The handles plugin

The handles plugin allows analysts to view what types of handles are open in an existing process. Handles are references to resources that are managed by the operating system, so this data gives the responder an understanding of the specific objects an application or process is using. This covers a wide variety of information, including the registry keys and files associated with that process. To identify the open handles for PID 1640, which was previously identified, the following command is used:

dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem --profile=WinXPSP2x86 -p 1640 handles

The command produces the following output:

As the output indicates, the suspect process has several open handles to processes, threads, and registry keys. These may become important data points moving forward and give some indication of the behavior of the reader_sl.exe executable.
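The handles output for a busy process can run to hundreds of lines, so a responder usually wants it grouped by handle type before deciding which files, keys, processes and threads deserve attention. The following Python is an added example and is not code from the book or from the Volatility project: it parses the fixed-column text that the Volatility 2 handles plugin prints, counts handles per type for a chosen PID, and lists the details for one type. The sample output embedded below is constructed for this example (it is not the real output for cridex_laptop.mem), and the check for Run-family registry keys is an assumed analyst heuristic, not something the excerpt describes.

```python
"""Group Volatility 2 'handles' output by type for one PID.

Added example, not from the book or the Volatility project. The text
below is a constructed sample in the Volatility 2 handles column
layout (Offset(V), Pid, Handle, Access, Type, Details); offsets, PIDs
and paths are illustrative only.
"""
import re
from collections import Counter

# Constructed sample output; not data from the cridex_laptop.mem image.
SAMPLE_OUTPUT = r"""
Volatility Foundation Volatility Framework 2.6
Offset(V)  Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x80ed5d18   1640        0x4        0x3 KeyedEvent       CritSecOutOfMemoryEvent
0xff9f5a78   1640        0x8    0xf0003 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xff9e6e30   1640        0xc   0x100020 File             \Device\HarddiskVolume1\WINDOWS\system32
0xff9d7da0   1640       0x10   0x1f0fff Thread           TID 1660 PID 1640
0xff9b0020   1640       0x14   0x1f0fff Process          explorer.exe(1484)
0xff9e5c88   1640       0x18   0x100001 File             \Device\HarddiskVolume1\WINDOWS\system32\user32.dll
0xff9d1f38   1640       0x1c    0xf0003 Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
"""

# One data row: virtual offset, pid, handle value, access mask, type, free-text details.
HANDLE_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*(.*?)\s*$"
)


def parse_handles(text):
    """Return a list of dicts, one per handle row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if not m:
            continue
        offset, pid, handle, access, htype, details = m.groups()
        rows.append({
            "offset": offset,
            "pid": int(pid),
            "handle": int(handle, 16),
            "access": int(access, 16),
            "type": htype,
            "details": details,
        })
    return rows


def summarize_by_type(handles, pid):
    """Count handles of each type held by the given PID."""
    return Counter(h["type"] for h in handles if h["pid"] == pid)


def details_for(handles, pid, htype):
    """List the Details column for every handle of one type held by the PID."""
    return [h["details"] for h in handles if h["pid"] == pid and h["type"] == htype]


def autostart_keys(handles, pid):
    """Assumed heuristic: registry Key handles pointing at Run or RunOnce.

    A process holding an open handle to an autostart key is worth a closer
    look during persistence analysis; this is the example's assumption, not
    a rule stated in the book.
    """
    suffixes = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")
    return [
        h["details"]
        for h in handles
        if h["pid"] == pid and h["type"] == "Key" and h["details"].upper().endswith(suffixes)
    ]


if __name__ == "__main__":
    rows = parse_handles(SAMPLE_OUTPUT)
    for htype, count in summarize_by_type(rows, 1640).most_common():
        print(f"{htype:<12} {count}")
    print("Process handles:", details_for(rows, 1640, "Process"))
    print("Autostart keys: ", autostart_keys(rows, 1640))
```

In practice the text would come from redirecting the plugin's output to a file (for example `volatility ... -p 1640 handles > handles_1640.txt`) and reading that file in place of SAMPLE_OUTPUT; the parser only relies on the column layout, so it works unchanged on output for any PID.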
