Update README.md

Author: evild3ad

README.md

@@ -1,27 +1,32 @@
 # MemProcFS-Analyzer
 MemProcFS-Analyzer.ps1 is a PowerShell script utilized to simplify the usage of MemProcFS and to assist with the memory analysis workflow.
 
-MemProcFS - The Memory Process File System by Ulf Frisk 
+MemProcFS - The Memory Process File System by [Ulf Frisk](https://twitter.com/ulffrisk) 
 https://github.com/ufrisk/MemProcFS 
 
 Features:
-* Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, and IPinfo CLI 
-* Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompactCacheParser, RECmd, SBECmd, Import-Excel, and IPinfo CLI
-* Update-Info when there's a new version of ClamAV or a new Redistributable packaged Dokany Library Bundle available 
+* Fast and easy memory analysis!
+* You can mount a Raw Physical Memory Dump like a disk image and handle the memory compression feature on Windows
+* Auto-Install of MemProcFS, Elasticsearch, Kibana, EvtxECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, ImportExcel, IPinfo CLI, and xsv 
+* Auto-Update of MemProcFS, Elasticsearch, Kibana, ClamAV Virus Databases (CVD), EvtxECmd (incl. Maps), AmcacheParser, AppCompactCacheParser, RECmd, SBECmd, Import-Excel, IPinfo CLI, and xsv
+* Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available 
 * Multi-Threaded scan w/ ClamAV for Windows 
 * OS Fingerprinting 
 * Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
 * Extracting IPv4/IPv6 
-* IP2ASN Mapping and GeoIP w/ [IPinfo CLI](https://github.com/ipinfo/cli) 
-* Checking for Unusual Parent-Child Relationships and Number of Instances 
+* IP2ASN Mapping and GeoIP w/ [IPinfo CLI](https://github.com/ipinfo/cli) → Get your token for free at [https://ipinfo.io/signup](https://ipinfo.io/signup) 
+* Checking Processes for Unusual Parent-Child Relationships and Number of Instances 
+* Web Browser History (Google Chrome, Microsoft Edge and Firefox) 
 * Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Analyzing extracted Amcache.hve w/ Amcacheparser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Analyzing Syscache w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Analyzing UserAssist Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Analyzing ShellBags Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
-* Extracting Auto-Start Extensibility Points (ASEPs) w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
+* Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
+* Analyzing RecentDocs, Office Trusted Document w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
 * Integration of PowerShell module [ImportExcel](https://github.com/dfinke/ImportExcel) by Doug Finke
+* CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv) 
 * Collecting Evidence Files (Secure Archive Container → PW: MemProcFS) 
 
 ## Download 
@@ -30,129 +35,142 @@ Download the latest version of **MemProcFS-Analyzer** from the [Releases](https:
 ## Usage 
 Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1. 
 
-![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/195b43a37a11e58998d03213717f70e22c6bae54/Screenshots/01.png) 
+![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/01.png) 
 **Fig 1:** Select your Raw Physical Memory Dump (File Browser)
 
-![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/195b43a37a11e58998d03213717f70e22c6bae54/Screenshots/02.png) 
+![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/02.png) 
 **Fig 2:** MemProcFS-Analyzer auto-installs dependencies (First Run)
 
-![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/195b43a37a11e58998d03213717f70e22c6bae54/Screenshots/03.png) 
+![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/03.png) 
 **Fig 3:** Accept Terms of Use (First Run) 
 
-![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/195b43a37a11e58998d03213717f70e22c6bae54/Screenshots/04.png) 
+![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/04.png) 
 **Fig 4:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk 
 
-![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/195b43a37a11e58998d03213717f70e22c6bae54/Screenshots/05.png) 
-**Fig 5:** MemProcFS-Analyzer checks for updates (Second Run)
+![Mounted](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/05.png)
+**Fig 5:** You can investigate the mounted memory dump by exploring drive letter X:
 
-![ClamAV-Scan](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/06.png) 
-**Fig 6:** Multi-Threaded ClamAV Scan
+![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/06.png) 
+**Fig 6:** MemProcFS-Analyzer checks for updates (Second Run) 
 
-![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/07.png) 
-**Fig 7:** GeoIP w/ IPinfo.io
+Note: It's recommended to uncomment/disable the "Updater" function after installation. Check out the "Main" in the bottom of the script.
 
