1
00:00:01,660 --> 00:00:07,900
Another process identification command that can be used to list processes is pstree.

2
00:00:08,990 --> 00:00:09,710
Here.

3
00:00:09,710 --> 00:00:15,260
So this command shows the same list of processes as pslist.

4
00:00:15,290 --> 00:00:27,590
But indentation is also used to identify child and parent processes, so run the pstree plugin by typing

5
00:00:27,590 --> 00:00:32,150
this pstree command and click Enter.

6
00:00:34,500 --> 00:00:37,590
As you can see, we got an output here.

7
00:00:37,770 --> 00:00:39,510
Now, copy this.

8
00:00:40,650 --> 00:00:44,370
And click on the Notepad so we can analyze it further.

9
00:00:45,080 --> 00:00:45,590
Here.

10
00:00:46,610 --> 00:00:47,240
So.

11
00:00:48,600 --> 00:01:00,330
In this here, the last five processes listed are explorer.exe and VMwareUser.exe, cmd.exe, VMware

12
00:01:00,330 --> 00:01:02,890
Tray.exe and Reader_sl.exe.

13
00:01:03,000 --> 00:01:11,110
So here explorer by itself is not indented, while all the others are.

14
00:01:11,130 --> 00:01:19,860
So indicating that they are child processes of explorer.exe, which is the parent process.

15
00:01:19,860 --> 00:01:24,090
So now we're going to use another command here.

16
00:01:26,060 --> 00:01:27,470
Named psscan

17
00:01:27,470 --> 00:01:29,490
here.

18
00:01:29,510 --> 00:01:38,930
So the psscan command displays inactive and even hidden processes, which can be used by malware such as

19
00:01:38,930 --> 00:01:46,610
rootkits, and are very, very well known for doing just that to evade discovery by users and antivirus

20
00:01:46,610 --> 00:01:47,410
programs.

21
00:01:47,420 --> 00:01:53,570
So now we're going to use the profile, because this needs a profile here.

22
00:01:54,350 --> 00:02:00,370
Now, as you remember, our profile was the Windows XP Service Pack 2.

23
00:02:00,380 --> 00:02:06,650
But in order to remember that, I'm going to just run imageinfo here, and we're going to get the

24
00:02:06,650 --> 00:02:10,640
Windows XP Service Pack 2.

25
00:02:12,950 --> 00:02:13,250
Here.

26
00:02:13,250 --> 00:02:16,990
So as you can see, this is Service Pack 2 and 32-bit x86.

27
00:02:17,780 --> 00:02:18,200
Here.

28
00:02:18,230 --> 00:02:28,070
We can also use the profile of Service Pack 3, but it's always better to use the first profile in

29
00:02:28,070 --> 00:02:28,850
Volatility.

30
00:02:28,880 --> 00:02:29,480
Here.

31
00:02:30,660 --> 00:02:35,790
So now we're going to use psscan.

32
00:02:35,790 --> 00:02:46,460
And like before, after specifying the memory file, we need to add the profile here.

33
00:02:46,470 --> 00:02:47,550
--profile

34
00:02:49,060 --> 00:02:53,290
=WinXPSP2

35
00:02:53,710 --> 00:02:54,460
x86.

36
00:02:54,460 --> 00:02:55,630
Here now.

37
00:02:57,450 --> 00:02:58,590
Click Enter.

38
00:03:00,470 --> 00:03:02,600
Here we have this.

39
00:03:03,880 --> 00:03:05,140
Now we're going to.

40
00:03:07,250 --> 00:03:08,200
Copy this.

41
00:03:08,240 --> 00:03:09,590
Too.

42
00:03:10,260 --> 00:03:13,260
For further investigation in the Notepad.

43
00:03:14,360 --> 00:03:15,020
Here.

44
00:03:16,920 --> 00:03:19,110
This is our output result.

45
00:03:21,920 --> 00:03:26,290
So since we don't need the Time exited column here, we can delete it.

46
00:03:26,300 --> 00:03:29,840
So we can zoom in further.

47
00:03:34,770 --> 00:03:35,310
Here.

48
00:03:38,730 --> 00:03:39,210
Yeah.

49
00:03:39,480 --> 00:03:46,080
So the output of the psscan plugin on this memory image is as follows here.

50
00:03:46,470 --> 00:03:53,310
So the output of both the pslist and psscan commands will be compared to observe any anomalies.

51
00:03:53,310 --> 00:03:56,400
So we need to compare this

52
00:03:57,110 --> 00:04:03,050
with the previous command that we used, pslist.

53
00:04:03,230 --> 00:04:12,590
So actually, let's compare it, see if we got any, uh, different results or if we have any hidden

54
00:04:12,710 --> 00:04:13,880
processes.

55
00:04:15,690 --> 00:04:16,050
Here.

56
00:04:16,050 --> 00:04:17,940
We're gonna add another tab.

57
00:04:18,120 --> 00:04:20,160
And as you can see here.

58
00:04:21,410 --> 00:04:25,670
We will observe it in later lectures, but for now.

59
00:04:27,290 --> 00:04:33,020
It's like we don't have any hidden processes, because as you can see here, all of these lines are almost

60
00:04:33,020 --> 00:04:35,750
the same if we just delete this command.

61
00:04:37,490 --> 00:04:41,270
Yeah, they are actually almost the same files.

62
00:04:43,600 --> 00:04:43,990
Let's.

63
00:04:43,990 --> 00:04:44,590
Yeah.

64
00:04:45,440 --> 00:04:49,290
As you can see here, both of them have 25 lines in them.

65
00:04:49,310 --> 00:04:51,500
So next.

66
00:04:53,330 --> 00:04:57,590
The plugin we have is psxview here.

67
00:04:57,980 --> 00:04:59,660
Now we're going to use p

68
00:05:00,350 --> 00:05:01,370
sx

69
00:05:01,370 --> 00:05:03,050
view. psxview.

70
00:05:03,080 --> 00:05:03,950
psxview.

71
00:05:04,750 --> 00:05:11,680
So as with the psscan plugin, psxview is used to find and list hidden processes.

72
00:05:11,770 --> 00:05:18,940
But with psxview, however, a variety of scans are run, including pslist and psscan here.

73
00:05:18,940 --> 00:05:22,930
So in order to run this command, you need to specify the profile.

74
00:05:22,930 --> 00:05:24,160
So we already did.

75
00:05:24,160 --> 00:05:26,380
And yeah, click on Enter.

76
00:05:31,180 --> 00:05:36,100
Yeah, we got actually, as you can see, we got different results from the previous commands.

77
00:05:36,130 --> 00:05:37,240
Copy it.

78
00:05:37,240 --> 00:05:38,980
And here.

79
00:05:41,600 --> 00:05:42,290
Can you see it?

80
00:05:42,290 --> 00:05:43,410
Actually, clearly?

81
00:05:43,430 --> 00:05:44,030
Yeah.

82
00:05:44,540 --> 00:05:54,800
So the psxview plugin lists the processes and compares the outputs, listed as True or False.

83
00:05:54,980 --> 00:05:59,180
So a False output means that the process is hidden.

84
00:06:01,730 --> 00:06:02,300
Here.

85
00:06:02,330 --> 00:06:04,550
It means that process is hidden.

86
00:06:06,120 --> 00:06:08,190
Uh, that as in the c

87
00:06:08,190 --> 00:06:14,220
srss.exe, session and this chart here.

88
00:06:15,340 --> 00:06:16,900
This means that.

89
00:06:18,540 --> 00:06:28,890
Yeah, with False outputs for System and smss.exe, and this here says "dot", which tells us that

90
00:06:28,890 --> 00:06:35,640
the processes are not found in these areas and should be inspected further.

91
00:06:35,640 --> 00:06:42,480
So now that we have viewed and documented the services that were running at the time the memory

92
00:06:42,480 --> 00:06:43,620
dump was taken.

93
00:06:43,620 --> 00:06:52,230
So let's try to find network services and connections that may also have been established at the time.
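The lecture makes two points that are easier to see in code than in Notepad: pstree's indentation is just the parent/child relation rebuilt from PID and PPID, and psxview's True/False table is a cross-check of which enumeration methods found each PID, where a process that psscan finds but pslist does not is a hidden-process candidate. The script below is an added example, not the course's or Volatility's own code. It works on a constructed, simplified listing (only the Name, PID and PPID columns, with made-up offsets and a made-up `hidden_sample.exe` row) rather than real plugin output; the dot-per-level indentation is modelled on pstree's style, and only the pslist-versus-psscan comparison is implemented, not the csrss or session columns the lecture also mentions.

```python
import re
from collections import defaultdict

# Constructed sample listings, simplified to the columns used here.
# Offsets and PIDs are made up; this is not real Volatility output.
PSLIST_SAMPLE = """\
Offset(V)  Name                PID   PPID
0x823c8830 System              4     0
0x81ff4020 smss.exe            368   4
0x81f34a48 csrss.exe           584   368
0x81f24020 winlogon.exe        608   368
0x81f04da0 explorer.exe        1464  1440
0x81ee6da0 VMwareTray.exe      1556  1464
0x81ee2b28 VMwareUser.exe      1576  1464
0x81ed6b28 cmd.exe             1800  1464
0x81ec3020 Reader_sl.exe       1836  1464
"""

# Same rows as pslist plus one process that only the pool-tag scan finds
# (hypothetical name, constructed for the example).
PSSCAN_SAMPLE = PSLIST_SAMPLE.replace("Offset(V)", "Offset(P)") + \
    "0x02d1e020 hidden_sample.exe   1912  1464\n"

# One listing row: hex offset, name, pid, ppid.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_listing(text):
    """Return {pid: (name, ppid)} from a simplified pslist/psscan listing."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def build_tree(procs):
    """Render parent/child relations with one dot per level, pstree style.

    A process whose PPID is not in the listing (e.g. an exited parent)
    becomes a root, which is exactly why explorer.exe sits unindented.
    """
    children = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        children[ppid].append(pid)
    roots = [pid for pid, (_, ppid) in procs.items() if ppid not in procs]
    lines = []

    def walk(pid, depth):
        name, _ = procs[pid]
        lines.append("." * depth + f"{name} (pid {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


def cross_view(pslist, psscan):
    """psxview-style table: for every PID, which method saw it (True/False)."""
    rows = {}
    for pid in sorted(set(pslist) | set(psscan)):
        name = (pslist.get(pid) or psscan.get(pid))[0]
        rows[pid] = {"name": name, "pslist": pid in pslist, "psscan": pid in psscan}
    return rows


def hidden_candidates(rows):
    """PIDs present in the scan but unlinked from the active process list."""
    return [pid for pid, r in rows.items() if r["psscan"] and not r["pslist"]]


if __name__ == "__main__":
    pslist = parse_listing(PSLIST_SAMPLE)
    psscan = parse_listing(PSSCAN_SAMPLE)
    print("\n".join(build_tree(pslist)))
    table = cross_view(pslist, psscan)
    for pid, r in table.items():
        print(f"{pid:6} {r['name']:20} pslist={r['pslist']!s:5} psscan={r['psscan']!s:5}")
    print("inspect further:", hidden_candidates(table))
```

Two practical notes. A `False` in the pslist column is a lead, not a verdict: a process that exited shortly before the dump also appears only in psscan, so the Time exited column the lecture deletes is exactly what separates "terminated" from "unlinked". And the lecture's observation that System and smss.exe show False under csrss and session is expected on Windows XP, since those two start before the session and csrss structures exist, which is why a real investigation reads the whole row rather than any single column.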