Q1: Which volatility profile would be best for this machine?
Command: volatility -f FILENAME.raw imageinfo
Ans: WinXPSP2x86
Q2: How many processes were running when the image was acquired?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 psxview (the profile from Q1 is passed to every later plugin; psxview cross-references several process lists, so it also catches processes hidden from pslist)
Ans: 19
Q3: What is the process ID of cmd.exe?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 psxview
Ans: 1960
Q4: What is the name of the most suspicious process?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 psxview
Ans: rootkit.exe
Q5: Which process shows the highest likelihood of code injection?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 malfind (pslist on its own shows no injection indicators; malfind flags private memory regions that are executable and not backed by a file, which is what singles out svchost.exe here)
Ans: svchost.exe
Q6: There is an odd file referenced in the process from the previous question (PID 880 in this image). Provide the full path of that file.
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 malfind
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 handles -t file -p 880 (restricting to file handles keeps the output short; a driver file under system32\drivers opened by a user-mode svchost.exe is the odd one out)
Ans: C:\WINDOWS\system32\drivers\str.sys
Q7: What is the name of the injected dll file loaded from the recent process?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 ldrmodules -p 880
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 ldrmodules -p 880 | find "False" (on Linux or macOS use grep False; a DLL reported False in InLoad, InInit or InMem is missing from one or more of the PEB module lists, the usual sign of an injected or unlinked module; note that the process's own executable is legitimately False in InInit)
Ans: msxml3r.dll
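The same checks done in Q2, Q4 and Q7 by eye can be scripted. The following is an added example (not part of this writeup and not Volatility code) that parses Volatility 2 psxview and ldrmodules output and applies the two triage rules used above: a process that psscan finds but pslist does not (and that has no ExitTime) is hidden from the EPROCESS list, and a module reported False in a PEB list is unlinked or injected, with the process's own image excluded because it is normally False in InInit. Both sample outputs are constructed to mimic the plugin column layout; the offsets and the rootkit.exe PID are made up, only the names, PID 880, cmd.exe 1960 and the 0x00980000 / msxml3r.dll pairing follow the answers in this writeup.

```python
"""Triage helpers for Volatility 2 psxview and ldrmodules output (example code)."""
from typing import Dict, List, Tuple

# Cross-view columns printed by psxview, in order, after Offset/Name/PID.
PSXVIEW_VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed sample: layout mimics psxview, values are not from the CTF image.
PSXVIEW_SAMPLE = """
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c0 System                    4 True   True   True     True   False False   False
0x01b4c5d0 explorer.exe           1472 True   True   True     True   True  True    True
0x01c6d7e0 rootkit.exe            1040 False  True   True     True   True  True    True
0x01d8e9f0 cmd.exe                1960 True   True   True     True   True  True    True
0x01e0f1a0 notepad.exe            2208 False  True   False    False  False False   False    2012-07-22 02:39:57 UTC+0000
"""

# Constructed sample: layout mimics ldrmodules -p 880, base/path values follow the writeup's answers.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     880 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
     880 svchost.exe          0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     880 svchost.exe          0x00980000 False  False  False \WINDOWS\system32\msxml3r.dll
     880 svchost.exe          0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
"""


def parse_psxview(text: str) -> List[Dict[str, object]]:
    """Turn psxview rows into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 + len(PSXVIEW_VIEWS) or not parts[0].startswith("0x"):
            continue
        flags = {view: parts[3 + i] == "True" for i, view in enumerate(PSXVIEW_VIEWS)}
        # Anything after the seven view columns is the ExitTime of a terminated process.
        exited = len(parts) > 3 + len(PSXVIEW_VIEWS)
        rows.append({"offset": parts[0], "name": parts[1], "pid": int(parts[2]),
                     "exited": exited, **flags})
    return rows


def running_processes(text: str) -> int:
    """Number of psxview rows without an ExitTime (Q2-style count)."""
    return sum(1 for r in parse_psxview(text) if not r["exited"])


def hidden_from_pslist(text: str) -> List[Tuple[str, int]]:
    """Live processes found by pool scanning (psscan) but missing from the
    doubly linked EPROCESS list walked by pslist: the classic DKOM unlinking sign."""
    return [(r["name"], r["pid"]) for r in parse_psxview(text)
            if r["psscan"] and not r["pslist"] and not r["exited"]]


def parse_ldrmodules(text: str) -> List[Dict[str, object]]:
    """Turn ldrmodules rows into dicts; MappedPath is empty for non-file-backed modules."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        pid, proc, base, inload, ininit, inmem = parts[:6]
        rows.append({"pid": int(pid), "process": proc, "base": base,
                     "inload": inload == "True", "ininit": ininit == "True",
                     "inmem": inmem == "True", "path": parts[6] if len(parts) == 7 else ""})
    return rows


def unlinked_modules(text: str) -> List[Tuple[str, str]]:
    """Modules missing from at least one PEB list, excluding the main executable,
    which is legitimately absent from InInit (InInit False only, path matches process)."""
    hits = []
    for r in parse_ldrmodules(text):
        basename = r["path"].rsplit("\\", 1)[-1].lower()
        main_image = basename == r["process"].lower() and r["inload"] and r["inmem"]
        if not (r["inload"] and r["ininit"] and r["inmem"]) and not main_image:
            hits.append((r["base"], r["path"]))
    return hits


if __name__ == "__main__":
    print("running:", running_processes(PSXVIEW_SAMPLE))
    print("hidden from pslist:", hidden_from_pslist(PSXVIEW_SAMPLE))
    print("unlinked modules:", unlinked_modules(LDRMODULES_SAMPLE))
```

To use it on a real image, pipe the plugin output into the two parse functions (for example, read it from files saved with `volatility ... psxview > psxview.txt`). The ExitTime check matters: psxview also lists terminated processes that still linger in pool memory, and those show False in several columns without being malicious.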
Q8: What is the base address of the injected dll?
Command: volatility -f FILENAME.raw --profile=WinXPSP2x86 malfind -p 880 (the region malfind reports for PID 880 starts with an MZ header, i.e. a PE image mapped into private memory; its start is the DLL's base address and matches the Base column ldrmodules prints for msxml3r.dll)
Ans: 0x980000