.hve w/ Amcacheparser (EZTools by Eric Zimmerman)
- Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser (EZTools by Eric Zimmerman)
- Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
- Simple Prefetch View (based on Forensic Timeline)
- Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing Registry w/ Kroll RECmd Batch File (Kroll Batch File by Andrew Rathbun)
- Analyzing Metadata of Recovered Process Modules (experimental)
- Extracting Windows Shortcut Files (LNK)
- Hunting Malicious Windows Shortcut Files (LNK)
- Integration of PowerShell module ImportExcel by Doug Finke
- CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
- Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)
- and much more
Download the latest version of MemProcFS-Analyzer from the Releases section.
Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.
Fig 1: Select your Memory Snapshot and select your pagefile.sys (Optional)
Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)
Fig 3: Accept Terms of Use (First Run)
Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk
Fig 5: You can investigate the mounted memory dump by exploring drive letter
Fig 6: MemProcFS-Analyzer checks for updates (Second Run)
Note: It's recommended to uncomment/disable the "Updater" function after installation. Check out the "Main" in the bottom of the script.
Fig 7: FindEvil feature and additional analytics
Fig 9: Running and Exited Processes
Fig 11: Checking Process Tree (to find anomalies)
Fig 12: Process Tree: Alert Messages w/ Process Call Chain
Fig 13: Process Tree: Properties View → Double-Click on a process or alert message
Fig 16: Processing Windows Event Logs (EVTX)
Fig 17: Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)
Fig 18: Processing extracted Amcache.hve → XLSX
Fig 19: Processing ShimCache → XLSX
Fig 20: Analyze CSV output w/ Timeline Explorer (TLE)
Fig 23: Multi-Threaded ClamAV Scan to help you finding evil! ;-)
Fig 24: Press OK to shutdown MemProcFS and Elastisearch/Kibana
Fig 25: Secure Archive Container (PW: MemProcFS)
Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.
-
Download and install the latest Dokany Library Bundle → DokanSetup.exe
https://github.com/dokan-dev/dokany/releases/latest -
Download and install the latest .NET 6 Desktop Runtime (Requirement for EZTools)
https://dotnet.microsoft.com/en-us/download/dotnet/6.0 -
Download and install the latest Windows package of ClamAV.
https://www.clamav.net/downloads#otherversions -
First Time Set-Up of ClamAV
Launch Windows PowerShell console as Administrator.
cd "C:\Program Files\ClamAV"
copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
copy .\conf_examples\clamd.conf.sample .\clamd.conf
write.exe .\freshclam.conf
→ Comment or remove the line that says "Example".
write.exe .\clamd.conf
→ Comment or remove the line that says "Example".
https://docs.clamav.net/manual/Usage/Configuration.html#windows -
Optimize ClamAV scan speed performance (30% faster)
Open "C:\Program Files\ClamAV\clamd.conf" with your text editor and search for: "Don't scan files and directories matching regex"
ExcludePath "\\heaps\\"
ExcludePath "\\handles\\"
ExcludePath "\\memmap\\vad-v\\"
ExcludePath "\\sys\\pool\\"
-
Create your free IPinfo account [approx. 1-2 min]
https://ipinfo.io/signup?ref=cli
Open "MemProcFS-Analyzer.ps1" with your text editor, search for "Please insert your Access Token here" and copy/paste your access token. -
Install the NuGet package provider for PowerShell
Check if NuGet is available in the package providers by running the following command:
Get-PackageProvider -ListAvailable
If NuGet is not installed on your system yet, you have to install it.
Install-PackageProvider -Name NuGet -Force
-
Make sure touncomment/disable the functions you want to play with (by default, Elasticsearch and ELKImport are disabled). Check out the "Main" in the bottom of the script.
-
Done! 😃
Notes:
- Turn off your antivirus protection temporarily or better exclude your MemProcFS-Analyzer directory from scanning.
- Elasticsearch Tips
7-Zip 23.01 Standalone Console (2023-06-20)
https://www.7-zip.org/download.html
AmcacheParser v1.5.1.0 (.NET 6)
https://ericzimmerman.github.io/
AppCompatCacheParser v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/
ClamAV - Download → Windows → clamav-1.2.0.win.x64.msi (2023-08-28)
https://www.clamav.net/downloads
Dokany Library Bundle v2.0.6.1000 (2022-10-02)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe
Elasticsearch 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/elasticsearch
entropy v1.1 (2023-07-28)
https://github.com/merces/entropy
EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/
ImportExcel v7.8.6 (2023-10-12)
https://github.com/dfinke/ImportExcel
IPinfo CLI 3.1.1 (2023-10-02)
https://github.com/ipinfo/cli
jq v1.7 (2023-09-06)
https://github.com/stedolan/jq
Kibana 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/kibana
lnk_parser v0.2.0 (2022-08-10)
https://github.com/AbdulRhmanAlfaifi/lnk_parser
MemProcFS v5.8.17 - The Memory Process File System (2023-08-20)
https://github.com/ufrisk/MemProcFS
RECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/
SBECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/
xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv
YARA v4.3.1 (2023-04-21)
https://virustotal.github.io/yara/
Zircolite v2.9.10 (2023-07-15)
https://github.com/wagga40/Zircolite
MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS Project
MemProcFS-Plugins
SANS FOR532 - Enterprise Memory Forensics In-Depth