MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

Fast and easy memory analysis!
You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
Pagefile Support
OS Fingerprinting
Scan w/ Custom YARA rules (incl. 391 rules by e.g. Chronicle and Elastic Security)
Multi-Threaded scan w/ ClamAV for Windows
Collection of infected files detected by ClamAV for further analysis (PW: infected)
Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
Extracting IPv4/IPv6
IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
Checking for Suspicious Port Numbers
Process Tree (TreeView) including complete Process Call Chain (Special thanks to Dominik Schmidt)
Checking Processes for Unusual Parent-Child Relationships and Number of Instances
Checking Processes for Unusual User Context
Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
Web Browser History (Google Chrome, Microsoft Edge and Firefox)
Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
Event Log Overview
Processing Windows Event Logs w/ Zircolite - A standalone SIGMA-based detection tool for EVTX
Analyzing extracted Amcache.hve w/ AmcacheParser (EZTools by Eric Zimmerman)
Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser (EZTools by Eric Zimmerman)
Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
Simple Prefetch View (based on Forensic Timeline)
Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
Analyzing Registry w/ RECmd DFIR Batch File (DFIR Batch File by Andrew Rathbun)
Analyzing Metadata of Recovered Process Modules (experimental)
Analyzing Microsoft Protection Logs (experimental)
Extracting Windows Shortcut Files (LNK)
Hunting Malicious Windows Shortcut Files (LNK)
Integration of PowerShell module ImportExcel by Doug Finke
CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)
Offline-Mode
and much more

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

First-Run
Fig 1: MemProcFS-Analyzer.ps1 (First Run) → Updater.ps1

Updater
Fig 2: Updater.ps1 automatically installs/updates all dependencies (First Run)

File-Browser
Fig 3: Select your Memory Snapshot and select your pagefile.sys (Optional)

Microsoft-Internet-Symbol-Store
Fig 4: Accept Terms of Use (First Run)

Fig 5: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk

MountPoint
Fig 6: You can investigate the mounted memory dump by exploring drive letter

Fig 7: FindEvil feature and additional analytics

Fig 8: Processes

RunningAndExited
Fig 9: Running and Exited Processes

ProcessTree
Fig 10: Process Tree (GUI)

ProcessTreeSearch
Fig 11: Checking Process Tree (to find anomalies)

ProcessTreeAlerts
Fig 12: Process Tree: Alert Messages w/ Process Call Chain

PropertiesView
Fig 13: Process Tree: Properties View → Double-Click on a process or alert message

IPinfo
Fig 14: GeoIP w/ IPinfo.io

MapReport
Fig 15: Map IPs w/ IPinfo.io

EVTX
Fig 16: Processing Windows Event Logs (EVTX)

Fig 17: Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)

Amcache
Fig 18: Processing extracted Amcache.hve → XLSX

Fig 19: Processing ShimCache → XLSX

Timeline-Explorer
Fig 20: Analyze CSV output w/ Timeline Explorer (TLE)

ELK-Import
Fig 21: ELK Import

ELK-Timeline
Fig 22: Happy ELK Hunting!

Secure-Archive-Container
Fig 23: Multi-Threaded ClamAV Scan to help you finding evil! ;-)

Message-Box
Fig 24: Press OK to shutdown MemProcFS and Elastisearch/Kibana

Output
Fig 25: Secure Archive Container (PW: MemProcFS)

Introduction MemProcFS and Memory Forensics

Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.

Prerequisites

Download and install the latest Dokany Library Bundle → DokanSetup.exe
https://github.com/dokan-dev/dokany/releases/latest
Download and install the latest .NET 6 Desktop Runtime (Requirement for EZTools)
https://dotnet.microsoft.com/en-us/download/dotnet/6.0
Download and install the latest Windows package of ClamAV → .msi
https://www.clamav.net/downloads#otherversions
First Time Set-Up of ClamAV
Launch Windows PowerShell console as Administrator.
cd "C:\Program Files\ClamAV"
copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
copy .\conf_examples\clamd.conf.sample .\clamd.conf
write.exe .\freshclam.conf → Comment or remove the line that says "Example".
write.exe .\clamd.conf → Comment or remove the line that says "Example".
https://docs.clamav.net/manual/Usage/Configuration.html#windows
Optimize ClamAV scan speed performance (30% faster)
Open "C:\Program Files\ClamAV\clamd.conf" with your text editor and search for: "Don't scan files and directories matching regex"
ExcludePath "\\heaps\\"
ExcludePath "\\handles\\"
ExcludePath "\\memmap\\vad-v\\"
ExcludePath "\\sys\\pool\\"
Create your free IPinfo account [approx. 1-2 min]
https://ipinfo.io/signup?ref=cli
Open "MemProcFS-Analyzer.ps1" with your text editor, search for "Please insert your Access Token here" and copy/paste your access token.
Install the NuGet package provider for PowerShell
Check if NuGet is available in the package providers by running the following command:
Get-PackageProvider -ListAvailable
If NuGet is not installed on your system yet, you have to install it.
Install-PackageProvider -Name NuGet -Force
Make sure to comment/uncomment (selectively enable or disable) the functions you want to play with (Elasticsearch and ELKImport are disabled by default). Check out the "Main" in the bottom of the script.
Done! :smiley: