MemProcFS-Analyzer is a forensic analysis toolset that builds on the MemProcFS virtual filesystem to make volatile memory artifacts easier to browse and interpret. By exposing process memory, kernel objects, and derived artifacts as regular files, the framework lets analysts use familiar filesystem operations and standard tools (editors, grep, diff) to explore memory snapshots. The Analyzer layer adds higher-level parsing and extraction routines (for example, carving strings, locating injected modules, enumerating handles, or reconstructing network sockets) so investigators can go from raw memory to actionable evidence more quickly. It emphasizes automation and reproducibility: parsers can be chained, results exported, and reports templated to fit incident workflows. Because memory holds transient but critical traces of running malware or misuse, the project focuses on parsing that stays robust in the face of corruption and mismatched OS versions.
Features
- Auto-install and auto-update of many dependent tools, such as MemProcFS itself, AmcacheParser, AppCompatCacheParser, EvtxECmd, YARA, Kibana and others
- Mounts memory snapshots (physical dumps or crash dumps) like disk images, with support for the Windows pagefile and for compression features
- OS fingerprinting, browsing of the process tree with its parent-child chain, and detection of process path/name masquerading and unusual user contexts
- Scans with custom YARA rules and built-in YARA rule sets; multi-threaded scans with ClamAV on Windows
- Extraction of Windows artifacts: registry, event logs (EVTX), browser histories, Amcache, ShimCache, Prefetch, LNK shortcuts and more
- Reports and outputs in CSV, organization of suspicious files for further analysis, evidence archiving, timeline generation and more
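The path/name masquerading and parent-chain checks listed above, as an added example in Python (not code from MemProcFS-Analyzer): a small baseline of expected image directories and parents is run over a constructed process list, flagging a core process that runs from the wrong directory or under the wrong parent, and a lookalike name that differs from a known one by a character. The `Proc` record shape and the baseline table are assumptions; a real run would fill the records from the mounted process view.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"
# Baseline: expected image dir and parent for core Windows processes (assumed, partial table).
EXPECTED = {
    "services.exe": (SYSTEM32, {"wininit.exe"}),
    "lsass.exe": (SYSTEM32, {"wininit.exe"}),
    "svchost.exe": (SYSTEM32, {"services.exe"}),
}

@dataclass
class Proc:  # assumed record shape; a real run fills it from the mounted process view
    pid: int
    ppid: int
    name: str
    path: str  # full image path, "" when unavailable

def check_processes(procs):
    """Return (pid, reason) findings: wrong image path, wrong parent, lookalike name."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<missing>"
        rule = EXPECTED.get(name)
        if rule is None:
            # Name masquerading: near-miss spelling of a core process name (e.g. svch0st.exe).
            for known in EXPECTED:
                if SequenceMatcher(None, name, known).ratio() >= 0.9:
                    findings.append((p.pid, f"lookalike name {p.name!r} resembles {known!r}"))
            continue
        exp_dir, exp_parents = rule
        img_dir = p.path.lower().rsplit("\\", 1)[0] if "\\" in p.path else ""
        if img_dir != exp_dir:
            findings.append((p.pid, f"{p.name} runs from {p.path!r}, expected {exp_dir}"))
        if parent_name not in exp_parents:
            findings.append((p.pid, f"{p.name} parent is {parent_name}, expected {sorted(exp_parents)}"))
    return findings

# Constructed sample (not from a real memory image): one clean chain plus two suspects.
SAMPLE = [
    Proc(600, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(720, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(1100, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(4312, 3000, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # wrong path, parent not in image
    Proc(4400, 3000, "svch0st.exe", r"C:\Windows\Temp\svch0st.exe"),  # lookalike name
]
```

Running `check_processes(SAMPLE)` yields two findings for pid 4312 (path and parent) and one lookalike finding for pid 4400; the clean chain produces none.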