Let's use the windows.info plugin (Volatility 3's replacement for the older imageinfo plugin) to analyse our memory dump file and determine the operating system:
python3 vol.py -f workstation.vmem windows.info
To discover what processes were running on the system, use windows.pslist:
python3 vol.py -f workstation.vmem windows.pslist
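To discover what a specific process was actually doing, use windows.psscan, which scans memory for process objects and so also finds terminated or unlinked processes that windows.pslist does not show: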
python3 vol.py -f workstation.vmem windows.psscan
To export a specific binary so that we can analyse it further through static or dynamic analysis, use windows.dumpfiles with the PID of the process:
python3 vol.py -f workstation.vmem windows.dumpfiles --pid 4640
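
A common follow-up to the pslist and psscan steps above is to diff their results: a process that psscan finds but pslist does not has either exited or been unlinked from the active process list. The script below is an added example, not part of the original walkthrough; it assumes both plugins were run with Volatility 3's CSV renderer (-r csv), and the sample rows, process names and PIDs other than 4640 are constructed for illustration.

```python
import csv
import io

# Constructed sample output (not taken from workstation.vmem), trimmed to the
# columns used here. Real output has more columns and comes from:
#   python3 vol.py -r csv -f workstation.vmem windows.pslist
#   python3 vol.py -r csv -f workstation.vmem windows.psscan
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,CreateTime,ExitTime
0,4,0,System,2024-01-01 09:00:00,N/A
0,612,4,smss.exe,2024-01-01 09:00:01,N/A
0,4640,2040,example.exe,2024-01-01 09:12:40,N/A
"""
PSSCAN_CSV = """TreeDepth,PID,PPID,ImageFileName,CreateTime,ExitTime
0,4,0,System,2024-01-01 09:00:00,N/A
0,612,4,smss.exe,2024-01-01 09:00:01,N/A
0,4640,2040,example.exe,2024-01-01 09:12:40,N/A
0,3120,4640,cmd.exe,2024-01-01 09:13:02,2024-01-01 09:13:05
0,5288,4640,hidden.exe,2024-01-01 09:13:10,N/A
"""


def load(csv_text):
    """Map PID -> row for one plugin's CSV output (columns looked up by name)."""
    return {int(r["PID"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def only_in_psscan(pslist_csv, psscan_csv):
    """Return (pid, ppid, name, reason) for processes psscan sees but pslist misses."""
    listed, scanned = load(pslist_csv), load(psscan_csv)
    findings = []
    for pid in sorted(scanned.keys() - listed.keys()):
        row = scanned[pid]
        # An exit time explains the absence from the active list; no exit time
        # means the entry deserves a closer look (it may also be a stale structure).
        exited = row["ExitTime"] not in ("", "N/A")
        reason = "exited" if exited else "no exit time: possibly unlinked"
        findings.append((pid, int(row["PPID"]), row["ImageFileName"], reason))
    return findings


if __name__ == "__main__":
    for finding in only_in_psscan(PSLIST_CSV, PSSCAN_CSV):
        print(*finding, sep="\t")
```

PIDs flagged without an exit time are good candidates for the windows.dumpfiles --pid step shown above.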