Windows Memory Forensics Technical Guide Part 3

Investigating Process Objects and Network Activity.

Generally speaking, an object is a data structure that represents a system resource, such as a file, thread, or graphic image. Kernel objects in Windows come in thirty-seven different types, including processes, threads, mutexes, files, registry hives, etc. To access an object, an application must obtain a so-called object handle, which it then uses to interact with the object. Each kernel object keeps track of the number of handles opened to it from user space, as well as the count of pointers to it held by kernel modules. The handle count ensures that a kernel object is not destroyed while an open handle still points to it.
By examining object handles we may be able to identify hidden processes. If any process holds a handle to another process in its handle table, the referenced process must exist, or must have been present on the system at some point in time.
Handles also reveal which objects a process accessed: for example, which files it manipulated and which registry keys it opened.


Handles

The Volatility handles plugin enumerates all handles opened on the investigated system. Keep in mind that the output of this plugin is very long, as the number of open handles per process can reach thousands. It is advisable to limit the output to handles belonging to a specified process (use the command-line argument -p PID, or -n partOfProcessName to display handles of processes whose name matches the given fragment), or to include only handles of a specific type. The five most useful handle types for forensic purposes are:

  • File for file objects,
  • Process for process handles – a parent process always holds a handle to the child process it spawned,
  • Key for registry keys,
  • Thread to see which threads belong to the process,
  • Mutant to display mutex structures.

To limit the handles plugin output to specified types, run it with -t <Type1,Type2,…>. Note that type names are case-sensitive. To further shorten the output, use the -s parameter, which excludes unnamed handles. Most of the time this does not have any impact on the investigation…
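The following script is an added example, not code from the guide or from the Volatility project. It reproduces offline what the -p, -t and -s filters do on a saved handles listing, and then applies the idea from the introduction: a Process handle whose target is missing from the process list is a candidate hidden process. The column layout mirrors the Volatility 2 handles plugin, the "image(pid)" form of the Details column for Process handles is an assumption about that plugin's output, and every offset, PID and name in the sample is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of the Volatility 2 "handles" plugin
# (Offset(V), Pid, Handle, Access, Type, Details). Offsets, PIDs and names are
# made up; the "image(pid)" form of Details for Process handles is an assumption.
SAMPLE_HANDLES = """\
Offset(V)          Pid     Handle     Access     Type             Details
------------------ ------ ---------- ---------- ---------------- -------
0xfffffa8000c5e060    548        0x4        0x3 Directory        KnownDlls
0xfffffa8000c5e060    548        0x8   0x100020 File             \\Device\\HarddiskVolume1\\Windows
0xfffffa8000d1b9e0    548       0x1c   0x1fffff Process          svchost.exe(712)
0xfffffa8000d1b9e0    548       0x20   0x1fffff Process          evil.exe(1884)
0xfffffa8000c5e060    548       0x24    0x20019 Key              MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION
0xfffffa8000c5e060    548       0x28   0x1f0001 Mutant
0xfffffa8000c5e060    548       0x2c   0x1f0001 Mutant           Global\\CtorSample
0xfffffa8000e2f7c0    712       0x10   0x1fffff Thread           TID 736 PID 712
"""

# Constructed set of PIDs that a pslist run is assumed to have returned.
SAMPLE_PSLIST_PIDS = {4, 548, 712}

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)\s*(?P<details>.*)$"
)
PROCESS_DETAILS_RE = re.compile(r"^(?P<name>.+)\((?P<pid>\d+)\)$")


@dataclass(frozen=True)
class Handle:
    offset: int
    pid: int
    handle: int
    access: int
    type: str
    details: str


def parse_handles(text: str) -> list:
    """Parse the data rows of a handles listing; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(Handle(
            offset=int(m["offset"], 16),
            pid=int(m["pid"]),
            handle=int(m["handle"], 16),
            access=int(m["access"], 16),
            type=m["type"],
            details=m["details"].strip(),   # empty string means an unnamed handle
        ))
    return rows


def filter_handles(handles, pid=None, types=None, named_only=False):
    """Offline equivalent of -p PID, -t Type1,Type2 (case-sensitive) and -s."""
    out = []
    for h in handles:
        if pid is not None and h.pid != pid:
            continue
        if types is not None and h.type not in types:   # exact, case-sensitive match
            continue
        if named_only and not h.details:
            continue
        out.append(h)
    return out


def find_unlisted_processes(handles, pslist_pids):
    """Return (image, pid) pairs that some process holds a Process handle to,
    but which are absent from the process list: candidates for hidden processes."""
    found = set()
    for h in filter_handles(handles, types={"Process"}):
        m = PROCESS_DETAILS_RE.match(h.details)
        if m and int(m["pid"]) not in pslist_pids:
            found.add((m["name"], int(m["pid"])))
    return found


if __name__ == "__main__":
    handles = parse_handles(SAMPLE_HANDLES)
    for h in filter_handles(handles, pid=548, types={"Process", "Mutant"}, named_only=True):
        print(f"{h.pid:>6} {h.type:<8} {h.details}")
    print("referenced but not in pslist:", find_unlisted_processes(handles, SAMPLE_PSLIST_PIDS))
```

A handle held by another process is only one cross-view source; a process it flags should be confirmed against other listings (for example, pool-scan based process discovery) before being called hidden, since the handle may simply belong to a process that has since exited.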

Download the “Windows Memory Forensics Technical Guide Part 3” to learn more.
