MemProcFS-Analyzer is a PowerShell script intended to simplify and automate forensic analysis of memory dumps (raw memory or crash dumps) on Windows. It builds on MemProcFS (which provides a virtual file system to mount memory), integrating many parsing tools and capabilities (YARA, ClamAV, parsers for Windows artifacts, event logs etc.), generating output (timelines, alerts, reports), and facilitating examination of anomalies in process behavior, injected modules, masquerading, unusual parent-child relationships etc.
Features
- Auto-install and auto-update of many dependent tools such as MemProcFS itself, AmcacheParser, AppCompatCacheParser, EvtxECmd, YARA, Kibana etc.
- Mounts memory snapshots (physical memory dumps or crash dumps) like disk images, with support for the Windows pagefile and compressed memory
- OS fingerprinting, browsing process tree with parent-child chain, detection of process path/name masquerading and unusual user contexts
- Ability to scan with custom YARA rules and built-in YARA rule sets, multi-threaded scans with ClamAV on Windows
- Extraction of Windows artifacts: registry, event logs (EVTX), browser histories, Amcache, ShimCache, Prefetch, LNK shortcuts etc.
- Reports / outputs in CSV, organizing suspicious files for further analysis, archiving evidence, timeline generation etc.
Categories
Data Analytics
License
GNU General Public License version 3.0 (GPLv3)