evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

WinPmemDump.Raw don't work #26

Closed madeonukraine closed 1 year ago

madeonukraine commented 1 year ago

I made a RAM dump in the .RAW format, and when I run the analysis it does not give an error, but it does not load the system and no files appeared in the directory during the day. I checked it on different systems; it works fine with the .mem format. Tell me how to solve it, and is it possible to somehow convert .raw to .mem format?

evild3ad commented 1 year ago

MemProcFS supports Raw Physical Memory Dumps and Microsoft Crash Dumps. When a memory capture tool uses, for example, the file extension ".raw", that doesn't mean it is in the Raw Physical Memory Dump format. If you have used a WinPmem version, it is possibly AFF4; you can check it in a hex editor.

WinPMEM 4.0 RC2 is still the newest version and should write a Raw Physical Memory Dump by default: https://github.com/Velocidex/WinPmem/releases

You can also check out my Collect-MemoryDump PowerShell script: https://github.com/evild3ad/Collect-MemoryDump
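Added example, not part of the original comment or of MemProcFS-Analyzer: a Python version of the hex-editor check described above, which classifies a memory image by its leading bytes instead of its extension. The function names, the sample file names and the 4096-byte size heuristic are assumptions made for this example; the sample files are constructed.

```python
import os
import tempfile

PAGE_SIZE = 0x1000  # assumption: raw images are captured in whole 4 KiB pages

# Signatures at offset 0: crash dumps start with "PAGE" + "DUMP"/"DU64";
# AFF4 volumes are ZIP containers, so they start with a ZIP local file header.
SIGNATURES = [
    (b"PAGEDU64", "Microsoft Crash Dump (64-bit)"),
    (b"PAGEDUMP", "Microsoft Crash Dump (32-bit)"),
    (b"PK\x03\x04", "ZIP container (possibly AFF4)"),
]


def identify_dump(path):
    """Return (label, notes) from file content; the extension is ignored."""
    size = os.path.getsize(path)
    if size == 0:
        return "empty file", ["acquisition wrote no data"]
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label, []
    notes = []
    if size % PAGE_SIZE:
        notes.append("size is not a multiple of 4096; image may be truncated")
    return "no container header (consistent with Raw Physical Memory Dump)", notes


def demo():
    """Classify constructed sample files; the names are hypothetical."""
    samples = {
        "winpmem.raw": b"PK\x03\x04" + b"\x00" * 60,          # ZIP/AFF4 named .raw
        "crash.raw": b"PAGEDU64" + b"\x00" * (PAGE_SIZE - 8),  # crash dump named .raw
        "ftk.mem": b"\x00" * (2 * PAGE_SIZE),                  # headerless, page aligned
        "cut.raw": b"\x00" * (PAGE_SIZE + 100),                # headerless, odd size
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = identify_dump(path)
    return results


if __name__ == "__main__":
    for name, (label, notes) in demo().items():
        print(f"{name}: {label} {notes}")
```

A raw dump has no header of its own, so the last result is a negative finding: none of the known container signatures matched.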

madeonukraine commented 1 year ago

This time I made a .mem format dump via FTK, and again I see that the program is working, but there is no load on the system and no new files appear in the output folder. I don't know how to solve it. A couple of months ago with one of the dumps it worked, and I saw in real time that the system was loading and artifact files were appearing, so I can say that the program was configured correctly.

evild3ad commented 1 year ago

There is no .mem format...you can name the file extension like you want...it is a Raw Physical Memory Dump when using FTK Imager. Please navigate via PowerShell console to the "MemProcFS" directory in the "Tools" directory and launch MemProcFS against your memory dump and check for errors:

memprocfs.exe -device <path_to_your_memory_dump> -v

madeonukraine commented 1 year ago

C:\MemProcFS-Analyzer-v0.9\Tools\MemProcFS>MemProcFS.exe -device memdump.mem -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'memdump.mem' as RAW Memory Dump.
[INFODB] INIT: FAIL: va=0xfffff80026c01000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 6.3.9600
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
VmmPyPlugin: Loaded 'plugins.pym_pluginupdater'
VmmPyPlugin: Loaded 'plugins.pym_procstruct'
VmmPyPluginLight: Register 'reg/net/bth_devices.txt'
VmmPyPluginLight: Register 'reg/net/tcpip_interfaces.txt'
VmmPyPluginLight: Register 'reg/usb/usb_devices.txt'
VmmPyPluginLight: Register 'reg/usb/usb_storage.txt'
VmmPyPluginLight: Register 'by-user/reg/user/wallpaper.txt'
[PLUGIN] LOAD: native module: 'py'
[PLUGIN] PluginManager: Python plugin loaded.

============================== MemProcFS ==============================

MOUNT: Failed. Status Code: -3

evild3ad commented 1 year ago

"Status Code: -3" means that there is a Dokany driver install error. Please uninstall, reboot, install Dokany again...and try it again.

madeonukraine commented 1 year ago

Thank you, all works.

evild3ad commented 1 year ago

Great!

madeonukraine commented 6 months ago

C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -device "C:\MemProcFS-Analyzer-v1.0\pcileech.raw" -v
DEVICE OPEN: file
DEVICE: Successfully opened file: 'C:\MemProcFS-Analyzer-v1.0\pcileech.raw' as RAW Memory Dump.
[INFODB] INIT: SUCCESS: va=0xfffff80670600000
[SYMBOL] Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 10.0.22621
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\'
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.

[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search\bin'
[PLUGIN] LOAD: built-in module: '\misc\search\bin'
[PLUGIN] LOAD: built-in module: '\search\yara'
[PLUGIN] LOAD: built-in module: '\misc\search\yara'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\eventlog'
[PLUGIN] LOAD: built-in module: '\misc\procinfo'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: built-in module: '\sys\sysinfo'
[PLUGIN] LOAD: built-in module: '\sys\tasks'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\files'
[PLUGIN] LOAD: built-in module: '\forensic\findevil'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\forensic\web'
[PLUGIN] LOAD: built-in module: '\forensic\yara'
[PLUGIN] LOAD: built-in module: '\findevil\EvKRNL1'
[PLUGIN] LOAD: built-in module: '\findevil\EvKERNPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC1'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC2'
[PLUGIN] LOAD: built-in module: '\findevil\EvPROC3'
[PLUGIN] LOAD: built-in module: '\findevil\EvTHRD1'
[PLUGIN] LOAD: built-in module: '\findevil\EvAV1'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: native module: '\vmemd'
[PROCESS] BAD DTB: PID=5500 DTB=00000001da9c5000
[PROCESS] BAD DTB: PID=11140 DTB=000000010cef1000
[PLUGIN] Python initialization failed. Python 3.6 or later not found.

============================== MemProcFS ==============================