ฝัง
- เผยแพร่เมื่อ 20 มิ.ย. 2024
- Imagine being able to "mount" memory as if it were a disk image. With a single command, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. The tool can be executed against a memory dump, or run against memory on a live system. This is a game changer for memory forensics!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
01:42 - Installation
02:41 - Demo
🛠 Resources
MemProcFS: The Memory Process File System:
github.com/ufrisk/MemProcFS
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics - วิทยาศาสตร์และเทคโนโลยี
Great find! Thanks for sharing and I'll be using this going forward for sure!
This is by far the most useful tool introduced in your informative channel .. Many thanks for the support you are providing to us.
Great video as usual. I wait for a practical applied case using this tool
The best project on DFIR a ever see! amazing work!!
Wow, Absolutely fantastic, I have dreamed of this kind of tool. So valuable, Thanks a lot.
Thats Great Thank you.
This is so valuable, thanks a lot :)
Great video
One interesting thing which you did not show is NTFS directory in forensics, of course you have whole MFT list in one file but sometimes I don't know what am I looking for and I find it extremely helpful that you can just browse through it like C->Users->user->Downloads and you see there bunch of files and start thinking. Why are those files visible in memory? Did something loaded it up or was it downloaded with browser?
Anyways, as always great content, thank you for your work :)!
About the best you can do would be to browse the contents of the $MFT as available within the memory capture. Some of those files may actually be present within memory, and recoverable. That said, there isn't a virtual directory hierarchy that re-creates the entire file system structure. Also remember that there are no guarantees in memory forensics -- what you are looking for *may* be present, or it may have been paged to disk and not available in the memory capture. Also keep in mind that at some point, everything you do on a computer system (websites you visit, pictures you view, documents you create, etc.) traverses the memory. So, there can be a lot of interesting evidence and potentially valuable content therein -- but again, just no guarantees.
the best class, very good
This saves my day.
Thanks for video
This is a revelation!
Ive been using this for awhile, superglad you covered it so well!
A completely other question: Is there any good tools to create a memory dump without crashing the system? Havent found one yeat.
WinPmem is usually my go-to.
@@13Cubed Thank you kind sir! Keep up the superb work :)
This changes everything
does the proc file show unlinked processes?
Thank you for the video, could you show how to prepare for the CHFI certificate and where to get best free courses for it?
and if your prepare a video on it, it would be much better.
Unfortunately, I'm not very familiar with that certification. I would take a look at the learning objectives for it and compare it to the "Digital Forensics" playlist. I'm guessing a good bit of the content would be covered in those episodes. You can also check out 13cubed.com/episodes for the official Episode Guide. Click "All Series" and use the search blank in the top right to search across all of the channel content.
@@13Cubed
Thank you so much, your channel helps toward this certification efficiently, I hope you continue
Push!
You can of course do most of this from a debugger on the dump, but requires a great deal of expertise (and time and effort).
The forensics bit etc automates a lot of that
Would MemProcFS be able to process Windows 10 hibernation files (hiberfil.sys)?
If you use Hibernation Recon to extract the active memory from hiberfil.sys, it should work. Check out the Windows Hibernation Files episode for more information on how to do that.
What Linux distros does this support?
Any distro with fuse support
So anything that uses modern kernels like the second latest lts
first
So it basically trying to recreate Linux (or any Unix-like system) in Windows.
Why is it only 1GB of storage?so if your memory is 10GB it keeps saying insufficient memory.KINDLY address will appreciate @13Cubed