MemProcFS is a powerful memory forensics tool that allows forensic investigators to mount raw memory images as a virtual file system. This enables direct analysis of memory artifacts without the need for heavy processing tools. It simplifies the process by converting the memory dump into a filesystem with readable structures like processes, drivers, services, etc.
This guide covers best practices for using MemProcFS, from mounting a memory image to performing in-depth analysis using various tools and techniques.
--------------------------------------------------------------------------------------------------------
Mounting the Image with MemProcFS
The basic command to mount a memory dump using MemProcFS is:
MemProcFS.exe -device c:\temp\memdump-win10x64.raw
This mounts the memory dump as a virtual file system. However, the best way to use MemProcFS is by taking advantage of its built-in Yara rules provided by Elastic. These Yara rules allow you to scan for Indicators of Compromise (IOCs) such as malware signatures, suspicious files, and behaviors within the memory image.
Command with Elastic Yara Rules
To mount a memory image and enable Elastic's Yara rules, use the following command:
MemProcFS.exe -device <Image.path> -forensic 1 -license-accept-elastic-license-2.0
The -forensic 1 flag ensures that the image is mounted with forensic options enabled, while the -license-accept-elastic-license-2.0 flag accepts Elastic's license terms for the built-in Yara rules.
--------------------------------------------------------------------------------------------------------
Methods for Analysis
There are multiple ways to analyze the mounted memory image. Below are the three most common methods:
Using WSL (Windows Subsystem for Linux)
Using Windows Explorer
Using MemProcFS Analyzer Suite
1. Analyzing with WSL (Windows Subsystem for Linux)
One of the most efficient ways to analyze the memory dump is by using the Linux shell within Windows, i.e., WSL. By doing this, you can easily use Linux tools such as grep, awk, and strings to filter and search through the mounted image.
Step 1: Create a Directory in WSL
First, create a directory in WSL where you will mount the memory image:
sudo mkdir /mnt/d
Step 2: Mount the Windows Memory Image to WSL
Next, mount the Windows memory image to the directory you just created. Assuming the image is mounted on the M: drive in Windows, you can mount it to WSL with the following command:
sudo mount -t drvfs M: /mnt/d
This command mounts the M: drive (where MemProcFS has mounted the memory image) to the /mnt/d directory in WSL. Now you can access the mounted memory dump via WSL for further analysis using grep, awk, strings, and other Linux-based utilities.
--------------------------------------------------------------------------------------------------------
2. Analyzing with Windows Explorer
MemProcFS makes it easy to browse the memory image using Windows Explorer by exposing critical memory artifacts in a readable format. Here’s what each folder contains:
Key Folders and Files
Sys Folder:
Proc:
Proc.txt: Lists processes running in memory.
Proc-v.txt: Displays detailed command-line information for the processes.
Drivers:
ers.txt: Contains information about drivers loaded in memory.
Net:
Netstat.txt: Lists network information at the time of acquisition.
Netstat-v.txt: Provides details about network paths used by processes.
Services:
Services.txt: Lists installed services.
Subfolder /byname: Provides detailed information for each service.
Tasks:
Task.txt: Contains information about scheduled tasks in memory.
Name Folder:
Contains folders for each process with detailed information such as files, handles, modules, and Virtual Address Descriptors (VADs).
PID Folder:
Similar to the Name Folder, but uses Process IDs (PIDs) instead of process names.
Registry Folder:
Contains all registry keys and values available in memory during the dump.
Forensic Folder:
CSV files (e.g., pslist.csv): Easily analyzable using Eric Zimmerman's tools.
Timeline: Contains timestamped events related to memory activity, available in both .csv and .txt formats.
Files Folder: Attempts to reconstruct the system's C: drive from memory.
NTFS Folder: Attempts to reconstruct the NTFS file system structure from memory.
Yara Folder: Contains results from Yara scans, populated if Yara scanning is enabled.
FindEvil Folder: You must determine if files are malicious or legitimate.
--------------------------------------------------------------------------------------------------------
3. Using MemProcFS Analyzer Suite
For more automated analysis, MemProcFS comes with an Analyzer Suite that simplifies the process by running pre-configured scripts to extract and analyze data from the memory image.
Step 1: Download and Install Analyzer Suite
First, download the MemProcFS Analyzer Suite. Inside the suite folder, you will find a script named updater.ps1. Run this script in PowerShell to download all the necessary binaries and tools for analysis:
Step 2: Run the Analyzer
Once the setup is complete, you can begin your automated analysis by running the MemProcFS-Analyzer.ps1 script:
.\MemProcFS-Analyzer.ps1
This will launch the GUI for MemProcFS Analyzer. You can then select the mounted memory image and (optionally) the pagefile if it is available. Once you run the analysis, MemProcFS will automatically extract and analyze the data.
--------------------------------------------------------------------------------------------------------
Output and Results
After running the MemProcFS analysis, the results will be saved in a folder under the script directory. Make sure that you have 7-Zip installed, as some of the output may be archived. The
default password for the archives is MemProcFS.
Key Output Files:
Parsed Files: Contains all the data successfully parsed by MemProcFS.
Unparsed Files: Lists data that could not be parsed by the tool. For further analysis, you can manually review these files using tools like Volatility 3 or by leveraging WSL tools.
By reviewing both parsed and unparsed files, you can ensure that no critical information is missed during the analysis.
--------------------------------------------------------------------------------------------------------
Considerations and Best Practices
Antivirus Interference
If you are running MemProcFS Analyzer in a environment, your antivirus software may block certain forensic tools. To avoid interruptions, it is recommended to create exclusions for the tools used by MemProcFS Analyzer or, if necessary, temporarily disable the antivirus software during the analysis.
Manual Review of Unparsed Data
While MemProcFS automates many aspects of memory forensics, it is crucial to manually check files that were not parsed during the automated process. These files can be analyzed using other memory forensic tools like Volatility 3, or through manual inspection using WSL commands.
--------------------------------------------------------------------------------------------------------
Conclusion
MemProcFS offers a powerful and efficient way to analyze memory dumps by mounting them as a virtual file system. This method allows for both manual and automated analysis using familiar tools like grep, awk, strings, and the MemProcFS Analyzer Suite. Whether you are performing quick IOC triage or a detailed forensic analysis, MemProcFS can handle a wide range of memory artifacts, from processes and drivers to network activity and registry keys.
Key Takeaways:
MemProcFS is versatile, offering both manual and automated analysis methods.
Use Elastic’s built-in Yara rules to enhance your malware detection capabilities.
Leverage WSL or Windows Explorer to manually browse and analyze memory artifacts.
The Analyzer Suite automates much of the forensic process, saving time and effort.
Always review unparsed files to ensure nothing critical is missed.
Akash Patel
Comments