MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
wikijm/MemProcFS-Analyzer
MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

  • Fast and easy memory analysis!
  • You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
  • Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
  • Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
  • Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
  • Pagefile Support
  • OS Fingerprinting
  • Scan w/ Custom YARA rules (incl. 318 rules by e.g. Chronicle and Elastic Security)
  • Multi-Threaded scan w/ ClamAV for Windows
  • Collection of infected files detected by ClamAV for further analysis (PW: infected)
  • Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
  • Extracting IPv4/IPv6
  • IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
  • Checking for Suspicious Port Numbers
  • Process Tree (TreeView) including complete Process Call Chain (Special thanks to Dominik Schmidt)
  • Checking Processes for Unusual Parent-Child Relationships and Number of Instances
  • Checking Processes for Unusual User Context
  • Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
  • Web Browser History (Google Chrome, Microsoft Edge and Firefox)
  • Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
  • Event Log Overview
  • Processing Windows Event Logs w/ Zircolite - A standalone SIGMA-based detection tool for EVTX
  • Analyzing extracted Amcache.hve w/ Amcacheparser (EZTools by Eric Zimmerman)
  • Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser (EZTools by Eric Zimmerman)
  • Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Simple Prefetch View (based on Forensic Timeline)
  • Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing Registry w/ Kroll RECmd Batch File (Kroll Batch File by Andrew Rathbun)
  • Analyzing Metadata of Recovered Process Modules (experimental)
  • Extracting Windows Shortcut Files (LNK)
  • Hunting Malicious Windows Shortcut Files (LNK)
  • Integration of PowerShell module ImportExcel by Doug Finke
  • CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
  • Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)
  • and much more
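The masquerading checks listed above compare process names against known system binaries by edit distance and compare process paths against the directory a system binary is expected to run from. The following is an added PowerShell example, not code from MemProcFS-Analyzer: it implements the Damerau-Levenshtein (optimal string alignment) distance and applies both checks to a constructed process list. The $KnownSystemBinaries table and its expected directories, the $MaxDistance threshold, and the sample $Processes are assumptions made for the example.

```powershell
# Added example (not part of MemProcFS-Analyzer): process name / path masquerading check.
# $Processes below is a constructed sample, not data taken from a real memory dump.

function Get-DamerauLevenshteinDistance {
    param([string]$Source, [string]$Target)
    $s = $Source.ToLowerInvariant(); $t = $Target.ToLowerInvariant()
    $n = $s.Length; $m = $t.Length
    if ($n -eq 0) { return $m }
    if ($m -eq 0) { return $n }
    $d = New-Object 'int[,]' -ArgumentList ($n + 1), ($m + 1)
    for ($i = 0; $i -le $n; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $m; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $n; $i++) {
        for ($j = 1; $j -le $m; $j++) {
            $cost = if ($s[$i - 1] -eq $t[$j - 1]) { 0 } else { 1 }
            # Insertion, deletion, substitution
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
            # Transposition of two adjacent characters (e.g. "scvhost" vs "svchost") costs 1
            if ($i -gt 1 -and $j -gt 1 -and $s[$i - 1] -eq $t[$j - 2] -and $s[$i - 2] -eq $t[$j - 1]) {
                $d[$i, $j] = [Math]::Min($d[$i, $j], $d[$i - 2, $j - 2] + 1)
            }
        }
    }
    return $d[$n, $m]
}

# Assumed table: well-known Windows binaries and the directory they normally run from.
$KnownSystemBinaries = @{
    'svchost.exe'  = 'C:\Windows\System32'
    'lsass.exe'    = 'C:\Windows\System32'
    'csrss.exe'    = 'C:\Windows\System32'
    'services.exe' = 'C:\Windows\System32'
    'winlogon.exe' = 'C:\Windows\System32'
    'explorer.exe' = 'C:\Windows'
}

function Find-ProcessMasquerading {
    param([object[]]$Processes, [hashtable]$KnownBinaries, [int]$MaxDistance = 1)
    $alerts = @()
    foreach ($p in $Processes) {
        $name = $p.Name.ToLowerInvariant()
        if ($KnownBinaries.ContainsKey($name)) {
            # Exact system binary name: verify it runs from its expected directory
            $dir = Split-Path -Path $p.Path -Parent
            if ($dir -ne $KnownBinaries[$name]) {
                $alerts += [pscustomobject]@{ Type = 'PathMasquerading'; Process = $p.Name; Path = $p.Path; LooksLike = $name; Distance = 0 }
            }
            continue
        }
        # Unknown name: flag it if it is within $MaxDistance edits of a system binary name
        foreach ($known in $KnownBinaries.Keys) {
            $dist = Get-DamerauLevenshteinDistance -Source $name -Target $known
            if ($dist -le $MaxDistance) {
                $alerts += [pscustomobject]@{ Type = 'NameMasquerading'; Process = $p.Name; Path = $p.Path; LooksLike = $known; Distance = $dist }
            }
        }
    }
    return $alerts
}

# Constructed sample process list (not from a real dump)
$Processes = @(
    [pscustomobject]@{ Name = 'svchost.exe';  Path = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Name = 'scvhost.exe';  Path = 'C:\Users\Public\scvhost.exe' }   # transposed letters
    [pscustomobject]@{ Name = 'lsass.exe';    Path = 'C:\Users\Public\lsass.exe' }     # wrong directory
    [pscustomobject]@{ Name = 'explorer.exe'; Path = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Name = 'notepad.exe';  Path = 'C:\Windows\System32\notepad.exe' }
)

Find-ProcessMasquerading -Processes $Processes -KnownBinaries $KnownSystemBinaries | Format-Table -AutoSize
```

On the sample input, scvhost.exe is reported as NameMasquerading (distance 1 from svchost.exe) and lsass.exe in C:\Users\Public as PathMasquerading; notepad.exe produces no alert. In practice the process list would come from the mounted MemProcFS file system rather than a literal, and a distance threshold of 1 keeps false positives low while still catching single-character substitutions, insertions, deletions and transpositions.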

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

File-Browser
Fig 1: Select your Memory Snapshot and select your pagefile.sys (Optional)

Auto-Install
Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)

Microsoft-Internet-Symbol-Store
Fig 3: Accept Terms of Use (First Run)

MemProcFS
Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk

Mounted
Fig 5: You can investigate the mounted memory dump by exploring drive letter

Auto-Update
Fig 6: MemProcFS-Analyzer checks for updates (Second Run)

Note: It's recommended to comment out/disable the "Updater" function after installation. Check out the "Main" section at the bottom of the script.

FindEvil
Fig 7: FindEvil feature and additional analytics

Processes
Fig 8: Processes

RunningAndExited
Fig 9: Running and Exited Processes

ProcessTree
Fig 10: Process Tree (GUI)

ProcessTreeSearch
Fig 11: Checking Process Tree (to find anomalies)

ProcessTreeAlerts
Fig 12: Process Tree: Alert Messages w/ Process Call Chain

PropertiesView
Fig 13: Process Tree: Properties View → Double-Click on a process or alert message

IPinfo
Fig 14: GeoIP w/ IPinfo.io

MapReport
Fig 15: Map IPs w/ IPinfo.io

EVTX
Fig 16: Processing Windows Event Logs (EVTX)

Zircolite
Fig 17: Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)

Amcache
Fig 18: Processing extracted Amcache.hve → XLSX

ShimCache
Fig 19: Processing ShimCache → XLSX

Timeline-Explorer
Fig 20: Analyze CSV output w/ Timeline Explorer (TLE)

ELK-Import
Fig 21: ELK Import

ELK-Timeline
Fig 22: Happy ELK Hunting!

Secure-Archive-Container
Fig 23: Multi-Threaded ClamAV Scan to help you find evil! ;-)

Message-Box
Fig 24: Press OK to shut down MemProcFS and Elasticsearch/Kibana

Output
Fig 25: Secure Archive Container (PW: MemProcFS)

Introduction MemProcFS and Memory Forensics

Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.

Prerequisites

  1. Download and install the latest Dokany Library Bundle → DokanSetup.exe
    https://github.com/dokan-dev/dokany/releases/latest

  2. Download and install the latest .NET 6 Desktop Runtime (Requirement for EZTools)
    https://dotnet.microsoft.com/en-us/download/dotnet/6.0

  3. Download and install the latest Windows package of ClamAV.
    https://www.clamav.net/downloads#otherversions

  4. First Time Set-Up of ClamAV
    Launch Windows PowerShell console as Administrator.
    cd "C:\Program Files\ClamAV"
    copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
    copy .\conf_examples\clamd.conf.sample .\clamd.conf
    write.exe .\freshclam.conf → Comment or remove the line that says "Example".
    write.exe .\clamd.conf → Comment or remove the line that says "Example".
    https://docs.clamav.net/manual/Usage/Configuration.html#windows

  5. Optimize ClamAV scan speed performance (30% faster)
    Open "C:\Program Files\ClamAV\clamd.conf" with your text editor, search for "Don't scan files and directories matching regex" and add the following lines below it:
    ExcludePath "\\heaps\\"
    ExcludePath "\\handles\\"
    ExcludePath "\\memmap\\vad-v\\"
    ExcludePath "\\sys\\pool\\"

  6. Create your free IPinfo account [approx. 1-2 min]
    https://ipinfo.io/signup?ref=cli
    Open "MemProcFS-Analyzer.ps1" with your text editor, search for "Please insert your Access Token here" and copy/paste your access token.

  7. Install the NuGet package provider for PowerShell
    Check if NuGet is available in the package providers by running the following command:
    Get-PackageProvider -ListAvailable
    If NuGet is not installed on your system yet, you have to install it.
    Install-PackageProvider -Name NuGet -Force

  8. Make sure to uncomment (enable) or comment out (disable) the functions you want to play with (by default, Elasticsearch and ELKImport are disabled). Check out the "Main" section at the bottom of the script.

  9. Done! 😃
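Steps 4, 5 and 7 above are manual edits and console commands. The following is an added PowerShell script, not part of MemProcFS-Analyzer, that performs them idempotently: it copies the ClamAV sample configs if they are missing, drops the "Example" line, appends the ExcludePath entries only if they are not already present, and installs the NuGet provider only if it is absent. The install path $ClamRoot is the page's default; the function names are chosen for this example.

```powershell
# Added example (not part of MemProcFS-Analyzer): automates prerequisite steps 4, 5 and 7.
# Run from an elevated Windows PowerShell console. Adjust $ClamRoot if ClamAV lives elsewhere.
#Requires -RunAsAdministrator
$ClamRoot = 'C:\Program Files\ClamAV'

function Initialize-ClamAVConfig {
    # Step 4: copy the sample configs and remove the "Example" line that blocks start-up
    param([string]$Root = $ClamRoot)
    foreach ($name in 'freshclam.conf', 'clamd.conf') {
        $target = Join-Path $Root $name
        $sample = Join-Path $Root "conf_examples\$name.sample"
        if (-not (Test-Path $target)) {
            Copy-Item -Path $sample -Destination $target
        }
        $lines = @(Get-Content -Path $target)
        $kept  = @($lines | Where-Object { $_ -notmatch '^\s*Example\s*$' })
        if ($kept.Count -ne $lines.Count) {
            Set-Content -Path $target -Value $kept
        }
    }
}

function Add-ClamAVExcludePaths {
    # Step 5: skip MemProcFS directories that are slow to scan and carry no file content
    param([string]$Root = $ClamRoot)
    $conf = Join-Path $Root 'clamd.conf'
    # Single quotes keep the backslashes literal, so the lines match the page's config exactly
    $excludes = @('\\heaps\\', '\\handles\\', '\\memmap\\vad-v\\', '\\sys\\pool\\')
    $existing = @(Get-Content -Path $conf)
    $added = @()
    foreach ($e in $excludes) {
        $line = "ExcludePath `"$e`""
        if ($existing -notcontains $line) { $added += $line }
    }
    if ($added.Count -gt 0) {
        Add-Content -Path $conf -Value $added
    }
    return $added
}

function Assert-NuGetProvider {
    # Step 7: ImportExcel is installed via PowerShellGet, which needs the NuGet provider
    $nuget = Get-PackageProvider -ListAvailable | Where-Object { $_.Name -eq 'NuGet' }
    if (-not $nuget) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
    }
}

Initialize-ClamAVConfig
$newExcludes = Add-ClamAVExcludePaths
Write-Host ("Added {0} ExcludePath line(s) to clamd.conf" -f $newExcludes.Count)
Assert-NuGetProvider
Write-Host 'ClamAV configured and NuGet provider available.'
```

Because each function checks before it writes, the script can be re-run after a ClamAV upgrade without duplicating the ExcludePath lines or clobbering an already edited config.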

Notes:

  • Turn off your antivirus protection temporarily or better exclude your MemProcFS-Analyzer directory from scanning.
  • Elasticsearch Tips

Dependencies

7-Zip 23.01 Standalone Console (2023-06-20)
https://www.7-zip.org/download.html

AmcacheParser v1.5.1.0 (.NET 6)
https://ericzimmerman.github.io/

AppCompatCacheParser v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

ClamAV - Download → Windows → clamav-1.2.0.win.x64.msi (2023-08-28)
https://www.clamav.net/downloads

Dokany Library Bundle v2.0.6.1000 (2022-10-02)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe

Elasticsearch 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/elasticsearch

entropy v1.1 (2023-07-28)
https://github.com/merces/entropy

EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

ImportExcel v7.8.6 (2023-10-12)
https://github.com/dfinke/ImportExcel

IPinfo CLI 3.1.1 (2023-10-02)
https://github.com/ipinfo/cli

jq v1.7 (2023-09-06)
https://github.com/stedolan/jq

Kibana 8.9.2 (2023-09-06)
https://www.elastic.co/downloads/kibana

lnk_parser v0.2.0 (2022-08-10)
https://github.com/AbdulRhmanAlfaifi/lnk_parser

MemProcFS v5.8.17 - The Memory Process File System (2023-08-20)
https://github.com/ufrisk/MemProcFS

RECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

SBECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv

YARA v4.3.1 (2023-04-21)
https://virustotal.github.io/yara/

Zircolite v2.9.10 (2023-07-15)
https://github.com/wagga40/Zircolite

Links

MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS Project
MemProcFS-Plugins
SANS FOR532 - Enterprise Memory Forensics In-Depth
