search

evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0
547 stars 58 forks source link

Analyzer Stuck #2

Closed antmar904 closed 3 years ago

antmar904 commented 3 years ago

Hi. When trying to analyze a different complete memory dump the script stops at: [Info] 3 IPv4 address found (269).

It's hard to say if the script is frozen, a process is stuck or the analyzer is still working.

It's been in this state for 5 hrs now and I'm not sure if that is normal as there is no progress type bar.

evild3ad commented 3 years ago

With this message on the screen you know where the script stopped. You can also check the output files and have a closer look.

/sys/net/IPv4/

It is possible that it stopped during IP2ASN mapping w/ TeamCymru (via Netcat for Windows) or during checking the IPv4 addresses via IPinfo CLI. These checks are very quick. When something takes longer you see something like "approx. 1-2 min".

antmar904 commented 3 years ago

I am only seeing /sys/net folder Is there a way to skip the IP2ASN mapping? Here is a snippet of the log file:

MemProcFS-Analyzer v0.2 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021 Martin Willing (https://evild3ad.com/)

Analysis date: 2021-06-03 18:08:21 UTC

[Info] Current Version: MemProcFS v4.0 (2021-05-31) [Info] Latest Release: MemProcFS v4.0 (2021-05-24) [Info] You are running the most recent version of MemProcFS. [Info] Current Version: Dokany File System Library v1.5.0.3000 (2021-05-31) [Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01) [Info] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe) [Info] Current Version: Elasticsearch v7.13.1 [Info] Latest Release: Elasticsearch v7.13.1 (2021-06-02) [Info] You are running the most recent version of Elasticsearch. [Info] Current Version: Kibana v7.13.1 [Info] Latest Release: Kibana v7.13.1 (2021-06-02) [Info] You are running the most recent version of Kibana. [Info] Current Version: EvtxECmd v0.6.5.0 [Info] You are running the most recent version of EvtxECmd. [Info] Current Version: AmcacheParser v1.4.0.0 [Info] You are running the most recent version of AmcacheParser. [Info] Current Version: AppCompatCacheParser v1.4.4.0 [Info] You are running the most recent version of AppCompatCacheParser. [Info] Current Version: ImportExcel v7.1.2 [Info] Latest Release: ImportExcel v7.1.2 (2021-05-08) [Info] You are running the most recent version of ImportExcel. [Info] Current Version: IPinfo CLI v2.0.0 (2021-05-26) [Info] Latest Release: IPinfo CLI v2.0.0 (2021-05-26) [Info] You are running the most recent version of IPinfo CLI. [Info] Starting Elasticsearch ... [Info] Starting Kibana ... [Info] Mounting the Physical Memory Dump file as X: ... [Info] Physical Memory Dump File Size: 8.14 GB [Info] MemProcFS Forensic Analysis initiated ... [Info] Processing E:_DATA\server\05252021\mem05252021.dmp [approx. 1-2 min] ... [Info] Host Name: server
[Info] OS Version: Windows 10.0.17763 [Info] Architecture: X64 [Info] Last Boot: 2021-05-20 04:14:17 UTC [Info] Acquisition Time: 2021-05-25 11:53:24 UTC [Info] Timezone Info: Central Standard Time (Mexico) : UTC-5:00 [Info] Collecting Evidence Files ... [Info] 66 Certificates found (66) [Info] 3 IPv4 addresses found (269)

evild3ad commented 3 years ago

/sys/net/IPv4/ should be there or you would not see "[Info] 3 IPv4 addresses found (269)". You can comment these line with "#".

But I recommend checking if nc.exe exists (/Tools/Netcat/nc.exe). AV don't like Netcat on Windows. ;-)

antmar904 commented 3 years ago

IPv4 does not exist. Also, I am running the analysis on a VM with no AV, even defender. I am running it again, lets see what happens.

evild3ad commented 3 years ago

OK. You can check if netstat.txt exists under /sys/net/.

antmar904 commented 3 years ago

same thing, it's hanging on "[Info] 3 IPv4 addresses found (269)". I am seeing: sys\net netstat.txt netstat-v.txt readme.txt

evild3ad commented 3 years ago

You see readme.txt? That would mean you're looking on drive letter X. Wrong place. MemProcFS-Analyzer ist not writing any data to this drive letter. You have to check your output folder.

antmar904 commented 3 years ago

ah!

antmar904 commented 3 years ago

When running analysis from my home network on my Win10 VM it works and does not freeze at "[Info] 3 IPv4 addresses found (269)" anymore. Must be something blocking the ASN lookup...

I am receiving this error every time I run analysis.

[Info] Importing JSON data to Elasticsearch [approx. 1-5 min] ... Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Classes\ChromeHTML\shell\open\command' because it does not exist. At C:\Temp\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:2013 char:20

[Info] Microsoft Defender (Real-Time Protection) will be disabled temporarily ...

evild3ad commented 3 years ago

I think I will remove Netcat for Windows and IP2ASN Mapping w/ TeamCymru in v0.3. With IPinfo.io not needed anymore.

This is the check if Chrome web browser is installed. You can simply install Chrome.

You possibly can add -ErrorAction SilentlyContinue: (Get-ItemProperty "HKLM:\SOFTWARE\Classes\ChromeHTML\shell\open\command" -ErrorAction SilentlyContinue)."(Default)"

I can harden this in the next release. Started working on it today...

antmar904 commented 3 years ago

Got it.