When you are investigating a memory image, you will mainly focus on identifying any suspicious process running on the system. There are various plugins in Volatility that allow you to enumerate processes. Volatility's pslist plugin lists the processes from the memory image, similar to how task manager lists the process on a live system. In the following output, running the pslist plugin against a memory image infected with a malware sample (Perseus) shows two suspicious processes: svchost..exe (pid 3832) and suchost..exe ( pid 3924). The reason why these two processes are suspicious is that the names of these processes have an additional dot character before the .exe extension (which is abnormal). On a clean system, ...