evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

Kibana update - directory name error #14

Closed Bloggzy closed 2 years ago

Bloggzy commented 2 years ago

Firstly, just wanted to say, great work with this project, please keep it up, it's really useful, thank you.

I've noticed a minor issue with v0.6 - specifically with the Kibana update, where it threw the following error:

Rename-Item : Cannot rename because item at 'C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\Tools\kibana-7.17.7' does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:762 char:9
+         Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease" "$SCRIP ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand

Looking at the code (line 762), the Rename-Item fails because the (real) directory is called "kibana-7.17.7-windows-x86_64", but the code tries to rename a directory called "kibana-7.17.7" (missing the "-windows-x86_64" suffix).

The path is constructed using the variable "$LatestRelease", and $LatestRelease = "7.17.7", not "7.17.7-windows-x86_64".

Maybe use "$DestinationPath" instead?

evild3ad commented 2 years ago

Thanks for the feedback! I will keep it alive... it will also become part of the new SANS FOR532.

The "Updater" function is hard to maintain, because repo owners change the naming of their assets quite often.

I recommend always downloading the full MemProcFS-Analyzer archive (e.g. MemProcFS-Analyzer-v0.6.zip). Note: it is not enough to replace only the PowerShell script.

The "Updater" function of a new release works and should be disabled after the first run... it is the easiest way to have a stable install.

In your case you can simply delete all files in your Elasticsearch and Kibana directories and use the "Updater" function to auto-install the newest versions:

"$SCRIPT_DIR\Tools\Elasticsearch"
"$SCRIPT_DIR\Tools\Kibana"

MemProcFS-Analyzer v0.7 is nearly finished and will (hopefully) be released in the next 2-3 weeks... again with a lot of nice new features. I think I will add "MemProcFS-Analyzer.ps1" to the repo after this release, so that I can quickly update/fix small things.

Bloggzy commented 2 years ago

That's excellent news; I'll have to re-mortgage my house so that I can go on the SANS course ;)

I can imagine! You build a script around a particular format or pattern, and then that changes... annoying.

I was playing with extracting the version number using:

Select-String -Pattern '\d{1,3}\.\d{1,3}\.\d{1,3}'

For your info, I downloaded and extracted the MemProcFS-Analyzer-v0.6.zip into a new directory, so there were no existing files or folders to conflict.

Looking forward to v0.7, keep up the excellent work!
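The two points raised in this thread, the Rename-Item failing because the extracted folder carries a platform suffix the script does not expect, and pulling the version number out of a folder name with a `\d{1,3}\.\d{1,3}\.\d{1,3}` pattern, can be combined into a rename step that does not depend on the exact asset name. The script below is an added example written for this page; it is not the MemProcFS-Analyzer updater code. It assumes the layout visible in the error message (`$SCRIPT_DIR\Tools\`, a `$LatestRelease` holding only the version string, and a target folder named `Kibana`); the default values for `$SCRIPT_DIR` and `$LatestRelease` are taken from the error output and are only placeholders.

```powershell
# Added example, not the project's own updater code.
# Goal: find the freshly extracted Kibana directory under Tools\ by pattern
# (so "kibana-7.17.7" and "kibana-7.17.7-windows-x86_64" both match), confirm
# its version, and rename it to the fixed "Kibana" folder the script expects.
param(
    # Assumed defaults, copied from the paths in the reported error message.
    [string]$SCRIPT_DIR    = 'C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6',
    [string]$LatestRelease = '7.17.7'
)

$ToolsDir = Join-Path $SCRIPT_DIR 'Tools'
$Target   = Join-Path $ToolsDir 'Kibana'

# Match "kibana-<major>.<minor>.<patch>" with any optional "-<suffix>" after it,
# instead of hard-coding the asset name the upstream archive happens to use today.
$NamePattern = '^kibana-\d{1,3}\.\d{1,3}\.\d{1,3}(-.+)?$'

# @() forces an array so .Count is reliable for zero or one hit.
$Candidates = @(Get-ChildItem -Path $ToolsDir -Directory -Filter 'kibana-*' |
    Where-Object { $_.Name -match $NamePattern })

if ($Candidates.Count -eq 0) {
    throw "No extracted Kibana directory found under $ToolsDir (pattern: $NamePattern)"
}
if ($Candidates.Count -gt 1) {
    # Several leftover extractions would make the choice ambiguous; the safe move
    # is to stop and let the operator clean up rather than rename the wrong one.
    throw "Ambiguous Kibana directories: $($Candidates.Name -join ', '); remove stale ones first"
}

$Extracted = $Candidates[0]

# Pull the version out of the directory name with the same kind of regex
# discussed above, rather than trusting the name to equal "kibana-$LatestRelease".
$Version = [regex]::Match($Extracted.Name, '\d{1,3}\.\d{1,3}\.\d{1,3}').Value

if ($Version -ne $LatestRelease) {
    throw "Extracted Kibana is $Version but the updater requested $LatestRelease"
}

# Never clobber an existing install. This mirrors the maintainer's advice in the
# thread: empty the Elasticsearch and Kibana directories, then run the updater.
if (Test-Path -Path $Target) {
    throw "$Target already exists; delete it before re-running the updater"
}

# -NewName renames in place within the same parent directory.
Rename-Item -Path $Extracted.FullName -NewName 'Kibana'
Write-Host "Renamed '$($Extracted.Name)' to 'Kibana' (version $Version)"
```

Run it from the MemProcFS-Analyzer directory after the archive has been extracted into `Tools\`, or pass `-SCRIPT_DIR` and `-LatestRelease` explicitly. The version check is the part that matters operationally: a pattern-based lookup will happily pick up an older extraction left behind in `Tools\`, and the comparison against `$LatestRelease` is what turns that into a clear error instead of a silently outdated Kibana.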

evild3ad commented 2 years ago

Thank you!