evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

[FEATURE REQUEST] Allow MemProcFS-Analyzer to work offline #27

Closed digitalsleuth closed 4 days ago

digitalsleuth commented 9 months ago

I've recently been introduced to MemProcFS-Analyzer and love how powerful it is. One issue I'm having though is that, in order to use the tool, a valid internet connection is required.

While I can understand this from the Microsoft Internet Symbol Store perspective, I believe that, if the rest of the requirements are installed (Kibana, Elasticsearch, Zimmerman tools, et al.), the tool should still be able to function, as long as a minimum version of each is installed.

Would you consider an option to determine if the accepted minimums are installed, then continue functioning, otherwise inform the user that updates are required?

Another way to do this would be to add an "Install" param, so that the user can "Install" MemProcFS-Analyzer with all components on an online system (without needing to load a memory dump first) then transfer the folder offline. The user then only needs to get the Symbols for their analysis and, if already installed, can run fully functional in an offline mode.

If this is something you would consider, I would be interested in assisting.

Cheers, and thanks!
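The pre-flight check proposed above (verify that each dependency is present and at least a minimum version, and only then allow an offline run) can be sketched in the tool's own language, PowerShell. This is an added example and not code from MemProcFS-Analyzer or its Updater.ps1; the install paths, the minimum version numbers and the Elasticsearch version probe (reading the version from the `elasticsearch-<version>.jar` name in its `lib` folder) are assumptions for illustration.

```powershell
# Added example, not part of MemProcFS-Analyzer. Decides whether an offline run
# is allowed: every dependency must exist and meet its minimum version.

function Get-DependencyVersion {
    param([hashtable]$Requirement)
    # A requirement may bring its own probe (for tools without PE version
    # metadata, e.g. a .bat launcher); otherwise use the executable's metadata.
    if ($Requirement.VersionProbe) {
        return [string](& $Requirement.VersionProbe $Requirement.Path)
    }
    $info = (Get-Item -LiteralPath $Requirement.Path).VersionInfo
    if ($info.ProductVersion) { return $info.ProductVersion }
    return $info.FileVersion
}

function ConvertTo-ComparableVersion {
    param([string]$Raw)
    # Keep only the leading dotted numeric part so "1.2.3-beta+build" parses.
    $clean = ([regex]::Match($Raw, '\d+(\.\d+)*')).Value
    if (-not $clean) { return $null }
    if ($clean -notmatch '\.') { $clean = "$clean.0" }   # [version] needs major.minor
    return [version]$clean
}

function Test-DependencyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Requirements,  # Name -> @{ Path; MinVersion; [VersionProbe] }
        [switch]$Offline
    )
    $report = foreach ($name in $Requirements.Keys) {
        $req = $Requirements[$name]
        $min = [version]$req.MinVersion
        $row = [ordered]@{ Name = $name; Path = $req.Path; Required = $min; Installed = $null; Status = 'Missing' }
        if (Test-Path -LiteralPath $req.Path) {
            $installed = ConvertTo-ComparableVersion (Get-DependencyVersion $req)
            $row.Installed = $installed
            $row.Status = if ($null -eq $installed) { 'UnknownVersion' }
                          elseif ($installed -ge $min) { 'OK' }
                          else { 'Outdated' }
        }
        [pscustomobject]$row
    }
    $report | Format-Table -AutoSize | Out-String | Write-Verbose

    $blocking = @($report | Where-Object Status -ne 'OK')
    if ($blocking.Count -eq 0) { return $true }      # safe to run, online or offline
    foreach ($b in $blocking) {
        Write-Warning ('{0}: {1} (installed {2}, need >= {3}) at {4}' -f $b.Name, $b.Status, $b.Installed, $b.Required, $b.Path)
    }
    if ($Offline) {
        Write-Warning 'Offline mode: update the dependencies on an online system and transfer the folder, then retry.'
    }
    # When online, the caller can hand $blocking to its updater instead of aborting.
    return $false
}

# Constructed requirements: hypothetical paths and minimum versions, not the project's real ones.
$requirements = @{
    MemProcFS     = @{ Path = 'C:\Tools\MemProcFS\MemProcFS.exe';             MinVersion = '5.8.0' }
    EvtxECmd      = @{ Path = 'C:\Tools\ZimmermanTools\EvtxECmd\EvtxECmd.exe'; MinVersion = '1.5.0' }
    Elasticsearch = @{
        Path       = 'C:\Tools\elasticsearch\bin\elasticsearch.bat'
        MinVersion = '8.11.0'
        # Assumption: the lib folder holds elasticsearch-<version>.jar; take the version from its name.
        VersionProbe = {
            param($p)
            $lib = Join-Path (Split-Path $p -Parent) '..\lib'
            $jar = Get-ChildItem -Path $lib -Filter 'elasticsearch-*.jar' -ErrorAction SilentlyContinue |
                   Where-Object Name -match '^elasticsearch-\d' | Select-Object -First 1
            if ($jar) { $jar.BaseName -replace '^elasticsearch-', '' } else { '' }
        }
    }
}

if (-not (Test-DependencyBaseline -Requirements $requirements -Offline -Verbose)) {
    Write-Host 'Aborting: dependency baseline not met.'
}
```

The check deliberately never touches the network: a missing or outdated tool is reported with the path it looked at, so the analyst can fix it on an online host and copy the folder over, which is the workflow the request describes.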

evild3ad commented 9 months ago

I will have a look at what currently uses/needs an Internet connection in the next few days... but I will definitely put it on my TODO.

You can disable e.g. the "Updater" when you scroll down to the bottom of the script. Simply uncomment "Updater".

evild3ad commented 9 months ago

I started working on the offline mode. Will be implemented in MemProcFS-Analyzer v1.1. Release planned for early January, 2024.

evild3ad commented 4 days ago

I released MemProcFS-Analyzer v1.1.0 a minute ago. I have added an offline-mode.

Updater.ps1 is a new standalone script to auto-install MemProcFS-Analyzer and all dependencies (what's possible to automate). All updates are skipped when activating the offline-mode in the GUI.

Note: MemProcFS is possibly checking for symbols on Microsoft servers... which should be no issue, I guess.

Let me know if it is not working for you and give me a hint on how to make it fit for you. Thx.