Process tree

As was shown in the Redline section, responders need to see which parent process each child process was executed under. One indicator of a compromised system is a process running under a parent other than the one it is normally spawned by. The pstree plugin gives examiners a tree-like structure that identifies the parent process of any potentially suspect process. The Cridex image is run through this plugin with the following command:

dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem --profile=WinXPSP2x86 pstree

The command produces the following output:

An analysis of the results from the three plugins shows an interesting entry. PID 1640 is associated with the reader_sl.exe executable. The responder may focus on this because it does not look like an application that should be running on the system. Further, the parent PID indicates that it was launched from Windows Explorer:

From here, the responder can supplement the existing process data with additional data, such as which DLLs are loaded and other ancillary data.
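To show what the pstree view adds over a flat process list, here is an added example (not code from the book or from Volatility) that rebuilds a parent/child tree from pslist-style records and then checks each core Windows process against the parent it is expected to have. The process records are constructed for this example; only PID 1640 / reader_sl.exe under explorer.exe mirrors the finding in the text, and the other PIDs and the expected-parent allowlist are assumptions for a Windows XP host that should be adjusted for the OS version under examination.

```python
"""Rebuild a process tree from pslist-style records and flag parent anomalies."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int


# Constructed sample resembling Volatility pslist output for a Windows XP host.
# PID 1640 / reader_sl.exe under explorer.exe mirrors the Cridex finding in the text;
# every other PID here is made up for this example, not taken from the Cridex image.
SAMPLE = [
    Proc("System", 4, 0),
    Proc("smss.exe", 368, 4),
    Proc("csrss.exe", 584, 368),
    Proc("winlogon.exe", 608, 368),
    Proc("services.exe", 652, 608),
    Proc("lsass.exe", 664, 608),
    Proc("svchost.exe", 824, 652),
    Proc("svchost.exe", 1004, 652),
    Proc("spoolsv.exe", 1512, 652),
    Proc("explorer.exe", 1484, 1464),   # its parent (userinit.exe) has already exited
    Proc("reader_sl.exe", 1640, 1484),  # the suspect entry discussed in the text
    Proc("svchost.exe", 1900, 1484),    # constructed anomaly: svchost.exe under explorer.exe
]

# Expected parent for core Windows XP system processes (hypothetical allowlist;
# verify against the OS version of the image before relying on it).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}


def build_tree(procs):
    """Return (by_pid, children): a PID index and a map of ppid -> child Procs."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    return by_pid, children


def render_tree(procs):
    """Render pstree-style: one line per process, depth shown by leading dots."""
    by_pid, children = build_tree(procs)
    # Roots are processes whose parent is absent from the listing, e.g. System,
    # or explorer.exe whose userinit.exe parent exited before the capture.
    roots = [p for p in procs if p.ppid not in by_pid]
    lines = []

    def walk(p, depth):
        lines.append(f"{'.' * depth}{p.name} (pid {p.pid}, ppid {p.ppid})")
        for c in sorted(children[p.pid], key=lambda c: c.pid):
            walk(c, depth + 1)

    for r in sorted(roots, key=lambda r: r.pid):
        walk(r, 0)
    return lines


def parent_name(by_pid, p):
    """Name of p's parent, or a marker when the parent is no longer in the list."""
    return by_pid[p.ppid].name if p.ppid in by_pid else "<exited/unknown>"


def find_parent_anomalies(procs):
    """Return [(pid, name, actual_parent)] for system processes under an unexpected parent."""
    by_pid, _ = build_tree(procs)
    hits = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        actual = parent_name(by_pid, p)
        if actual not in expected:
            hits.append((p.pid, p.name, actual))
    return hits


def children_of(procs, wanted):
    """List (pid, name) of every child of processes named `wanted`, e.g. explorer.exe."""
    _, children = build_tree(procs)
    out = []
    for p in procs:
        if p.name.lower() == wanted.lower():
            out.extend((c.pid, c.name) for c in sorted(children[p.pid], key=lambda c: c.pid))
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE)))
    print("\nChildren of explorer.exe:", children_of(SAMPLE, "explorer.exe"))
    print("Parent anomalies:", find_parent_anomalies(SAMPLE))
```

The allowlist check only covers processes the responder already knows the lineage of; reader_sl.exe is not on it, so it is surfaced by `children_of` (what was launched from Explorer) rather than by `find_parent_anomalies`, which is the same two-step reasoning the text applies: look at the tree, then ask whether each parent makes sense.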
