GCIH Question #664: Real Exam Question with Answer & Explanation

The correct answer is C: pslist. The pslist Volatility plugin enumerates running processes from the EPROCESS linked list, displaying image paths and command-line arguments used to launch each application.

Malware Analysis & Advanced Persistent Threats

Question

Which volatility plugin shows the command line path for a recently launched application?

Options

  • A. hivelist
  • B. dlllist
  • C. pslist
  • D. netscan

Explanation

The pslist Volatility plugin enumerates running processes from the EPROCESS linked list, displaying image paths and command-line arguments used to launch each application.

Common mistakes.

  • A. The hivelist plugin locates and displays registry hive structures loaded in memory and provides no information about process command-line paths.
  • B. The dlllist plugin enumerates dynamic-link libraries loaded into each process's address space and is not the primary tool for viewing a process launch path.
  • D. The netscan plugin scans memory pools for active and recently terminated network connection structures and is unrelated to process launch paths.

Concept tested. Volatility pslist plugin for process path analysis

Reference. https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pslist

Topics

Volatility framework, memory forensics, process analysis, forensic plugins
