MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to assist with the analysis workflow. Download the latest version of MemProcFS-Analyzer from the Releases section.
MemProcFS-Analyzer is a PowerShell script designed to make memory analysis easier and more efficient. It automates the installation of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite, and updates these tools when new versions are available. MemProcFS-Analyzer can mount a memory snapshot (raw physical memory dump or Microsoft crash dump) like a disk image and handles the memory compression feature of Windows. It also offers pagefile support and OS fingerprinting.
MemProcFS-Analyzer can scan with custom YARA rules, including 318 rules by Chronicle and Elastic Security. It also has a multi-threaded scan with ClamAV for Windows, which collects infected files for further analysis. It can extract IPv4/IPv6, map IP2ASN and GeoIP with IPinfo CLI, and check for suspicious port numbers. It can also analyze process trees, including complete process call chains, and check for unusual parent-child relationships and number of instances.
MemProcFS-Analyzer can also analyze web browser history, extract Windows event log files, and process them with EvtxECmd. It can analyze extracted Amcache.hve with AmcacheParser, ShimCache with AppCompatCacheParser, Syscache with RECmd, UserAssist artifacts with RECmd, ShellBags artifacts with RECmd, and Auto-Start Extensibility Points (ASEPs) with RECmd. It can also extract Windows shortcut files (LNK) and hunt for malicious ones. It can analyze the metadata of recovered process modules and generate CSV output for analysis with Timeline Explorer. Finally, it can collect evidence files in a secure archive container.
In order to use MemProcFS-Analyzer, users must download and install the latest Dokany Library Bundle, .NET 6 Desktop Runtime, Windows package of ClamAV, and NuGet package provider for PowerShell. They must also create a free IPinfo account and insert their access token into the script. It is recommended to turn off antivirus protection or exclude the MemProcFS-Analyzer directory from scanning. Additionally, users can optimize ClamAV scan speed performance for faster scans. With all these steps completed, users can
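The prerequisite steps above are manual; as an added example (not part of MemProcFS-Analyzer or its documentation), the PowerShell pre-flight check below verifies each prerequisite before the analyzer is run and remediates the two that can be fixed from PowerShell (the NuGet package provider and the Defender exclusion). The script directory, the ClamAV install path, the `dokan*` service-name pattern and the use of the `dotnet --list-runtimes` output are assumptions; adjust them to your environment. Inserting the IPinfo access token into the script remains a manual step.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of MemProcFS-Analyzer: pre-flight check for the
# prerequisites listed on this page. Paths below are assumed placeholders.

$AnalyzerDir = 'C:\Tools\MemProcFS-Analyzer'            # assumed script location
$ClamScan    = 'C:\Program Files\ClamAV\clamscan.exe'   # assumed ClamAV install path

$results = [ordered]@{}

# 1) Dokany Library Bundle: MemProcFS needs the Dokan driver to mount memory as a drive.
#    Assumption: the driver service name matches 'dokan*'.
$results['Dokany driver'] = [bool](Get-Service -Name 'dokan*' -ErrorAction SilentlyContinue)

# 2) .NET 6 Desktop Runtime: required by tools such as EvtxECmd and RECmd.
$dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
$results['.NET 6 Desktop Runtime'] = [bool]($dotnet -and
    (& $dotnet.Source --list-runtimes | Select-String 'Microsoft\.WindowsDesktop\.App 6\.'))

# 3) ClamAV Windows package: the multi-threaded scan runs clamscan.exe.
$results['ClamAV (clamscan.exe)'] = Test-Path $ClamScan

# 4) NuGet package provider for PowerShell (needed before modules can be installed from the gallery).
$results['NuGet provider'] = [bool](Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)

# 5) Defender exclusion for the analyzer directory, so recovered files are not quarantined mid-run.
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
$results['Defender exclusion'] = [bool]($excl -contains $AnalyzerDir)

# Report
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Remediation for the two items that can be fixed from PowerShell
if (-not $results['NuGet provider']) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
}
if (-not $results['Defender exclusion']) {
    Add-MpPreference -ExclusionPath $AnalyzerDir
}
```

Run it from an elevated PowerShell session before the first analysis; Dokany, the .NET runtime and ClamAV are reported only, since they are installed from their own packages rather than from PowerShell.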
👉🏽 Use MemProcFS-Analyzer to simplify and streamline memory analysis tasks.
👉🏽 Automate the installation and updating of various memory analysis tools.
👉🏽 Mount and handle memory snapshots like a disk image, including memory compression.
👉🏽 Scan with custom YARA rules and collect infected files for further analysis.
👉🏽 Extract and analyze network information, including IP mapping and suspicious port numbers.
👉🏽 Analyze process trees and identify unusual parent-child relationships and instances.
👉🏽 Analyze web browser history and extract Windows event log files.
👉🏽 Analyze various artifacts such as Amcache.hve, ShimCache, Syscache, UserAssist, and ShellBags.
👉🏽 Extract and analyze Windows shortcut files (LNK) for malicious content.
👉🏽 Collect and store evidence files in a secure archive container for further examination.
🔗 source link: https://github.com/evild3ad/MemProcFS-Analyzer
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/memprocfs-analyzer
#MemProcFS-Analyzer #memoryanalysis #malwareanalysis #forensictools #Windowsanalysis