Sempersol Consultancy (P) Ltd. Memory Forensics...

Post on 15-Apr-2018


Sempersol Consultancy (P) Ltd. Memory Forensics Poster

Find the KDBG structure and get the profile information [imageinfo]

Identify rogue processes running [pslist]

Identify hidden processes [psxview]

Identify network activity of the suspicious process [netscan for Vista or above; connections, sockets, connscan, sockscan for Windows XP]

Check loaded DLLs [dlllist]

Check for injections [malfind]

Identify hidden modules [ldrmodules]

Find rootkit activity [ssdt]

Find process hollowing [vadinfo]

Find suspicious driver callbacks [callbacks]

Explore in depth manually with volshell [volshell]

Dump the suspicious sample [procdump, moddump, dlldump, vaddump]
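The Volatility 2 steps above, automated as an added example (not the poster's or the Volatility project's own code). It assumes vol.py is on PATH, that the image and output directory are passed as arguments, and that an optional suspect PID has been chosen from the pslist/psxview review; the imageinfo sample used for testing is constructed.

```python
#!/usr/bin/env python3
"""Volatility 2 triage runner following the poster's steps (added example,
not Sempersol's or the Volatility project's code). Assumes vol.py is on PATH."""
import re
import subprocess
import sys
from pathlib import Path

BEFORE_NET = ["pslist", "psxview"]                       # steps 2-3
AFTER_NET = ["dlllist", "malfind", "ldrmodules", "ssdt", "vadinfo", "callbacks"]
XP_NET = ["connections", "sockets", "connscan", "sockscan"]  # Windows XP/2003 only
# Constructed sample of imageinfo's profile line (not output from a real image).
SAMPLE_IMAGEINFO = "Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64\n"


def parse_suggested_profile(imageinfo_output: str) -> str:
    """First profile on imageinfo's 'Suggested Profile(s)' line (step 1)."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([A-Za-z0-9_]+)", imageinfo_output)
    if not m or m.group(1) == "No":  # imageinfo prints 'No suggestion' on failure
        raise ValueError("imageinfo output has no usable suggested profile")
    return m.group(1)


def network_plugins(profile: str) -> list:
    """netscan is Vista+ only; XP/2003 profiles need the older four plugins."""
    return XP_NET if profile.startswith(("WinXP", "Win2003")) else ["netscan"]


def build_commands(image, profile, dump_dir, suspect_pid=None) -> list:
    """vol.py command lines for every non-interactive step after imageinfo."""
    base = ["vol.py", "-f", image, "--profile=" + profile]
    cmds = [base + [p] for p in BEFORE_NET + network_plugins(profile) + AFTER_NET]
    if suspect_pid is not None:  # last step: dump the suspicious process
        for p in ("procdump", "dlldump", "vaddump"):
            cmds.append(base + [p, "-p", str(suspect_pid), "--dump-dir", dump_dir])
    return cmds


def run_triage(image: str, out_dir: str, suspect_pid=None) -> str:
    """Run every step, save each plugin's output under out_dir, return profile."""
    out = Path(out_dir)
    (out / "dumps").mkdir(parents=True, exist_ok=True)
    info = subprocess.run(["vol.py", "-f", image, "imageinfo"],
                          capture_output=True, text=True, check=True).stdout
    (out / "imageinfo.txt").write_text(info)
    profile = parse_suggested_profile(info)
    for cmd in build_commands(image, profile, str(out / "dumps"), suspect_pid):
        res = subprocess.run(cmd, capture_output=True, text=True)
        (out / f"{cmd[4]}.txt").write_text(res.stdout + res.stderr)  # cmd[4] = plugin
    return profile


if __name__ == "__main__":  # usage: triage.py image.raw outdir [suspect_pid]
    pid = int(sys.argv[3]) if len(sys.argv) > 3 else None
    print("profile:", run_triage(sys.argv[1], sys.argv[2], pid))
```

volshell is left out because it is interactive; run it by hand on the image once the saved plugin output points at a process worth digging into.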

Load the winpmem driver with the option “-L”

Use Rekall with the file option \\.\pmem to point it at live memory.

Use the plugins directly by typing in the plugin name

Use info to find out the detailed list of plugins available