evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

Errors Running the Script #37

Closed SeattleForensics closed 2 months ago

SeattleForensics commented 3 months ago

Hello Martin! First, thank you for making this project! I came across it somewhat recently and realized what a game-changer this could be. I was excited to try it out, and did, and spent a few nights troubleshooting spots where the script fails on an up-to-date Windows 10 VM.

As I ran the script in my Windows 10 forensics VM that I created and maintain, I ran into some issues with programs that were supposed to be auto-downloaded, issues with first-time configuration of Elastic and Kibana, and some errors that were thrown in PowerShell while running the script. I imagine that some of this is due to newer versions of the dependencies being auto-downloaded that do not match the versions stated at the top of the script.

I was wondering if perhaps you were planning on revisiting or updating this awesome project? I would volunteer to test the changes and run it against some memory images I have on hand, if so.

In the meantime, below are the specific issues I ran into. I used the latest version of the script 2023-12-10 (not in the releases).

(1) Invoke-WebRequest : Invalid URI: The hostname could not be parsed. At C:\Temp\MemProcFS-Analyzer-v1.0\MemProcFS-Analyzer.ps1:2367 char:5

SOLUTION: It could not find the file to download, so downloaded it manually (see # 4)

(2) Get-MpComputerStatus : A general error occurred that is not covered by a more specific error code. At C:\Temp\MemProcFS-Analyzer-v1.0\MemProcFS-Analyzer.ps1:9663 char:6

SOLUTION: In my VM, real time protection is already disabled. Research showed the service has to be running for the command to be successful. The code could include a check to see if the service is already disabled so that the error is not displayed.

(3) Get-Item : Could not find item E:\evidence\pagefile.sys. At C:\Temp\MemProcFS-Analyzer-v1.0\MemProcFS-Analyzer.ps1:2494 char:47

SOLUTION: After much tinkering I found that Pagefile.sys works only if you use the "-Force" command; this had to be edited on Line 2497: $PagefileSize = Get-FileSize((Get-Item -Force "$Pagefile").Length)

(4) [Error] zircolite_win10.exe NOT found.

SOLUTION:
-- Script is not able to download the version specified
-- Had to manually download from https://github.com/wagga40/Zircolite (2.20.0 is the current latest)
-- Zircolite v2.9.10 (2023-07-15) is expected as the dependency but trying with the latest
-- Unzip to the directory it expects to be in: C:\Temp\MemProcFS-Analyzer-v1.0\Tools\Zircolite\zircolite_win
-- Because the script calls out the full name of the version it expects "zircolite_win10.exe":
--- rename the exe to zircolite.exe
--- change all references in the script from "zircolite_win10.exe" to "zircolite.exe"
--- change the path to it as well (expected dir is \Tools\Zircolite)

(5) Line 4707 seems to be causing an error (I think the logic is already true and it tries to Add-Type again?)

(6) [Error] freshclam.conf is missing. https://docs.clamav.net/manual/Usage/Configuration.html#windows --> First Time Set-Up

SOLUTION:
Download the MSI and install in the default path. I had downloaded the zip file version to keep installations in my VM to a minimum, trying to run it in a more "portable" way. The script calls out specific paths, so we could either (a) update the documentation to say use the MSI installer, or (b) mention that if you want to use the other then you'll need to change the paths in the script.

(7) The installation of Elastic and Kibana upon first run was tough, especially for those of us who have not used it much. The two additional windows that pop up, one of which has the enrollment token and the password, scroll too quickly in the window, and thus I wasn't able to select and copy that info to then paste into the browser. Each time I tried to scroll up, a new line was generated in the window which auto-scrolled you back to the bottom of the window, thus preventing you from copying the needed text.

SOLUTION: CTRL-A select all text into a Notepad document, or reset the password manually with:
./bin/elasticsearch-reset-password -i -u elastic
./bin/elasticsearch-reset-password -i -u kibana_system

Ideally, one would not have to enter any credentials on the runs of the script where elastic is used.

Thanks so much in advance for your consideration on re-visiting this project!
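The two PowerShell failures reported above, (2) Get-MpComputerStatus erroring when Defender is disabled and (3) Get-Item not finding pagefile.sys, share a cause: the script calls into something (the WinDefend service, a Hidden+System file) without first checking that it is reachable. The following pre-flight helpers are an added example for this thread, not code from MemProcFS-Analyzer or its author; the function names, the evidence path and the Tools\Zircolite lookup in the last function (which also covers item (4), the hard-coded zircolite_win10.exe filename) are assumptions made for illustration.

```powershell
# Added example: defensive pre-flight checks for the failure modes in this issue.
# Function names and sample paths are assumptions, not MemProcFS-Analyzer code.

function Get-PagefileSize {
    param([Parameter(Mandatory)][string]$Path)
    # pagefile.sys carries the Hidden and System attributes. Without -Force,
    # Get-Item filters such items out and throws "Could not find item", even
    # though the file exists on disk.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "Pagefile not found or not accessible: $Path"
        return $null
    }
    return $item.Length
}

function Get-DefenderRealtimeState {
    # Get-MpComputerStatus queries the WinDefend service. When Defender has been
    # turned off by Group Policy the service is stopped and the cmdlet fails with
    # a generic error, so inspect the service before calling it.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    if ($svc.Status -ne 'Running') { return "ServiceNotRunning ($($svc.Status))" }
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        if ($status.RealTimeProtectionEnabled) { return 'Enabled' }
        return 'Disabled'
    }
    catch {
        return "QueryFailed: $($_.Exception.Message)"
    }
}

function Find-ZircoliteExe {
    param([Parameter(Mandatory)][string]$ToolsDir)
    # Upstream Zircolite releases rename the Windows binary between versions
    # (the issue mentions zircolite_win10.exe vs. zircolite.exe), so match on a
    # pattern instead of one hard-coded filename and report what was found.
    $exe = Get-ChildItem -Path $ToolsDir -Filter 'zircolite*.exe' -Recurse -File -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $exe) {
        Write-Warning "No zircolite*.exe found under $ToolsDir"
        return $null
    }
    return $exe.FullName
}

# Usage (paths are placeholders for this example)
$size = Get-PagefileSize -Path 'E:\evidence\pagefile.sys'
if ($size) { 'pagefile.sys: {0:N0} bytes' -f $size }
"Defender real-time protection: $(Get-DefenderRealtimeState)"
$zircolite = Find-ZircoliteExe -ToolsDir 'C:\Temp\MemProcFS-Analyzer-v1.0\Tools\Zircolite'
if ($zircolite) { "Zircolite binary: $zircolite" }
```

Get-DefenderRealtimeState returns a string for every outcome instead of throwing, so a caller can log "ServiceNotRunning (Stopped)" for a policy-disabled VM and move on rather than aborting the analysis run.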

evild3ad commented 3 months ago

Hi, I started working on the next release. The next release with a fix of the installer/updater part is planned for end of the month!

SeattleForensics commented 3 months ago

This is fantastic! Thanks so much! Looking very much forward to testing it out.

evild3ad commented 2 months ago

(2) What do you mean exactly? I cannot re-produce it. I get always a False and no error. Is the 'WinDefend' service not running in your VM?

Get-Service -Name "WinDefend" -ErrorAction SilentlyContinue

Status   Name       DisplayName
------   ----       -----------
Running  WinDefend  Microsoft Defender Antivirus-Dienst

SeattleForensics commented 2 months ago

Yes. For my Forensic VM, I used Group Policy (gpedit.msc) to turn-off/disable Windows Defender so that I could run all of the tools I needed.

In Windows 10:
- Run gpedit.msc.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender.
- Double-click on "Turn off Windows Defender".
- Select "Enabled" > Apply > OK.

[Note that, sometimes with regular updates, the verbiage and radio buttons change, so they might not be exactly as above anymore.]

SeattleForensics commented 2 months ago

I took the latest version you released for a test drive. WOW! This is really wonderful. I didn't run into any errors this time, and everything worked as expected so far. I haven't tried Elastic and Kibana yet to see if I have the same issues there as I did with the previous release, in terms of not having time to capture the enrollment token and password.