2. Analyzing Process Objects

Process objects

- Memory sections: every process has a (virtual) space, called Virtual Memory Pages, where DLLs and files are loaded and data is stored. The VAD tree maintains a list of these assigned memory sections.
- Sockets: these are network connection endpoints.
- DLLs: define the capabilities of a process. For example, if a process needs to communicate via HTTP, it will load the WININET.dll file.
- Handles: a pointer to a resource.
  - File handles: which items in the file system are being accessed.
  - Directory handles: known lists within the kernel that allow the process to find kernel objects, like KnownDlls, BaseNamedObjects, Callbacks, Device and Drivers.
  - Registry handles: registry keys the process is reading or writing to.
  - Mutex or semaphore handles (mutants): these objects control or limit access to a resource. Worms use this to mark a system so they do not spend time reinfecting it.
  - Event handles: events are a way for process threads to communicate.
- Threads: smallest unit of execution; the workhorse of a process.

Volatility object plugins

- dlllist: displays the loaded DLLs and the command line used to start each process. With the "-p" option you can get the info for a specific process if you give the Process ID:

  vol.py -f <imagename> dlllist -p <PID>

  Output for each loaded DLL:
  - Base offset: useful for further analysis (dlldump plugin to extract individual DLLs)
  - DLL size
  - Load count: shows if the DLL was statically or dynamically loaded (not that interesting)
  - Load time: when it was loaded in the process (e.g. to check if a DLL was added later / injection)
  - DLL file path
- cmdline: display command line args for each process.
- getsids
- handles
- mutantscan: scan memory for mutant objects (KMUTANT).

Legend (note categories):
- Command / use tool
- Internal Content (what is in the file or log described) or output
- Audit / Place to look up forensic artifacts
- Feature/functionality
- why is it used...
- sub category
- Find First Hit
- Description/extra info
- Tool
- Solution
- Bad, needs extra attention
- Bad standard config that needs a config
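As an added example (not part of these notes), a small Python parser over a constructed sample of Volatility 2 dlllist output that applies the Load time check described for dlllist: any DLL loaded well after the process's earliest module is flagged as a candidate for later injection. The sample text, its column layout and the 5-minute gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample approximating Volatility 2 dlllist output (not a real capture).
SAMPLE = """\
************************************************************************
explorer.exe pid:   1632
Command line : C:\\WINDOWS\\Explorer.EXE

0x0000000000400000           0x2d0000             0xffff 2024-03-01 08:00:00 UTC+0000   C:\\WINDOWS\\Explorer.EXE
0x0000000077c00000           0x1aa000             0xffff 2024-03-01 08:00:00 UTC+0000   C:\\WINDOWS\\SYSTEM32\\ntdll.dll
0x0000000074a00000            0x2b000                0x1 2024-03-01 08:00:01 UTC+0000   C:\\WINDOWS\\SYSTEM32\\WININET.dll
0x0000000010000000            0x1c000                0x1 2024-03-01 13:42:17 UTC+0000   C:\\Users\\Public\\update.dll
"""

HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
CMD_RE = re.compile(r"^Command line : (?P<cmd>.*)$")
DLL_RE = re.compile(  # Base  Size  LoadCount  LoadTime  Path (assumed layout)
    r"^(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<count>0x[0-9a-fA-F]+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+(?P<path>.+?)\s*$"
)

def parse_dlllist(text):
    """Return {pid: {"name", "cmdline", "dlls": [(path, load_time, base)]}}."""
    procs, cur = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):            # "name pid:   NNNN" starts a process block
            cur = procs.setdefault(int(m["pid"]), {"name": m["name"], "cmdline": "", "dlls": []})
        elif cur and (m := CMD_RE.match(line)):
            cur["cmdline"] = m["cmd"]
        elif cur and (m := DLL_RE.match(line)):   # one row per loaded module
            t = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")
            cur["dlls"].append((m["path"], t, int(m["base"], 16)))
    return procs

def late_loads(proc, min_gap=timedelta(minutes=5)):
    """Paths of DLLs loaded at least min_gap after the earliest module: not part of the
    normal startup import set, so worth a closer look (possible later injection)."""
    if not proc["dlls"]:
        return []
    start = min(t for _, t, _ in proc["dlls"])
    return [path for path, t, _ in proc["dlls"] if t - start >= min_gap]

if __name__ == "__main__":
    for pid, p in parse_dlllist(SAMPLE).items():
        print(f"{p['name']} (pid {pid}) cmdline: {p['cmdline']}")
        for path in late_loads(p):
            print("  loaded long after start, check for injection:", path)
```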
