GIAC Certified Incident Handler (GCIH) — Question 52

Which volatility plugin shows the command line path for a recently launched application?

Answer options

• A. hivelist
• B. dlllist
• C. pslist
• D. netscan

Correct answer: D

Explanation

The correct answer is D, netscan, because it is designed to list network connections and associated command lines for applications, which includes the path for recently launched applications. Options A, B, and C do not provide information about command line paths; hivelist focuses on registry hives, dlllist lists loaded DLLs, and pslist shows running processes without command line details.