In memory forensics with Volatility, what does the pslist plugin reveal?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

In memory forensics with Volatility, what does the pslist plugin reveal?

Explanation:
The main idea is that pslist reads the in-memory process list from the Windows memory image to show processes exactly as the OS believes them to be, based on the in-memory EPROCESS structures. By walking those kernel-linked process blocks, pslist outputs each process’s name, process ID, parent process ID, and other session-related details as they exist in memory at the time the image was captured.

This is powerful for detection because it can reveal processes that might not be visible through standard OS tooling or file-system views, such as hidden or injected processes associated with rootkits or process hollowing. If a process is running in memory but its presence isn’t reflected in normal system listings, pslist helps you spot that discrepancy and investigate further.

It’s worth noting what pslist is not doing here: it isn’t listing DLLs loaded by processes (that’s a different plugin), it isn’t extracting live network connections, and it isn’t dumping memory regions to files. Those other tasks require other Volatility plugins.

