evild3ad / MemProcFS-Analyzer

Licence: GPL-3.0 license
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

MemProcFS-Analyzer

MemProcFS-Analyzer.ps1 is a PowerShell script that simplifies the use of MemProcFS and streamlines your memory analysis workflow.

MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS

Features:

  • Fast and easy memory analysis!
  • Mount a Raw Physical Memory Dump like a disk image; the Windows memory compression feature is handled for you
  • Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, IPinfo CLI, and xsv
  • Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, IPinfo CLI, and xsv
  • Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
  • Multi-Threaded scan w/ ClamAV for Windows
  • OS Fingerprinting
  • Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
  • Extracting IPv4/IPv6
  • IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
  • Checking Processes for Unusual Parent-Child Relationships and Number of Instances
  • Web Browser History (Google Chrome, Microsoft Edge and Firefox)
  • Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
  • Analyzing extracted Amcache.hve w/ AmcacheParser (EZTools by Eric Zimmerman)
  • Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatCacheParser (EZTools by Eric Zimmerman)
  • Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
  • Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
  • Integration of PowerShell module ImportExcel by Doug Finke
  • CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
  • Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)

Download

Download the latest version of MemProcFS-Analyzer from the Releases section.

Usage

Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

Fig 1: Select your Raw Physical Memory Dump (File Browser)

Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)

Fig 3: Accept the Microsoft Internet Symbol Store Terms of Use (First Run)

Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk

Fig 5: You can investigate the mounted memory dump by exploring drive letter X:

Fig 6: MemProcFS-Analyzer checks for updates (Second Run)

Note: It's recommended to comment out/disable the "Updater" function after installation. See the "Main" section at the bottom of the script.

Fig 7: FindEvil feature and additional analytics

Fig 8: GeoIP w/ IPinfo.io

Fig 9: Map IPs w/ IPinfo.io

Fig 10: Processing Windows Event Logs (EVTX)

Fig 11: Processing extracted Amcache.hve → XLSX

Fig 12: Processing ShimCache → XLSX

Fig 13: Analyze CSV output w/ Timeline Explorer (TLE)

Fig 14: ELK Import

Fig 15: Happy ELK Hunting!

Fig 16: Multi-Threaded ClamAV Scan to help you find evil! ;-)

Fig 17: Press OK to shut down MemProcFS and Elasticsearch/Kibana

Fig 18: Secure Archive Container (PW: MemProcFS)

Introduction to MemProcFS and Memory Forensics

Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.

Prerequisites

  1. Download and install the latest Dokany Library Bundle → DokanSetup.exe
    https://github.com/dokan-dev/dokany/releases/latest

  2. Download and install the latest .NET 6 Desktop Runtime (Requirement for EZTools)
    https://dotnet.microsoft.com/en-us/download/dotnet/6.0

  3. Download and install the latest Windows package of ClamAV.
    https://www.clamav.net/downloads#otherversions

  4. First Time Set-Up of ClamAV
    Launch Windows PowerShell console as Administrator.
    cd "C:\Program Files\clamav"
    copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
    copy .\conf_examples\clamd.conf.sample .\clamd.conf
    write.exe .\freshclam.conf → Comment or remove the line that says “Example”.
    write.exe .\clamd.conf → Comment or remove the line that says “Example”.
    https://docs.clamav.net/manual/Usage/Configuration.html#windows

  5. Create your free IPinfo account [approx. 1-2 min]
    https://ipinfo.io/signup?ref=cli
    Open "MemProcFS-Analyzer.ps1" with your text editor, search for "<access_token>" and copy/paste your access token.

  6. Install the NuGet package provider for PowerShell
    Check if NuGet is available in the package providers by running the following command:
    Get-PackageProvider -ListAvailable
    If NuGet is not installed on your system yet, you have to install it.
    Install-PackageProvider -Name NuGet -Force

  7. Done! 😃
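Steps 4 and 6 above can be scripted so the set-up is repeatable and safe to re-run. The following PowerShell is an added example, not part of MemProcFS-Analyzer, and assumes the default ClamAV install path from step 4.

```powershell
# Added example (not part of MemProcFS-Analyzer): automates the ClamAV first-time
# set-up (step 4) and the NuGet provider check (step 6) from the prerequisites.
# Assumes ClamAV was installed to the default path used in the README.
#Requires -RunAsAdministrator

$ClamAVDir = "C:\Program Files\clamav"

function Initialize-ClamAVConfig {
    param([Parameter(Mandatory)][string]$Name)   # 'freshclam' or 'clamd'

    $Sample = Join-Path $ClamAVDir "conf_examples\$Name.conf.sample"
    $Target = Join-Path $ClamAVDir "$Name.conf"

    if (-not (Test-Path $Sample)) {
        throw "Sample config not found: $Sample (is ClamAV installed?)"
    }

    # Only copy the sample when no config exists yet, so re-runs never
    # clobber a hand-tuned freshclam.conf or clamd.conf.
    if (-not (Test-Path $Target)) {
        Copy-Item -Path $Sample -Destination $Target
    }

    # The sample ships with a bare "Example" line that makes freshclam/clamd
    # refuse to start; comment it out (the manual write.exe step above).
    $Fixed = Get-Content -Path $Target | ForEach-Object {
        if ($_ -match '^\s*Example\s*$') { "#$_" } else { $_ }
    }
    Set-Content -Path $Target -Value $Fixed

    # Return $true when the config is usable (no active "Example" line left).
    return -not [bool]($Fixed | Where-Object { $_ -match '^\s*Example\s*$' })
}

foreach ($Name in 'freshclam', 'clamd') {
    $Ready = Initialize-ClamAVConfig -Name $Name
    Write-Host ("{0}.conf ready: {1}" -f $Name, $Ready)
}

# Step 6: make sure the NuGet package provider is present before the analyzer
# tries to install PowerShell modules such as ImportExcel.
if (-not (Get-PackageProvider -ListAvailable | Where-Object Name -eq 'NuGet')) {
    Install-PackageProvider -Name NuGet -Force
}
```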

Notes:

  • Temporarily turn off your antivirus protection or, better, exclude your MemProcFS-Analyzer directory from scanning.
  • Elasticsearch Tips

Dependencies

7-Zip 22.00 Standalone Console (2022-06-15)
https://www.7-zip.org/download.html

AmcacheParser v1.5.1.0 (.NET 6)
https://ericzimmerman.github.io/

AppCompatCacheParser v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

ClamAV - Alternate Versions → Windows Packages → Win64 → clamav-0.105.0.win.x64.msi (2022-05-03)
https://www.clamav.net/downloads#otherversions

Dokany Library Bundle v2.0.5.1000 (2022-07-04)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe

Elasticsearch 8.3.1 (2022-06-30)
https://www.elastic.co/downloads/elasticsearch

EvtxECmd v1.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

ImportExcel 7.7.0 (2022-07-04)
https://github.com/dfinke/ImportExcel

Ipinfo CLI 2.8.0 (2022-03-21)
https://github.com/ipinfo/cli

Kibana 8.3.1 (2022-06-30)
https://www.elastic.co/downloads/kibana

MemProcFS v4.9.3 - The Memory Process File System (2022-06-15)
https://github.com/ufrisk/MemProcFS

RECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

SBECmd v2.0.0.0 (.NET 6)
https://ericzimmerman.github.io/

xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv

Links

MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS Project
MemProcFSHunter
MemProcFS-Plugins
