Detecting and Identifying Hidden Processes (Rekall Edition)
Volatility is a powerful framework for memory forensics. It offers a variety of plugins that let investigators analyze memory dumps, detect malicious activity, and uncover hidden processes. For example, the psscan plugin can identify processes that do not appear in the standard process listing.
Another excellent framework for advanced memory forensics is Rekall. Like Volatility, Rekall includes plugins such as psscan, pslist, and netscan that perform the same jobs, but each framework has its own features and differs in how it is operated.
One key difference is how each framework learns what kind of memory image it is looking at. In Volatility 2.x you must first run the imageinfo plugin to find the right profile (operating system version and build) and then pass that profile with --profile to every later command. In Rekall this step is much simpler: you can just run rekall.exe -f your_memory_image.raw (or rekal on Linux and macOS).
Rekall detects the kernel build itself and loads the matching profile, so no extra parameters are needed and you land directly in its interactive console. One practical caveat: the first time Rekall meets a kernel build it has not seen before it fetches the profile from its profile repository, so a fully offline analysis machine needs a local copy of that repository.
You can see the results in the screenshot below:
As an example, we can run the netscan plugin to list network connections and sockets together with the PID and name of the process that owns each one, which shows which processes have made remote connections:
To list the running processes, much like tasklist on a live system, use the pslist plugin in Rekall, exactly as in Volatility. Note that pslist walks the kernel's linked list of active processes (ActiveProcessLinks), so a process that malware has unlinked from that list will not show up here. Below, you can see the results:
To detect hidden processes with Rekall, run the psscan plugin. Instead of walking the process list, psscan scans memory for the pool allocations that hold _EPROCESS structures, so it also finds processes that have been unlinked from the list (DKOM) as well as processes that have already exited but whose structures have not yet been reused. A process that appears in psscan but not in pslist is therefore a candidate hidden process; check its exit time before raising the alarm, because a recently terminated process is the usual benign explanation for such an entry. The results will appear as shown in the screenshot below:
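The comparison described above is easy to do by hand on a screenshot but tedious on a real image with hundreds of processes. As an added example (not code from the original post or from the Rekall project), the following Python script cross-references pslist, psscan and netscan output: it reports every psscan hit missing from pslist, separates the ones that have already exited from the ones that are still running, and then looks up which network connections the still-running hidden processes own. The three tables embedded in the script are constructed sample data, simplified to the columns the script needs; real Rekall output has more columns and different spacing, so the two parse functions are the part to adapt to the renderer you use.

```python
"""Cross-reference pslist, psscan and netscan listings to find hidden processes.

Added example, not code from the original post or from the Rekall project.
The tables below are constructed sample data, reduced to the columns needed
here; real Rekall output has more columns and different spacing, so adapt
parse_processes() and parse_connections() to the output you actually have.
"""
from dataclasses import dataclass

# Constructed sample output: what pslist (linked-list walk) returns.
PSLIST = """\
_EPROCESS        name          pid   ppid  exit_time
0xfa8001a3c040   System        4     0     -
0xfa8002b1f060   explorer.exe  1240  1180  -
0xfa8002c55b30   svchost.exe   880   612   -
"""

# Constructed sample output: psscan (pool scan) finds two extra _EPROCESS
# structures, one exited notepad.exe and one still-running updater.exe that
# is not linked into the active process list.
PSSCAN = """\
_EPROCESS        name          pid   ppid  exit_time
0xfa8001a3c040   System        4     0     -
0xfa8002b1f060   explorer.exe  1240  1180  -
0xfa8002c55b30   svchost.exe   880   612   -
0xfa8002d77a10   notepad.exe   2312  1240  2019-05-10 08:14:02
0xfa8002e90b80   updater.exe   2860  612   -
"""

# Constructed sample output: TCP rows only (UDP rows in real netscan output
# have no remote address or state and would need their own handling).
NETSCAN = """\
offset          proto  local                remote           state        pid   owner
0xfa8002f10a00  TCPv4  192.168.1.20:49712   203.0.113.5:443  ESTABLISHED  2860  updater.exe
0xfa8002f30b00  TCPv4  192.168.1.20:49720   192.168.1.1:445  ESTABLISHED  4     System
"""


@dataclass(frozen=True)
class Process:
    offset: str     # _EPROCESS address as printed by the plugin; the stable key
    name: str
    pid: int
    ppid: int
    exit_time: str  # "-" while the process is still running


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    owner: str


def parse_processes(text):
    """Parse '<_EPROCESS> <name> <pid> <ppid> <exit_time...>' rows into a dict keyed by address."""
    procs = {}
    for line in text.splitlines()[1:]:          # first line is the header
        tokens = line.split()
        if len(tokens) < 5:
            continue
        offset, name, pid, ppid = tokens[:4]
        procs[offset] = Process(offset, name, int(pid), int(ppid), " ".join(tokens[4:]))
    return procs


def parse_connections(text):
    """Parse '<offset> <proto> <local> <remote> <state> <pid> <owner>' rows."""
    conns = []
    for line in text.splitlines()[1:]:
        tokens = line.split()
        if len(tokens) != 7:
            continue
        _offset, proto, local, remote, state, pid, owner = tokens
        conns.append(Connection(proto, local, remote, state, int(pid), owner))
    return conns


def find_hidden(pslist_text, psscan_text):
    """Return (hidden, terminated): psscan hits absent from pslist, split on whether the process exited.

    Keying on the _EPROCESS address rather than the PID avoids false matches
    when a PID has been reused by a later process.
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    hidden, terminated = [], []
    for offset, proc in scanned.items():
        if offset in listed:
            continue
        (terminated if proc.exit_time != "-" else hidden).append(proc)
    return hidden, terminated


def connections_for(procs, netscan_text):
    """Connections whose owning PID belongs to one of the given processes."""
    pids = {p.pid for p in procs}
    return [c for c in parse_connections(netscan_text) if c.pid in pids]


if __name__ == "__main__":
    hidden, terminated = find_hidden(PSLIST, PSSCAN)
    for p in terminated:
        print(f"exited, probably benign: {p.name} pid={p.pid} exit_time={p.exit_time}")
    for p in hidden:
        print(f"HIDDEN (in psscan, not in pslist): {p.name} pid={p.pid} ppid={p.ppid} at {p.offset}")
    for c in connections_for(hidden, NETSCAN):
        print(f"  owns {c.proto} {c.local} -> {c.remote} ({c.state})")
```

Feeding the script real output is a matter of saving each plugin's listing to a file (Rekall and Volatility can both run a single plugin non-interactively and print to stdout) and reading those files in place of the three constructed strings. The split between exited and still-running processes is the check that keeps psscan from producing a wall of alarms: on a busy system the terminated list is long and almost always harmless, while a still-running process that pslist cannot see deserves a closer look, starting with whatever remote endpoints it is talking to.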
Enjoy :)