search

evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0
462 stars 53 forks source link

MemProcFS-Analyzer does not work if a computer is behind a proxy or if ICMP is filtered by a firewall #25

Closed mnrkbys closed 10 months ago

mnrkbys commented 11 months ago

MemProcFS-Analyzer doen't work if a computer is behind a proxy server like below.

Transcript started, output file is C:\tools\MemProcFS-Analyzer\2023-10-13T064208-data.txt

██╗     ███████╗████████╗██╗  ██╗ █████╗ ██╗      ███████╗ ██████╗ ██████╗ ███████╗███╗   ██╗███████╗██╗ ██████╗███████╗
██║     ██╔════╝╚══██╔══╝██║  ██║██╔══██╗██║      ██╔════╝██╔═══██╗██╔══██╗██╔════╝████╗  ██║██╔════╝██║██╔════╝██╔════╝
██║     █████╗     ██║   ███████║███████║██║█████╗█████╗  ██║   ██║██████╔╝█████╗  ██╔██╗ ██║███████╗██║██║     ███████╗
██║     ██╔══╝     ██║   ██╔══██║██╔══██║██║╚════╝██╔══╝  ██║   ██║██╔══██╗██╔══╝  ██║╚██╗██║╚════██║██║██║     ╚════██║
███████╗███████╗   ██║   ██║  ██║██║  ██║███████╗ ██║     ╚██████╔╝██║  ██║███████╗██║ ╚████║███████║██║╚██████╗███████║
╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═══╝╚══════╝╚═╝ ╚═════╝╚══════╝

MemProcFS-Analyzer v0.9 - Automated Forensic Analysis of Windows Memory Dumps for DFIR
(c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)

Analysis date: 2023-10-13 06:42:08 UTC

[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again.

This is because MemProcFS-Analyzer uses Test-Connection. It is using ping. Therefore, if ICMP packets are filtered by a firewall, it will also not work.

evild3ad commented 11 months ago

Hi, is following command working for you?

((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)

mnrkbys commented 11 months ago

It does not work. Test-NetConnection is not able to specify a proxy server.

PS C:\Windows\system32> ((Test-NetConnection -ComputerName f001.backblazeb2.com -Port 443).TcpTestSucceeded)
WARNING: TCP connect to (104.153.233.181 : 443) failed
WARNING: Ping to 104.153.233.181 failed with status: TimedOut
False
evild3ad commented 11 months ago

Pleasy try:

$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
(Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
mnrkbys commented 10 months ago

It's working.

PS C:\Windows\system32> $URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
PS C:\Windows\system32> (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
200
evild3ad commented 10 months ago

Nice. I will implement it in the next release. The release of MemProcFS-Analyzer v1.0 is planned for the next 1-2 weeks.

Check if Backblaze B2 Platform is reachable

$URL = "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip"
$StatusCode = (Invoke-WebRequest -Uri $URL -UseBasicParsing -DisableKeepAlive | Select-Object StatusCode).StatusCode
if ($StatusCode -ne "200") 
{
    Write-Host "[Error] f001.backblazeb2.com is NOT reachable. Please check your network connection and try again." -ForegroundColor Red
    $Host.UI.RawUI.WindowTitle = "$DefaultWindowsTitle"
    Exit
}