MemProcFS

Can load pagefile.sys and swapfile.sys using -pagefile0 and -pagefile1 flags

Process Memory

Per VAD / PTE

M:\<process>\vmemd

Private Memory

M:\<process>\heaps

unified Process Memory

M:\<process>\minidump\minidmp.dmp

Image Mapped

EXEs and DLLs

M:\<process>\modules\<module name>\pefile.dll M:\<process>\files\(modules | vads)

Drivers

M:\name\System-4\modules\<driver name>\pefile.dll

Some processes can be missing - normally due to them being exited. This can be forced to load within the config file.

Cached files

M:\forensic\ntfs

Specialty

MFT

M:\forensic\ntfs

Registry

M:\Registry

Services

M:\sys\services

Tasks

M:\sys\tasks

LogoGitHub - evild3ad/MemProcFS-Analyzer: MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIRGitHub
LogoGitHub - ufrisk/MemProcFS: MemProcFSGitHub
LogoGitHub - ufrisk/MemProcFS-pluginsGitHub
PreviousMemory BaselinerNextCode Injection

Last updated