evild3ad / memprocfs-analyzer
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
Home Page: https://lethal-forensics.com
License: GNU General Public License v3.0
Hi, my team typically uses Splunk, which favors JSON formatting. It would be extremely beneficial to us if you could add a JSON option on top of the CSV option you already provide. Fantastic addition to the already amazing MemProcFS project, thank you for creating this.
Hi
I am trying to run MemProcFS-Analyzer on my Windows 10 VM; however, I received the above-mentioned error. So I installed Dokany 0.7.4 for Windows 10 (https://github.com/dokan-dev/dokany/releases/tag/v0.7.4), ran MemProcFS-Analyzer again, and I keep getting the following error:
[Info] Dokany File System Library NOT found.
[Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01)
[Info] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)
Can you please update Analyzer to support the latest version of Dokany for Windows 10?
Hi.
It looks like your PS script is unable to find the Kibana executable. Here is my output:
MemProcFS-Analyzer v0.2 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021 Martin Willing (https://evild3ad.com/)
Analysis date: 2022-06-09 13:39:55 UTC
[Info] Current Version: MemProcFS v4.7 (2022-04-26)
[Info] Latest Release: MemProcFS v4.8 (2022-05-12)
[Info] Dowloading Latest Release ...
[Info] Extracting Files ...
[Info] Dokany File System Library NOT found.
[Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01)
[Info] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)
[Info] Current Version: Elasticsearch v8.2.0
[Info] Latest Release: Elasticsearch v8.2.2 (2022-05-26)
[Info] Dowloading Latest Release ...
[Info] Extracting Files ...
[Info] Current Version: Kibana v8.2.0
[Info] Latest Release: Kibana v8.2.2 (2022-05-26)
[Info] Dowloading Latest Release ...
[Info] Extracting Files ...
Rename-Item : Cannot rename because item at 'E:\Tools\MemProcFS-Analyzer-v0.2\Tools\kibana-8.2.2-windows-x86_64' does not exist.
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:514 char:9
+ Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease-windows- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand
[Info] Current Version: EvtxECmd v1.0.0.0
Invoke-WebRequest : The remote server returned an error: (404) Not Found.
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:551 char:17
+ ... $Headers = (Invoke-WebRequest -Uri $URL -UseBasicParsing -Method Head ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Cannot index into a null array.
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:552 char:5
+ $LatestSHA1 = $Headers["x-bz-content-sha1"]
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
[Info] Dowloading Latest Release ...
Invoke-WebRequest : { "code": "not_found", "message": "File with such name does not exist.", "status": 404 }
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:568 char:5
+ Invoke-WebRequest -Uri $URL -OutFile "$SCRIPT_DIR\Tools\$Zip"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
[Info] Current Version: AmcacheParser v1.5.1.0
[Info] You are running the most recent version of AmcacheParser.
[Info] Current Version: AppCompatCacheParser v1.5.0.0
[Info] You are running the most recent version of AppCompatCacheParser.
[Info] Current Version: ImportExcel v7.5.2
[Info] Latest Release: ImportExcel v7.5.3 (2022-05-30)
[Info] Dowloading ImportExcel v7.5.3 ...
WARNING: The version '7.5.2' of module 'ImportExcel' is currently in use. Retry the operation after closing the applications.
[Info] Current Version: IPinfo CLI v2.8.0 (2022-03-22)
[Info] Latest Release: IPinfo CLI v2.8.0 (2022-03-21)
[Info] You are running the most recent version of IPinfo CLI.
[Info] Starting Elasticsearch ...
[Info] Starting Kibana ...
Hi.
When running the script here is the output I am getting with Kibana and EvtxECmd:
MemProcFS-Analyzer v0.2 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021 Martin Willing (https://evild3ad.com/)
Analysis date: 2022-05-04 11:20:27 UTC
[Info] Current Version: MemProcFS v4.7 (2022-04-26)
[Info] Latest Release: MemProcFS v4.7 (2022-01-30)
[Info] You are running the most recent version of MemProcFS.
[Info] Dokany File System Library NOT found.
[Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01)
[Info] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)
[Info] Current Version: Elasticsearch v8.1.3
[Info] Latest Release: Elasticsearch v8.2.0 (2022-05-03)
[Info] Dowloading Latest Release ...
[Info] Extracting Files ...
[Info] Kibana NOT found.
[Info] Latest Release: Kibana v8.2.0 (2022-05-03)
[Info] Dowloading Latest Release ...
[Info] Extracting Files ...
Rename-Item : Cannot rename because item at 'E:\Tools\MemProcFS-Analyzer-v0.2\Tools\kibana-8.2.0-windows-x86_64' does not exist.
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:512 char:9
Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease-windows- ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Info] EvtxECmd NOT found.
[Info] Dowloading Latest Release ...
Invoke-WebRequest : { "code": "not_found", "message": "File with such name does not exist.", "status": 404 }
At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:566 char:5
Invoke-WebRequest -Uri $URL -OutFile "$SCRIPT_DIR\Tools\$Zip"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
During the script procedure, Microsoft Defender detected: backdoor:ASP/webshell.X. Every time I ran the procedure, I got the same detection, but the detection disappeared almost instantly after. I was wondering what was generating this alert?
Firstly, just wanted to say, great work with this project, please keep it, it's really useful, thank you.
I've noticed a minor issue with v0.6 - specifically with the Kibana update, where it threw the following error:
Rename-Item : Cannot rename because item at 'C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\Tools\kibana-7.17.7' does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:762 char:9
+ Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease" "$SCRIP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand
Looking at the code (line: 762), the Rename-Item fails as the (real) directory is called: "kibana-7.17.7-windows-x86_64" but the code tries to rename a directory called "kibana-7.17.7" (missing the "-windows-x86_64" suffix).
The path is constructed using the variable: "$LatestRelease" and $LatestRelease = "7.17.7", not "7.17.7-windows-x86_64".
Maybe use "$DestinationPath" instead?
Hi.
I performed (3) different memory analyses and I've been getting the following error in the "ClamAV\LogFile.txt" file:
ERROR: Could not connect to clamd on 127.0.0.1: Connection refused
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 2.047 sec (0 m 2 s)
Start Date: 2021:06:04 06:42:53
End Date: 2021:06:04 06:42:56
Just wanted to make sure that it is successfully scanning the files.
I made a RAM dump in the .RAW format and when I run the analysis it does not give an error, but it does not load the system and no files appeared in the directory during the day. I checked it on different systems; it works fine with the .mem format. Tell me how to solve it, and is it possible to somehow convert .raw to .mem format?
Hi, i have an error with the script during the drive creation.
Content of the log file:
**********************
Windows PowerShell transcript start
Start time: 20221204065248
Username: COMMANDO\user
RunAs User: COMMANDO\user
Configuration Name:
Machine: COMMANDO (Microsoft Windows NT 10.0.19043.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4408
PSVersion: 5.1.19041.1682
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682
BuildVersion: 10.0.19041.1682
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\2022-12-04T145237-dump.txt
██╗ ███████╗████████╗██╗ ██╗ █████╗ ██╗ ███████╗ ██████╗ ██████╗ ███████╗███╗ ██╗███████╗██╗ ██████╗███████╗
██║ ██╔════╝╚══██╔══╝██║ ██║██╔══██╗██║ ██╔════╝██╔═══██╗██╔══██╗██╔════╝████╗ ██║██╔════╝██║██╔════╝██╔════╝
██║ █████╗ ██║ ███████║███████║██║█████╗█████╗ ██║ ██║██████╔╝█████╗ ██╔██╗ ██║███████╗██║██║ ███████╗
██║ ██╔══╝ ██║ ██╔══██║██╔══██║██║╚════╝██╔══╝ ██║ ██║██╔══██╗██╔══╝ ██║╚██╗██║╚════██║██║██║ ╚════██║
███████╗███████╗ ██║ ██║ ██║██║ ██║███████╗ ██║ ╚██████╔╝██║ ██║███████╗██║ ╚████║███████║██║╚██████╗███████║
╚══════╝╚══════╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═════╝╚══════╝
MemProcFS-Analyzer v0.7 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2022 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2022-12-04 14:52:37 UTC
[Info] Current Version: MemProcFS v5.2.2
[Info] Latest Release: MemProcFS v5.2.2 (2022-11-16)
[Info] You are running the most recent version of MemProcFS.
[Info] Current Version: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info] Latest Release: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info] You are running the most recent version of Dokany File System Library.
[Info] Current Version: Elasticsearch v8.5.2
[Info] Latest Release: Elasticsearch v8.5.2 (2022-11-22)
[Info] You are running the most recent version of Elasticsearch.
[Info] Current Version: Kibana v8.5.2
[Info] Latest Release: Kibana v8.5.2 (2022-11-22)
[Info] You are running the most recent version of Kibana.
[Info] Current Version: AmcacheParser v1.5.1.0
[Info] You are running the most recent version of AmcacheParser.
[Info] Current Version: AppCompatCacheParser v1.5.0.0
[Info] You are running the most recent version of AppCompatCacheParser.
[Info] Current Version: entropy v1.0 (2022-02-04)
[Info] Latest Release: entropy v1.0 (2022-02-04)
[Info] You are running the most recent version of entropy.
[Info] Current Version: EvtxECmd v1.0.0.0
[Info] You are running the most recent version of EvtxECmd.
[Info] Current Version: ImportExcel v7.8.3
[Info] Latest Release: ImportExcel v7.8.3 (2022-11-20)
[Info] You are running the most recent version of ImportExcel.
[Info] Current Version: IPinfo CLI v2.10.0 (2022-09-28)
[Info] Latest Release: IPinfo CLI v2.10.0 (2022-09-28)
[Info] You are running the most recent version of IPinfo CLI.
[Info] Current Version: lnk_parser v0.2.0 (2022-12-04)
[Info] Latest Release: lnk_parser v0.2.0 (2022-08-10)
[Info] You are running the most recent version of lnk_parser.
[Info] Current Version: RECmd v2.0.0.0
[Info] You are running the most recent version of RECmd.
[Info] Current Version: SBECmd v2.0.0.0
[Info] You are running the most recent version of SBECmd.
[Info] Current Version: xsv v0.13.0 (2018-05-12)
[Info] Latest Release: xsv v0.13.0 (2018-05-12)
[Info] You are running the most recent version of xsv.
[Info] Current Version: YARA v4.2.3 (2022-08-08)
[Info] Latest Release: YARA v4.2.3 (2022-08-09)
[Info] You are running the most recent version of YARA.
[Info] Current Version: Zircolite v2.9.7
[Info] Latest Release: Zircolite v2.9.7 (2022-10-08)
[Info] You are running the most recent version of Zircolite.
[Info] Mounting the Physical Memory Dump file as X: ...
[Info] Physical Memory Dump File Size: 1.02 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing C:\Users\user\Desktop\dump.raw [approx. 1-10 min] ...
COMMANDO TerminatingError(Select-String): "Cannot find drive. A drive with the name 'X' does not exist."
Select-String : Cannot find drive. A drive with the name 'X' does not exist.
At C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\MemProcFS-Analyzer.ps1:2197 char:18
+ ... while (!(Select-String -Pattern "100" -Path "$DriveLetter\forensic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (X:String) [Select-String], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SelectStringCommand
Select-String : Cannot find drive. A drive with the name 'X' does not exist.
At C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\MemProcFS-Analyzer.ps1:2197 char:18
+ ... while (!(Select-String -Pattern "100" -Path "$DriveLetter\forensic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (X:String) [Select-String], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SelectStringCommand
[Error] Forensic Directory doesn't exist.
[Error] freshclam.conf is missing.
https://docs.clamav.net/manual/Usage/Configuration.html#windows --> First Time Set-Up
**********************
Windows PowerShell transcript end
End time: 20221204065338
**********************
Thanks in advance for help.
When analyzing the "Desktop" image (https://dfirmadness.com/case001/DESKTOP-SDN1RPT-memory.zip) from the Stolen Szechuan Sauce challenge (https://dfirmadness.com/the-stolen-szechuan-sauce/), I saw some errors being thrown as the TimeZoneInformation registry locations didn't exist.
Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName.txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1880 char:28
Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\(_Key_).txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1881 char:26
Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\ActiveTimeBias.txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1882 char:27
In the analyzer script (v0.6) under the "# Timezone Information" section (lines: 1879-1882) you could possibly include a few checks and handle it in case those files don't exist?
e.g. if (Test-Path "") or similar?
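Added example (not code from the MemProcFS-Analyzer script or from the reporter): a guarded reader for the TimeZoneInformation key on a MemProcFS registry mount, along the lines of the Test-Path suggestion above. The key path and value-file names come from the error messages quoted in this issue; the text format of the exported value files (decimal or 0x-prefixed hex for the REG_DWORD) is an assumption.

```powershell
function Get-DumpTimeZoneInfo {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter   # e.g. 'X:' as mounted by MemProcFS
    )

    # Key path as it appears in the Get-Content errors above.
    $TzKey = Join-Path $DriveLetter 'registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation'

    $Result = [ordered]@{
        TimeZoneKeyName = $null   # $null means "not present in this dump"
        ActiveTimeBias  = $null   # minutes, signed: UTC = local time + bias
        UtcOffset       = $null   # [timespan] derived from ActiveTimeBias
        Source          = $TzKey
    }

    # Missing key: warn and return an object with empty fields instead of
    # letting Get-Content raise a terminating error mid-analysis.
    if (-not (Test-Path -LiteralPath $TzKey -PathType Container)) {
        Write-Warning "TimeZoneInformation key not present in this dump: $TzKey"
        return [pscustomobject] $Result
    }

    # Read one exported value file, or return $null if it is missing.
    function Read-RegValueFile {
        param([string] $Path)
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            Write-Warning "Registry value file missing: $Path"
            return $null
        }
        # Strip embedded NULs that REG_SZ exports may carry, then surrounding whitespace.
        return ((Get-Content -LiteralPath $Path -Raw) -replace "`0", '').Trim()
    }

    $Result.TimeZoneKeyName = Read-RegValueFile (Join-Path $TzKey 'TimeZoneKeyName.txt')

    $BiasRaw = Read-RegValueFile (Join-Path $TzKey 'ActiveTimeBias.txt')
    if ($BiasRaw) {
        # ActiveTimeBias is a REG_DWORD of minutes. Accept decimal or 0x-hex (assumed
        # export formats) and interpret the 32-bit value as signed, so zones east of
        # UTC (e.g. 0xFFFFFFC4 = -60) come out negative.
        $Bias = $null
        if ($BiasRaw -match '^0x([0-9a-fA-F]{1,8})$') {
            $Bias = [Convert]::ToInt32($Matches[1], 16)          # two's complement for 8 digits
        } elseif ($BiasRaw -match '^-?\d+$') {
            $Bias = [int64] $BiasRaw
            if ($Bias -gt [int32]::MaxValue) { $Bias -= 4294967296 }  # unsigned decimal export
        }
        if ($null -eq $Bias) {
            Write-Warning "Unexpected ActiveTimeBias format: '$BiasRaw'"
        } else {
            $Result.ActiveTimeBias = [int] $Bias
            $Result.UtcOffset      = [timespan]::FromMinutes(-$Bias)
        }
    }

    return [pscustomobject] $Result
}

# Usage: $Tz = Get-DumpTimeZoneInfo -DriveLetter 'X:'
# Callers test $Tz.TimeZoneKeyName / $Tz.ActiveTimeBias for $null before using them.
```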
C:\Users\Admin\Downloads\MemProcFS-Analyzer-v0.9\MemProcFS-Analyzer-v0.9\MemProcFS-Analyzer.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
I write "R" and, after installing the necessary dependencies that are indicated in your branch, I run the script as admin. There is a check for the presence of software; after that everything is fine, and the program writes that the process will take from 1 to 10 minutes, but it does not even load the PC. I waited 15 hours with a 500 MB training RAM dump, as well as my own, and tried it on different PCs and clean virtual machines; it writes that the disk is mounted, but it is not even in the hard disk manager. Tell me, what am I doing wrong?
I'd like to propose adding to the Get-YaraCustomRules function to pull the latest Yara Forge ruleset (https://github.com/YARAHQ/yara-forge/releases/), or set up a job to sync this ruleset to your defined repo at https://github.com/evild3ad/yara/. This should greatly extend the library of Yara rules for scanning with this tool. Thank you for your work on this!
I've recently been introduced to MemProcFS-Analyzer and love how powerful it is. One issue I'm having though is that, in order to use the tool, a valid internet connection is required.
While I can understand this from the Microsoft Internet Symbol Store perspective, I believe that, if the rest of the requirements are installed (Kibana, Elasticsearch, Zimmerman tools, et al), the tool should still be able to function, as long as a minimum version of each is installed.
Would you consider an option to determine if the accepted minimums are installed, then continue functioning, otherwise inform the user that updates are required?
Another way to do this would be to add an "Install" param, so that the user can "Install" MemProcFS-Analyzer with all components on an online system (without needing to load a memory dump first) then transfer the folder offline. The user then only needs to get the Symbols for their analysis and, if already installed, can run fully functional in an offline mode.
If this is something you would consider, I would be interested in assisting.
Cheers, and thanks!
If either of the following ClamAV conf files is missing, the on-screen user feedback points the user to a URL that is possibly out of date?
For example, if either of these events happens:
Then the user gets a message on screen, pointing them to this URL:
"https://www.clamav.net/documents/installing-clamav-on-windows --> First Time Set-Up"
But that URL, redirects to the main ClamAV docs site (https://docs.clamav.net/) and isn't very helpful. A better URL to display would be:
"https://docs.clamav.net/manual/Usage/Configuration.html#windows" ?
This URL is referenced in the script comments, so you may wish to update the console messages to point to the same URL as well?
The Elasticsearch start and data import function was commented out in the main branch.
Hello.
I'm trying v0.6 and it's stuck at Starting Elasticsearch.
Here is the transcript output:
Windows PowerShell transcript start
Start time: 20221020144917
Username: Win11Test\Test
RunAs User: Win11Test\Test
Configuration Name:
Machine: WIN11TEST (Microsoft Windows NT 10.0.22000.0)
Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Process ID: 2824
PSVersion: 5.1.22000.832
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22000.832
BuildVersion: 10.0.22000.832
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
Transcript started, output file is E:\Tools\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer-v0.6\2022-10-20T184911-dump.txt
MemProcFS-Analyzer v0.6 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2022 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2022-10-20 18:49:11 UTC
[Info] Current Version: MemProcFS v5.1.3
[Info] Latest Release: MemProcFS v5.1.3 (2022-09-26)
[Info] You are running the most recent version of MemProcFS.
[Info] Current Version: Dokany File System Library v2.0.4.1000 (2022-04-30)
[Info] Latest Release: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Error] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/latest (DokanSetup.exe)
[Info] Current Version: Elasticsearch v8.4.3
[Info] Latest Release: Elasticsearch v8.4.3 (2022-10-05)
[Info] You are running the most recent version of Elasticsearch.
[Info] Current Version: Kibana v8.4.3
[Info] Latest Release: Kibana v8.4.3 (2022-10-05)
[Info] You are running the most recent version of Kibana.
[Info] Current Version: AmcacheParser v1.5.1.0
[Info] You are running the most recent version of AmcacheParser.
[Info] Current Version: AppCompatCacheParser v1.5.0.0
[Info] You are running the most recent version of AppCompatCacheParser.
[Info] Current Version: entropy v1.0 (2022-02-04)
[Info] Latest Release: entropy v1.0 (2022-02-04)
[Info] You are running the most recent version of entropy.
[Info] Current Version: EvtxECmd v1.0.0.0
[Info] You are running the most recent version of EvtxECmd.
[Info] Current Version: ImportExcel v7.8.1
[Info] Latest Release: ImportExcel v7.8.2 (2022-10-15)
[Info] Current Version: IPinfo CLI v2.10.0 (2022-09-28)
[Info] Latest Release: IPinfo CLI v2.10.0 (2022-09-28)
[Info] You are running the most recent version of IPinfo CLI.
[Info] Current Version: lnk_parser v0.2.0 (2022-10-20)
[Info] Latest Release: lnk_parser v0.2.0 (2022-08-10)
[Info] You are running the most recent version of lnk_parser.
[Info] Current Version: RECmd v2.0.0.0
[Info] You are running the most recent version of RECmd.
[Info] Current Version: SBECmd v2.0.0.0
[Info] You are running the most recent version of SBECmd.
[Info] Current Version: xsv v0.13.0 (2018-05-12)
[Info] Latest Release: xsv v0.13.0 (2018-05-12)
[Info] You are running the most recent version of xsv.
[Info] Current Version: YARA v4.2.3 (2022-08-08)
[Info] Latest Release: YARA v4.2.3 (2022-08-09)
[Info] You are running the most recent version of YARA.
[Info] Starting Elasticsearch ...
Hi.
When trying to analyze a different complete memory dump the script stops at:
[Info] 3 IPv4 address found (269).
It's hard to say if the script is frozen, a process is stuck or the analyzer is still working.
It's been in this state for 5 hrs now and I'm not sure if that is normal as there is no progress type bar.
MemProcFS-Analyzer doesn't work if a computer is behind a proxy server, as shown below.
Transcript started, output file is C:\tools\MemProcFS-Analyzer\2023-10-13T064208-data.txt
MemProcFS-Analyzer v0.9 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2023-10-13 06:42:08 UTC
[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again.
This is because MemProcFS-Analyzer uses Test-Connection. It is using ping.
Therefore, if ICMP packets are filtered by a firewall, it will also not work.
I've found that a number of features in v0.6 are being hampered by this error:
[Error] github.com is NOT reachable...
github.com is in fact reachable, but Test-Connection is failing for some reason.
To replicate, I ran:
Test-Connection -ComputerName github.com -Count 1 -Quiet
I tried this from a number of different computers and get "false" returned from all of them, whereas something like:
Test-Connection -ComputerName google.com -Count 1 -Quiet
returns "true".
Not sure what the cause is, but some parts of the script are not currently working, as they're failing this connection test.
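Added example (not code from the MemProcFS-Analyzer script or from either reporter) covering both the proxy report above and this Test-Connection report: a pre-flight reachability check that does not depend on ICMP echo, first trying a TCP connect to 443 and then an HTTP HEAD through the system proxy. The hostnames in the usage comment and the timeout value are illustrative.

```powershell
function Test-HttpsReachable {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # e.g. 'github.com' or 'f001.backblazeb2.com'
        [int] $TimeoutSec = 10
    )

    # Windows PowerShell 5.1 may still default to TLS 1.0; GitHub and most CDNs require TLS 1.2.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

    # 1) Direct TCP connect to 443. Works where ICMP is filtered (the case where
    #    Test-Connection returns $false for a reachable host) but fails behind a
    #    proxy that blocks direct egress, so it is only a fast path.
    $Tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $Pending = $Tcp.BeginConnect($HostName, 443, $null, $null)
        if ($Pending.AsyncWaitHandle.WaitOne($TimeoutSec * 1000)) {
            $Tcp.EndConnect($Pending)          # throws if the connection was refused
            return $true
        }
    } catch {
        # DNS failure or refused connection: fall through to the proxy-aware check.
    } finally {
        $Tcp.Close()
    }

    # 2) HTTP HEAD through the system (WinINET) proxy with the caller's credentials.
    #    Any HTTP status, even 403/404, proves the host answered; only a transport
    #    failure (DNS, connect, TLS handshake, proxy refusal) means "not reachable".
    try {
        $Request         = [System.Net.HttpWebRequest]::Create("https://$HostName/")
        $Request.Method  = 'HEAD'
        $Request.Timeout = $TimeoutSec * 1000
        $Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
        $Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $Request.Proxy = $Proxy
        $Request.GetResponse().Close()
        return $true
    } catch {
        # PowerShell may wrap the .NET exception; walk down to the WebException.
        $Ex = $_.Exception
        while ($Ex -and $Ex -isnot [System.Net.WebException]) { $Ex = $Ex.InnerException }
        if ($Ex -and $Ex.Response) { $Ex.Response.Close(); return $true }   # server replied with an error status
        return $false
    }
}

# Usage, in place of Test-Connection -Quiet in a dependency pre-flight check:
# if (-not (Test-HttpsReachable 'github.com')) { Write-Warning 'github.com is NOT reachable over HTTPS.' }
```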
Hi @evild3ad
I wanted to warn you about the fact that you left your personal IPinfo access token in your code, on this line.
Instead, what do you think of using, as an example, the one provided in the official documentation?
RECmd version 1.6.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces (and all RegEx) with double quotes
Command line: -d E:\MemProcFS-Analyzer-v0.2\2021-06-19T115429-complete\Registry\Registry --bn E:\MemProcFS-Analyzer-v0.2\Tools\RECmd_BatchFiles\RegistryASEPs.reb --csv E:\MemProcFS-Analyzer-v0.2\2021-06-19T115429-complete\Registry\RegistryASEPs\CSV --csvf RegistryASEPs.csv
Batch file 'E:\MemProcFS-Analyzer-v0.2\Tools\RECmd_BatchFiles\RegistryASEPs.reb' does not exist.
If you run it like this, then the extended disk appears, but if you run the full-fledged script through PowerShell, nothing happens.
good > C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v
not good > PS C:\MemProcFS-Analyzer-v1.0> .\MemProcFS-Analyzer.ps1
C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'C:\MemProcFS-Analyzer-v1.0\pcileech.raw' as RAW Memory Dump.
[INFODB] INIT: SUCCESS: va=0xfffff80670600000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 10.0.22621
[PLUGIN] LOAD: built-in module: ''
[PLUGIN] LOAD: built-in module: ''
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\eventlog'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\sysinfo'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
[PROCESS] BAD DTB: PID=5500 DTB=00000001da9c5000
[PROCESS] BAD DTB: PID=11140 DTB=000000010cef1000
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
============================== MemProcFS ==============================
not good > PS C:\MemProcFS-Analyzer-v1.0> .\MemProcFS-Analyzer.ps1
MemProcFS-Analyzer v1.0 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2024-05-05 13:55:07 UTC
[Info] Current Version: MemProcFS v5.9.12
[Info] Latest Release: MemProcFS v5.9.12 (2024-03-03)
[Info] You are running the most recent version of MemProcFS.
[Info] Current Version of YARA Custom Rules: 2024-04-03
[Info] Latest Update: 2024-04-03
[Info] You are running the most recent YARA Custom Rules.
[Info] Current Version: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info] Latest Release: Dokany File System Library v2.1.0.1000 (2023-12-22)
[Error] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/latest (DokanSetup.exe)
[Info] Current Version: Elasticsearch v8.9.2
[Info] Latest Release: Elasticsearch v8.9.2 (2023-09-06)
[Info] You are running the most recent version of Elasticsearch.
[Info] Current Version: Kibana v8.9.2
[Info] Latest Release: Kibana v8.9.2 (2023-09-06)
[Info] You are running the most recent version of Kibana.
[Info] Current Version: AmcacheParser v1.5.1.0
[Info] You are running the most recent version of AmcacheParser.
[Info] Current Version: AppCompatCacheParser v1.5.0.0
[Info] You are running the most recent version of AppCompatCacheParser.
[Info] Current Version: entropy v1.1 (2023-07-28)
[Info] Latest Release: entropy v1.1 (2023-07-28)
[Info] You are running the most recent version of entropy.
[Info] Current Version: EvtxECmd v1.5.0.0
[Info] You are running the most recent version of EvtxECmd.
[Info] Current Version: ImportExcel v7.8.6
[Info] Latest Release: ImportExcel v7.8.6 (2023-10-12)
[Info] You are running the most recent version of ImportExcel.
[Info] Current Version: IPinfo CLI v3.3.0 (2024-01-01)
[Info] Latest Release: IPinfo CLI v3.3.0 (2024-01-01)
[Info] You are running the most recent version of IPinfo CLI.
[Info] Current Version: jq v1.7.1
[Info] Latest Release: jq v1.7.1 (2023-12-13)
[Info] You are running the most recent version of jq.
[Info] Current Version: lnk_parser v0.2.0 (2024-05-04)
[Info] Latest Release: lnk_parser v0.2.0 (2022-08-10)
[Info] You are running the most recent version of lnk_parser.
[Info] Current Version: RECmd v2.0.0.0
[Info] You are running the most recent version of RECmd.
[Info] Current Version: SBECmd v2.0.0.0
[Info] You are running the most recent version of SBECmd.
[Info] Current Version: xsv v0.13.0 (2018-05-12)
[Info] Latest Release: xsv v0.13.0 (2018-05-12)
[Info] You are running the most recent version of xsv.
[Info] Current Version: YARA v4.5.0 (2024-02-13)
[Info] Latest Release: YARA v4.5.0 (2024-02-13)
[Info] You are running the most recent version of YARA.
[Info] Zircolite NOT found.
[Info] Latest Release: Zircolite v2.20.0 (2024-03-29)
[Info] Dowloading Latest Release ...
PS C:\MemProcFS-Analyzer-v1.0> TerminatingError(Invoke-WebRequest): "Invalid URI: The hostname could not be parsed."
Invoke-WebRequest : Invalid URI: The hostname could not be parsed.
At C:\MemProcFS-Analyzer-v1.0\MemProcFS-Analyzer.ps1:2367 char:5
Invoke-WebRequest -Uri $Download -OutFile "$SCRIPT_DIR\Tools\$7Zi ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Invoke-WebRequest -Uri $Download -OutFile "$SCRIPT_DIR\Tools\$7Zi ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Info] Mounting the Physical Memory Dump file as D: ...
[Info] Physical Memory Dump File Size: 33.99 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing C:\MemProcFS-Analyzer-v1.0\pcileech.raw [approx. 1-10 min] ...
PS C:\MemProcFS-Analyzer-v1.0> TerminatingError(): "The pipeline has been stopped."