-![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/08.png) 
-**Fig 8:** Map IPs w/ IPinfo.io
+![ClamAV-Scan](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/07.png) 
+**Fig 7:** FindEvil feature and additional analytics
 
-![Elasticsearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/09.png) 
-**Fig 9:** Processing Windows Event Logs (EVTX)
+![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/08.png) 
+**Fig 8:** GeoIP w/ IPinfo.io
 
-![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/10.png) 
-**Fig 10:** Processing extracted Amcache.hve → XLSX 
+![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/09.png) 
+**Fig 9:** Map IPs w/ IPinfo.io
 
-![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/11.png) 
-**Fig 11:** Processing ShimCache → XLSX 
+![Elasticsearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/10.png) 
+**Fig 10:** Processing Windows Event Logs (EVTX)
 
-![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/12.png) 
-**Fig 12:** ELK Import
+![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/11.png) 
+**Fig 11:** Processing extracted Amcache.hve → XLSX 
 
-![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/13.png) 
-**Fig 13:** Happy ELK Hunting!
+![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/12.png) 
+**Fig 12:** Processing ShimCache → XLSX 
 
-![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/14.png)  
-**Fig 14:** ClamAV Scan found 29 infected file(s)
+![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/14.png) 
+**Fig 13:** Analyze CSV output w/ Timeline Explorer (TLE)
 
-![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/15.png) 
-**Fig 15:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
+![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/13.png) 
+**Fig 14:** ELK Import
 
-![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/fe680d22179db991ffd8f9851e8ea2374455d231/Screenshots/16.png) 
-**Fig 16:** Secure Archive Container (PW: MemProcFS)
+![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/15.png) 
+**Fig 15:** Happy ELK Hunting!
+
+![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/16.png) 
+**Fig 16:** Multi-Threaded ClamAV Scan to help you finding evil! ;-)
+
+![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/17.png) 
+**Fig 17:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
+
+![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/7e190fc50b1844e0e7f8ff287ab08e5040e3c750/Screenshots/18.png) 
+**Fig 18:** Secure Archive Container (PW: MemProcFS) 
+
+## Introduction MemProcFS and Memory Forensics 
+Check out [Super Easy Memory Forensics](https://www.slideshare.net/IIJ_PR/super-easy-memory-forensics) by [Hiroshi Suzuki](https://twitter.com/herosi_t) and [Hisao Nashiwa](https://twitter.com/unk0unk0).
 
 ## Prerequisites 
-1. Download and install the latest Dokany Library Bundle (Redistributable packaged) → DokanSetup_redist.exe 
-The Dokany installer will also install the required Microsoft Visual C++ Redistributables for Visual Studio 2019. 
+1. Download and install the latest Dokany Library Bundle → DokanSetup.exe 
 https://github.com/dokan-dev/dokany/releases/latest 
 
-2. Download and install the latest Windows package of ClamAV. 
-https://www.clamav.net/downloads 
+2. Download and install the latest .NET 6 Desktop Runtime (Requirement for [EZTools](https://ericzimmerman.github.io/)) 
+https://dotnet.microsoft.com/en-us/download/dotnet/6.0 
+
+3. Download and install the latest Windows package of ClamAV. 
+https://www.clamav.net/downloads#otherversions 
 
-3. First Time Set-Up of ClamAV 
+4. First Time Set-Up of ClamAV 
 Launch Windows PowerShell console as Administrator. 
 `cd "C:\Program Files\clamav"` 
 `copy .\conf_examples\freshclam.conf.sample .\freshclam.conf` 
 `copy .\conf_examples\clamd.conf.sample .\clamd.conf` 
 `write.exe .\freshclam.conf` → Comment or remove the line that says “Example”. 
 `write.exe .\clamd.conf` → Comment or remove the line that says “Example”. 
-https://www.clamav.net/documents/installing-clamav-on-windows 
+https://docs.clamav.net/manual/Usage/Configuration.html#windows 
 
-4. Create your free IPinfo account [approx. 1-2 min] 
+5. Create your free IPinfo account [approx. 1-2 min] 
 https://ipinfo.io/signup?ref=cli 
-Open "MemProcFS-Analyzer.ps1" with your text editor, search for "access_token" and copy/paste your access token.
+Open "MemProcFS-Analyzer.ps1" with your text editor, search for "<access_token>" and copy/paste your access token.
 
