Process Connection Volatility3 Plugin
proccon.py – Process Connectivity & Visualization (Volatility 3 Plugin)
proccon.py is a Volatility 3 plugin designed to provide process visualization and relationship mapping from a Windows memory dump.
While it does not perform direct forensic analysis, it serves as a critical utility for post-processing and visualizing process hierarchy data.
The plugin extracts Parent-Child process relationships and outputs them as a Graphviz DOT file, enabling investigators to generate graphical representations of the system’s process tree at the time of capture.
Key Capabilities
Process Tree Extraction
Efficiently iterates through the complete process list obtained via Volatility’s windows.pslist plugin to map:
- PID (Process ID) → PPID (Parent Process ID)
This provides a foundational dataset for visual process relationship mapping.
Graphviz DOT Output
Automatically generates a structured .dot file compatible with Graphviz visualization tools such as:
- dot
- neato
- Online renderers and graphing tools
This output can be rendered into network-style process trees, allowing investigators to:
- Visualize process spawning chains
- Detect irregular or unexpected parent-child relationships
- Identify suspicious execution flows in malware investigations
Visualization Focus
The plugin emphasizes connectivity and hierarchy, providing a clear visual representation of process structures that supports:
- Anomaly Detection: Spot abnormal or hidden parent-child relationships
- Malware Analysis: Map execution chains to trace malicious process origins
- System Understanding: Reveal the operational process tree at the time of memory capture
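The following is an added example, not the plugin's own source code. It shows the two steps the description above outlines (building the PID → PPID mapping and emitting a Graphviz DOT digraph) together with one of the anomaly checks the output is meant to support: flagging processes whose parent PID is absent from the list. The process records are constructed inline so the example runs offline; in a real Volatility 3 run they would come from the `windows.pslist` plugin. The process names, PIDs and the `proctree` graph name are assumptions for illustration only.

```python
"""Build a Graphviz DOT process tree from PID/PPID records (added example)."""

# Constructed sample records: (pid, ppid, image name). Not taken from any real
# dump; in practice these would be read from Volatility's windows.pslist output.
SAMPLE_PROCS = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (520, 368, "csrss.exe"),
    (600, 368, "wininit.exe"),
    (700, 600, "services.exe"),
    (1204, 700, "svchost.exe"),
    (2480, 1204, "explorer.exe"),   # constructed: unusual parent for explorer
    (3012, 9999, "updater.exe"),    # constructed: parent PID not in the list
]


def build_table(procs):
    """Return {pid: (ppid, name)}: the PID -> PPID mapping keyed on PID."""
    return {pid: (ppid, name) for pid, ppid, name in procs}


def find_orphans(procs):
    """PIDs whose parent is not present in the process list.

    PPID 0 is skipped: on Windows the System process legitimately reports
    parent 0, which pslist does not enumerate as a process.
    """
    table = build_table(procs)
    return sorted(pid for pid, (ppid, _) in table.items()
                  if ppid != 0 and ppid not in table)


def _escape(label):
    """Escape double quotes so the label is valid inside a DOT string."""
    return label.replace('"', '\\"')


def to_dot(procs, graph_name="proctree"):
    """Render the parent -> child relationships as a DOT digraph.

    Every process becomes a box node labelled "name (pid)". Each edge runs
    from parent to child. A parent that is missing from the list gets a
    dashed placeholder node, so orphans remain visible once rendered.
    """
    table = build_table(procs)
    lines = [f"digraph {graph_name} {{", "    node [shape=box];"]
    for pid, (_, name) in table.items():
        lines.append(f'    p{pid} [label="{_escape(name)} ({pid})"];')
    placeholders = set()
    for pid, (ppid, _) in table.items():
        if ppid == pid:           # guard against a self-referencing record
            continue
        if ppid not in table and ppid not in placeholders:
            placeholders.add(ppid)
            lines.append(f'    p{ppid} [label="<missing> ({ppid})" style=dashed];')
        lines.append(f"    p{ppid} -> p{pid};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(SAMPLE_PROCS))
    print("# orphaned PIDs:", find_orphans(SAMPLE_PROCS))
```

Writing the returned string to a `.dot` file and running `dot -Tpng proctree.dot -o proctree.png` renders the tree; the dashed placeholder nodes and the orphan list are the places to look first when checking for irregular parent-child relationships.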