Another good plugin that aids in discovering hidden processes is the psxview plugin. This plugin compares the active processes indicated within psActiveProcessHead with any other possible sources within the memory image. To run the plugin, type the following command:

forensics@ubuntu:~/Documents$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 psxview  

The command produces the following output:

A False within the column indicates that the process is not found in that area. This allows the analyst to review that list and determine if there is a legitimate reason that the process may not be there, or if it is indicative of an attempt ...

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.