Issues with Kibana

[antmar904]

Hi. When running the script here is the output I am getting with Kibana and EvtxECmd:

MemProcFS-Analyzer v0.2 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021 Martin Willing (https://evild3ad.com/)

Analysis date: 2022-05-04 11:20:27 UTC

[Info] Current Version: MemProcFS v4.7 (2022-04-26) [Info] Latest Release: MemProcFS v4.7 (2022-01-30) [Info] You are running the most recent version of MemProcFS. [Info] Dokany File System Library NOT found. [Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01) [Info] Please download/install the latest release of Dokany File System Library manually: https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe) [Info] Current Version: Elasticsearch v8.1.3 [Info] Latest Release: Elasticsearch v8.2.0 (2022-05-03) [Info] Dowloading Latest Release ... [Info] Extracting Files ... [Info] Kibana NOT found. [Info] Latest Release: Kibana v8.2.0 (2022-05-03) [Info] Dowloading Latest Release ... [Info] Extracting Files ... Rename-Item : Cannot rename because item at 'E:\Tools\MemProcFS-Analyzer-v0.2\Tools\kibana-8.2.0-windows-x86_64' does not exist. At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:512 char:9

• Rename-Item "$SCRIPT_DIR\Tools\kibana-$LatestRelease-windows- ...

• 
  + CategoryInfo          : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
  + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand

[Info] EvtxECmd NOT found. [Info] Dowloading Latest Release ... Invoke-WebRequest : { "code": "not_found", "message": "File with such name does not exist.", "status": 404 } At E:\Tools\MemProcFS-Analyzer-v0.2\MemProcFS-Analyzer.ps1:566 char:5

• Invoke-WebRequest -Uri $URL -OutFile "$SCRIPT_DIR\Tools\$Zip"

• 
  + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
  + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
  [Info]  Current Version: AmcacheParser v1.5.1.0
  [Info]  You are running the most recent version of AmcacheParser.
  [Info]  Current Version: AppCompatCacheParser v1.5.0.0
  [Info]  You are running the most recent version of AppCompatCacheParser.
  [Info]  Current Version: ImportExcel v7.4.2
  [Info]  Latest Release:  ImportExcel v7.5.1 (2022-05-03)
  [Info]  Dowloading ImportExcel v7.5.1 ...
  [Info]  Current Version: IPinfo CLI v2.8.0 (2022-03-22)
  [Info]  Latest Release:  IPinfo CLI v2.8.0 (2022-03-21)
  [Info]  You are running the most recent version of IPinfo CLI.
  [Info]  Starting Elasticsearch ... 
  [Info]  Starting Kibana ... 

[antmar904]

Hello. So I keep getting asked to configure Kibana and I've tried numerous settings but I'm unable to get it to work

[evild3ad]

Hi, I've updated MemProcFS-Analyzer today. Please check out MemPorcFS-Analyzer-v0.4.

The ELK feature should also work again. The tutorial for setting up ELK will follow soon. You can use Timeline Explorer to analyze the new CSV output.

[evild3ad]

Closed.

[antmar904]

Testing now

[antmar904]

It's asking me for a username and password for elasticsearch...

[antmar904]

[evild3ad]

Yea...Elastic changed a lot...new security features added. A pre-configuration is needed. I hope Ulf is writing a tutorial for this soon.

[antmar904]

Ah ok. Ill hold off on using it and hopefully a tutorial is released soon on how to configure it. :) Thanks

[ufrisk]

I don't have any immediate plans on releasing a tutorial how to configure elasticsearch. I may have to look over some of the videos I have, but that will probably be later this fall at the earliest. I'm sure ElasticSearch have a tutorial though if needed.

Otherwise it's not too hard. When elasticsearch starts for the first time it will display a password for the user elastic in the console window. It will also present a configuration token for kibana.

Copy this information. Then start kibana. Input the auto-configuration token and see to it that you're logged on to kibana.

Then when ElasticSearch/Kibana is up and running enter the user name elastic and the password copied earlier on and things should work as before.

Unfortunately this is how things are. Elastic made it harder and there is not much I can do to simplify this.

[evild3ad]

I will have a look on it hopefully next week.

[antmar904]

Looking forward to the next release as I love this tool and I'm not able to use it currently. :( Plus it's getting a lot of notice on Reddit and I've been advocating for the use of it also. I just need to get Elastic working.

[evild3ad]

I wrote a simple tutorial for Elastic: https://github.com/evild3ad/MemProcFS-Analyzer/wiki/Elasticsearch

[antmar904]

It's working perfect, thanks again for the tutorial! :)

[antmar904]

Awesome thanks. I’ll check it out tmrw.

On Mon, Jul 11, 2022 at 11:31 AM Martin Willing @.***> wrote:

Hi, I've updated MemProcFS-Analyzer today. Please check out MemPorcFS-Analyzer-v0.4.

The ELK feature should also work again. The tutorial for setting up ELK will follow soon. You can use Timeline Explorer to analyze the new CSV output.

— Reply to this email directly, view it on GitHub https://github.com/evild3ad/MemProcFS-Analyzer/issues/9#issuecomment-1180558010, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACBKBE655UNZTSAUVGWY5GDVTQ46TANCNFSM5VBVK7NQ . You are receiving this because you authored the thread.Message ID: @.***>