Skip to content

Commit f3c8ecc

Browse files
evild3adevild3ad
committed
2024-09-03
1 parent f68d625 commit f3c8ecc

File tree

1 file changed

+25
-25
lines changed

1 file changed

+25
-25
lines changed

README.md

Lines changed: 25 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -54,79 +54,79 @@ Download the latest version of **MemProcFS-Analyzer** from the [Releases](https:
5454
## Usage
5555
Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.
5656

57-
![First-Run](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png)
57+
![First-Run](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/01.png)
5858
**Fig 1:** MemProcFS-Analyzer.ps1 (First Run) → Updater.ps1
5959

60-
![Updater](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png)
60+
![Updater](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/02.png)
6161
**Fig 2:** Updater.ps1 automatically installs/updates all dependencies (First Run)
6262

63-
![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png)
63+
![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/03.png)
6464
**Fig 3:** Select your Memory Snapshot and select your pagefile.sys (Optional)
6565

66-
![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/03.png)
66+
![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/04.png)
6767
**Fig 4:** Accept Terms of Use (First Run)
6868

69-
![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/04.png)
69+
![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/05.png)
7070
**Fig 5:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk
7171

72-
![MountPoint](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/05.png)
72+
![MountPoint](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/06.png)
7373
**Fig 6:** You can investigate the mounted memory dump by exploring drive letter
7474

75-
![FindEvil](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/07.png)
75+
![FindEvil](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/07.png)
7676
**Fig 7:** FindEvil feature and additional analytics
7777

78-
![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/08.png)
78+
![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/08.png)
7979
**Fig 8:** Processes
8080

81-
![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/09.png)
81+
![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/09.png)
8282
**Fig 9:** Running and Exited Processes
8383

84-
![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/10.png)
84+
![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/10.png)
8585
**Fig 10:** Process Tree (GUI)
8686

87-
![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/11.png)
87+
![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/11.png)
8888
**Fig 11:** Checking Process Tree (to find anomalies)
8989

90-
![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/12.png)
90+
![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/12.png)
9191
**Fig 12:** Process Tree: Alert Messages w/ Process Call Chain
9292

93-
![PropertiesView](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/13.png)
93+
![PropertiesView](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/13.png)
9494
**Fig 13:** Process Tree: Properties View → Double-Click on a process or alert message
9595

96-
![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/14.png)
96+
![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/14.png)
9797
**Fig 14:** GeoIP w/ IPinfo.io
9898

99-
![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/15.png)
99+
![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/15.png)
100100
**Fig 15:** Map IPs w/ IPinfo.io
101101

102-
![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/16.png)
102+
![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/16.png)
103103
**Fig 16:** Processing Windows Event Logs (EVTX)
104104

105-
![Zircolite](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/17.png)
105+
![Zircolite](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/17.png)
106106
**Fig 17:** Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)
107107

108-
![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/18.png)
108+
![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/18.png)
109109
**Fig 18:** Processing extracted Amcache.hve → XLSX
110110

111-
![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/19.png)
111+
![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/19.png)
112112
**Fig 19:** Processing ShimCache → XLSX
113113

114-
![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/20.png)
114+
![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/20.png)
115115
**Fig 20:** Analyze CSV output w/ Timeline Explorer (TLE)
116116

117-
![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/21.png)
117+
![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/21.png)
118118
**Fig 21:** ELK Import
119119

120-
![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/22.png)
120+
![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/22.png)
121121
**Fig 22:** Happy ELK Hunting!
122122

123-
![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/23.png)
123+
![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/23.png)
124124
**Fig 23:** Multi-Threaded ClamAV Scan to help you finding evil! ;-)
125125

126-
![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/24.png)
126+
![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/24.png)
127127
**Fig 24:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
128128

129-
![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/25.png)
129+
![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/25.png)
130130
**Fig 25:** Secure Archive Container (PW: MemProcFS)
131131

132132
## Introduction MemProcFS and Memory Forensics

0 commit comments

Comments
 (0)