evild3ad
commented
1 year ago - Delete the content of "Elasticsearch" and "Kibana" in the "Tools" directory
- Check if the "Updater" in the Main at the bottom of the script is enabled
- Simply replace the Elasticsearch function --> Search for: "Function Elasticsearch"
Function Elasticsearch {
# Launch Elasticsearch (PowerShell.exe)
Write-Output "[Info] Starting Elasticsearch ... "
$Elasticsearch_Process = Start-Process powershell.exe "& $Elasticsearch" -WindowStyle Minimized -PassThru
$Elasticsearch_Id = $Elasticsearch_Process.Id
$script:Elasticsearch_Termination = Get-Process | Where-Object {$_.Id -eq $Elasticsearch_Id}
$ProgressPreference = 'SilentlyContinue'
do {
Start-Sleep 3
$ProgressPreference = 'SilentlyContinue'
} until( Test-NetConnection 127.0.0.1 -Port 9200 -InformationLevel Quiet -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
# Launch Kibana (PowerShell.exe)
Write-Output "[Info] Starting Kibana ... "
$Kibana_Process = Start-Process powershell.exe "& $Kibana" -WindowStyle Minimized -PassThru
$Kibana_Id = $Kibana_Process.Id
$script:Kibana_Termination = Get-Process | Where-Object {$_.Id -eq $Kibana_Id}
$ProgressPreference = 'SilentlyContinue'
do {
Start-Sleep 3
$ProgressPreference = 'SilentlyContinue'
} until(Test-NetConnection localhost -Port 5601 -InformationLevel Quiet -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
Start-Sleep 2
}Tested successfully on my side. Please let me know if it works for you, too!
https://github.com/evild3ad/MemProcFS-Analyzer/wiki/Elasticsearch
antmar904
Hello.
I'm trying v0.6 and it's stuck at Starting Elasticsearch.
Here is the transcript output:
Windows PowerShell transcript start Start time: 20221020144917 Username: Win11Test\Test RunAs User: Win11Test\Test Configuration Name: Machine: WIN11TEST (Microsoft Windows NT 10.0.22000.0) Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe Process ID: 2824 PSVersion: 5.1.22000.832 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22000.832 BuildVersion: 10.0.22000.832 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1
Transcript started, output file is E:\Tools\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer-v0.6\2022-10-20T184911-dump.txt
██╗ ███████╗████████╗██╗ ██╗ █████╗ ██╗ ███████╗ ██████╗ ██████╗ ███████╗███╗ ██╗███████╗██╗ ██████╗███████╗ ██║ ██╔════╝╚══██╔══╝██║ ██║██╔══██╗██║ ██╔════╝██╔═══██╗██╔══██╗██╔════╝████╗ ██║██╔════╝██║██╔════╝██╔════╝ ██║ █████╗ ██║ ███████║███████║██║█████╗█████╗ ██║ ██║██████╔╝█████╗ ██╔██╗ ██║███████╗██║██║ ███████╗ ██║ ██╔══╝ ██║ ██╔══██║██╔══██║██║╚════╝██╔══╝ ██║ ██║██╔══██╗██╔══╝ ██║╚██╗██║╚════██║██║██║ ╚════██║ ███████╗███████╗ ██║ ██║ ██║██║ ██║███████╗ ██║ ╚██████╔╝██║ ██║███████╗██║ ╚████║███████║██║╚██████╗███████║ ╚══════╝╚══════╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═════╝╚══════╝
MemProcFS-Analyzer v0.6 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021-2022 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2022-10-20 18:49:11 UTC
[Info] Current Version: MemProcFS v5.1.3 [Info] Latest Release: MemProcFS v5.1.3 (2022-09-26) [Info] You are running the most recent version of MemProcFS. [Info] Current Version: Dokany File System Library v2.0.4.1000 (2022-04-30) [Info] Latest Release: Dokany File System Library v2.0.6.1000 (2022-10-02) [Error] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/latest (DokanSetup.exe) [Info] Current Version: Elasticsearch v8.4.3 [Info] Latest Release: Elasticsearch v8.4.3 (2022-10-05) [Info] You are running the most recent version of Elasticsearch. [Info] Current Version: Kibana v8.4.3 [Info] Latest Release: Kibana v8.4.3 (2022-10-05) [Info] You are running the most recent version of Kibana. [Info] Current Version: AmcacheParser v1.5.1.0 [Info] You are running the most recent version of AmcacheParser. [Info] Current Version: AppCompatCacheParser v1.5.0.0 [Info] You are running the most recent version of AppCompatCacheParser. [Info] Current Version: entropy v1.0 (2022-02-04) [Info] Latest Release: entropy v1.0 (2022-02-04) [Info] You are running the most recent version of entropy. [Info] Current Version: EvtxECmd v1.0.0.0 [Info] You are running the most recent version of EvtxECmd. [Info] Current Version: ImportExcel v7.8.1 [Info] Latest Release: ImportExcel v7.8.2 (2022-10-15) [Info] Current Version: IPinfo CLI v2.10.0 (2022-09-28) [Info] Latest Release: IPinfo CLI v2.10.0 (2022-09-28) [Info] You are running the most recent version of IPinfo CLI. [Info] Current Version: lnk_parser v0.2.0 (2022-10-20) [Info] Latest Release: lnk_parser v0.2.0 (2022-08-10) [Info] You are running the most recent version of lnk_parser. [Info] Current Version: RECmd v2.0.0.0 [Info] You are running the most recent version of RECmd. [Info] Current Version: SBECmd v2.0.0.0 [Info] You are running the most recent version of SBECmd. [Info] Current Version: xsv v0.13.0 (2018-05-12) [Info] Latest Release: xsv v0.13.0 (2018-05-12) [Info] You are running the most recent version of xsv. [Info] Current Version: YARA v4.2.3 (2022-08-08) [Info] Latest Release: YARA v4.2.3 (2022-08-09) [Info] You are running the most recent version of YARA. [Info] Starting Elasticsearch ...