Update README.md

README.md

@@ -10,6 +10,7 @@ Features:
 * Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, Kibana, lnk_parser, RECmd, SBECmd, xsv, and YARA  
 * Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, Kibana, lnk_parser, RECmd, SBECmd, xsv, and YARA   
 * Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available  
+* Pagefile Support
 * OS Fingerprinting  
 * Multi-Threaded scan w/ ClamAV for Windows  
 * Collection of infected files detected by ClamAV for further analysis (PW: infected)
@@ -19,14 +20,18 @@ Features:
 * Checking for Suspicious Port Numbers
 * Process Tree (TreeView) including complete Process Call Chain (Special thanks to [Dominik Schmidt](https://github.com/DaFuqs))
 * Checking Processes for Unusual Parent-Child Relationships and Number of Instances  
+* Checking Processes for Unusual User Context
 * Checking for Process Path Masquerading and Process Name Masquerading (Damerau Levenshtein Distance)
 * Web Browser History (Google Chrome, Microsoft Edge and Firefox) 
-* Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
+* Extracting Windows Event Log Files and processing w/ EvtxECmd → Timeline Explorer ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman) 
+* Event Log Overview  
+* Processing Windows Event Logs w/ Zircolite - A standalone SIGMA-based detection tool for EVTX
 * Analyzing extracted Amcache.hve w/ Amcacheparser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing Application Compatibility Cache aka ShimCache w/ AppCompatcacheParser ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing Syscache w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing UserAssist Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing ShellBags Artifacts w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
+* Simple Prefetch View (based on Forensic Timeline)  
 * Analyzing Auto-Start Extensibility Points (ASEPs) w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing RecentDocs, Office Trusted Document w/ RECmd ([EZTools](https://ericzimmerman.github.io/) by Eric Zimmerman)  
 * Analyzing Registry w/ Kroll RECmd Batch File ([Kroll Batch File](https://github.com/EricZimmerman/RECmd/projects/1) by Andrew Rathbun)  
@@ -36,83 +41,90 @@ Features:
 * Integration of PowerShell module [ImportExcel](https://github.com/dfinke/ImportExcel) by Doug Finke
 * CSV output data for analysis w/ Timeline Explorer (e.g. timeline-reverse.csv, findevil.csv, web.csv)  
 * Collecting Evidence Files (Secure Archive Container → PW: MemProcFS)  
+* and much more
 
 ## Download 
 Download the latest version of **MemProcFS-Analyzer** from the [Releases](https://github.com/evild3ad/MemProcFS-Analyzer/releases) section.  
 
 ## Usage  
 Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1. 
 
-![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/01.png)  
-**Fig 1:** Select your Raw Physical Memory Dump (File Browser)
+![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/01.png)  
+**Fig 1:** Select your Raw Physical Memory Dump and select your pagefile.sys (Optional)
 
-![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/02.png)  
+![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/02.png)  
 **Fig 2:** MemProcFS-Analyzer auto-installs dependencies (First Run)
 
-![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/03.png)  
+![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/03.png)  
 **Fig 3:** Accept Terms of Use (First Run)  
 
-![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/04.png)  
+![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/04.png)  
 **Fig 4:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk  
 
-![Mounted](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/05.png)  
+![Mounted](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/05.png)  
 **Fig 5:** You can investigate the mounted memory dump by exploring drive letter X:
 
-![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/06.png)  
+![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/06.png)  
 **Fig 6:** MemProcFS-Analyzer checks for updates (Second Run) 
 
 Note: It's recommended to uncomment/disable the "Updater" function after installation. Check out the "Main" in the bottom of the script.
 
-![ClamAV-Scan](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/07.png)  
+![FindEvil](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/07.png)  
 **Fig 7:** FindEvil feature and additional analytics
 
-![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/08.png)  
+![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/08.png)  
 **Fig 8:** Processes
 
-![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/09.png)  
+![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/09.png)  
 **Fig 9:** Running and Exited Processes
 
-![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/10.png)  
+![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/10.png)  
 **Fig 10:** Process Tree (GUI)
 
-![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/11.png)  
+![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/11.png)  
 **Fig 11:** Checking Process Tree (to find anomalies)
 
-![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/12.png)  
+![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/12.png)  
 **Fig 12:** Process Tree: Alert Messages w/ Process Call Chain
 
-![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/13.png)  
-**Fig 13:** GeoIP w/ IPinfo.io
+![PropertiesView](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/13.png)  
+**Fig 13:** Process Tree: Properties View → Double-Click on process or alert message
 
