nerdexam
GIAC

GCIH · Question #657

Which of the following statements describes the data below from volatility's pstree plugin?

The correct answer is C. Explorer.exe was the parent process for firefox.exe. Volatility's pstree plugin displays processes in an indented parent-child hierarchy, allowing analysts to determine which process spawned another. The correct answer reflects that Explorer.exe, as the Windows shell process, is typically the direct parent of applications launched

Malware Analysis & Advanced Persistent Threats

Question

Which of the following statements describes the data below from volatility's pstree plugin?

Exhibit

GCIH question #657 exhibit

Options

  • ACmd.exe was the child process of OneDrive.exe
  • BChrmstp.exe was launched by MSASCuiL.exe
  • CExplorer.exe was the parent process for firefox.exe
  • DNotepad.exe was launched with Administrative privileges

How the community answered

(30 responses)
  • A
    7% (2)
  • B
    7% (2)
  • C
    73% (22)
  • D
    13% (4)

Why each option

Volatility's pstree plugin displays processes in an indented parent-child hierarchy, allowing analysts to determine which process spawned another. The correct answer reflects that Explorer.exe, as the Windows shell process, is typically the direct parent of applications launched by a user.

ACmd.exe was the child process of OneDrive.exe

The pstree data would show cmd.exe indented under a process such as explorer.exe or another shell host, not under OneDrive.exe, which is a file sync client with no operational reason to spawn a command shell.

BChrmstp.exe was launched by MSASCuiL.exe

Chrmstp.exe is a Chrome installer or setup component that would appear as a child of an update or installer process, not of MSASCuiL.exe, which is the Windows Defender system tray notification icon.

CExplorer.exe was the parent process for firefox.exeCorrect

In a standard Windows user session, Explorer.exe (the shell) is the parent process for applications launched from the desktop or taskbar. Volatility's pstree output would show firefox.exe indented directly beneath explorer.exe, indicating a parent-child relationship consistent with a user launching Firefox through the normal shell environment.

DNotepad.exe was launched with Administrative privileges

The pstree plugin output displays process names, PIDs, and parent-child nesting but does not report privilege levels or whether a process was launched with administrative rights.

Concept tested: Reading process parent-child relationships in Volatility pstree

Source: https://volatility3.readthedocs.io/en/stable/

Topics

#Volatility#pstree#process tree#memory forensics

Community Discussion

No community discussion yet for this question.

Full GCIH Practice