1
00:00:00,430 --> 00:00:05,740
In this lecture we will learn about the pslist plugin in Volatility.

2
00:00:05,740 --> 00:00:13,870
So this tool not only displays a list of all running processes, but also gives useful information

3
00:00:13,870 --> 00:00:17,950
such as the process ID and parent process ID.

4
00:00:17,950 --> 00:00:27,130
So in order to run this plugin, you need to specify the directory of the Volatility file, like the Volatility

5
00:00:27,130 --> 00:00:36,280
program, and then specify the directory of the virtual memory file with this parameter, and then use the

6
00:00:36,280 --> 00:00:41,320
pslist plugin after this,

7
00:00:41,320 --> 00:00:44,260
after specifying the file name here.

8
00:00:45,150 --> 00:00:48,770
And as you can see here, we got this useful information from it.

9
00:00:48,780 --> 00:00:50,970
So now I want to actually...

10
00:00:50,970 --> 00:00:51,480
Let's see.

11
00:00:51,480 --> 00:00:51,930
Yeah.

12
00:00:51,930 --> 00:00:55,710
Yes, actually, you can see pretty much everything, but I'm going to

13
00:00:57,090 --> 00:00:59,190
decrease the font size a little bit

14
00:01:00,350 --> 00:01:03,050
so you can see more.

15
00:01:03,230 --> 00:01:03,890
Yeah.

16
00:01:05,160 --> 00:01:07,280
You know, I think it's okay here.

17
00:01:07,280 --> 00:01:07,910
So.

18
00:01:09,000 --> 00:01:09,870
This is the output.

19
00:01:09,870 --> 00:01:17,580
Here we have the name, process ID (PID), PPID, threads, handles and session.

20
00:01:17,580 --> 00:01:19,910
We have Wow64.

21
00:01:20,220 --> 00:01:26,340
All of this is zero because we have a 32-bit system, and the start time of the

22
00:01:28,170 --> 00:01:31,260
executable task here.

23
00:01:31,260 --> 00:01:36,300
So here, in this code we have System,

24
00:01:36,420 --> 00:01:37,290
System.

25
00:01:38,100 --> 00:01:39,750
We have winlogon.

26
00:01:40,970 --> 00:01:48,110
And we have services, and also we have the svchost.exe executables here.
27
00:01:48,590 --> 00:01:56,960
And these services here are started first here, as you can see from these times here.

28
00:01:58,090 --> 00:02:11,830
So, and after that it started the reader_sl here, reader_sl.exe, alg.exe here.

29
00:02:13,970 --> 00:02:15,310
alg.exe.

30
00:02:15,790 --> 00:02:20,830
And finally the VMwareUser.exe here.

31
00:02:20,830 --> 00:02:31,960
So the process ID here identifies the processes, and the PPID identifies the parent process, the parent of

32
00:02:31,960 --> 00:02:33,090
the process here.

33
00:02:33,100 --> 00:02:36,910
So looking at the pslist output here,

34
00:02:37,910 --> 00:02:40,700
we can see that the winlogon here,

35
00:02:40,730 --> 00:02:41,990
winlogon.

36
00:02:43,420 --> 00:02:43,750
Oops.

37
00:02:45,760 --> 00:02:47,650
We can see that winlogon,

38
00:02:54,310 --> 00:02:57,630
your services and winlogon

39
00:02:57,640 --> 00:03:02,410
here is the parent process here.

40
00:03:03,960 --> 00:03:05,010
Services.

41
00:03:05,040 --> 00:03:09,420
676 and 600.

42
00:03:10,020 --> 00:03:10,380
Yeah.

43
00:03:10,470 --> 00:03:12,930
634, 632.

44
00:03:13,680 --> 00:03:29,160
So these IDs specify the IDs of the services, and services and lsass here are directly after

45
00:03:29,160 --> 00:03:32,490
the winlogon.exe process.

46
00:03:32,490 --> 00:03:38,400
And these are both 630, 632 here.

47
00:03:40,550 --> 00:03:46,070
Here services, here 632.

48
00:03:47,410 --> 00:03:51,610
And the process ID is here,

49
00:03:51,880 --> 00:03:54,070
536.

50
00:03:56,410 --> 00:03:56,890
Here.

51
00:03:58,630 --> 00:04:06,490
Now, as you can see, when we go down, we have VMwareTray, which has a different parent process ID.

52
00:04:07,210 --> 00:04:14,620
So for this new parent process ID and the processes themselves, a quick Google search can assist with identification

53
00:04:14,620 --> 00:04:16,260
and description information.
54
00:04:16,270 --> 00:04:23,260
It is also useful to become familiar with many of the startup processes in order to readily point out

55
00:04:23,260 --> 00:04:26,930
processes that may be unusual or suspect here.

56
00:04:26,950 --> 00:04:34,360
So the timing and order of the processes should also be noted, as these may assist in the investigation.

57
00:04:34,360 --> 00:04:39,640
So although not seen in the previous output due to the limited screen space,

58
00:04:40,520 --> 00:04:41,120
here,

59
00:04:41,690 --> 00:04:44,210
if you scroll a bit,

60
00:04:45,200 --> 00:04:53,870
we can also see the explorer.exe with the process ID of 1956.

61
00:04:53,870 --> 00:05:00,180
So is the process ID of reader_sl here, as you can see: 1956.

62
00:05:00,200 --> 00:05:01,190
So.

63
00:05:02,440 --> 00:05:12,780
Adding to the analysis, we can see that there are two instances of wuauclt here, and wuauclt.exe here,

64
00:05:12,780 --> 00:05:13,980
as you can see here,

65
00:05:15,000 --> 00:05:18,570
which is actually a little bit suspect here.