psscan is a useful plugin that allows the analyst to examine processes that have been terminated. As was previously discussed, pslist only shows active processes. psscan can provide data about the possibility of a rootkit through the examination of those processes that have been unlinked or hidden. The following command will execute the plugin:
dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem -profile=WinXPSP2x86 psscan
The command produces the following output:
From the output of this plugin, it does not appear that any additional processes have exited. The responder can then start to look at the existing processes for any that may appear to be malicious.