FS_Forensic_JSON
The directory forensic/json exists as a sub-directory to the file system root.
The directory is hidden by default. It will appear once forensic mode has been started and processing is completed.
The directory contains JSON files optimized for Elasticsearch import as well as a PowerShell import script.
The files in the forensic/json directory are listed in the table below:
| File | Description |
|---|---|
| elastic_import.ps1 | Elasticsearch import script. |
| elastic_import_unauth.ps1 | Elasticsearch import script (localhost unauthenticated instance). |
| general.json | General information. Lots of various info. |
| registry.json | Registry information. |
| timeline.json | Timeline information. |
Files in the forensic/json directory are read-only.
An introduction demo is available on YouTube.
The MemProcFS JSON files are optimized for Elasticsearch import. By default the import script will create the required indexes and import some initial dashboards. The import script will only work together with a non-authenticated Elasticsearch instance running at localhost, but it should be possible to adapt it to your own Elasticsearch instance.
The JSON files will be imported into three index patterns: `mp_general`, `mp_registry` and `mp_timeline`.
The index pattern `mp_general` contains different types, which are listed below. In addition to this, every record contains the system id in the `sys` field.
type: systeminformation
System Information. Only one entry per system. `desc`: computername, `desc2`: detailed information such as time zones and boot time.
type: bitlocker
Bitlocker keys. `obj`: key address, `desc`: encryption type, `desc2`: dislocker unlock key.
type: certificate
Certificates. `desc`: certificate issuer, `desc2`: store, thumbprint and issuer.
type: device
Device information. `obj`: device object, `num`: device tree depth, `addr`: attached device object, `addr2`: driver object, `desc`: name, `desc2`: driver name and extra info (such as volume name).
type: driver
Driver information. `obj`: driver object, `addr`: driver module to/from address, `desc`: name, `desc2`: service name and path.
type: evil
Find Evil information.
type: handle
Handles. `obj`: handle object, `hex`: handle id, `desc`: handle type, `desc2`: detailed handle-dependent info.
type: heap
Heap information. `size`: heap size, `addr`: heap address.
type: kobj
Kernel Object Manager Object. `obj`: object address, `desc`: type, `desc2`: path/name.
type: memorymap
Physical Memory Map. `size`: region byte size, `addr(2)`: region address (base-top).
type: module
Loaded Modules (DLLs, EXEs). `size`: module size in memory, `addr(2)`: module address range (base-top), `desc`: name.
type: module-codeview
Debug and PDB information. `desc`: module, `desc2`: age, guid and pdb name/path.
type: module-versioninfo
Module version information. `desc`: module, `desc2`: CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion.
type: net
Network connections.
type: prefetch
Prefetch information. `num`: number of executions (runs), `desc`: executable file name, `desc2`: run_count + file + run_times(x8).
type: process
Process information. `obj`: object address, `hex`: exe base address in memory, `desc`: process kernel path, `desc2`: flags, user, user-mode path, command line, create-time.
type: pte
Page Table Entry (PTE) information. `size`: range size (in bytes), `addr(2)`: address range, `desc`: flags srwx, `desc2`: tag.
type: service
Service Manager Information. `obj`: service address in services.exe, `addr(2)`: address range, `desc`: name, `desc2`: start, state, type, image.
type: shtask
Scheduled tasks. `desc`: name, `desc2`: detailed info.
type: thread
Thread Information.
type: unloadedmodule
Unloaded Modules.
type: vad
Information about Virtual Address Descriptors (VADs).
type: virtualmachine
Device information. `obj`: vm object address, `hex`: partition id, `addr`: max guest physical memory address, `desc`: name, `desc2`: active/type/osbuild.
For information about the timeline please check out the demo video and the forensic timeline information.
The registry JSON contains two types, one for registry `key` and one for registry `value`.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them, it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