Dokany File System Library NOT found

[antmar904]

Hi I am trying to run MemProcFS-Analyzer on my Windows 10 VM however I received the above mentioned error. So I installed Dokany 0.7.4 for Windows 10 (https://github.com/dokan-dev/dokany/releases/tag/v0.7.4) ran MemProcFS-Analyzer again and I keep getting the following error:

[Info] Dokany File System Library NOT found. [Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01) [Info] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)

Can you please update Analyzer to support the latest version of Dokany for Windows 10?

[evild3ad]

Hi,

you need to install the correct Dokany File System Library (Redistributable packaged version):

https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)

This version will also install the required Microsoft Visual C++ Redistributables for Visual Studio 2019.

It's a dependency of MemProcFS...please check out installing info for more details if needed: https://github.com/ufrisk/MemProcFS

You need to uninstall your version and restart your VM before you can install the mentioned DokanSetup_redist.exe.

I hope this information helps you.

Cheers! -Martin-

[antmar904]

thank you.

i installed the appropriate pre-req and i am currently running it again. question: am i suppose to see the virtual drive mounted as x? because I am not seeing it.

[evild3ad]

Yes, the default drive letter is X: ...as a network shared drive.

[antmar904]

ah ok i am not seeing it being mounted which is probably why whenever I run the tool it get stuck here:

[Info] Mounting the Physical Memory Dump file as X: ... [Info] Physical Memory Dump File Size: 11.43 GB [Info] MemProcFS Forensic Analysis initiated ... [Info] Processing E:_DATA\Server\MEMORY DUMP\fullmemdump051921.dmp [approx. 1-2 min] ...

[evild3ad]

Which VM app are you using?

[antmar904]

VMWare Workstation

[evild3ad]

Have you restarted your VM after the installation of Dokany?

[evild3ad]

I have VMware Workstation, but no Windows VM yet...very new computer...

[antmar904]

Have you restarted your VM after the installation of Dokany?

Yes I have. Ill have to dig into a little bit more later on it the day and will post my findings. Thank you!

[evild3ad]

Please check the minimized window of MemProcFS for any errors.

[antmar904]

I have two minimized ps windows. here are the last line shown for each window: this is basically where I get stuck all the time.

window 1:

[2021-06-02T10:27:49,200][INFO ][o.e.t.LoggingTaskListener] [DESKTOP-NC0UPK6] 149 finished with response BulkByScrollResponse[took=1.9s,timed_out=false,sliceId=null,updated=12,created=0,deleted=0,batches=1,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]

window 2:

log [10:27:59.271] [info][plugins][securitySolution] Dependent plugin setup complete - Starting ManifestTask

[evild3ad]

These two PowerShell windows are related to Elasticsearch and Kibana...so it seems that MemProcFS is not running...should be a minimized cmd.exe window.

[antmar904]

i've never seen a minimized cmd windows when running the MemProcFS-Analyzer.ps1

[evild3ad]

You can start a terminal with admin rights and navigate to MemProcFS in the Tools directory of MemProcFS-Analyzer: memprocfs.exe -device c:\temp\win10x64-dump.raw

[antmar904]

awesome ill try that now

[antmar904]

memprocfs crashes. I have python 3.9 installed

Initialized 64-bit Windows 10.0.17763 PluginManager: Python initialization failed. Python 3.6 or later not found.

=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============

• Author: Ulf Frisk - pcileech@frizk.net
• Info: https://github.com/ufrisk/MemProcFS

• License: GNU Affero General Public License v3.0

  MemProcFS is free open source software. If you find it useful please become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)

• Version: 4.0.3 (Windows)
• Mount Point: M:\
• Tag: 17763_2095e679

• Operating System: Windows 10.0.17763 (X64)

MOUNT: Failed. Status Code: -3

[evild3ad]

I will forward the issue to Ulf. I nearly finished the install of a Windows 10 VM...will have a look, too.

[ufrisk]

It fails to mount the virtual drive with a dokan error code of -3 which means: #define DOKAN_DRIVER_INSTALL_ERROR -3

Please uninstall any previous versions of dokan, reboot the machine, and then install latest dokan version 1.5.0.3000 from https://github.com/dokan-dev/dokany/releases and then reboot the machine once again; or if you have the ability do do so please roll back the VM before you installed that ancient 0.7.4 version of dokany and try again but with the latest release.

[evild3ad]

But there is no redist version!?

[ufrisk]

It's not required anymore I guess; latest MemProcFS version with latest dokany installs fine on clean VM 20.04 release. Hyper-V though; but I hardly think that should affect this. My best guess is that something happened when that very old dokany version was installed; but I don't know.

[antmar904]

It's not required anymore I guess; latest MemProcFS version with latest dokany installs fine on clean VM 20.04 release. Hyper-V though; but I hardly think that should affect this. My best guess is that something happened when that very old dokany version was installed; but I don't know.

ok reinstalling now

[antmar904]

ok looks like that worked. it is now mounted to M: Should I now run MemProcFS-Analyzer.ps1 or cancel everything and only run MemProcFS-Analyzer.ps1 ?

[evild3ad]

Yes...cancel it. You can manually stop MemProcFS with Ctrl+C.

[antmar904]

looks great. just have to learn what type of data gets extracted and how from memory. when i close out of the "happy elk hunting" message box does everything close? also is the extracted data saved anywhere so i can search on it again?

[evild3ad]

Please check out README.md and the MemProcFS wiki: https://github.com/ufrisk/MemProcFS/wiki