-5. Install the NuGet package provider for PowerShell 
+6. Install the NuGet package provider for PowerShell 
 Check if NuGet is available in the package providers by running the following command: 
 `Get-PackageProvider -ListAvailable` 
 If NuGet is not installed on your system yet, you have to install it. 
 `Install-PackageProvider -Name NuGet -Force` 
 
-6. Done! :smiley: 
+7. Done! :smiley: 
 
 ## Dependencies
-7-Zip 9.20 Command Line Version (2010-11-18) 
+7-Zip 22.00 Standalone Console (2022-06-15) 
 https://www.7-zip.org/download.html 
 
-AmcacheParser v1.4.0.0 (2021-03-20) 
-https://binaryforay.blogspot.com/ 
+AmcacheParser v1.5.1.0 (.NET 6) 
+https://ericzimmerman.github.io/ 
 
-AppCompatCacheParser v1.4.4.0 (2021-03-20) 
-https://binaryforay.blogspot.com/ 
+AppCompatCacheParser v1.5.0.0 (.NET 6) 
+https://ericzimmerman.github.io/ 
 
-ClamAV - Windows Packages &#8594; Win64 &#8594; ClamAV-0.103.2.exe (2021-04-07) 
-https://www.clamav.net/downloads 
-https://www.clamav.net/documents/installing-clamav-on-windows &#8594; First Time Set-Up 
+ClamAV - Alternate Versions &#8594; Windows Packages &#8594; Win64 &#8594; clamav-0.105.0.win.x64.msi (2022-05-03) 
+https://www.clamav.net/downloads#otherversions 
 
-Dokany Library Bundle v1.4.0.1000 x64 (2020-06-01) 
-https://github.com/dokan-dev/dokany/releases/latest &#8594; DokanSetup_redist.exe 
+Dokany Library Bundle v2.0.5.1000 (2022-07-04) 
+https://github.com/dokan-dev/dokany/releases/latest &#8594; DokanSetup.exe 
 
-Elasticsearch 7.13.2 (2021-06-14) 
+Elasticsearch 8.3.1 (2022-06-30) 
 https://www.elastic.co/downloads/elasticsearch 
 
-EvtxECmd v0.6.5.0 (2020-12-21) 
-https://binaryforay.blogspot.com/ 
+EvtxECmd v1.0.0.0 (.NET 6) 
+https://ericzimmerman.github.io/ 
 
-ImportExcel 7.1.2 (2020-05-08) 
+ImportExcel 7.7.0 (2022-07-04) 
 https://github.com/dfinke/ImportExcel 
 
-Ipinfo CLI 2.0.0 (2021-05-26) 
+Ipinfo CLI 2.8.0 (2022-03-21) 
 https://github.com/ipinfo/cli 
 
-Kibana 7.13.2 (2021-06-14) 
+Kibana 8.3.1 (2022-06-30) 
 https://www.elastic.co/downloads/kibana 
 
-MemProcFS v4.1.0 - The Memory Process File System (2021-06-13) 
+MemProcFS v4.9.3 - The Memory Process File System (2022-06-15) 
 https://github.com/ufrisk/MemProcFS 
 
-Microsoft Visual C++ Redistributables for Visual Studio 2019 
-https://go.microsoft.com/fwlink/?LinkId=746572 &#8594; VC_redist.x64.exe 
+RECmd v2.0.0.0 (.NET 6) 
+https://ericzimmerman.github.io/ 
 
-Registry Explorer/RECmd v1.6.0.0 (2021-06-08) 
-https://binaryforay.blogspot.com/ 
+SBECmd v2.0.0.0 (.NET 6) 
+https://ericzimmerman.github.io/ 
 
-ShellBags Explorer v1.4.0.0 (2021-05-24) 
-https://binaryforay.blogspot.com/ 
+xsv v0.13.0 (2018-05-12) 
+https://github.com/BurntSushi/xsv
 
 ## Links
 [MemProcFS](https://github.com/ufrisk/MemProcFS) 
 [Demo of MemProcFS with Elasticsearch](https://www.youtube.com/watch?v=JcIlowlrvyI) 
-[Sponsor MemProcFS project](https://github.com/sponsors/ufrisk) 
+[Sponsor MemProcFS Project](https://github.com/sponsors/ufrisk) 
 [MemProcFSHunter](https://github.com/memprocfshunt/MemProcFSHunter) 
+[MemProcFS-Plugins](https://github.com/ufrisk/MemProcFS-Plugins)