evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Home Page: https://lethal-forensics.com

WinPmemDump.Raw don't work

madeonukraine opened this issue

I made a RAM dump in the .RAW format, and when I run the analysis it does not give an error, but it does not load the system, and no files appeared in the directory during the day. I checked it on different systems; it works fine with the .mem format. Tell me how to solve it, and is it possible to somehow convert .raw to .mem format?

MemProcFS supports Raw Physical Memory Dumps and Microsoft Crash Dumps. When a memory capture tool uses, for example, the file extension ".raw", that doesn't mean the file is in the Raw Physical Memory Dump format. When you have used a WinPmem version, it is possibly AFF4; you can check it in a hex editor.

WinPMEM 4.0 RC2 is still the newest version and should write a Raw Physical Memory Dump by default:
https://github.com/Velocidex/WinPmem/releases

You can also check out my Collect-MemoryDump PowerShell script:
https://github.com/evild3ad/Collect-MemoryDump
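The hex-editor check described above, done from a script: this is an added example, not code from MemProcFS or MemProcFS-Analyzer. It reads the first bytes of a dump and reports the container it recognises; the signature table is my own (AFF4 images are ZIP containers, Microsoft crash dumps start with PAGEDUMP/PAGEDU64), and since a raw physical memory dump has no signature at all, "no signature" only means no known container was found.

```python
import sys
from pathlib import Path
from typing import Tuple

# Leading-byte signatures of common memory dump containers (constructed table;
# a raw physical memory dump has no signature at all).
SIGNATURES = (
    (b"PK\x03\x04", "AFF4 image (ZIP container, e.g. older WinPmem default): not a raw dump"),
    (b"PAGEDU64",   "Microsoft 64-bit crash dump: supported by MemProcFS"),
    (b"PAGEDUMP",   "Microsoft 32-bit crash dump: supported by MemProcFS"),
    (b"EMiL",       "LiME Linux dump: not a Windows raw dump"),
    (b"\x7fELF",    "ELF core (e.g. VirtualBox/QEMU): not a raw dump"),
)
RAW = "no container signature: raw physical memory dump (or unknown format)"


def classify_dump_header(header: bytes) -> str:
    """Return a description of the dump container based on its first bytes."""
    for magic, label in SIGNATURES:
        if header.startswith(magic):
            return label
    return RAW


def is_memprocfs_compatible(header: bytes) -> bool:
    """True when the header looks like a raw dump or a Microsoft crash dump."""
    label = classify_dump_header(header)
    return label == RAW or label.startswith("Microsoft")


def inspect_dump(path: str) -> Tuple[str, str]:
    """Read the first 16 bytes of a dump file; return (classification, hex preview)."""
    with open(path, "rb") as f:
        header = f.read(16)
    return classify_dump_header(header), header.hex(" ")


if __name__ == "__main__":
    # Usage: python check_dump.py <dump file> [<dump file> ...]
    for arg in sys.argv[1:]:
        label, preview = inspect_dump(arg)
        print(f"{Path(arg).name}: {preview}\n  -> {label}")
```

FTK Imager output and VMware .vmem files also carry no signature, so a raw result is consistent with the maintainer's statement that the extension says nothing about the format.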

This time I made a .mem format dump via FTK, and again I see that the program is working, but no load on the system or new files appear in the output folder. I don't know how to solve it.
A couple of months ago it worked with one of the dumps, and I saw in real time that the system was loading and artifact files were appearing, so I can say that the program was configured correctly.

There is no .mem format...you can name the file extension as you want...it is a Raw Physical Memory Dump when using FTK Imager. Please navigate via the PowerShell console to the "MemProcFS" directory in the "Tools" directory, launch MemProcFS against your memory dump, and check for errors:

memprocfs.exe -device <path_to_your_memory_dump> -v

C:\MemProcFS-Analyzer-v0.9\Tools\MemProcFS>MemProcFS.exe -device memdump.mem -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'memdump.mem' as RAW Memory Dump.
[INFODB] INIT: FAIL: va=0xfffff80026c01000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 6.3.9600
[PLUGIN] LOAD: built-in module: ''
[PLUGIN] LOAD: built-in module: ''
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
VmmPyPlugin: Loaded 'plugins.pym_pluginupdater'
VmmPyPlugin: Loaded 'plugins.pym_procstruct'
VmmPyPluginLight: Register 'reg/net/bth_devices.txt'
VmmPyPluginLight: Register 'reg/net/tcpip_interfaces.txt'
VmmPyPluginLight: Register 'reg/usb/usb_devices.txt'
VmmPyPluginLight: Register 'reg/usb/usb_storage.txt'
VmmPyPluginLight: Register 'by-user/reg/user/wallpaper.txt'
[PLUGIN] LOAD: native module: 'py'
[PLUGIN] PluginManager: Python plugin loaded.

============================== MemProcFS ==============================

MOUNT: Failed. Status Code: -3

"Status Code: -3" means that there is a Dokany driver install error. Please uninstall, reboot, install Dokany again...and try it again.

Thank you, all works.

C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'C:\MemProcFS-Analyzer-v1.0\pcileech.raw' as RAW Memory Dump.
[INFODB] INIT: SUCCESS: va=0xfffff80670600000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 10.0.22621
[PLUGIN] LOAD: built-in module: ''
[PLUGIN] LOAD: built-in module: ''
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.

[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\eventlog'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\sysinfo'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
[PROCESS] BAD DTB: PID=5500 DTB=00000001da9c5000
[PROCESS] BAD DTB: PID=11140 DTB=000000010cef1000
[PLUGIN] Python initialization failed. Python 3.6 or later not found.

============================== MemProcFS ==============================