WEBVTT

00:00.430 --> 00:05.740
In this lecture we will learn about the pslist plugin in Volatility.

00:05.740 --> 00:13.870
So this tool not only displays a list of all running processes, but also gives useful information

00:13.870 --> 00:17.950
such as the process ID and parent process ID.

00:17.950 --> 00:27.130
So in order to run this plugin, you need to specify the directory of the Volatility file, the Volatility

00:27.130 --> 00:36.280
program, and then specify the directory of the virtual memory file with this parameter, and then use the

00:36.280 --> 00:41.320
pslist plugin after this.

00:41.320 --> 00:44.260
After specifying the file name here.

00:45.150 --> 00:48.770
And as you can see here, we got this useful information from it.

00:48.780 --> 00:50.970
So now I want to actually.

00:50.970 --> 00:51.480
Let's see.

00:51.480 --> 00:51.930
Yeah.

00:51.930 --> 00:55.710
Yes, actually, you can see pretty much everything, but I'm going to

00:57.090 --> 00:59.190
decrease the font size a little bit,

01:00.350 --> 01:03.050
so you can see more.

01:03.230 --> 01:03.890
Yeah.

01:05.160 --> 01:07.280
You know, I think it's okay here.

01:07.280 --> 01:07.910
So.

01:09.000 --> 01:09.870
This is the output.

01:09.870 --> 01:17.580
Here we have the name, process ID (PID), PPID, threads, handles, and session.

01:17.580 --> 01:19.910
We have Wow64.

01:20.220 --> 01:26.340
All of this is zero because we have a 32-bit system, and the start time of the

01:28.170 --> 01:31.260
executable task here.

01:31.260 --> 01:36.300
So here, in this code we have System.

01:36.420 --> 01:37.290
System.

01:38.100 --> 01:39.750
We have winlogon.

01:40.970 --> 01:48.110
And we have services, and also we have svchost.exe here, executables.

01:48.590 --> 01:56.960
And these services here are started first, as you can see from these times here.

01:58.090 --> 02:11.830
And after that it started reader_sl.exe here, reader_sl.exe, alg.exe here.

02:13.970 --> 02:15.310
alg.exe.

02:15.790 --> 02:20.830
And finally the VMwareUser.exe here.

02:20.830 --> 02:31.960
So the process ID here identifies the process, and the PPID identifies the parent process, the parent of

02:31.960 --> 02:33.090
the process here.

02:33.100 --> 02:36.910
So looking at the pslist output here.

02:37.910 --> 02:40.700
We can see that the winlogon here.

02:40.730 --> 02:41.990
Winlogon.

02:43.420 --> 02:43.750
Oops.

02:45.760 --> 02:47.650
We can see that winlogon.

02:54.310 --> 02:57.630
Here, services and winlogon.

02:57.640 --> 03:02.410
Here is the parent process here.

03:03.960 --> 03:05.010
Services.

03:05.040 --> 03:09.420
676 and 600.

03:10.020 --> 03:10.380
Yeah.

03:10.470 --> 03:12.930
634 632.

03:13.680 --> 03:29.160
So these IDs specify the IDs of services.exe and lsass.exe here, directly after

03:29.160 --> 03:32.490
the winlogon.exe process.

03:32.490 --> 03:38.400
And these are both 630, 632 here.

03:40.550 --> 03:46.070
Here services.exe is 632.

03:47.410 --> 03:51.610
And the process ID is here.

03:51.880 --> 03:54.070
536.

03:56.410 --> 03:56.890
Here.

03:58.630 --> 04:06.490
Now, as you can see, when we go down, we have a VMwareTray.exe that has a different parent process ID.

04:07.210 --> 04:14.620
So for this new parent process ID and the processes themselves, a quick Google search can assist with identification

04:14.620 --> 04:16.260
and description information.

04:16.270 --> 04:23.260
It is also useful to become familiar with many of the startup processes in order to point out

04:23.260 --> 04:26.930
processes that may be unusual or suspect here.

04:26.950 --> 04:34.360
So the timing and order of the processes should also be noted, as these may assist in the investigation.

04:34.360 --> 04:39.640
So, although not seen in the previous output due to the limited screen space,

04:40.520 --> 04:41.120
Here.

04:41.690 --> 04:44.210
if you scroll a bit,

04:45.200 --> 04:53.870
we can also see explorer.exe with the process ID of 1956.

04:53.870 --> 05:00.180
As is the process ID of reader_sl.exe here, as you can see, 1956.

05:00.200 --> 05:01.190
So.

05:02.440 --> 05:12.780
Adding to the analysis, we can see that there are two instances of wuauclt.exe here, and wuauclt.exe here,

05:12.780 --> 05:13.980
as you can see here.

05:15.000 --> 05:18.570
which is actually a little bit suspect here.
