-
-
Notifications
You must be signed in to change notification settings - Fork 384
FS_Forensic_Yara
The directory forensic/yara exists as a sub-directory to the file system root.
The directory is hidden by default. It will appear once forensic mode has been started and processing is completed if optional yara rules have been specified.
The directory contains results of a forensic yara scan of process and kernel virtual address spaces.
The forensic scan is conducted with rules specified in the start-up option -forensic-yara-rules
. The rules may be either compiled rules or source rules (including index rules referencing other rules). Example: memprocfs.exe -device c:\dumps\win10.raw -forensic-yara-rules c:\yara\rules\windows_malware_index.yar
The files in the forensic/yara directory are listed in the table below:
File | Description |
---|---|
match-count.txt | The number of yara matches. |
result.txt | Detailed yara match information. |
rules.txt | The user-defined rules used in the scan. |
The example shows looking at forensic yara matches which indicates Trickbot in the svchost.exe process.
The forensic/yara sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_fc_yara.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