-![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/14.png)  
-**Fig 14:** Map IPs w/ IPinfo.io
+![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/14.png)  
+**Fig 14:** GeoIP w/ IPinfo.io
 
-![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/15.png)  
-**Fig 15:** Processing Windows Event Logs (EVTX)
+![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/15.png)  
+**Fig 15:** Map IPs w/ IPinfo.io
 
-![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/16.png)  
-**Fig 16:** Processing extracted Amcache.hve → XLSX  
+![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/16.png)  
+**Fig 16:** Processing Windows Event Logs (EVTX)
 
-![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/17.png)  
-**Fig 17:** Processing ShimCache → XLSX  
+![Zircolite](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/17.png)  
+**Fig 17:** Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI)
 
-![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/18.png)  
-**Fig 18:** Analyze CSV output w/ Timeline Explorer (TLE)
+![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/18.png)  
+**Fig 18:** Processing extracted Amcache.hve → XLSX  
 
-![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/19.png)  
-**Fig 19:** ELK Import
+![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/19.png)  
+**Fig 19:** Processing ShimCache → XLSX  
 
-![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/20.png)  
-**Fig 20:** Happy ELK Hunting!
+![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/20.png)  
+**Fig 20:** Analyze CSV output w/ Timeline Explorer (TLE)
 
-![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/21.png)  
-**Fig 21:** Multi-Threaded ClamAV Scan to help you finding evil! ;-)
+![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/21.png)  
+**Fig 21:** ELK Import
 
-![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/22.png)  
-**Fig 22:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
+![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/22.png)  
+**Fig 22:** Happy ELK Hunting!
 
-![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f5f84b6d7b179c43f16913a79353576b42ac339c/Screenshots/23.png)  
-**Fig 23:** Secure Archive Container (PW: MemProcFS)  
+![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/23.png)  
+**Fig 23:** Multi-Threaded ClamAV Scan to help you finding evil! ;-)
+
+![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/24.png)  
+**Fig 24:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana
+
+![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/e081cfb94cb4b8b7a8795e99bec28e0a3f7b0432/Screenshots/25.png)  
+**Fig 25:** Secure Archive Container (PW: MemProcFS)  
 
 ## Introduction MemProcFS and Memory Forensics  
 Check out [Super Easy Memory Forensics](https://www.slideshare.net/IIJ_PR/super-easy-memory-forensics) by [Hiroshi Suzuki](https://twitter.com/herosi_t) and [Hisao Nashiwa](https://twitter.com/unk0unk0).
@@ -175,7 +187,7 @@ https://www.clamav.net/downloads#otherversions
 Dokany Library Bundle v2.0.6.1000 (2022-10-02)  
 https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe  
 
-Elasticsearch 8.4.3 (2022-10-05)  
+Elasticsearch 8.5.1 (2022-11-15)  
 https://www.elastic.co/downloads/elasticsearch  
 
 entropy v1.0 (2022-02-04)  
@@ -184,19 +196,19 @@ https://github.com/merces/entropy
 EvtxECmd v1.0.0.0 (.NET 6)  
 https://ericzimmerman.github.io/  
 
-ImportExcel 7.8.1 (2022-09-03)  
+ImportExcel v7.8.2 (2022-10-22)  
 https://github.com/dfinke/ImportExcel  
 
 Ipinfo CLI 2.10.0 (2022-09-28)  
 https://github.com/ipinfo/cli  
 
-Kibana 8.4.3 (2022-10-05)  
+Kibana 8.5.1 (2022-11-15)  
 https://www.elastic.co/downloads/kibana  
 
 lnk_parser v0.2.0 (2022-08-10)  
 https://github.com/AbdulRhmanAlfaifi/lnk_parser  
 
-MemProcFS v5.1.1 - The Memory Process File System (2022-09-26)  
+MemProcFS v5.2.0 - The Memory Process File System (2022-11-16)  
 https://github.com/ufrisk/MemProcFS  
 
 RECmd v2.0.0.0 (.NET 6)  
@@ -211,6 +223,9 @@ https://github.com/BurntSushi/xsv
 YARA v4.2.3 (2022-08-09)  
 https://virustotal.github.io/yara/  
 
+Zircolite v2.9.7 (2022-10-08)  
+https://github.com/wagga40/Zircolite  
+
 ## Links
 [MemProcFS](https://github.com/ufrisk/MemProcFS)  
 [Demo of MemProcFS with Elasticsearch](https://www.youtube.com/watch?v=JcIlowlrvyI)