Forensics with Volatility

| Command | Description |
| --- | --- |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psscan` | Scan physical memory for process objects; also finds terminated and unlinked (hidden) processes that `pslist` misses |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psxview` | Cross-reference several process-listing techniques; a hidden process shows as `False` in the `pslist` or `psscan` column |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 envars -p 123` | List the environment variables of the process with PID 123 |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 connscan` | Scan for TCP connection objects (active connections, plus closed ones still present in memory) |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -D ./dump` | Find injected code or hidden DLLs in all processes and dump the suspicious regions to `./dump` |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -p 123 -D ./dump` | Dump injected code found in the process with PID 123 to `./dump` |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 dlllist` | Get a list of all DLLs loaded by each process |
| `$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 hivelist` | Get a list of all registry hives in memory, with their virtual and physical addresses |
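The `psxview` row above is the one that needs interpretation: a `False` in a column is only interesting once terminated processes and the few system processes that legitimately lack some artifacts are set aside. The following script, an added example that is not part of the original cheat sheet or of the Volatility project, parses Volatility 2 `psxview` output and sorts each process into `ok`, `terminated`, `hidden` or `review`. The sample output embedded in it is constructed (made-up offsets, names and PIDs laid out in the real column order); the classification thresholds are this example's own heuristic, not a rule from the tool.

```python
"""Triage Volatility 2 `psxview` output for possibly hidden processes.

Added example, not the original page's or Volatility's own code.
SAMPLE_PSXVIEW below is constructed to mimic the plugin's column layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Column order printed by Volatility 2's psxview plugin; ExitTime is blank
# for processes that were still running when the image was taken.
COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed sample output (not from a real image).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe            1024 True   True   True     True   True  True    True
0x04a0fda0 cmd.exe                1716 False  True   False    False  False False   False    2011-03-18 14:52:07 UTC+0000
0x04b5a020 iexplore.exe            960 False  True   True     True   True  True    True
0x0204a4c8 System                    4 True   True   True     True   False False   False
"""


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    seen: Dict[str, bool]        # technique name -> did it find this process?
    exit_time: Optional[str]

    def missing_from(self) -> List[str]:
        """Names of the techniques that did not see this process."""
        return [c for c in COLUMNS if not self.seen[c]]


def parse_psxview(text: str) -> List[Proc]:
    """Parse the text table into Proc records.

    Assumes the process name contains no spaces (psxview prints the
    truncated image name, which normally holds).  Header, separator and
    blank lines are skipped because they do not start with a 0x offset.
    """
    procs: List[Proc] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 + len(COLUMNS) or not parts[0].startswith("0x"):
            continue
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = parts[3:3 + len(COLUMNS)]
        seen = {col: (val == "True") for col, val in zip(COLUMNS, flags)}
        rest = parts[3 + len(COLUMNS):]
        exit_time = " ".join(rest) if rest else None
        procs.append(Proc(offset, name, pid, seen, exit_time))
    return procs


def classify(proc: Proc) -> str:
    """Heuristic verdict for one psxview row (this example's own rule set).

    ok          seen by every technique
    terminated  has an ExitTime, so disappearing from live lists is expected
    hidden      gone from the active process list (pslist) but the object
                was still found by scanning (psscan): the classic unlinking
                pattern, worth dumping with malfind and inspecting
    review      missing elsewhere; System, smss and csrss legitimately lack
                some artifacts, so inspect rather than alert
    """
    if not proc.missing_from():
        return "ok"
    if proc.exit_time:
        return "terminated"
    if not proc.seen["pslist"] and proc.seen["psscan"]:
        return "hidden"
    return "review"


def triage(text: str) -> Dict[int, str]:
    """Map PID -> verdict for every process in a psxview dump."""
    return {p.pid: classify(p) for p in parse_psxview(text)}


if __name__ == "__main__":
    for proc in parse_psxview(SAMPLE_PSXVIEW):
        verdict = classify(proc)
        gaps = ",".join(proc.missing_from()) or "-"
        print(f"{proc.pid:>6} {proc.name:<16} {verdict:<10} missing={gaps}")
```

Run it against real output with `./volatility ... psxview > psxview.txt` and `parse_psxview(open("psxview.txt").read())`; the `hidden` verdicts are the PIDs to hand to `malfind -p <PID> -D ./dump` next.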