diff --git a/connections-image1.txt b/connections-image1.txt
new file mode 100644
index 0000000..ac1bf02
--- /dev/null
+++ b/connections-image1.txt
@@ -0,0 +1,4 @@
+Offset(P) Local Address Remote Address Pid
+---------- ------------------------- ------------------------- ---
+0x01ff1330 192.168.187.130:1037 99.1.23.71:443 3708
+0x023c9638 192.168.187.130:1035 2.21.99.235:443 1032
diff --git a/envars-image1.txt b/envars-image1.txt
new file mode 100644
index 0000000..dc69d88
--- /dev/null
+++ b/envars-image1.txt
@@ -0,0 +1,333 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Block Variable Value
+
+600 csrss.exe 0x110048 ComSpec C:\WINDOWS\system32\cmd.exe
+600 csrss.exe 0x110048 FP_NO_HOST_CHECK NO
+600 csrss.exe 0x110048 NUMBER_OF_PROCESSORS 1
+600 csrss.exe 0x110048 OS Windows_NT
+600 csrss.exe 0x110048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+600 csrss.exe 0x110048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+600 csrss.exe 0x110048 PROCESSOR_ARCHITECTURE x86
+600 csrss.exe 0x110048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+600 csrss.exe 0x110048 PROCESSOR_LEVEL 6
+600 csrss.exe 0x110048 PROCESSOR_REVISION 2502
+600 csrss.exe 0x110048 SystemDrive C:
+600 csrss.exe 0x110048 SystemRoot C:\WINDOWS
+600 csrss.exe 0x110048 TEMP C:\WINDOWS\TEMP
+600 csrss.exe 0x110048 TMP C:\WINDOWS\TEMP
+600 csrss.exe 0x110048 windir C:\WINDOWS
+624 winlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+624 winlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+624 winlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+624 winlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+624 winlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+624 winlogon.exe 0x20048 FP_NO_HOST_CHECK NO
+624 winlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+624 winlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1
+624 winlogon.exe 0x20048 OS Windows_NT
+624 winlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+624 winlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+624 winlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+624 winlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+624 winlogon.exe 0x20048 PROCESSOR_LEVEL 6
+624 winlogon.exe 0x20048 PROCESSOR_REVISION 2502
+624 winlogon.exe 0x20048 ProgramFiles C:\Program Files
+624 winlogon.exe 0x20048 SystemDrive C:
+624 winlogon.exe 0x20048 SystemRoot C:\WINDOWS
+624 winlogon.exe 0x20048 TEMP C:\WINDOWS\TEMP
+624 winlogon.exe 0x20048 TMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1032 svchost.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1032 svchost.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1032 svchost.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1032 svchost.exe 0x20048 FP_NO_HOST_CHECK NO
+1032 svchost.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1032 svchost.exe 0x20048 OS Windows_NT
+1032 svchost.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1032 svchost.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1032 svchost.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1032 svchost.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1032 svchost.exe 0x20048 PROCESSOR_LEVEL 6
+1032 svchost.exe 0x20048 PROCESSOR_REVISION 2502
+1032 svchost.exe 0x20048 ProgramFiles C:\Program Files
+1032 svchost.exe 0x20048 SystemDrive C:
+1032 svchost.exe 0x20048 SystemRoot C:\WINDOWS
+1032 svchost.exe 0x20048 TEMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 TMP C:\WINDOWS\TEMP
+1032 svchost.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService
+1032 svchost.exe 0x20048 windir C:\WINDOWS
+1512 explorer.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1512 explorer.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1512 explorer.exe 0x20048 CLIENTNAME Console
+1512 explorer.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1512 explorer.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1512 explorer.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1512 explorer.exe 0x20048 FP_NO_HOST_CHECK NO
+1512 explorer.exe 0x20048 HOMEDRIVE C:
+1512 explorer.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1512 explorer.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1512 explorer.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1512 explorer.exe 0x20048 OS Windows_NT
+1512 explorer.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1512 explorer.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1512 explorer.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1512 explorer.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1512 explorer.exe 0x20048 PROCESSOR_LEVEL 6
+1512 explorer.exe 0x20048 PROCESSOR_REVISION 2502
+1512 explorer.exe 0x20048 ProgramFiles C:\Program Files
+1512 explorer.exe 0x20048 SESSIONNAME Console
+1512 explorer.exe 0x20048 SystemDrive C:
+1512 explorer.exe 0x20048 SystemRoot C:\WINDOWS
+1512 explorer.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1752 VMwareTray.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1752 VMwareTray.exe 0x20048 CLIENTNAME Console
+1752 VMwareTray.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1752 VMwareTray.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1752 VMwareTray.exe 0x20048 FP_NO_HOST_CHECK NO
+1752 VMwareTray.exe 0x20048 HOMEDRIVE C:
+1752 VMwareTray.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1752 VMwareTray.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1752 VMwareTray.exe 0x20048 OS Windows_NT
