Sempersol Consultancy (P) Ltd. Memory Forensics Poster
Find the KDBG structure and get the profile information [imageinfo]
Identify rogue processes running [pslist]
Identify hidden processes [psxview]
Identify network activity of suspicious processes [netscan for Vista or above; connections, sockets, connscan, sockscan for Windows XP]
Check loaded DLLs [dlllist]
Check for injections [malfind]
Identify hidden modules [ldrmodules]
Find rootkit activity (SSDT hooks) [ssdt]
Find process hollowing [vadinfo]
Find suspicious driver callbacks [callbacks]
Explore in depth manually with volshell [volshell]
Dump the suspicious sample [procdump, moddump, dlldump, vaddump]
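As an added example (not part of the poster, and not Volatility's own code), the following Python script applies the rogue-process and hidden-process steps above to the text output of Volatility 2 pslist and psxview. The two samples embedded in it are constructed: offsets, PIDs and timestamps are invented, only the column layout follows Volatility 2.x. The expected parent/child relationships (smss.exe under System, services.exe and lsass.exe under wininit.exe, svchost.exe under services.exe), the singleton rule and the edit-distance check for lookalike names are triage heuristics assumed here, not anything Volatility enforces.

```python
#!/usr/bin/env python3
"""Triage helpers for Volatility 2 `pslist` and `psxview` text output.

Added example, not code from the poster or from Volatility. The samples
are constructed (offsets, PIDs, timestamps made up; column layout as in
Volatility 2.x) and the process-tree expectations are a heuristic.
"""

PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8000c8a040 System                    4      0     84      517 ------      0 2014-10-07 12:00:01 UTC+0000
0xfffffa80014d3b30 smss.exe                248      4      2       29 ------      0 2014-10-07 12:00:01 UTC+0000
0xfffffa8001a37060 wininit.exe             372    316      3       78      0      0 2014-10-07 12:00:03 UTC+0000
0xfffffa8001b3e060 services.exe            468    372      8      214      0      0 2014-10-07 12:00:04 UTC+0000
0xfffffa8001b4a060 lsass.exe               476    372      7      592      0      0 2014-10-07 12:00:04 UTC+0000
0xfffffa8001c0a060 svchost.exe             588    468     10      352      0      0 2014-10-07 12:00:05 UTC+0000
0xfffffa8001e9b060 explorer.exe           1388   1360     23      801      1      0 2014-10-07 12:00:20 UTC+0000
0xfffffa8002b51060 svchost.exe            2140   1388      4       63      1      1 2014-10-07 12:05:41 UTC+0000
0xfffffa8002c6f060 lsass.exe              2268   2140      2       41      1      1 2014-10-07 12:05:42 UTC+0000
0xfffffa8002d01060 scvhost.exe            2304   2140      3       55      1      1 2014-10-07 12:05:50 UTC+0000
"""

PSXVIEW_SAMPLE = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
0x000000003f8a2040 System                    4 True   True   True     True   False True    False
0x000000003d0a5060 svchost.exe             588 True   True   True     True   True  True    True
0x000000003c1f7060 explorer.exe           1388 True   True   True     True   True  True    True
0x000000003b2e8060 cmd.exe                1772 False  True   True     True   True  True    True
0x000000003a9c1060 notepad.exe            1904 False  True   False    False  False False   False    2014-10-07 12:03:10 UTC+0000
"""

# Heuristic picture of a healthy Vista+ process tree (lower-case names).
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
KNOWN_NAMES = sorted({"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"})
PSXVIEW_SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_pslist(text):
    """Return {pid: {"offset", "name", "ppid"}} from pslist output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        procs[int(parts[2])] = {"offset": parts[0], "name": parts[1], "ppid": int(parts[3])}
    return procs


def find_rogue_processes(procs):
    """Flag wrong parents, duplicated singletons and lookalike names."""
    names = [p["name"].lower() for p in procs.values()]
    findings = []
    for pid, p in sorted(procs.items()):
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<exited>"
        want = EXPECTED_PARENT.get(name)
        if want and parent_name != want:
            findings.append((pid, p["name"], "parent is %s, expected %s" % (parent_name, want)))
        if name in SINGLETONS and names.count(name) > 1:
            findings.append((pid, p["name"], "more than one instance of a singleton process"))
        for known in KNOWN_NAMES:
            if name not in KNOWN_NAMES and edit_distance(name, known) <= 2:
                findings.append((pid, p["name"], "name looks like %s" % known))
    return findings


def parse_psxview(text):
    """One dict per psxview row; the seven sources become booleans."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        row = {"name": parts[1], "pid": int(parts[2]), "exit_time": " ".join(parts[10:])}
        row.update((src, val == "True") for src, val in zip(PSXVIEW_SOURCES, parts[3:10]))
        rows.append(row)
    return rows


def find_hidden_processes(rows):
    """A live process absent from pslist but seen elsewhere has been unlinked (DKOM)."""
    hidden = []
    for r in rows:
        if r["pslist"] or r["exit_time"]:
            continue  # listed normally, or terminated (psscan still finds exited processes)
        seen_by = [s for s in PSXVIEW_SOURCES if r[s]]
        if seen_by:
            hidden.append((r["pid"], r["name"], seen_by))
    return hidden


if __name__ == "__main__":
    for finding in find_rogue_processes(parse_pslist(PSLIST_SAMPLE)):
        print("rogue:  PID %5d %-14s %s" % finding)
    for pid, name, seen_by in find_hidden_processes(parse_psxview(PSXVIEW_SAMPLE)):
        print("hidden: PID %5d %-14s seen by %s" % (pid, name, ", ".join(seen_by)))
```

Run it as-is to see the constructed findings, or paste real pslist and psxview output into the two sample strings. A flagged process is a lead for the later steps (dlllist, malfind, vaddump), not a verdict: the legitimate lsass.exe is reported too when a second one exists, and a terminated process that only psscan still finds is deliberately not treated as hidden.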
Load the winpmem driver with the option "-l"
Run rekal with the file option -f \\.\pmem to point it at live memory
Use the plugins directly by typing the plugin name at the Rekall prompt
Use info to get the detailed list of available plugins