evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Home Page:https://lethal-forensics.com

MemProcFS-Analyzer does not work if a computer is behind a proxy or if ICMP is filtered by a firewall

mnrkbys opened this issue · comments

MemProcFS-Analyzer doesn't work if a computer is behind a proxy server, like below.

Transcript started, output file is C:\tools\MemProcFS-Analyzer\2023-10-13T064208-data.txt

██╗     ███████╗████████╗██╗  ██╗ █████╗ ██╗      ███████╗ ██████╗ ██████╗ ███████╗███╗   ██╗███████╗██╗ ██████╗███████╗
██║     ██╔════╝╚══██╔══╝██║  ██║██╔══██╗██║      ██╔════╝██╔═══██╗██╔══██╗██╔════╝████╗  ██║██╔════╝██║██╔════╝██╔════╝
██║     █████╗     ██║   ███████║███████║██║█████╗█████╗  ██║   ██║██████╔╝█████╗  ██╔██╗ ██║███████╗██║██║     ███████╗
██║     ██╔══╝     ██║   ██╔══██║██╔══██║██║╚════╝██╔══╝  ██║   ██║██╔══██╗██╔══╝  ██║╚██╗██║╚════██║██║██║     ╚════██║
███████╗███████╗   ██║   ██║  ██║██║  ██║███████╗ ██║     ╚██████╔╝██║  ██║███████╗██║ ╚████║███████║██║╚██████╗███████║
╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═══╝╚══════╝╚═╝ ╚═════╝╚══════╝

MemProcFS-Analyzer v0.9 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)

Analysis date: 2023-10-13 06:42:08 UTC

[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again.

This is because MemProcFS-Analyzer uses Test-Connection. It is using ping.
Therefore, if ICMP packets are filtered by a firewall, it will also not work.

Hi, is the following command working for you?

((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)

It does not work.
Test-NetConnection is not able to specify a proxy server.

PS C:\Windows\system32> ((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)
WARNING: TCP connect to (104.153.233.181 : 443) failed
WARNING: Ping to 104.153.233.181 failed with status: TimedOut
False

Please try:

$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
(Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode

It's working.

PS C:\Windows\system32> $URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
PS C:\Windows\system32> (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
200

Nice. I will implement it in the next release. The release of MemProcFS-Analyzer v1.0 is planned for the next 1-2 weeks.

Check if Backblaze B2 Platform is reachable

$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
# Invoke-WebRequest honours the system proxy, so this check works where ICMP (Test-Connection)
# and Test-NetConnection fail. An unreachable host or a non-2xx answer raises an error, which
# would otherwise print before the message below, so the request is wrapped in try/catch.
try
{
    $StatusCode = (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive -TimeoutSec 30 -ErrorAction Stop).StatusCode
}
catch
{
    $StatusCode = $null
}
if ($StatusCode -ne 200)
{
    Write-Host "[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again." -ForegroundColor Red
    # $DefaultWindowsTitle is set earlier in the MemProcFS-Analyzer script
    $Host.UI.RawUI.WindowTitle = "$DefaultWindowsTitle"
    Exit
}
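The thread shows why ICMP (Test-Connection) and Test-NetConnection give a false "not reachable" on proxied or ICMP-filtered networks while an HTTP request succeeds. The script below is an added example, not code from MemProcFS-Analyzer or from either participant: it resolves the system proxy for the target URL explicitly and passes it to Invoke-WebRequest, distinguishes "host answers HTTP" from "no HTTP answer at all", and bounds the wait with a timeout. The function name Test-B2Reachable, its parameters, and the use of a HEAD request (assumed to be accepted by the endpoint; a 405 still counts as reachable) are assumptions of this example. It runs on both Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not part of MemProcFS-Analyzer): proxy-aware HTTP reachability check.
# Assumed names: Test-B2Reachable, -Uri, -TimeoutSec. HEAD is assumed to be accepted.
function Test-B2Reachable {
    param(
        [string]$Uri = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip",
        [int]$TimeoutSec = 15
    )

    $params = @{
        Uri              = $Uri
        Method           = 'Head'      # do not download the archive just to see if the host answers
        UseBasicParsing  = $true
        DisableKeepAlive = $true
        TimeoutSec       = $TimeoutSec # never hang a forensic run on a black-holed connection
        ErrorAction      = 'Stop'      # make every failure land in the catch blocks below
    }

    # Ask the OS which proxy (if any) applies to this URL. GetProxy() returns the
    # original URL when the connection is direct, so comparing the two tells us
    # whether a proxy is in play. Test-Connection/Test-NetConnection ignore this.
    $target   = [uri]$Uri
    $proxyUri = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($target)
    if ($proxyUri.AbsoluteUri -ne $target.AbsoluteUri) {
        Write-Verbose "Using system proxy $($proxyUri.AbsoluteUri)"
        $params['Proxy'] = $proxyUri
        $params['ProxyUseDefaultCredentials'] = $true   # authenticated corporate proxies
    }

    try {
        $response = Invoke-WebRequest @params
        return ([int]$response.StatusCode -eq 200)
    }
    catch {
        # Both editions attach the server reply to the exception when one was received:
        # WebException.Response (5.1) or HttpResponseException.Response (7.x).
        # A reply with an HTTP error (403, 404, 405 ...) means the host IS reachable
        # through the proxy; only the object or method is a problem.
        $reply = $_.Exception.Response
        if ($reply -and $reply.StatusCode) {
            Write-Warning "f001.backblazeb2.com answered HTTP $([int]$reply.StatusCode) for $Uri"
            return $true
        }
        # No reply at all: DNS, TCP, TLS, proxy CONNECT or timeout failure.
        Write-Warning "No HTTP answer from f001.backblazeb2.com: $($_.Exception.Message)"
        return $false
    }
}

if (-not (Test-B2Reachable -Verbose)) {
    Write-Host "[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again." -ForegroundColor Red
}
```

Reachability and "file present" are reported separately on purpose: a 404 on one tool archive should not be mistaken for a network outage, while a DNS or proxy CONNECT failure should not be hidden behind a generic status-code comparison.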