GIAC Certified Incident Handler (GCIH) — Question 92
Considering Volatility, why would psscan return more results than pslist?
Answer options
- A. The psscan plugin is known to provide duplicate results
- B. The psscan plugin searches a longer timeline
- C. The psscan plugin can access a list of processes directly from the kernel
- D. The psscan plugin identifies hidden processes
Correct answer: C
Explanation
The correct answer is C because the psscan plugin's ability to access process information directly from the kernel allows it to uncover processes that may not be visible through other methods. Options A and B are incorrect because they do not explain the fundamental capability of psscan. Option D, although partially true, does not encompass the broader capability of accessing kernel-level data.