Searching for opened documents
In some cases, you may want to understand if any Microsoft Office files or just text files were opened by corresponding applications. Why? They may contain passwords or some data that's valuable from an investigative perspective. Volatility has several plugins that allow you to work with files in memory. For example, the filescan plugin allows you to get information about all the files that were encountered in the memory dump, and dumpfiles allows you to try to extract these files (remember that some files may be unloaded at the time the dump is created). So, how do we find a file that's been opened in MS Word?
Documents in process memory
If we pay attention to the Process ID (PID) column, we will see that our WINWORD.exe process has an ID of 1592. We can use this ID with the -p option to run Volatility plugins only for this process. If we want to see what resources our process used, the handles plugin can help us. Let's use this...
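As an added example (not from the book or from Volatility itself), the following Python script picks the document handles out of the output that the handles plugin produces for a single PID. The sample output is constructed here and approximates the column layout of Volatility 2's handles plugin; the list of document extensions is an assumption you can extend.

```python
import re

# Assumption: extensions of investigative interest (Office and plain-text documents).
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf", ".pdf")

# Constructed sample approximating "vol.py ... handles -p 1592" output (not real dump data).
SAMPLE_HANDLES = r"""
Offset(V)          Pid      Handle     Access     Type             Details
------------------ ------ ---------- ---------- ---------------- -------
0x85f3c2a0           1592        0x4c   0x100020 File             \Device\HarddiskVolume2\Windows
0x85f3d8b8           1592        0x5c   0x120089 File             \Device\HarddiskVolume2\Users\user\Documents\passwords.docx
0x85f41f20           1592        0x60   0x12019f File             \Device\HarddiskVolume2\Users\user\Desktop\notes.txt
0x85f42a48           1592        0x64   0x100001 Key              MACHINE\SOFTWARE\MICROSOFT\OFFICE
0x85f43c10           1592        0x68   0x120089 File             \Device\HarddiskVolume2\Users\user\AppData\Local\Temp\~WRL0001.tmp
"""

# One data row: offset, pid, handle value, access mask, object type, free-form details.
HANDLE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)\s*(?P<details>.*)$"
)


def parse_handles(text):
    """Parse handles plugin output into a list of dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HANDLE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def opened_documents(text, pid=None, extensions=DOC_EXTENSIONS):
    """Return (pid, virtual offset, path) for File handles whose name ends with a document extension.

    Only File-type handles are considered, so registry keys and other objects are ignored.
    """
    wanted = tuple(e.lower() for e in extensions)
    hits = []
    for row in parse_handles(text):
        if row["type"] != "File":
            continue
        if pid is not None and int(row["pid"]) != pid:
            continue
        path = row["details"].strip()
        if path.lower().endswith(wanted):
            hits.append((int(row["pid"]), row["offset"], path))
    return hits


if __name__ == "__main__":
    for p, off, path in opened_documents(SAMPLE_HANDLES, pid=1592):
        print(f"PID {p} handle object at {off}: {path}")
```

The temporary ~WRL*.tmp file in the sample is deliberately not matched; if you want Word's autosave artifacts as well, add ".tmp" to the extension list.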