Bob.Vmem

We are checking for a suspicious file in the Bob.vmem memory dump.

1. First we check the integrity of the dump. For this we use the imageinfo command; if it returns a suggested profile, the dump is readable and the integrity is good.
   Command used: ./vol.py -f /root/Desktop/Bob.vmem imageinfo
   In the imageinfo output we get the service pack, the suggested profile names, and the date and time the image was taken.

2. pslist: lists all the processes that were running when the image was taken.
   Command used: ./vol.py -f /root/Desktop/Bob.vmem --profile=WinXPSP2x86 pslist

3. psscan: mostly used for malware analysis and rootkit scanning. It lists the inactive, hidden or unlinked processes, which may have been created by a rootkit or by malware.
   Command used: ./vol.py -f /root/Desktop/Bob.vmem --profile=WinXPSP2x86 psscan

4. psxview: identifies the actual hidden processes. As we can see, there are two columns for the pslist and psscan results; if any process has False in psscan then we consid...
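The cross-check that step 4 relies on (a process that psscan carves out of memory but that is missing from the pslist linked list is a candidate for a hidden or unlinked process, unless psscan also shows an exit time, in which case it is simply terminated) can be reproduced from the plain-text output of the two plugins. The script below is an added example, not part of the original write-up and not Volatility code; the two output samples are constructed to mirror the Volatility 2 column layout and do not come from Bob.vmem, and the process names and PIDs in them are invented.

```python
"""Cross-reference Volatility 2 pslist and psscan output (pslist/psscan
text is read from files or pasted in); flags processes that psscan sees
but pslist does not, the same comparison psxview makes for those columns."""
import re
from typing import Dict, List, Tuple

# Constructed sample output (not from Bob.vmem); names and PIDs are invented.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0
0x822f1020 smss.exe                544      4      3       21 ------      0 2010-01-01 00:00:01 UTC+0000
0x820df020 csrss.exe               608    544     10      423      0      0 2010-01-01 00:00:03 UTC+0000
0x81e1b020 explorer.exe           1464   1420     15      521      0      0 2010-01-01 00:00:20 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c8830 System                4      0 0x00319000
0x022f1020 smss.exe            544      4 0x03ac0000 2010-01-01 00:00:01 UTC+0000
0x020df020 csrss.exe           608    544 0x03b80000 2010-01-01 00:00:03 UTC+0000
0x01e1b020 explorer.exe       1464   1420 0x04100000 2010-01-01 00:00:20 UTC+0000
0x01f2a020 svchost.exe        1124    676 0x04400000 2010-01-01 00:00:09 UTC+0000 2010-01-01 00:05:00 UTC+0000
0x01f9c7e8 unlinked.exe       1356   1464 0x04a00000 2010-01-01 00:10:00 UTC+0000
"""

# Data rows start with a hex offset; the next three columns are name, PID, PPID
# in both plugins, so one pattern serves both outputs.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
# Volatility 2 prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000".
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

ProcKey = Tuple[int, str]  # (pid, name): psscan can return stale rows with reused PIDs


def parse_process_rows(text: str) -> Dict[ProcKey, dict]:
    """Parse pslist or psscan text into {(pid, name): info}; header and
    separator lines are skipped because they do not start with an offset."""
    rows: Dict[ProcKey, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, name, pid, ppid = m.groups()
        stamps = TIMESTAMP_RE.findall(line)
        rows[(int(pid), name)] = {
            "offset": offset,
            "ppid": int(ppid),
            # psscan prints a second timestamp (Time exited) for terminated processes
            "exited": len(stamps) >= 2,
        }
    return rows


def cross_view(pslist_text: str, psscan_text: str) -> List[Tuple[int, str, bool, bool, str]]:
    """Return (pid, name, in_pslist, in_psscan, verdict) for every process seen
    by either plugin, mirroring the pslist/psscan columns of psxview."""
    pslist = parse_process_rows(pslist_text)
    psscan = parse_process_rows(psscan_text)
    report = []
    for key in sorted(set(pslist) | set(psscan)):
        in_list, in_scan = key in pslist, key in psscan
        if in_list and in_scan:
            verdict = "ok"                      # visible to both, nothing unusual
        elif in_scan and psscan[key]["exited"]:
            verdict = "terminated"              # carved from memory but already exited
        elif in_scan:
            verdict = "hidden_candidate"        # in memory, not in the active list
        else:
            verdict = "scan_missed"             # in pslist only; rare, worth a manual look
        report.append((key[0], key[1], in_list, in_scan, verdict))
    return report


def hidden_candidates(pslist_text: str, psscan_text: str) -> List[Tuple[int, str]]:
    """Just the processes an analyst would triage first."""
    return [(pid, name) for pid, name, _, _, v in cross_view(pslist_text, psscan_text)
            if v == "hidden_candidate"]


if __name__ == "__main__":
    print(f"{'PID':>6} {'Name':<16} {'pslist':<7} {'psscan':<7} verdict")
    for pid, name, in_list, in_scan, verdict in cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"{pid:>6} {name:<16} {str(in_list):<7} {str(in_scan):<7} {verdict}")
```

Running the script prints one row per process with True/False in the pslist and psscan columns, the same shape the write-up reads off psxview; on a real case, replace the two sample strings with the saved output of the pslist and psscan commands above. A "hidden_candidate" verdict is a lead, not a conviction: unlinking from the active process list is what rootkits do, but a process still in the middle of exiting can land in the same bucket, so the offset should be followed up with the other psxview sources before drawing a conclusion.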