Memory Analysis using Volatility - pslist

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

pslist – a volatility plugin that print all running processes by following the EPROCESS (a structure that Windows used to represent a process) lists.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Volatility pslist plugin enumerates all the running processes inside the captured memory dump.

This includes the (1) Process ID, (2) Parent Process ID, (3) Session ID and etc.

Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS_Version> pslist

To filter running processes,

We can use the -p option then feed it with the Process ID of choice.

Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS> pslist -p <PID>

In this sample we can see that pslist has enumerated all running processes, including a process that has an odd name with the process ID 4040.