MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

• Fast and easy memory analysis!
• You can mount a Raw Physical Memory Dump like a disk image and handle the memory compression feature on Windows
• Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, IPinfo CLI, and xsv
• Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompactCacheParser, RECmd, SBECmd, Import-Excel, IPinfo CLI, and xsv
• Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
• Multi-Threaded scan w/ ClamAV for Windows
• OS Fingerprinting
• Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
• Extracting IPv4/IPv6
• IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
• Checking Processes for Unusual Parent-Child Relationships and Number of Instances
• Web Browser History (Google Chrome, Microsoft Edge and Firefox)
• Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
• Analyzing extracted Amcache.hve w/ Amcacheparser (EZTools by Eric Zimmerman)
• Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser (EZTools by Eric Zimmerman)
• Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
• Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
• Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
• Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
• Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
• Integration of PowerShell module ImportExcel by Doug Finke
• CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
• Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

Fig 1: Select your Raw Physical Memory Dump (File Browser)

Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)

Fig 3: Accept Terms of Use (First Run)

Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk

Fig 5: You can investigate the mounted memory dump by exploring drive letter X:

Fig 6: MemProcFS-Analyzer checks for updates (Second Run)

Note: It's recommended to uncomment/disable the "Updater" function after installation. Check out the "Main" in the bottom of the script.

Fig 7: FindEvil feature and additional analytics

Fig 8: GeoIP w/ IPinfo.io

Fig 9: Map IPs w/ IPinfo.io

Fig 10: Processing Windows Event Logs (EVTX)

Fig 11: Processing extracted Amcache.hve → XLSX

Fig 12: Processing ShimCache → XLSX

Fig 13: Analyze CSV output w/ Timeline Explorer (TLE)

Fig 14: ELK Import

Fig 15: Happy ELK Hunting!

Fig 16: Multi-Threaded ClamAV Scan to help you finding evil! ;-)

Fig 17: Press OK to shutdown MemProcFS and Elastisearch/Kibana

Fig 18: Secure Archive Container (PW: MemProcFS)

Introduction MemProcFS and Memory Forensics

Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.

Prerequisites

1. Download and install the latest Dokany Library Bundle → DokanSetup.exe
   https://github.com/dokan-dev/dokany/releases/latest

2. Download and install the latest .NET 6 Desktop Runtime (Requirement for EZTools)
   https://dotnet.microsoft.com/en-us/download/dotnet/6.0

3. Download and install the latest Windows package of ClamAV.
   https://www.clamav.net/downloads#otherversions

4. First Time Set-Up of ClamAV
   Launch Windows PowerShell console as Administrator.
   cd "C:\Program Files\clamav"
copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
copy .\conf_examples\clamd.conf.sample .\clamd.conf
write.exe .\freshclam.conf → Comment or remove the line that says “Example”.
   write.exe .\clamd.conf → Comment or remove the line that says “Example”.
   https://docs.clamav.net/manual/Usage/Configuration.html#windows

5. Create your free IPinfo account [approx. 1-2 min]
   https://ipinfo.io/signup?ref=cli
   Open "MemProcFS-Analyzer.ps1" with your text editor, search for "<access_token>" and copy/paste your access token.

6. Install the NuGet package provider for PowerShell
   Check if NuGet is available in the package providers by running the following command:
   Get-PackageProvider -ListAvailable
   If NuGet is not installed on your system yet, you have to install it.
   Install-PackageProvider -Name NuGet -Force

7. Done! :smiley:

Notes:

• Turn off your antivirus protection temporarily or better exclude your MemProcFS-Analyzer directory from scanning.
• Elasticsearch Tips

Dependencies

7-Zip 22.00 Standalone Console (2022-06-15)
https://www.7-zip.org/download.html

AmcacheParser v1.5.1.0 (.NET 6)
https://ericzimmerman.github.io/

AppCompatCacheParser v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

ClamAV - Alternate Versions → Windows Packages → Win64 → clamav-0.105.0.win.x64.msi (2022-05-03)
https://www.clamav.net/downloads#otherversions

Dokany Library Bundle v2.0.5.1000 (2022-07-04)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe

Elasticsearch 8.3.1 (2022-06-30)
https://www.elastic.co/downloads/elasticsearch

EvtxECmd v1.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

ImportExcel 7.7.0 (2022-07-04)
https://github.com/dfinke/ImportExcel

Ipinfo CLI 2.8.0 (2022-03-21)
https://github.com/ipinfo/cli

Kibana 8.3.1 (2022-06-30)
https://www.elastic.co/downloads/kibana

MemProcFS v4.9.3 - The Memory Process File System (2022-06-15)
https://github.com/ufrisk/MemProcFS

RECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

SBECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv

Links

MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS Project
MemProcFSHunter
MemProcFS-Plugins