We host MemProcFS-Analyzer so that it can be run in our online workstations, either directly or under Wine.
Quick description of MemProcFS-Analyzer:
MemProcFS-Analyzer is a PowerShell script that simplifies and automates forensic analysis of Windows memory dumps (raw memory images or crash dumps). It builds on MemProcFS, which mounts a memory image as a virtual file system, and integrates a number of parsing and scanning tools (YARA, ClamAV, parsers for Windows artifacts and event logs, and so on). It produces timelines, alerts and reports, and helps the analyst spot anomalies such as suspicious process behaviour, injected modules, process masquerading and unusual parent-child relationships.
Features:
- Auto-install and auto-update of many dependent tools such as MemProcFS itself, AmcacheParser, AppCompatCacheParser, EvtxECmd, YARA, Kibana etc.
- Mounts memory snapshots (raw physical memory or crash dumps) like disk images, with support for pagefiles and compressed memory
- OS fingerprinting, browsing the process tree with its parent-child chains, detection of process path/name masquerading and unusual user contexts
- Scanning with custom YARA rules and built-in YARA rule sets, plus multi-threaded ClamAV scans on Windows
- Extraction of Windows artifacts: registry, event logs (EVTX), browser histories, Amcache, ShimCache, Prefetch, LNK shortcuts etc.
- CSV reports and outputs, collection of suspicious files for further analysis, evidence archiving, timeline generation etc.
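As an added example (not code from MemProcFS-Analyzer, MemProcFS or this page), the following Python script shows the kind of parent-child and masquerading checks listed above, run over a constructed process listing. The baseline tables (expected parent, expected image directory, SYSTEM-only processes) are assumptions drawn from default Windows behaviour, and the process records are made up for the demonstration; a real run would populate them from the process listing of the mounted memory image.

```python
"""Heuristic triage of a process listing for masquerading and odd parentage.

Added example, not MemProcFS-Analyzer's own logic. The process records below
are constructed to resemble the fields a memory-forensics process listing
yields (pid, ppid, image name, image path, user); the baseline tables are
assumptions based on default Windows behaviour.
"""
import ntpath  # handles Windows paths correctly on any host OS
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str   # image name as reported, e.g. "svchost.exe"
    path: str   # full image path
    user: str   # account the process runs as


SYS32 = r"c:\windows\system32"
SYSTEM_ACCOUNT = r"nt authority\system"

# Assumed baseline for core Windows processes:
# name -> (expected parent names, expected image directories, must run as SYSTEM)
BASELINE = {
    "smss.exe":     ({"system"},       {SYS32}, True),
    "csrss.exe":    ({"smss.exe"},     {SYS32}, True),
    "wininit.exe":  ({"smss.exe"},     {SYS32}, True),
    "winlogon.exe": ({"smss.exe"},     {SYS32}, True),
    "services.exe": ({"wininit.exe"},  {SYS32}, True),
    "lsass.exe":    ({"wininit.exe"},  {SYS32}, True),
    "svchost.exe":  ({"services.exe"}, {SYS32, r"c:\windows\syswow64"}, False),
    "explorer.exe": ({"userinit.exe"}, {r"c:\windows"}, False),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return (pid, reason) findings for processes deviating from the baseline.

    A parent that is no longer in the listing (e.g. smss.exe or userinit.exe,
    which exit after spawning children) is not treated as suspicious.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        base = BASELINE.get(name)
        if base is None:
            # Not a core name: flag names one edit away from a core name.
            for known in BASELINE:
                if edit_distance(name, known) == 1:
                    findings.append((p.pid, f"name '{p.name}' resembles '{known}'"))
            continue
        parents, dirs, needs_system = base
        if parent is not None and parent.name.lower() not in parents:
            findings.append((p.pid, f"{p.name} parent is {parent.name}, expected {sorted(parents)}"))
        if ntpath.dirname(p.path).lower() not in dirs:
            findings.append((p.pid, f"{p.name} runs from unexpected path {p.path}"))
        if needs_system and p.user.lower() != SYSTEM_ACCOUNT:
            findings.append((p.pid, f"{p.name} runs as {p.user}, expected SYSTEM"))
    return findings


# Constructed sample listing: a normal boot chain plus three planted anomalies.
SYS = r"NT AUTHORITY\SYSTEM"
SAMPLE_PROCS = [
    Proc(4, 0, "System", "", SYS),
    Proc(328, 4, "smss.exe", r"C:\Windows\System32\smss.exe", SYS),
    Proc(420, 328, "csrss.exe", r"C:\Windows\System32\csrss.exe", SYS),
    Proc(500, 328, "wininit.exe", r"C:\Windows\System32\wininit.exe", SYS),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", SYS),
    Proc(612, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe", SYS),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    Proc(2100, 1900, "explorer.exe", r"C:\Windows\explorer.exe", r"WS01\alice"),  # parent userinit exited
    # Anomaly 1: svchost.exe spawned by explorer.exe from a user-writable path
    Proc(3400, 2100, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"WS01\alice"),
    # Anomaly 2: lookalike name
    Proc(3520, 2100, "svch0st.exe", r"C:\Users\alice\AppData\Roaming\svch0st.exe", r"WS01\alice"),
    # Anomaly 3: correct path, but wrong parent and wrong user context
    Proc(3600, 2100, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"WS01\alice"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCS):
        print(f"[{pid}] {reason}")
```

Run on the sample listing, the script reports five findings across PIDs 3400, 3520 and 3600 and stays silent for the legitimate boot chain. The same checks are what an analyst does by eye on a process tree; encoding them makes the review repeatable across dumps.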
Programming Language: PowerShell.
©2024. Winfy. All Rights Reserved.
By OD Group OU – Registry code: 1609791 -VAT number: EE102345621.