Handles

The handles plugin allows analysts to view what type of handles are open in an existing process. This includes a wide variety of information including registry keys and files associated with that process. To identify the open handles for the PID 868 that was previously identified, the following command is used:

forensics@ubuntu:~/Documents$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 -p 868 handles 

That preceding command produces the output found in the following screenshot. As the output indicates, the suspect process has several open handle processes, threads, and a registry key.

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.