pstree

Often when examining system memory, it is necessary to understand which parent process each child process was executed under. One indicator of a compromised system is a process executed under a parent other than its normal one. The pstree plugin provides examiners with a tree-like structure that identifies the parent process of a potentially suspect process. The Stuxnet image is run with this plugin using the following command:

forensics@ubuntu:~/Documents$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 pstree 

This produces the following output:

From an examination of these results, ...
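The parent-process check described above, as an added example that is not from the book: a short Python script that parses pstree-style output (the sample below is constructed in the layout Volatility 2.x prints, not the actual output of the Stuxnet image) and flags every process whose parent differs from an assumed Windows XP baseline of expected parent/child pairings.

```python
import re

# Constructed sample in the layout of Volatility 2.x pstree output (not the real
# Stuxnet output): leading dots give depth, then offset:name, Pid, PPid, Thds, Hnds, Time.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c89c8:System                                      4      0     59    403 1970-01-01 00:00:00 UTC+0000
. 0x820df020:smss.exe                                 376      4      3     19 2010-10-29 17:08:53 UTC+0000
.. 0x821a2da0:winlogon.exe                            624    376     19    570 2010-10-29 17:08:54 UTC+0000
... 0x82073020:services.exe                           668    624     21    431 2010-10-29 17:08:54 UTC+0000
.... 0x81f1a2b8:svchost.exe                           856    668     17    194 2010-10-29 17:08:55 UTC+0000
.... 0x81ee0300:lsass.exe                            1928    668      4     65 2011-06-03 04:26:55 UTC+0000
... 0x8204b4d8:lsass.exe                              680    624     19    342 2010-10-29 17:08:54 UTC+0000
"""

# One pstree row: dots, "0xOFFSET:name", Pid, PPid, Thds, Hnds, then the timestamp.
ROW = re.compile(r"^(\.*)\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

# Assumed baseline of normal parent/child pairings on Windows XP (an assumption
# made for this example; adjust it for the OS version of the image under review).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}

def parse_pstree(text):
    """Return {pid: {"name", "ppid"}} from pstree text; header/separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, name, pid, ppid, _, _, _ = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid)}
    return procs

def find_unexpected_parents(procs):
    """List (pid, name, actual parent name) for processes whose parent is not the baseline one."""
    findings = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"])
        parent = procs.get(p["ppid"], {"name": "<missing pid %d>" % p["ppid"]})
        if expected and parent["name"] != expected:
            findings.append((pid, p["name"], parent["name"]))
    return findings
```

Running `find_unexpected_parents(parse_pstree(SAMPLE_PSTREE))` on the constructed sample reports only the second lsass.exe (pid 1928), because its parent is services.exe rather than winlogon.exe.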

Get Digital Forensics and Incident Response now with O’Reilly online learning.
