Computer Hacking Forensic Investigator (CHFI v10) — Question 279

Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim's computer. The investigator uses
the Volatility Framework to analyze the RAM contents: which plugin helps the investigator identify hidden processes or injected code/DLLs in the memory dump?

Answer options

Correct answer: A

Explanation

The correct answer is malfind, as it is specifically designed to identify hidden processes and injected code in memory. Among the other options, pslist lists the running processes without revealing hidden ones, while mallist and malscan are not standard Volatility plugins for identifying hidden malware.