
FS_Forensic_JSON

Ulf Frisk edited this page Jun 13, 2024 · 7 revisions

The forensic/json directory

The directory forensic/json exists as a sub-directory to the file system root.

The directory is hidden by default. It will appear once forensic mode has been started and processing is completed.

The directory contains JSON files optimized for import into Elasticsearch, as well as a PowerShell import script.

The files in the forensic/json directory are listed in the table below:

| File | Description |
| --- | --- |
| elastic_import.ps1 | Elasticsearch import script. |
| elastic_import_unauth.ps1 | Elasticsearch import script (unauthenticated localhost instance). |
| general.json | General information, covering a wide range of record types. |
| registry.json | Registry information. |
| timeline.json | Timeline information. |

Files in the forensic/json directory are read-only.

An introduction demo is available on YouTube.

Elasticsearch integration:

The MemProcFS JSON files are optimized for import into Elasticsearch. By default the import script creates the required indexes and imports some initial dashboards. The import script only works with a non-authenticated Elasticsearch instance running on localhost, but it should be possible to adapt it to your own Elasticsearch instance.

The JSON files will be imported into three index patterns - mp_general, mp_registry and mp_timeline.

General JSON:

The index pattern mp_general contains records of several types, which are listed below. In addition, every record carries the system id in the sys field.

type: systeminformation

System Information. Only one entry per system. desc: computername, desc2: detailed information such as time zones and boot time.

type: bitlocker

Bitlocker keys. obj: key address, desc: encryption type, desc2: dislocker unlock key.

type: certificate

Certificates. desc: certificate issuer, desc2: store, thumbprint and issuer.

type: device

Device information. obj: device object, num: device tree depth, addr: attached device object, addr2: driver object, desc: name, desc2: driver name and extra info (such as volume name).

type: driver

Driver information. obj: driver object, addr: driver module to/from address, desc: name, desc2: service name and path.

type: evil

Find Evil information.

type: handle

Handles. obj: handle object, hex: handle id, desc: handle type, desc2: detailed handle-dependent info.

type: heap

Heap information. size: heap size, addr: heap address.

type: kobj

Kernel Object Manager Object. obj: object address. desc: type, desc2: path/name.

type: memorymap

Physical Memory Map. size: region byte size. addr(2): region address (base-top).

type: module

Loaded Modules (DLLs, EXEs). size: module size in memory. addr(2): module address range (base-top), desc: name.

type: module-codeview

Debug and PDB information. desc: module, desc2: age, guid and pdb name/path.

type: module-versioninfo

Module version information. desc: module, desc2: CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion.

type: net

Network connections.

type: prefetch

Prefetch information. num: number of executions (runs), desc: executable file name, desc2: run_count + file + run_times (x8).

type: process

Process information. obj: object address, hex: exe base address in memory, desc: process kernel path, desc2: flags, user, user-mode path, command line, create-time.

type: pte

Page Table Entry (PTE) information. size: range size (in bytes), addr(2): address range. desc: flags srwx, desc2: tag.

type: service

Service Manager Information. obj: service address in services.exe, addr(2): address range. desc: name, desc2: start, state, type, image.

type: shtask

Scheduled tasks. desc: name, desc2: detailed info.

type: thread

Thread Information.

type: unloadedmodule

Unloaded Modules.

type: vad

Information about Virtual Address Descriptors (VADs).

type: virtualmachine

Virtual machine information. obj: vm object address, hex: partition id, addr: max guest physical memory address, desc: name, desc2: active/type/osbuild.
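The record layout above (sys, type, obj, hex, addr/addr2, size, desc, desc2) can be worked with directly, without Elasticsearch, for a quick triage pass. The following is an added example and not part of MemProcFS or this wiki; it assumes one JSON object per line and that addresses are carried as hex strings or integers, and the sample records are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of general.json records in the field layout the page describes.
SAMPLE_GENERAL_JSON = r"""
{"sys": "WIN10-LAB", "type": "systeminformation", "desc": "WIN10-LAB", "desc2": "tz=UTC boot=2024-06-13T08:00:00"}
{"sys": "WIN10-LAB", "type": "module", "addr": "0x7ff6a1230000", "addr2": "0x7ff6a1290000", "size": 393216, "desc": "notepad.exe"}
{"sys": "WIN10-LAB", "type": "module", "addr": "0x7ffd0c000000", "addr2": "0x7ffd0c1f0000", "size": 2031616, "desc": "ntdll.dll"}
{"sys": "WIN10-LAB", "type": "process", "obj": "0xffff9a0012345678", "hex": "7ff6a1230000", "desc": "\\Device\\HarddiskVolume3\\Windows\\notepad.exe"}
{"sys": "WIN10-LAB", "type": "evil", "desc": "PE_INJECT", "desc2": "notepad.exe pid 4242"}
"""


def load_records(text):
    """Parse one JSON record per line (assumed layout), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def to_int(value):
    """addr/addr2/obj/hex may be hex strings (with or without 0x) or integers."""
    if isinstance(value, int):
        return value
    return int(str(value), 16)


def count_by_type(records, sys_id=None):
    """Number of records per type, optionally restricted to one system id."""
    return Counter(r["type"] for r in records if sys_id is None or r.get("sys") == sys_id)


def module_for_address(records, sys_id, address):
    """Resolve an address to the module whose [addr, addr2) range (base-top) contains it."""
    for r in records:
        if r.get("type") != "module" or r.get("sys") != sys_id:
            continue
        base, top = to_int(r["addr"]), to_int(r["addr2"])
        if base <= address < top:
            return r["desc"]
    return None


def process_exe_modules(records, sys_id):
    """Map each process kernel path to the module found at its exe base (hex field)."""
    return {r["desc"]: module_for_address(records, sys_id, to_int(r["hex"]))
            for r in records if r.get("type") == "process" and r.get("sys") == sys_id}


def evil_findings(records, sys_id):
    """Collect Find Evil entries for a system as (desc, desc2) pairs."""
    return [(r["desc"], r.get("desc2", "")) for r in records
            if r.get("type") == "evil" and r.get("sys") == sys_id]


RECORDS = load_records(SAMPLE_GENERAL_JSON)
```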

Timeline JSON:

For information about the timeline please check out the demo video and the forensic timeline information.

Registry JSON:

The registry JSON contains two types, one for registry key and one for registry value.
