All changes to MemProcFS-Analyzer will be documented in this file.
- EZTools (.NET 9)
- DFIR RECmd Batch File v2.11 (2025-03-31)
- 423 YARA Custom Rules
- FS_Process_Console
- FS_SysInfo_Network: DNS Information
- Digital Signature
- Minor fixes and improvements
- CHANGELOG.md
- Updater.ps1
- FS_Sys_Sysinfo
- FS_Forensic_Prefetch
- 376 YARA Custom Rules
- Offline Mode
- MemProcFS.log
- Microsoft Protection Logs (MPLogs)
- ProcessesAndModules-Extended_Info.ps1 (Collect-MemoryDump)
- Minor fixes and improvements
- Improved Hunting for Suspicious Scheduled Tasks
- 318 YARA Custom Rules
- Get-YaraCustomRules
- Kroll RECmd Batch File v1.22 (2023-06-20)
- Checkbox Forensic Timeline (CSV)
- Checkbox Forensic Timeline (XLSX)
- FindEvil: AV_DETECT
- Minor fixes and improvements
- FS_Forensic_Yara (YARA Custom Rules)
- FS_Forensic_Files (incl. ClamAV)
- Checking for suspicious processes with double file extensions
- Checking for Command and Scripting Interpreters
- Recent Folder Artifacts
- Hunting Suspicious Image Mounts
- OpenSaveMRU (OpenSavePidlMRU)
- LastVisitedMRU (LastVisitedPidlMRU)
- Terminal Server Client (RDP)
- Kroll RECmd Batch File v1.21 (2023-03-04)
- Improved Microsoft Defender AntiVirus Handling
- Improved Drive Letter (Mount Point) Handling
- Minor fixes and improvements
- MUICache
- Windows Background Activity Moderator (BAM)
- Check if it's a Domain Controller
- Check if it's a Microsoft Exchange Server
- Checking for processes spawned from suspicious folder locations
- Checking for suspicious processes without any command-line arguments
- Checking for suspicious process lineage
- Checking for processes with suspicious command-line arguments
- Parent Name (proc.csv, Processes.xlsx, and RunningandExited.xlsx)
- Listing of MiniDumps
- Status Bar (User Interface)
- Minor fixes and improvements
- User Interface
- Pagefile Support
- Zircolite - A standalone SIGMA-based detection tool for EVTX
- Event Log Overview
- Checking for Processes w/ Unusual User Context
- Process Tree: Properties View
- Searching for Cobalt Strike Beacon configuration(s) with 1768.py (must be installed manually; disabled by default)
- Simple Prefetch View (based on Forensic Timeline)
- Minor fixes and improvements
- Process Tree (TreeView)
- Unusual Number of Process Instances
- Process Path Masquerading
- Process Name Masquerading (Damerau-Levenshtein distance against known-good process names)
- Suspicious Port Numbers
- Minor fixes and improvements
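The process-name masquerading check listed above compares observed process names against a list of legitimate Windows process names and flags near-misses. The following is an added illustration of that technique and is not MemProcFS-Analyzer's own code: it implements the optimal-string-alignment form of Damerau-Levenshtein (insert, delete, substitute, and adjacent transposition each cost 1) and runs it over a constructed, hypothetical process list. The `KNOWN_GOOD` allowlist and `SAMPLE_PROCESS_NAMES` are assumptions made for the example; a practitioner would seed the allowlist from a known-good build of the same OS version.

```python
# Constructed allowlist (assumption for this example; seed from a clean
# reference system in practice). All entries are lowercase.
KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "smss.exe", "wininit.exe", "taskhostw.exe", "dwm.exe",
}

# Constructed sample of process names as they might appear in a proc.csv
# export. Three are deliberate lookalikes of system processes.
SAMPLE_PROCESS_NAMES = [
    "svchost.exe",   # legitimate
    "scvhost.exe",   # adjacent transposition of "svchost.exe"
    "svch0st.exe",   # digit zero substituted for the letter o
    "lsasss.exe",    # one extra character
    "chrome.exe",    # unrelated, should not be flagged
    "explorer.exe",  # legitimate
    "csrss.exe",     # legitimate
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b (case-insensitive).

    Insertions, deletions, substitutions and transpositions of two adjacent
    characters each cost 1. A plain Levenshtein distance would score the
    transposition in "scvhost" as 2; this variant scores it as 1, which is
    why it is the better fit for typo-squatted process names.
    """
    a, b = a.lower(), b.lower()
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match)
            )
            # Adjacent transposition: a[i-2:i] == reversed(b[j-2:j])
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def find_masquerading(process_names, known_good=KNOWN_GOOD, max_distance=2):
    """Return (observed_name, closest_known_good, distance) for every process
    name that is within max_distance of a known-good name but not identical.

    Exact matches are skipped; anything farther than max_distance from every
    known-good name is treated as simply a different program.
    """
    hits = []
    for name in process_names:
        lname = name.lower()
        if lname in known_good:
            continue
        dist, match = min((damerau_levenshtein(lname, g), g) for g in known_good)
        if dist <= max_distance:
            hits.append((name, match, dist))
    return hits


if __name__ == "__main__":
    for observed, lookalike, dist in find_masquerading(SAMPLE_PROCESS_NAMES):
        print(f"{observed:<14} looks like {lookalike:<14} (distance {dist})")
```

Keep the threshold low: with a distance of 2, very short names such as `dwm.exe` or `smss.exe` start colliding with unrelated legitimate binaries, so a practitioner typically uses distance 1 for names under about six characters and reviews distance-2 hits by hand together with the process path and parent, as the companion path-masquerading and lineage checks in this release do.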
- BitLocker Plugin
- Kroll RECmd Batch File v1.20 (2022-06-01)
- FS_Forensic_CSV + XLSX
- FS_SysInfo_Users
- Windows Shortcut Files (LNK)
- Process Modules (Metadata)
- Number of Sub-Processes (proc.csv, Processes.xlsx, and RunningandExited.xlsx)
- Colorized Running and Exited Processes (RunningandExited.xlsx)
- Minor fixes and improvements
- Web Browser History
- Forensic Timeline (CSV, XLSX)
- JSON to CSV and XLSX output (including Handles)
- Collecting output of pypykatz and regsecrets (MemProcFS Plugins)
- RecentDocs
- Office Trusted Documents
- Adobe RecentDocs
- Startup Folders
- Minor fixes and improvements
- OS Fingerprinting
- Registry Explorer/RECmd
- UserAssist
- Syscache
- ShellBags Explorer/SBECmd
- Registry ASEPs (Auto-Start Extensibility Points)
- Minor fixes and improvements
- IPinfo CLI
- Collecting Registry Hives
- AmcacheParser
- AppCompatCacheParser (ShimCache)
- PowerShell module 'ImportExcel'
- Collection of PE_INJECT (PW: infected)
- Hunting for suspicious Services
- Hunting for suspicious Scheduled Tasks
- Minor fixes and improvements
- Initial Release