Pool scan for _FILE_OBJECT
Usage
- Hidden open files
- Suspicious handles
Commands
# Scan memory for file objects (Vol2)
vol2.exe -f <mem> --profile=<profile> filescan
# Scan memory for file objects (Vol3)
vol.exe -f <mem> windows.filescan
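Added example (not part of the original note, not Volatility code): a small triage helper that parses Volatility 3 `windows.filescan` output (tab-separated Offset / Name / Size, which is what the plugin prints) and flags executable-looking file objects that live in user-writable locations. The sample output lines are constructed, not from a real image; the directory patterns and extension list are this example's own heuristics for "suspicious" and should be tuned for the environment. The Vol2 `filescan` layout (Offset(P), #Ptr, #Hnd, Access, Name) is different and would need its own parser.

```python
import re

# Constructed sample in the shape of `vol.exe -f <mem> windows.filescan` output.
# Offsets and names are made up for this example.
SAMPLE_OUTPUT = "\n".join([
    "Offset\tName\tSize",
    "0x9e8b1234a5b0\t\\Windows\\System32\\ntdll.dll\t216",
    "0x9e8b12d8f7c0\t\\Users\\alice\\AppData\\Local\\Temp\\update.exe\t216",
    "0x9e8b1301a2e0\t\\Users\\alice\\Documents\\report.docx\t216",
    "0x9e8b13ab9d10\t\\ProgramData\\svchost.exe\t216",
    "0x9e8b13cc4f00\t\\Windows\\Temp\\x.dll\t216",
])

# Example heuristics (assumptions, not a Volatility feature): executable file
# objects in per-user temp, the system temp, or directly under ProgramData.
SUSPICIOUS_PATTERNS = (
    r"^\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"^\\windows\\temp\\",
    r"^\\programdata\\[^\\]+$",
)
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs", ".js")


def parse_filescan(text):
    """Parse tab-separated windows.filescan text into dicts; skips the header."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or parts[0] == "Offset":
            continue
        offset, name, size = parts[0], parts[1], parts[2]
        rows.append({"offset": int(offset, 16), "name": name, "size": int(size)})
    return rows


def is_suspicious(name):
    """True when the path has an executable extension and sits in a flagged dir."""
    low = name.lower()
    if not low.endswith(EXEC_EXT):
        return False
    return any(re.search(p, low) for p in SUSPICIOUS_PATTERNS)


def triage(text):
    """Return the parsed rows worth a closer look, in output order."""
    return [r for r in parse_filescan(text) if is_suspicious(r["name"])]


if __name__ == "__main__":
    for row in triage(SAMPLE_OUTPUT):
        print(f"{row['offset']:#x}\t{row['name']}")
```

Feed it the real plugin output (for example `vol.exe -f <mem> windows.filescan > filescan.txt`, then `triage(open("filescan.txt").read())`) and review the hits alongside the owning process and handle information before drawing conclusions; a path match alone is a lead, not a verdict.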