evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Home Page: https://evild3ad.com/

MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script that simplifies the use of MemProcFS and assists with the memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

  • Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, and IPinfo CLI
  • Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, and IPinfo CLI
  • Update-Info when there's a new version of ClamAV or a new Redistributable packaged Dokany Library Bundle available
  • Multi-Threaded scan w/ ClamAV for Windows
  • OS Fingerprinting
  • Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
  • Extracting IPv4/IPv6
  • IP2ASN Mapping and GeoIP w/ IPinfo CLI
  • Checking for Unusual Parent-Child Relationships and Number of Instances
  • Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
  • Analyzing extracted Amcache.hve w/ AmcacheParser (EZTools by Eric Zimmerman)
  • Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatCacheParser (EZTools by Eric Zimmerman)
  • Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Extracting Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
  • Integration of PowerShell module ImportExcel by Doug Finke
  • Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

Fig 1: Select your Raw Physical Memory Dump (File Browser)
Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)
Fig 3: Accept Terms of Use of the Microsoft Internet Symbol Store (First Run)
Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk
Fig 5: MemProcFS-Analyzer checks for updates (Second Run)
Fig 6: Multi-Threaded ClamAV Scan
Fig 7: GeoIP w/ IPinfo.io
Fig 8: Map IPs w/ IPinfo.io
Fig 9: Processing Windows Event Logs (EVTX)
Fig 10: Processing extracted Amcache.hve → XLSX
Fig 11: Processing ShimCache → XLSX
Fig 12: ELK Import
Fig 13: Happy ELK Hunting!
Fig 14: ClamAV Scan found 29 infected file(s) (Secure Archive Container)
Fig 15: Press OK to shut down MemProcFS and Elasticsearch/Kibana (Message Box)
Fig 16: Secure Archive Container (PW: MemProcFS)

Prerequisites

  1. Download and install the latest Dokany Library Bundle (Redistributable packaged) → DokanSetup_redist.exe
    The Dokany installer will also install the required Microsoft Visual C++ Redistributables for Visual Studio 2019.
    https://github.com/dokan-dev/dokany/releases/latest

  2. Download and install the latest Windows package of ClamAV.
    https://www.clamav.net/downloads

  3. First Time Set-Up of ClamAV
    Launch Windows PowerShell console as Administrator.
    cd "C:\Program Files\clamav"
    copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
    copy .\conf_examples\clamd.conf.sample .\clamd.conf
    write.exe .\freshclam.conf → Comment or remove the line that says “Example”.
    write.exe .\clamd.conf → Comment or remove the line that says “Example”.
    https://www.clamav.net/documents/installing-clamav-on-windows

  4. Create your free IPinfo account [approx. 1-2 min]
    https://ipinfo.io/signup?ref=cli
    Open "MemProcFS-Analyzer.ps1" with your text editor, search for "access_token" and copy/paste your access token.

  5. Install the NuGet package provider for PowerShell
    Check if NuGet is available in the package providers by running the following command:
    Get-PackageProvider -ListAvailable
    If NuGet is not installed on your system yet, you have to install it.
    Install-PackageProvider -Name NuGet -Force

  6. Done! 😃
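The following pre-flight script is an added example (not part of MemProcFS-Analyzer) that automates the checks in the prerequisites above. It assumes ClamAV lives under "C:\Program Files\clamav" (as in step 3), that Dokany 1.x places dokan1.dll in System32, and that an unset IPinfo token appears in the script as an empty access_token assignment; adjust those if your setup differs.

```powershell
#Requires -RunAsAdministrator
# Pre-flight check for the MemProcFS-Analyzer prerequisites (added example, not the project's own code).
$ClamDir = 'C:\Program Files\clamav'   # install path used in step 3

# Step 0: the script is documented for Windows PowerShell 5.1.
if ($PSVersionTable.PSVersion.Major -ne 5) {
    Write-Warning "PSVersion $($PSVersionTable.PSVersion) detected; MemProcFS-Analyzer targets Windows PowerShell 5.1."
}

# Step 1: Dokany Library Bundle (assumption: Dokany 1.x installs dokan1.dll into System32).
if (-not (Test-Path "$env:SystemRoot\System32\dokan1.dll")) {
    Write-Warning 'Dokany not found: install DokanSetup_redist.exe from https://github.com/dokan-dev/dokany/releases/latest'
}

# Steps 2-3: ClamAV present, then first-time set-up of freshclam.conf and clamd.conf.
# The sample configs contain a bare "Example" line that makes ClamAV refuse to start,
# so it is commented out exactly as step 3 describes.
foreach ($Name in 'freshclam', 'clamd') {
    $Sample = Join-Path $ClamDir "conf_examples\$Name.conf.sample"
    $Conf   = Join-Path $ClamDir "$Name.conf"
    if (-not (Test-Path $Sample)) {
        Write-Warning "ClamAV sample config missing: $Sample (install ClamAV from https://www.clamav.net/downloads)"
        continue
    }
    if (-not (Test-Path $Conf)) { Copy-Item -Path $Sample -Destination $Conf }
    $Lines = Get-Content -Path $Conf
    if ($Lines -match '^\s*Example\s*$') {          # only rewrite while an active "Example" line remains
        $Lines -replace '^(\s*)Example\s*$', '$1#Example' | Set-Content -Path $Conf -Encoding ASCII
        Write-Host "Commented out 'Example' in $Conf"
    }
}

# Step 4: IPinfo access token (assumption: an unset token reads access_token = "" in the script).
$Script = Join-Path $PSScriptRoot 'MemProcFS-Analyzer.ps1'
if ((Test-Path $Script) -and (Select-String -Path $Script -Pattern 'access_token\s*=\s*"\s*"' -Quiet)) {
    Write-Warning "No IPinfo access token set in $Script (search for 'access_token')."
}

# Step 5: NuGet package provider, needed so the ImportExcel module can be installed.
if (-not (Get-PackageProvider -ListAvailable | Where-Object Name -eq 'NuGet')) {
    Install-PackageProvider -Name NuGet -Force
}
Write-Host 'Pre-flight check finished; review any warnings above before running MemProcFS-Analyzer.ps1.'
```

Save it next to MemProcFS-Analyzer.ps1 and run it from an elevated PowerShell 5.1 console; it is idempotent, so re-running after fixing a warning is safe.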

Dependencies

7-Zip 9.20 Command Line Version (2010-11-18)
https://www.7-zip.org/download.html

AmcacheParser v1.4.0.0 (2021-03-20)
https://binaryforay.blogspot.com/

AppCompatCacheParser v1.4.4.0 (2021-03-20)
https://binaryforay.blogspot.com/

ClamAV - Windows Packages → Win64 → ClamAV-0.103.2.exe (2021-04-07)
https://www.clamav.net/downloads
https://www.clamav.net/documents/installing-clamav-on-windows → First Time Set-Up

Dokany Library Bundle v1.4.0.1000 x64 (2020-06-01)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup_redist.exe

Elasticsearch 7.13.2 (2021-06-14)
https://www.elastic.co/downloads/elasticsearch

EvtxECmd v0.6.5.0 (2020-12-21)
https://binaryforay.blogspot.com/

ImportExcel 7.1.2 (2020-05-08)
https://github.com/dfinke/ImportExcel

Ipinfo CLI 2.0.0 (2021-05-26)
https://github.com/ipinfo/cli

Kibana 7.13.2 (2021-06-14)
https://www.elastic.co/downloads/kibana

MemProcFS v4.1.0 - The Memory Process File System (2021-06-13)
https://github.com/ufrisk/MemProcFS

Microsoft Visual C++ Redistributables for Visual Studio 2019
https://go.microsoft.com/fwlink/?LinkId=746572 → VC_redist.x64.exe

Registry Explorer/RECmd v1.6.0.0 (2021-06-08)
https://binaryforay.blogspot.com/

ShellBags Explorer v1.4.0.0 (2021-05-24)
https://binaryforay.blogspot.com/

Links

MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS project
MemProcFSHunter


About

License: GNU General Public License v3.0