Memory Analysis using Volatility - pstree
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
pstree – a volatility plugin that print all running processes as a tree(parent-child relationship).
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Using the Volatility pstree plugin, we can see the parent child relationship of all the processes.
This plugin can be a good use to detect if the sample have spawned another process.
#note: We can identify the child process because it is indented from the parent process.
Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS_version> pstree
In this sample, we can see that NjRAT malware spawned another processes when infecting the system.