
FS_Forensic_JSON

ufrisk edited this page Apr 26, 2021 · 7 revisions

The forensic/json directory

The directory forensic/json exists as a sub-directory to the file system root.

The directory is hidden by default. It will appear once forensic mode has been started and processing is completed.

The directory contains JSON files optimized for Elasticsearch import as well as a PowerShell import script.

The files in the forensic/json directory are listed in the table below:

| File | Description |
|---|---|
| elastic_import.ps1 | Elasticsearch import script (unauthenticated instance on localhost). |
| general.json | General information. Lots of various info. |
| general-v.json | Verbose general information (not automatically imported). |
| registry.json | Registry information. |
| timeline.json | Timeline information. |

Files in the forensic/json directory are read-only.

An introduction demo is available on YouTube.

Elasticsearch integration:

The MemProcFS JSON files are optimized for Elasticsearch import. By default the import script will create the required indexes and import some initial dashboards. The import script will only work together with a non-authenticated Elasticsearch instance running at localhost, but it should be fairly easy to adapt to your own Elasticsearch instance.

General JSON:

The index mp_general contains different types - which are listed below. In addition to this every record contains the system id in the sys field.

| Type | Description |
|---|---|
| systeminformation | System Information. Only one entry per system. `desc`: computer name, `desc2`: detailed information such as time zones and boot time. |
| certificate | Certificates. `desc`: certificate issuer, `desc2`: store, thumbprint and issuer. |
| codeview | Debug & PDB information. `desc`: module, `desc2`: age, guid and pdb name/path. |
| driver | Driver information. `obj`: driver object, `addr`: driver module to/from address, `desc`: name, `desc2`: service name and path. |
| evil | Find Evil information. |
| handle | Handles. `obj`: handle object, `hex`: handle id, `desc`: handle type, `desc2`: detailed handle-dependent info. |
| heap | Heap information. `size`: heap size, `addr`: heap address. |
| kobj | Kernel Object Manager Object. `obj`: object address, `desc`: type, `desc2`: path/name. |
| memorymap | Physical Memory Map. `size`: region byte size, `addr(2)`: region address (base-top). |
| module | Loaded Modules (DLLs, EXEs). `size`: module size in memory, `addr(2)`: module address range (base-top), `desc`: name. |
| net | Network connections. |
| process | Process information. `obj`: object address, `hex`: exe base address in memory, `desc`: process kernel path, `desc2`: flags, user, user-mode path, command line, create-time. |
| pte | Page Table Entry (PTE) information. `size`: range size (in bytes), `addr(2)`: address range, `desc`: flags srwx, `desc2`: tag. |
| service | Service Manager Information. `obj`: service address in services.exe, `addr(2)`: address range, `desc`: name, `desc2`: start, state, type, image. |
| shtask | Scheduled tasks. `desc`: name, `desc2`: detailed info. |
| thread | Thread Information. |
| unloadedmodule | Unloaded Modules. |
| vad | Information about Virtual Address Descriptors (VADs). |
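As an added example (not part of this wiki or of the MemProcFS project), a small Python helper that loads `general.json` records, checks each one against the per-type field layout documented above, and groups them by type so a triage pass can start with the `evil` and `process` records. It assumes that `addr(2)` denotes an `addr` field and accepts either a JSON array or one object per line, since the page states neither.

```python
import json
from collections import defaultdict
# Fields the wiki lists per mp_general record type (`addr(2)` taken to mean an
# `addr` field is present: assumption). Types with no fields named map to set().
TYPE_FIELDS = {
    "systeminformation": {"desc", "desc2"}, "certificate": {"desc", "desc2"},
    "codeview": {"desc", "desc2"}, "driver": {"obj", "addr", "desc", "desc2"},
    "evil": set(), "handle": {"obj", "hex", "desc", "desc2"},
    "heap": {"size", "addr"}, "kobj": {"obj", "desc", "desc2"},
    "memorymap": {"size", "addr"}, "module": {"size", "addr", "desc"},
    "net": set(), "process": {"obj", "hex", "desc", "desc2"},
    "pte": {"size", "addr", "desc", "desc2"},
    "service": {"obj", "addr", "desc", "desc2"}, "shtask": {"desc", "desc2"},
    "thread": set(), "unloadedmodule": set(), "vad": set(),
}

def load_records(text):
    """Accept a JSON array or newline-delimited JSON; the page names neither."""
    stripped = text.strip()
    if stripped.startswith("["):
        return json.loads(stripped)
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]

def validate(records):
    """Return (index, problem) pairs: missing sys, unknown type, missing field."""
    problems = []
    for i, rec in enumerate(records):
        if "sys" not in rec:
            problems.append((i, "missing sys"))
        t = rec.get("type")
        if t not in TYPE_FIELDS:
            problems.append((i, f"unknown type {t!r}"))
            continue
        for field in sorted(TYPE_FIELDS[t] - set(rec)):
            problems.append((i, f"{t}: missing {field}"))
    return problems

def by_type(records):
    """Group records by type so triage can start with 'evil' and 'process'."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("type")].append(rec)
    return dict(groups)

# Constructed sample in the documented layout; all values are illustrative.
SAMPLE = r"""
{"sys": "sys-1", "type": "process", "obj": "0xffff8001", "hex": "0x400000", "desc": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", "desc2": "flags user path cmdline ctime"}
{"sys": "sys-1", "type": "evil", "desc": "constructed finding"}
{"sys": "sys-1", "type": "heap", "size": 65536}
"""
```

Running `validate(load_records(SAMPLE))` flags the constructed heap record, which lacks its `addr` field, while the process and evil records pass.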

Timeline JSON:

Registry JSON:
