MemProcFS-Analyzer.ps1 is a PowerShell script that simplifies the use of MemProcFS and streamlines your memory analysis workflow.
MemProcFS - The Memory Process File System by Ulf Frisk
https://github.com/ufrisk/MemProcFS
Features:
- Fast and easy memory analysis!
- You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
- Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
- Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
- Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
- Pagefile Support
- OS Fingerprinting
- Scan w/ Custom YARA rules (incl. 423 rules by e.g. Chronicle and Elastic Security)
- Multi-Threaded scan w/ ClamAV for Windows
- Collection of infected files detected by ClamAV for further analysis (PW: infected)
- Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
- Extracting IPv4/IPv6
- IP2ASN Mapping and GeoIP w/ IPinfo CLI → Get your token for free at https://ipinfo.io/signup
- Checking for Suspicious Port Numbers
- Process Tree (TreeView) including complete Process Call Chain (Special thanks to Dominik Schmidt)
- Checking Processes for Unusual Parent-Child Relationships and Number of Instances
- Checking Processes for Unusual User Context
- Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
- Web Browser History (Google Chrome, Microsoft Edge and Firefox)
- Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer (EZTools by Eric Zimmerman)
- Event Log Overview
- Processing Windows Event Logs w/ Zircolite - A standalone SIGMA-based detection tool for EVTX
- Analyzing extracted Amcache.hve w/ AmcacheParser (EZTools by Eric Zimmerman)
- Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatCacheParser (EZTools by Eric Zimmerman)
- Analyzing Syscache w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing ShellBags Artifacts w/ RECmd (EZTools by Eric Zimmerman)
- Simple Prefetch View (based on Forensic Timeline)
- Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing RecentDocs, Office Trusted Document w/ RECmd (EZTools by Eric Zimmerman)
- Analyzing Registry w/ DFIR RECmd Batch File (DFIR Batch File by Andrew Rathbun)
- Analyzing Metadata of Recovered Process Modules (experimental)
- Extracting Windows Shortcut Files (LNK)
- Hunting Malicious Windows Shortcut Files (LNK)
- Integration of PowerShell module ImportExcel by Doug Finke
- CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)
- Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)
- and much more
Download the latest version of MemProcFS-Analyzer from the Releases section.
Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.

Fig 1: Select your Memory Snapshot and select your pagefile.sys (Optional)

Fig 2: MemProcFS-Analyzer auto-installs dependencies (First Run)

Fig 3: Accept Terms of Use (First Run)

Fig 4: If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk

Fig 5: You can investigate the mounted memory dump by exploring drive letter

Fig 6: MemProcFS-Analyzer checks for updates (Second Run)
Note: It's recommended to comment out (disable) the "Updater" function call after installation, so that the update check does not run on every launch. Check out the "Main" section at the bottom of the script.

Fig 7: FindEvil feature and additional analytics

Fig 9: Running and Exited Processes

Fig 11: Checking Process Tree (to find anomalies)

Fig 12: Process Tree: Alert Messages w/ Process Call Chain

Fig 13: Process Tree: Properties View → Double-Click on a process or alert message

Fig 16: Processing Windows Event Logs (EVTX)

Fig 17: Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)

Fig 18: Processing extracted Amcache.hve → XLSX

Fig 19: Processing ShimCache → XLSX

Fig 20: Analyze CSV output w/ Timeline Explorer (TLE)

Fig 23: Multi-Threaded ClamAV Scan to help you find evil! ;-)

Fig 24: Press OK to shutdown MemProcFS and Elasticsearch/Kibana

Fig 25: Secure Archive Container (PW: MemProcFS)
Check out Super Easy Memory Forensics by Hiroshi Suzuki and Hisao Nashiwa.
- Download and install the latest Dokany Library Bundle → DokanSetup.exe
  https://github.com/dokan-dev/dokany/releases/latest
- Download and install the latest .NET 9 Desktop Runtime (Requirement for EZTools)
  https://dotnet.microsoft.com/en-us/download/dotnet/9.0
- Download and install the latest Windows package of ClamAV.
  https://www.clamav.net/downloads#otherversions
- First Time Set-Up of ClamAV
  Launch Windows PowerShell console as Administrator.
  cd "C:\Program Files\ClamAV"
  copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
  copy .\conf_examples\clamd.conf.sample .\clamd.conf
  write.exe .\freshclam.conf → Comment or remove the line that says "Example".
  write.exe .\clamd.conf → Comment or remove the line that says "Example".
  https://docs.clamav.net/manual/Usage/Configuration.html#windows
- Optimize ClamAV scan speed performance (30% faster)
  Open "C:\Program Files\ClamAV\clamd.conf" with your text editor, search for "Don't scan files and directories matching regex" and add:
  ExcludePath "\\heaps\\"
  ExcludePath "\\handles\\"
  ExcludePath "\\memmap\\vad-v\\"
  ExcludePath "\\sys\\pool\\"
- Create your free IPinfo account [approx. 1-2 min]
  https://ipinfo.io/signup?ref=cli
  Open "MemProcFS-Analyzer.ps1" with your text editor, search for "Please insert your Access Token here" and copy/paste your access token.
- Install the NuGet package provider for PowerShell
  Check if NuGet is available in the package providers by running the following command:
  Get-PackageProvider -ListAvailable
  If NuGet is not installed on your system yet, you have to install it:
  Install-PackageProvider -Name NuGet -Force
- Make sure to comment/uncomment (selectively enable or disable) the functions you want to play with (Elasticsearch and ELKImport are disabled by default). Check out the "Main" section at the bottom of the script.
- Launch the Automated Installer/Updater for MemProcFS-Analyzer
  .\Updater.ps1
- Done! 😃
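The prerequisite steps above, automated and verified in one script. This is an added example, not code from MemProcFS-Analyzer or the MemProcFS project: it performs the ClamAV first-time set-up and the ExcludePath tuning idempotently, then prints a pre-flight table for the remaining prerequisites. It assumes the default ClamAV MSI path, that ClamAV keeps its signatures under <ClamAV>\database, that Dokany 2.x places dokan2.dll in System32, and that you run it from the directory containing MemProcFS-Analyzer.ps1; the file name Setup-Prerequisites.ps1 used in the usage note is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of MemProcFS-Analyzer): ClamAV set-up + pre-flight checks.
# Run from the MemProcFS-Analyzer directory in an elevated Windows PowerShell 5.1 console.
# Assumptions: default ClamAV MSI path, signatures under <ClamAV>\database,
# Dokany 2.x installing dokan2.dll into System32. Adjust to your install.

$ClamAVHome = 'C:\Program Files\ClamAV'
$Analyzer   = Join-Path (Get-Location) 'MemProcFS-Analyzer.ps1'

# --- ClamAV first-time set-up (safe to re-run) ----------------------------------
if (-not (Test-Path "$ClamAVHome\clamscan.exe")) {
    throw "ClamAV not found in '$ClamAVHome'. Install the Windows MSI first."
}
$Configs = @{ 'freshclam.conf' = 'freshclam.conf.sample'; 'clamd.conf' = 'clamd.conf.sample' }
foreach ($Name in $Configs.Keys) {
    $Target = Join-Path $ClamAVHome $Name
    # Copy the sample only when no config exists yet, so local edits survive re-runs.
    if (-not (Test-Path $Target)) {
        Copy-Item (Join-Path $ClamAVHome "conf_examples\$($Configs[$Name])") $Target
    }
    # ClamAV refuses to run while the bare 'Example' line is present; comment it out.
    # The anchored regex leaves real option lines untouched.
    $Lines   = @(Get-Content -Path $Target)
    $Patched = $Lines -replace '^\s*Example\s*$', '#Example'
    if (Compare-Object $Lines $Patched) {
        Set-Content -Path $Target -Value $Patched -Encoding ASCII
    }
}

# ExcludePath entries from the README: MemProcFS virtual directories that are large
# and contain nothing ClamAV can match. Appended only when not already present.
$ClamdConf = Join-Path $ClamAVHome 'clamd.conf'
$Excludes  = 'ExcludePath "\\heaps\\"', 'ExcludePath "\\handles\\"',
             'ExcludePath "\\memmap\\vad-v\\"', 'ExcludePath "\\sys\\pool\\"'
$Present   = @(Get-Content -Path $ClamdConf)
$Missing   = @($Excludes | Where-Object { $Present -notcontains $_ })
if ($Missing.Count -gt 0) { Add-Content -Path $ClamdConf -Value $Missing -Encoding ASCII }

# Optional, needs internet: pull signatures once so the first scan has a database.
if (-not (Test-Path "$ClamAVHome\database\main.c*d")) {
    & "$ClamAVHome\freshclam.exe" --config-file="$ClamAVHome\freshclam.conf"
}

# --- Pre-flight checks ------------------------------------------------------------
$Checks = [ordered]@{
    'Windows PowerShell 5.1'          = { $PSVersionTable.PSVersion.Major -eq 5 }
    'Dokany library (dokan2.dll)'     = { Test-Path "$env:SystemRoot\System32\dokan2.dll" }
    '.NET 9 Desktop Runtime'          = {
        (Get-Command dotnet -ErrorAction SilentlyContinue) -and
        ((& dotnet --list-runtimes) -match '^Microsoft\.WindowsDesktop\.App 9\.')
    }
    'ClamAV configs without Example'  = {
        (Test-Path "$ClamAVHome\freshclam.conf") -and (Test-Path $ClamdConf) -and
        -not (Select-String -Path "$ClamAVHome\freshclam.conf", $ClamdConf `
                            -Pattern '^\s*Example\s*$' -ErrorAction SilentlyContinue)
    }
    'ClamAV signature database'       = { Test-Path "$ClamAVHome\database\main.c*d" }
    'NuGet package provider'          = {
        [bool](Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)
    }
    'IPinfo token inserted'           = {
        (Test-Path $Analyzer) -and
        -not (Select-String -Path $Analyzer -SimpleMatch -Pattern 'Please insert your Access Token here')
    }
}
$Results = foreach ($Name in $Checks.Keys) {
    try { $Ok = [bool](& $Checks[$Name]) } catch { $Ok = $false }
    [pscustomobject]@{ Check = $Name; Status = $(if ($Ok) { 'OK' } else { 'MISSING' }) }
}
$Results | Format-Table -AutoSize
if (@($Results | Where-Object Status -eq 'MISSING').Count -gt 0) {
    Write-Warning 'Fix the MISSING items before running MemProcFS-Analyzer.ps1'
}
```

Save it as Setup-Prerequisites.ps1 next to MemProcFS-Analyzer.ps1 and run it from an elevated Windows PowerShell 5.1 console; it only copies the ClamAV sample configs when none exist and only appends ExcludePath lines that are missing, so re-running after an upgrade is harmless. The "Example" line check is the one that bites most often: ClamAV exits with an error as long as that line is present in either config file.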
Notes:
- Turn off your antivirus protection temporarily or, better, exclude only your MemProcFS-Analyzer directory from scanning, because some of the bundled tools (e.g. Zircolite) are flagged by antivirus products. Keep the exclusion limited to that directory rather than disabling protection system-wide.
- Elasticsearch Tips
7-Zip 25.00 Standalone Console (2025-07-05)
https://www.7-zip.org/download.html
AmcacheParser v1.5.2.0 (.NET 9)
https://ericzimmerman.github.io/
AppCompatCacheParser v1.5.1.0 (.NET 9)
https://ericzimmerman.github.io/
ClamAV - Download --> Windows --> clamav-1.5.1.win.x64.msi (2025-10-15)
https://www.clamav.net/downloads
Dokany File System Library v2.3.1.1000 (2025-09-28)
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe
Elasticsearch 9.1.5 (2025-10-06)
https://www.elastic.co/downloads/elasticsearch
entropy v1.1 (2023-07-28)
https://github.com/merces/entropy
EvtxECmd v1.5.2.0 (.NET 9)
https://ericzimmerman.github.io/
ImportExcel v7.8.10 (2024-10-21)
https://github.com/dfinke/ImportExcel
IPinfo CLI 3.3.1 (2024-03-01)
https://github.com/ipinfo/cli
jq v1.8.1 (2025-07-01)
https://github.com/stedolan/jq
Kibana 9.1.5 (2025-10-06)
https://www.elastic.co/downloads/kibana
lnk_parser v0.4.1 (2025-01-02)
https://github.com/AbdulRhmanAlfaifi/lnk_parser
MemProcFS v5.16.4 - The Memory Process File System (2025-10-21)
https://github.com/ufrisk/MemProcFS
RECmd v2.1.0.0 (.NET 9)
https://ericzimmerman.github.io/
SBECmd v2.1.0.0 (.NET 9)
https://ericzimmerman.github.io/
xsv v0.13.0 (2018-05-12)
https://github.com/BurntSushi/xsv
YARA v4.5.4 (2025-05-27)
https://virustotal.github.io/yara/
Zircolite v2.40.0 (2025-04-06)
https://github.com/wagga40/Zircolite
MemProcFS
Demo of MemProcFS with Elasticsearch
Sponsor MemProcFS Project
MemProcFS-Plugins