ufrisk/MemProcFS

Progress percent of the forensic mode gets stuck at 90% and does not finish

UltraForensic opened this issue · 3 comments

Hello,
I ran into an issue where forensic mode (-forensic 1) gets stuck once its forensic/progress_percent.txt reaches 90 on a specific memory image.

> MemProcFS.exe -device physmem.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys -forensic 1 -license-accept-elastic-license-2-0
Initialized 64-bit Windows 10.0.22631
[PLUGIN]   Python initialization failed. Python 3.6 or later not found.

==============================  MemProcFS  ==============================
 - Author:           Ulf Frisk - pcileech@frizk.net
 - Info:             https://github.com/ufrisk/MemProcFS
 - Discord:          https://discord.gg/pcileech
 - License:          GNU Affero General Public License v3.0
   ---------------------------------------------------------------------
   MemProcFS is free open source software. If you find it useful please
   become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
   ---------------------------------------------------------------------
 - Version:          5.11.1 (Windows)
 - Mount Point:      M:\
 - Tag:              22631_c82dd926
 - Operating System: Windows 10.0.22631 (X64)
==========================================================================
PS M:\> date

Monday, July 29, 2024 11:06:33 PM


PS M:\> type .\forensic\progress_percent.txt
90
PS M:\> date

Monday, July 29, 2024 11:49:36 PM


PS M:\> type .\forensic\progress_percent.txt
90
PS M:\> dir .\forensic\


    Directory: M:\forensic


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
------         7/29/2024  11:01 PM              2 progress_percent.txt
------         7/29/2024  11:01 PM              1 forensic_enable.txt
------         7/29/2024  11:01 PM              0 database.txt
------         7/29/2024  11:01 PM           2695 readme.txt

Confirmed that this issue is still present on the latest release version of MemProcFS (5.11.1) for Windows.

Let me know if any additional information is needed for investigation (I can share the memory image causing this issue).
Thanks for developing a great tool!
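The report above distinguishes "stuck" from "still running" by reading progress_percent.txt twice, 43 minutes apart, and seeing the same value. The following watchdog automates that check. It is an added example, not code from the issue or from MemProcFS: it polls the forensic progress file on the mount point (M:\ in the report), and reports a stall when a value below 100 has not changed for longer than a chosen window. The path, the 30 s poll interval and the 20 minute window are assumptions chosen for illustration; the sample timestamps are constructed from the two readings in the report.

```python
"""Watchdog for the MemProcFS forensic-mode progress counter.

Added example, not part of the issue thread or of MemProcFS itself. It polls
forensic/progress_percent.txt on the mount point and flags a stall when the
value stops advancing for longer than a chosen window.
"""
import time
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed defaults: mount point from the report, 30 s poll, 20 minute window.
PROGRESS_FILE = Path(r"M:\forensic\progress_percent.txt")
POLL_INTERVAL_S = 30
STALL_WINDOW = timedelta(minutes=20)

Sample = Tuple[datetime, Optional[int]]


def parse_progress(text: str) -> Optional[int]:
    """Parse the file contents ("90\\n") into an int; None if not a 0-100 value."""
    text = text.strip()
    if not text.isdigit():
        return None
    value = int(text)
    return value if 0 <= value <= 100 else None


def detect_stall(samples: List[Sample],
                 window: timedelta = STALL_WINDOW) -> Tuple[bool, Optional[int]]:
    """Return (stalled, last_value).

    A stall is a value below 100 that has stayed identical across a run of
    samples spanning at least `window`. Unreadable samples are ignored.
    """
    usable = [(t, v) for t, v in samples if v is not None]
    if not usable:
        return False, None
    last_t, last_v = usable[-1]
    if last_v >= 100:
        return False, last_v
    # Walk back to the first sample of the current unchanged run.
    first_t = last_t
    for t, v in reversed(usable):
        if v != last_v:
            break
        first_t = t
    return (last_t - first_t) >= window, last_v


def watch(path: Path = PROGRESS_FILE, interval_s: int = POLL_INTERVAL_S,
          window: timedelta = STALL_WINDOW,
          max_polls: Optional[int] = None) -> str:
    """Poll until the run completes or stalls; returns 'done', 'stalled' or 'timeout'."""
    samples: List[Sample] = []
    polls = 0
    while max_polls is None or polls < max_polls:
        try:
            value = parse_progress(path.read_text())
        except OSError:  # mount not ready yet, or file briefly unavailable
            value = None
        samples.append((datetime.now(), value))
        stalled, last = detect_stall(samples, window)
        if last is not None and last >= 100:
            return "done"
        if stalled:
            return "stalled"
        polls += 1
        time.sleep(interval_s)
    return "timeout"


# Constructed from the two readings in the report above (both show 90).
REPORTED_SAMPLES: List[Sample] = [
    (datetime(2024, 7, 29, 23, 6, 33), 90),
    (datetime(2024, 7, 29, 23, 49, 36), 90),
]
# Constructed counter-example: the value advanced, so this is slow, not stuck.
ADVANCING_SAMPLES: List[Sample] = [
    (datetime(2024, 7, 29, 23, 6, 33), 85),
    (datetime(2024, 7, 29, 23, 49, 36), 90),
]

if __name__ == "__main__":
    print("reported readings:", detect_stall(REPORTED_SAMPLES))
```

Run `watch()` against a live mount to get a single verdict instead of re-running `type` by hand; on a large image a long pause at one percentage can be legitimate, so pick the window to match the image size and storage speed rather than treating any pause as a hang.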

Some notes:

There must be some deadlock issue. Those can be a bit tricky to find, but it's good that you're able to share the memory dump.

Can you please zip and upload the memory dump, pagefile and swapfile and share the link with me and I'll take a look ASAP.

Send it to me in a DM on Twitter or Discord

@ufrisk
Thank you for quick reply!
Sent you a DM on Twitter. Please check it out.

The issue should now be resolved in 5.11.2 which was just published.

It was a parsing issue that caused the parser to get stuck in an infinite loop in some very specific cases.

Thank you for reporting this issue and sharing the problematic memory dump.
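The maintainer attributes the hang to a parser looping forever on specific input. The snippet below illustrates that failure class and a guarded alternative; it is an added example, not the 5.11.2 fix and not MemProcFS code. The record format (2-byte type, 2-byte total length including the header, little-endian) and the sample buffers are constructed for demonstration.

```python
"""Non-advancing parser loop versus a guarded walker (added illustration).

The record format here is invented for the example and is not MemProcFS's
layout. Records are: u16 type, u16 total_length (header included), payload.
"""
import struct
from typing import List, Tuple

HEADER = struct.Struct("<HH")  # type, total_length


class MalformedRecord(ValueError):
    """Raised by the guarded walker on input that cannot be parsed safely."""


def walk_records_naive(buf: bytes) -> List[Tuple[int, bytes]]:
    """Trusts the length field. If a record advertises a length smaller than
    the header (e.g. 0), `off` stops advancing and the loop never ends. This is
    the bug class the thread describes; do not feed it untrusted input."""
    out = []
    off = 0
    while off + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, off)
        out.append((rtype, buf[off + HEADER.size: off + length]))
        off += length  # length == 0 -> off unchanged -> infinite loop
    return out


def walk_records(buf: bytes, max_records: int = 1_000_000) -> List[Tuple[int, bytes]]:
    """Guarded walker: each record must strictly advance the offset and stay
    in bounds, and an iteration cap bounds total work even if a check is wrong."""
    out = []
    off = 0
    seen = 0
    while off + HEADER.size <= len(buf):
        seen += 1
        if seen > max_records:
            raise MalformedRecord("record cap exceeded")
        rtype, length = HEADER.unpack_from(buf, off)
        if length < HEADER.size:
            raise MalformedRecord(f"record at {off}: length {length} < header size")
        if off + length > len(buf):
            raise MalformedRecord(f"record at {off}: length {length} exceeds buffer")
        out.append((rtype, buf[off + HEADER.size: off + length]))
        off += length  # guaranteed >= HEADER.size, so progress is strict
    return out


def build(records: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, payload) pairs in the constructed format."""
    return b"".join(HEADER.pack(t, HEADER.size + len(p)) + p for t, p in records)


# Constructed inputs: a well-formed buffer and one whose second record
# advertises length 0, which hangs the naive walker.
GOOD = build([(1, b"abc"), (2, b""), (7, b"hello")])
ZERO_LENGTH = build([(1, b"abc")]) + HEADER.pack(2, 0) + b"tail"
OVERLONG = HEADER.pack(1, 100)

if __name__ == "__main__":
    print(walk_records(GOOD))
    try:
        walk_records(ZERO_LENGTH)
    except MalformedRecord as exc:
        print("rejected:", exc)
```

The two checks that matter are the strict-advance condition (`length >= HEADER.size`) and the bounds check; the iteration cap is belt-and-braces for code that walks memory images, where a single corrupt length field should produce an error and a partial result rather than a process that sits at 90% indefinitely.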