MemProcFS-Analyzer does not work if a computer is behind a proxy or if ICMP is filtered by a firewall
mnrkbys opened this issue
Minoru Kobayashi commented
MemProcFS-Analyzer doesn't work if a computer is behind a proxy server like below.
Transcript started, output file is C:\tools\MemProcFS-Analyzer\2023-10-13T064208-data.txt
MemProcFS-Analyzer v0.9 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2023-10-13 06:42:08 UTC
[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again.
This is because MemProcFS-Analyzer uses Test-Connection. It is using ping.
Therefore, if ICMP packets are filtered by a firewall, it will also not work.
Martin Willing commented
Hi, is the following command working for you?
((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)
Minoru Kobayashi commented
It does not work.
Test-NetConnection is not able to specify a proxy server.
PS C:\Windows\system32> ((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)
WARNING: TCP connect to (104.153.233.181 : 443) failed
WARNING: Ping to 104.153.233.181 failed with status: TimedOut
False
Martin Willing commented
Please try:
$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
(Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
Minoru Kobayashi commented
It's working.
PS C:\Windows\system32> $URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
PS C:\Windows\system32> (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
200
Martin Willing commented
Nice. I will implement it in the next release. The release of MemProcFS-Analyzer v1.0 is planned for the next 1-2 weeks.
# Check if Backblaze B2 Platform is reachable
$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
try
{
    # -ErrorAction Stop turns a connection failure into a terminating error handled below
    $StatusCode = (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive -ErrorAction Stop).StatusCode
}
catch
{
    # Network failure or HTTP error status: treat the host as not reachable
    $StatusCode = $null
}
if ($StatusCode -ne 200)
{
    Write-Host "[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again." -ForegroundColor Red
    $Host.UI.RawUI.WindowTitle = "$DefaultWindowsTitle"
    Exit
}
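The thread's conclusion is that an HTTP request via Invoke-WebRequest (which honours the system proxy) is the only check of the three that survives both a proxy and ICMP filtering. The function below is an added example, not MemProcFS-Analyzer's own code: it wraps that check so a proxy can optionally be passed explicitly and so an HTTP error status (host answered) is distinguished from a real network failure. The function name, the parameter names, the timeout and the use of a HEAD request instead of a full download are assumptions.

```powershell
# Added example (not MemProcFS-Analyzer's code): HTTP-based reachability check that
# works behind a proxy and when ICMP is filtered, because it never uses ping.
# Function name, parameters, timeout and HEAD method are assumptions.
function Test-B2Reachable {
    param(
        [string]$Uri = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip",
        [string]$Proxy,            # optional explicit proxy, e.g. "http://proxy.example:8080"
        [int]$TimeoutSec = 15
    )

    $params = @{
        Uri              = $Uri
        Method           = 'Head'  # assumed accepted by the server; use 'Get' if it is not
        UseBasicParsing  = $true
        DisableKeepAlive = $true
        TimeoutSec       = $TimeoutSec
        ErrorAction      = 'Stop'  # make failures terminating so the catch block sees them
    }
    if ($Proxy) {
        # Without -Proxy, Invoke-WebRequest uses the system (WinINET) proxy settings
        $params['Proxy'] = $Proxy
        $params['ProxyUseDefaultCredentials'] = $true
    }

    try {
        $response = Invoke-WebRequest @params
        return [pscustomobject]@{ Reachable = $true; StatusCode = [int]$response.StatusCode; Reason = 'OK' }
    }
    catch {
        # An HTTP error (403, 404, ...) still proves the host answered through the proxy;
        # only a missing Response object means the network path itself failed.
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
            return [pscustomobject]@{ Reachable = $true; StatusCode = $code; Reason = "HTTP $code" }
        }
        return [pscustomobject]@{ Reachable = $false; StatusCode = $null; Reason = $_.Exception.Message }
    }
}

# Usage: same error handling as the script, but with the failure reason included
$check = Test-B2Reachable
if (-not $check.Reachable) {
    Write-Host "[Error] f001.backblazeb2.com is NOT reachable ($($check.Reason)). Please check your network connection and try again." -ForegroundColor Red
    Exit
}
Write-Host "[Info] f001.backblazeb2.com reachable, HTTP status $($check.StatusCode)"
```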