evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

Only some processes shown in Process Tree #21

Closed tuttimann closed 1 year ago

tuttimann commented 1 year ago

Only a small number of all processes are shown in the process tree, and there are many error messages shown in the logs. [Screenshots attached: errors, process_tree]

evild3ad commented 1 year ago

Which PowerShell version are you using? It seems that the cmdlet "New-Guid" does not exist on your system. Please check:

```powershell
Get-Command New-Guid
```

tuttimann commented 1 year ago

I am using PowerShell version 7.3.1 and "New-Guid" seems to be installed (screenshots attached). It also doesn't work with Windows PowerShell; however, there aren't the error messages I attached above. [Screenshots attached: New-Guid, Powershell, Powershell2]

evild3ad commented 1 year ago

You need PowerShell 5.1.
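A quick pre-flight check that captures the point of this exchange (Windows PowerShell 5.1 Desktop edition is required; a missing New-Guid cmdlet indicates a host older than 5.0). This is an added example, not code from MemProcFS-Analyzer; the function names are my own.

```powershell
# Added example (not part of MemProcFS-Analyzer). Checks the current host against the
# requirements discussed in this thread and reports what is wrong before a run.
function Test-AnalyzerPrerequisites {
    [CmdletBinding()]
    param()

    $problems = @()

    # PSVersion is a SemanticVersion on PowerShell 7; compare on Major.Minor only.
    $ver     = $PSVersionTable.PSVersion
    $verMM   = [version]"$($ver.Major).$($ver.Minor)"
    # PSEdition is absent on Windows PowerShell older than 5.1, which is always 'Desktop'.
    $edition = if ($PSVersionTable.PSEdition) { $PSVersionTable.PSEdition } else { 'Desktop' }

    if ($verMM -lt [version]'5.1') {
        $problems += "PowerShell $ver is too old; Windows PowerShell 5.1 is required."
    }
    if ($edition -ne 'Desktop') {
        # PowerShell 7.x (Core) ships New-Guid but is not the host the tool expects.
        $problems += "Running PowerShell $ver ($edition edition); use Windows PowerShell 5.1 (Desktop)."
    }

    # New-Guid was introduced with PowerShell 5.0, so its absence also points at an old host.
    if (-not (Get-Command -Name New-Guid -ErrorAction SilentlyContinue)) {
        $problems += "Cmdlet New-Guid not found (shipped with PowerShell 5.0 and later)."
    }

    [pscustomobject]@{
        Version  = $ver
        Edition  = $edition
        Host     = $Host.Name      # 'ConsoleHost' or 'Windows PowerShell ISE Host'
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Defensive GUID helper for scripts that may run on hosts without New-Guid:
# the .NET call works on every PowerShell version.
function New-SafeGuid {
    if (Get-Command -Name New-Guid -ErrorAction SilentlyContinue) { return (New-Guid).ToString() }
    return [guid]::NewGuid().ToString()
}

$check = Test-AnalyzerPrerequisites
if (-not $check.Ready) { $check.Problems | ForEach-Object { Write-Warning $_ } }
$check
```

Run it in the same console you intend to start MemProcFS-Analyzer from; `Ready` is false in PowerShell 7.x even though `New-Guid` resolves there.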

evild3ad commented 1 year ago

Are you using a public memory dump or can you share your memory dump for inspection?

tuttimann commented 1 year ago

I have PowerShell 5.1.19041.2364. Unfortunately it seems to happen with any memory dump I am analyzing, e.g. "2020 CTF - Windows Memory.zip" from Magnet: https://digitalcorpora.s3.amazonaws.com/corpora/scenarios/magnet/2020%20CTF%20-%20Windows%20Memory.zip

evild3ad commented 1 year ago

[Screenshot attached]

evild3ad commented 1 year ago

```text
MemProcFS-Analyzer v0.8 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)

Analysis date: 2023-01-23 20:18:54 UTC

[Info] Mounting the Physical Memory Dump file as X: ...
[Info] Physical Memory Dump File Size: 5,00 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing F:\Memory-Samples\memdump-001.mem [approx. 1-10 min] ...
[Info] Host Name: WIN-9H6J4FBP8F7
[Info] OS: Windows 7 Enterprise (x64), Service Pack 1 (6.1.7601.24384)
[Info] InstallDate: 2020-02-14 02:10:21 UTC
[Info] RegisteredOrganization: --
[Info] RegisteredOwner: Windows User
[Info] Timezone Information: Eastern Standard Time (UTC-04:00)
[Info] Last Written Time: 2020-03-08 07:00:00 UTC
[Info] Last Logged On User: Warren
[Info] Last Boot: 2020-04-20 22:44:50 UTC
[Info] Memory Acquisition Time: 2020-04-20 23:23:26 UTC
[Info] Collecting Evidence Files ...
[Info] Your Operating System is NOT supported by FindEvil. Note: FindEvil is only available on 64-bit Windows 11, 10 and 8.1.
[Info] 65 Certificates found (65)
[Info] 0 IPv4 addresses found (3)
[Info] 0 IPv6 addresses found (2)
[Alert] TCP on Source Port 3389 detected - May indicates incoming Remote Desktop Protocol (RDP) activity (2)
[Info] Processing 65 Processes ...
[Info] Launching Process Tree (TreeView) ...
[Alert] Unusual Parent-Child Relationship found: csrss.exe (2)
[Alert] Unusual Parent-Child Relationship found: wininit.exe (1)
[Alert] Unusual Parent-Child Relationship found: winlogon.exe (1)
[Info] Checking for Process Path Masquerading ...
[Info] Checking Damerau–Levenshtein Distance of common System Processes ...
[Info] Checking for Processes w/ Unusual User Context ...
[Info] Checking for Processes Spawned From Suspicious Folder Locations ...
[Alert] Process spawned from a suspicious folder location: C:\Users\*\Downloads\* (1)
[Info] Checking for Suspicious Process Lineage ...
[Info] Checking for Processes with Suspicious Command Line Arguments ...
[Info] Checking for Suspicious Processes without any Command Line Arguments ...
[Info] Processing 419 Services (Running Services: 192) ...
[Alert] Service running from a suspicious folder location: C:\Users\*\AppData\Local\Temp\* (1)
[Info] Processing Web History Information (Records: 0) ...
[Info] Creating Forensic Timeline ...
[Info] File Size (CSV): 88,74 MB
[Info] Total Lines (CSV): 519.709
[Info] Extracting Prefetch File Information from Forensic Timeline ...
[Info] File Size (CSV): 23,46 KB
[Info] Total Lines (CSV): 187
[Info] Collecting Windows Event Logs (EVTX) ...
[Info] Processing 48 EVTX Files (33,50 MB) ...
[Info] Updating Event Log Maps ...
[Info] 423 Event Log Maps will be initiated by EvtxECmd ...
[Info] File Size (CSV): 1,71 MB
[Info] Updating SIGMA Rulesets ...
[Info] No newer rulesets found
[Info] Processing Windows Event Logs w/ Zircolite ...
[Info] Creating JSON output and ZircoGui package ...
[Info] Executed ruleset - 2.046 rules
[Info] File Size (JSON): 4,00 Bytes
[Info] 0 Detections found
[Info] Parsing Event Record Information from JSON Files ...
[Info] Collecting Registry Hives ...
[Info] 13 Registry Hives (102,11 MB) found
[Info] Analyzing Application Compatibility Cache aka ShimCache ...
[Info] Found 0 cache entries for Windows7x64_Windows2008R2 in ControlSet001
       Found 0 cache entries for Windows7x64_Windows2008R2 in ControlSet002
[Info] Analyzing Syscache Hive ...
[Info] Found 48.540 key/value pairs across 1 file
[Info] 3.669 SHA1 hash value(s) of executables found
[Info] Analyzing UserAssist Artifacts ...
[Info] Found 156 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing MUICache Artifacts ...
[Info] Found 3 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] 1 GUI-based executable(s) found (1)
[Info] Analyzing ShellBags Artifacts ...
[Info] Total ShellBags found: 61
[Info] Extracting Auto-Start Extensibility Points (ASEPs) ...
[Info] Found 221 key/value pairs across 4 files
[Info] SQLite Database: C:\Users\evild3ad\AppData\Local\Temp\vmm.sqlite3
[Info] Collecting SQLite Database ...
[Info] File Size (SQLite3): 454,00 MB
[Info] Collecting pypykatz ...
[Info] Collecting regsecrets ...
[Info] Checking for ClamAV Updates ...
[Info] Updating ClamAV Virus Databases (CVD) ...
[Info] Engine Version: ClamAV 1.0.0 (#26790)
[Info] Custom scan w/ ClamAV is running (X:\name) ...
[Info] Directory Scan Mode enabled [time-consuming task] ...
[Info] Starting ClamAV Daemon ...
[Info] ClamAV Daemon is running ...
[Alert] 15 infected file(s) found (15)
[Info] Analyzing RecentDocs Artifacts ...
[Info] Found 78 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing Trusted Documents Artifacts ...
[Info] Found 0 key/value pairs across 1 file (S-1-5-20)
[Info] Found 0 key/value pairs across 1 file (S-1-5-19)
[Info] Found 1 key/value pair across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing Registry Hives w/ RECmd (Kroll Batch) ...
[Info] Found 2.781 key/value pairs across 8 files
[Info] Analyzing Reconstructed Process Modules ...
[Info] 64 Reconstructed Process Modules found (67)
[Alert] Missing Internal Name, Original FileName, File Description, and Company Name detected [Modules] (Count: 7)
[Alert] Missing File Description and/or Company Name detected [Modules] (Count: 7)
[Alert] Missing Internal Name and/or Original FileName detected [Modules] (Count: 7)
[Alert] Mismatch on Original FileName detected [Modules] (Count: 8)
[Info] Preparing Secure Archive Container ...
[Info] Archive Size: 162,44 MB
[Info] Shutting Down (Unmount) ...

FINISHED! Overall analysis duration: 0 h 32 min 30 sec
```

evild3ad commented 1 year ago

I used PowerShell ISE. Worked smoothly.

tuttimann commented 1 year ago

Now it's working, don't know what happened before. Thanks for your help.