When examining processes, it can be useful to determine the parent/child relationships between the processes. During malware investigation, this will help you understand which other processes are related to the malicious process. The pstree plugin displays the parent-child process relationships by using the output from the pslist and formatting it in a tree view. In the following example, running the pstree plugin against an infected memory image displays a process relationship; a child process is indented to the right and prepended with periods. From the output, you can see that OUTLOOK.EXE was started by the explorer.exe process. This is normal because whenever you launch an application by double-clicking, ...