evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0
431 stars, 49 forks

Drive letter error #18

Closed belveruski closed 1 year ago

belveruski commented 1 year ago

Hi, I have an error with the script during the drive creation.

Content of the log file:

**********************
Windows PowerShell transcript start
Start time: 20221204065248
Username: COMMANDO\user
RunAs User: COMMANDO\user
Configuration Name: 
Machine: COMMANDO (Microsoft Windows NT 10.0.19043.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4408
PSVersion: 5.1.19041.1682
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682
BuildVersion: 10.0.19041.1682
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\2022-12-04T145237-dump.txt

██╗     ███████╗████████╗██╗  ██╗ █████╗ ██╗      ███████╗ ██████╗ ██████╗ ███████╗███╗   ██╗███████╗██╗ ██████╗███████╗
██║     ██╔════╝╚══██╔══╝██║  ██║██╔══██╗██║      ██╔════╝██╔═══██╗██╔══██╗██╔════╝████╗  ██║██╔════╝██║██╔════╝██╔════╝
██║     █████╗     ██║   ███████║███████║██║█████╗█████╗  ██║   ██║██████╔╝█████╗  ██╔██╗ ██║███████╗██║██║     ███████╗
██║     ██╔══╝     ██║   ██╔══██║██╔══██║██║╚════╝██╔══╝  ██║   ██║██╔══██╗██╔══╝  ██║╚██╗██║╚════██║██║██║     ╚════██║
███████╗███████╗   ██║   ██║  ██║██║  ██║███████╗ ██║     ╚██████╔╝██║  ██║███████╗██║ ╚████║███████║██║╚██████╗███████║
╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═══╝╚══════╝╚═╝ ╚═════╝╚══════╝

MemProcFS-Analyzer v0.7 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2022 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)

Analysis date: 2022-12-04 14:52:37 UTC

[Info]  Current Version: MemProcFS v5.2.2
[Info]  Latest Release:  MemProcFS v5.2.2 (2022-11-16)
[Info]  You are running the most recent version of MemProcFS.
[Info]  Current Version: Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info]  Latest Release:  Dokany File System Library v2.0.6.1000 (2022-10-02)
[Info]  You are running the most recent version of Dokany File System Library.
[Info]  Current Version: Elasticsearch v8.5.2
[Info]  Latest Release:  Elasticsearch v8.5.2 (2022-11-22)
[Info]  You are running the most recent version of Elasticsearch.
[Info]  Current Version: Kibana v8.5.2
[Info]  Latest Release:  Kibana v8.5.2 (2022-11-22)
[Info]  You are running the most recent version of Kibana.
[Info]  Current Version: AmcacheParser v1.5.1.0
[Info]  You are running the most recent version of AmcacheParser.
[Info]  Current Version: AppCompatCacheParser v1.5.0.0
[Info]  You are running the most recent version of AppCompatCacheParser.
[Info]  Current Version: entropy v1.0 (2022-02-04)
[Info]  Latest Release:  entropy v1.0 (2022-02-04)
[Info]  You are running the most recent version of entropy.
[Info]  Current Version: EvtxECmd v1.0.0.0
[Info]  You are running the most recent version of EvtxECmd.
[Info]  Current Version: ImportExcel v7.8.3
[Info]  Latest Release:  ImportExcel v7.8.3 (2022-11-20)
[Info]  You are running the most recent version of ImportExcel.
[Info]  Current Version: IPinfo CLI v2.10.0 (2022-09-28)
[Info]  Latest Release:  IPinfo CLI v2.10.0 (2022-09-28)
[Info]  You are running the most recent version of IPinfo CLI.
[Info]  Current Version: lnk_parser v0.2.0 (2022-12-04)
[Info]  Latest Release:  lnk_parser v0.2.0 (2022-08-10)
[Info]  You are running the most recent version of lnk_parser.
[Info]  Current Version: RECmd v2.0.0.0
[Info]  You are running the most recent version of RECmd.
[Info]  Current Version: SBECmd v2.0.0.0
[Info]  You are running the most recent version of SBECmd.
[Info]  Current Version: xsv v0.13.0 (2018-05-12)
[Info]  Latest Release:  xsv v0.13.0 (2018-05-12)
[Info]  You are running the most recent version of xsv.
[Info]  Current Version: YARA v4.2.3 (2022-08-08)
[Info]  Latest Release:  YARA v4.2.3 (2022-08-09)
[Info]  You are running the most recent version of YARA.
[Info]  Current Version: Zircolite v2.9.7
[Info]  Latest Release:  Zircolite v2.9.7 (2022-10-08)
[Info]  You are running the most recent version of Zircolite.
[Info]  Mounting the Physical Memory Dump file as X: ...
[Info]  Physical Memory Dump File Size: 1.02 GB
[Info]  MemProcFS Forensic Analysis initiated ...
[Info]  Processing C:\Users\user\Desktop\dump.raw [approx. 1-10 min] ...
COMMANDO TerminatingError(Select-String): "Cannot find drive. A drive with the name 'X' does not exist."
Select-String : Cannot find drive. A drive with the name 'X' does not exist.
At C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\MemProcFS-Analyzer.ps1:2197 char:18
+ ...    while (!(Select-String -Pattern "100" -Path "$DriveLetter\forensic ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (X:String) [Select-String], DriveNotFoundException
    + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SelectStringCommand
Select-String : Cannot find drive. A drive with the name 'X' does not exist.
At C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\MemProcFS-Analyzer.ps1:2197 char:18
+ ...    while (!(Select-String -Pattern "100" -Path "$DriveLetter\forensic ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (X:String) [Select-String], DriveNotFoundException
    + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.SelectStringCommand

[Error] Forensic Directory doesn't exist.
[Error] freshclam.conf is missing.
        https://docs.clamav.net/manual/Usage/Configuration.html#windows --> First Time Set-Up
**********************
Windows PowerShell transcript end
End time: 20221204065338
**********************

Thanks in advance for help.

evild3ad commented 1 year ago

It seems that the mounting of your memory dump is not working. You have to check Dokany, MemProcFS and your memory dump.

Please let me know how it works and if you see any failures/errors.

belveruski commented 1 year ago

Thanks for your reply. After several tests:

=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============

=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============

[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00461000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=007a9000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00b2e000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00c76000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00cc4000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00d6f000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00e0b000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00e8d000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00eb5000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f39000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f7e000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f8c000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00fc2000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00feb000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01040000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01041000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01099000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0118f000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01192000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=011e6000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0123f000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01290000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01297000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0145f000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=014c0000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0161e000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=016d5000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0176d000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=017d4000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01823000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=018d7000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01cd8000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cb000 Sig=00310030
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cc000 Sig=1000000c
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cd000 Sig=00200065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000ce000 Sig=6e616840
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cf000 Sig=006e0069
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d0000 Sig=76657250
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d1000 Sig=ffffffe0
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d2000 Sig=ffffffe0
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d3000 Sig=00680020
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d4000 Sig=003a0064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d5000 Sig=006f0053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d6000 Sig=006e0065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d7000 Sig=00640065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d8000 Sig=ffffffd8
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d9000 Sig=006f0053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000da000 Sig=646e6942
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00211000 Sig=00690074
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00212000 Sig=00720065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00213000 Sig=006f006c
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00214000 Sig=00720065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00215000 Sig=006b0063
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00216000 Sig=0063006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00217000 Sig=006e0069
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00218000 Sig=00700050
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00219000 Sig=00500074
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021a000 Sig=0046006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021b000 Sig=00540064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021c000 Sig=00450053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021d000 Sig=00730072
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060b000 Sig=00590045
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060c000 Sig=0044005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060d000 Sig=00640064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060e000 Sig=004f004f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060f000 Sig=0051005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00610000 Sig=002e005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00611000 Sig=0030002d
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00612000 Sig=00340030
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00613000 Sig=00720050
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00614000 Sig=0046006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00615000 Sig=00540064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00616000 Sig=00450053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00617000 Sig=00730072
[FORENSIC] INIT 10% time=8s

ufrisk commented 1 year ago

@belveruski can you please try the most recent MemProcFS revision 5.2.3 from https://github.com/ufrisk/MemProcFS/releases/tag/v5.2

If the error persists, are you able to share this memory dump file so that I may look into the issue and resolve it? If it's not possible, I understand that as well. But if the error persists and you're able to share it, please zip it, upload it and email me the link at pcileech@frizk.net

Many thanks in advance,

mikal70 commented 1 year ago

I have the same problem, and I have updated my MemProcFS to revision 5.2.3. If run with the argument "-forensic #" ('#' means 1/2/3/4), the drive X is missing.

evild3ad commented 1 year ago

@belveruski and @mikal70 It would be very helpful if you would be able to share these memory dumps with @ufrisk. You can zip the memory dump, upload it, and email @ufrisk the download link. If needed, I can also send you an upload link to my private cloud. Thank you!

Your issue seems to be more specific. I am working on MemProcFS-Analyzer v0.8 and e.g. updated the OS Fingerprinting feature. For testing purposes I processed 15-20 different memory dumps (Win7 up to Win11 and also Windows Servers) without any issue.

mikal70 commented 1 year ago

Thank you so much. I have passed the file and some info to @ufrisk.

ufrisk commented 1 year ago

This should now be fixed in the latest MemProcFS release (v5.2.4). Can you both please confirm it's working now?

belveruski commented 1 year ago

This should now be fixed in the latest MemProcFS release (v5.2.4). Can you both please confirm it's working now?

Thank you for your reactivity I will test it as soon as possible and I come back to you.

mikal70 commented 1 year ago

OK. Now it's working perfectly. Thank you!

belveruski commented 1 year ago

It's working for me, thank you for your work!

tacotuesday23 commented 1 year ago

Do you happen to know what you did to fix their issues? I am running into the same problem. However, I can't share the memory, unfortunately. It is using a profile Win10x64_19041 in Volatility if that helps at all.

ufrisk commented 1 year ago

@tacotuesday23 It was caused by a null pointer dereference in forensics mode processing in memprocfs.exe. It would be hard to find the culprit without having access to the memory dump causing it. Unless you're willing to do a debug build of MemProcFS and run it in Microsoft Visual Studio. Please let me know if this would be possible.

There may also be the possibility that I could put together a debug build for you to run to see if it will trigger the error with some additional diagnostics data. If you'd be willing to try it out.

Also it would be interesting if an older build of MemProcFS would cause this issue as well (I assume you use the one released last week). If that would be possible download the v5.4 release from https://github.com/ufrisk/MemProcFS/releases/tag/v5.4 unzip it and run memprocfs.exe -device c:\path\to\your\memdump -forensic 4 -mount x
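As an added example (not code from MemProcFS-Analyzer or MemProcFS), the following PowerShell wrapper runs the command line ufrisk gives above, verifies the mount actually exists before touching it, and polls forensic progress with a timeout. The point is the failure mode from the transcript: the Analyzer's Select-String loop assumed X: was there, so a mount that never happened surfaced as a DriveNotFoundException rather than as "memprocfs.exe exited before mounting". Assumptions that are mine and not taken from the thread: the memprocfs.exe install path, the Dokany 2.x driver service name dokan2, and the progress file name forensic\progress_percent.txt (the original script's path is truncated in the transcript).

```powershell
# Added example, not MemProcFS-Analyzer's or MemProcFS's own code.
# Launch memprocfs.exe in forensic mode, wait for the Dokany mount to appear,
# then poll forensic progress. Paths, service name and progress file name are
# assumptions (marked below), not facts taken from the issue thread.
param(
    [string]$MemProcFSExe    = "C:\Tools\MemProcFS\memprocfs.exe",   # assumed install path
    [string]$DumpFile        = "C:\Users\user\Desktop\dump.raw",
    [string]$DriveLetter     = "X",
    [ValidateRange(1, 4)][int]$ForensicMode = 4,
    [int]$MountTimeoutSec    = 120,
    [int]$ForensicTimeoutSec = 3600
)

$ErrorActionPreference = "Stop"
$root = "${DriveLetter}:\"

# Pre-flight: the three things evild3ad says to check (Dokany, MemProcFS, the dump).
if (-not (Test-Path -LiteralPath $MemProcFSExe)) { throw "memprocfs.exe not found: $MemProcFSExe" }
if (-not (Test-Path -LiteralPath $DumpFile))     { throw "Memory dump not found: $DumpFile" }
# Kernel drivers are not returned by Get-Service, so query Win32_SystemDriver.
# 'dokan2' as the Dokany 2.x driver name is an assumption.
$dokan = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='dokan2'" -ErrorAction SilentlyContinue
if (-not $dokan -or $dokan.State -ne "Running") { throw "Dokany driver 'dokan2' is not running" }
if (Test-Path -LiteralPath $root -ErrorAction SilentlyContinue) { throw "Drive $root is already in use; pick another letter" }

# Same command line as in the comment above. The process has to stay alive for
# the mount to exist, so keep the handle and watch for an early exit.
$mpfsArgs = @("-device", "`"$DumpFile`"", "-forensic", $ForensicMode, "-mount", $DriveLetter)
$proc = Start-Process -FilePath $MemProcFSExe -ArgumentList $mpfsArgs -PassThru -WindowStyle Hidden

# Wait for the mount instead of assuming it. If the drive never shows up, fail
# with a message that names the real cause rather than a DriveNotFoundException.
$deadline = (Get-Date).AddSeconds($MountTimeoutSec)
while (-not (Test-Path -LiteralPath $root -ErrorAction SilentlyContinue)) {
    if ($proc.HasExited) {
        throw "memprocfs.exe exited (code $($proc.ExitCode)) before mounting $root; check Dokany, MemProcFS and the dump"
    }
    if ((Get-Date) -gt $deadline) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        throw "Timed out after ${MountTimeoutSec}s waiting for $root to appear"
    }
    Get-PSDrive -PSProvider FileSystem | Out-Null   # force the provider to rescan drive letters
    Start-Sleep -Seconds 2
}
Write-Host "[Info]  $root is mounted"

# Poll forensic progress. The file name is an assumption; string concatenation
# is used instead of Join-Path because Join-Path itself throws on a missing drive.
$progressFile = "${root}forensic\progress_percent.txt"
$deadline = (Get-Date).AddSeconds($ForensicTimeoutSec)
$pct = 0
do {
    if ($proc.HasExited) { throw "memprocfs.exe exited during forensic processing (code $($proc.ExitCode))" }
    if ((Get-Date) -gt $deadline) { throw "Forensic processing did not finish within ${ForensicTimeoutSec}s" }
    $raw = ""
    if (Test-Path -LiteralPath $progressFile -ErrorAction SilentlyContinue) {
        $raw = Get-Content -LiteralPath $progressFile -Raw -ErrorAction SilentlyContinue
    }
    # Parse the percentage as an integer instead of grepping the file for "100".
    if ($raw -match '(\d{1,3})') { $pct = [int]$Matches[1] }
    Write-Host ("[Info]  Forensic progress: {0}%" -f $pct)
    if ($pct -lt 100) { Start-Sleep -Seconds 10 }
} while ($pct -lt 100)

Write-Host "[Info]  Forensic analysis complete; $root stays mounted while memprocfs.exe (PID $($proc.Id)) runs"
```

Run it from an elevated Windows PowerShell prompt with the dump path and drive letter you intend to use; if it stops at "exited before mounting", the problem is in memprocfs.exe or Dokany, exactly the split ufrisk and evild3ad ask for above, and the exit code and the console output of a manual `memprocfs.exe -device ... -forensic 4 -mount x` run are what to report.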

tacotuesday23 commented 1 year ago

I will try the older build when I have a chance next week. I do know that the memprocfs binary I was using worked prior but I wanted to try out the analyzer because I think this is awesome work. However, when I was running just the memprocfs I was running with "forensic 1" and not 4, so I have a few things to test out to see if I get a different result. Regardless, thank you for the help and the work that you have put into this project!