+1752 VMwareTray.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1752 VMwareTray.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1752 VMwareTray.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1752 VMwareTray.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1752 VMwareTray.exe 0x20048 PROCESSOR_LEVEL 6
+1752 VMwareTray.exe 0x20048 PROCESSOR_REVISION 2502
+1752 VMwareTray.exe 0x20048 ProgramFiles C:\Program Files
+1752 VMwareTray.exe 0x20048 SESSIONNAME Console
+1752 VMwareTray.exe 0x20048 SystemDrive C:
+1752 VMwareTray.exe 0x20048 SystemRoot C:\WINDOWS
+1752 VMwareTray.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1752 VMwareTray.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1752 VMwareTray.exe 0x20048 USERNAME Administrator
+1772 VMwareUser.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1772 VMwareUser.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1772 VMwareUser.exe 0x20048 CLIENTNAME Console
+1772 VMwareUser.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1772 VMwareUser.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1772 VMwareUser.exe 0x20048 FP_NO_HOST_CHECK NO
+1772 VMwareUser.exe 0x20048 HOMEDRIVE C:
+1772 VMwareUser.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1772 VMwareUser.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1772 VMwareUser.exe 0x20048 OS Windows_NT
+1772 VMwareUser.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1772 VMwareUser.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1772 VMwareUser.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1772 VMwareUser.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1772 VMwareUser.exe 0x20048 PROCESSOR_LEVEL 6
+1772 VMwareUser.exe 0x20048 PROCESSOR_REVISION 2502
+1772 VMwareUser.exe 0x20048 ProgramFiles C:\Program Files
+1772 VMwareUser.exe 0x20048 SESSIONNAME Console
+1772 VMwareUser.exe 0x20048 SystemDrive C:
+1772 VMwareUser.exe 0x20048 SystemRoot C:\WINDOWS
+1772 VMwareUser.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1772 VMwareUser.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1772 VMwareUser.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1772 VMwareUser.exe 0x20048 USERNAME Administrator
+1796 AdobeARM.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1796 AdobeARM.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+1796 AdobeARM.exe 0x20048 CLIENTNAME Console
+1796 AdobeARM.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1796 AdobeARM.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1796 AdobeARM.exe 0x20048 FP_NO_HOST_CHECK NO
+1796 AdobeARM.exe 0x20048 HOMEDRIVE C:
+1796 AdobeARM.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+1796 AdobeARM.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1796 AdobeARM.exe 0x20048 OS Windows_NT
+1796 AdobeARM.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1796 AdobeARM.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1796 AdobeARM.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1796 AdobeARM.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1796 AdobeARM.exe 0x20048 PROCESSOR_LEVEL 6
+1796 AdobeARM.exe 0x20048 PROCESSOR_REVISION 2502
+1796 AdobeARM.exe 0x20048 ProgramFiles C:\Program Files
+1796 AdobeARM.exe 0x20048 SESSIONNAME Console
+1796 AdobeARM.exe 0x20048 SystemDrive C:
+1796 AdobeARM.exe 0x20048 SystemRoot C:\WINDOWS
+1796 AdobeARM.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1796 AdobeARM.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+1796 AdobeARM.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+1796 AdobeARM.exe 0x20048 USERNAME Administrator
+1796 AdobeARM.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+252 vmtoolsd.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+252 vmtoolsd.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+252 vmtoolsd.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+252 vmtoolsd.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+252 vmtoolsd.exe 0x20048 FP_NO_HOST_CHECK NO
+252 vmtoolsd.exe 0x20048 NUMBER_OF_PROCESSORS 1
+252 vmtoolsd.exe 0x20048 OS Windows_NT
+252 vmtoolsd.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+252 vmtoolsd.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+252 vmtoolsd.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+252 vmtoolsd.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+252 vmtoolsd.exe 0x20048 PROCESSOR_LEVEL 6
+252 vmtoolsd.exe 0x20048 PROCESSOR_REVISION 2502
+252 vmtoolsd.exe 0x20048 ProgramFiles C:\Program Files
+252 vmtoolsd.exe 0x20048 SystemDrive C:
+252 vmtoolsd.exe 0x20048 SystemRoot C:\WINDOWS
+252 vmtoolsd.exe 0x20048 TEMP C:\WINDOWS\TEMP
+252 vmtoolsd.exe 0x20048 TMP C:\WINDOWS\TEMP
+252 vmtoolsd.exe 0x20048 USERPROFILE C:\Documents and Settings\LocalService
+252 vmtoolsd.exe 0x20048 windir C:\WINDOWS
+992 wmiprvse.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+992 wmiprvse.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+992 wmiprvse.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+992 wmiprvse.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+992 wmiprvse.exe 0x20048 FP_NO_HOST_CHECK NO
+992 wmiprvse.exe 0x20048 NUMBER_OF_PROCESSORS 1
+992 wmiprvse.exe 0x20048 OS Windows_NT
+992 wmiprvse.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+992 wmiprvse.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+992 wmiprvse.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+992 wmiprvse.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+992 wmiprvse.exe 0x20048 PROCESSOR_LEVEL 6
+992 wmiprvse.exe 0x20048 PROCESSOR_REVISION 2502
+992 wmiprvse.exe 0x20048 ProgramFiles C:\Program Files
+992 wmiprvse.exe 0x20048 SystemDrive C:
+992 wmiprvse.exe 0x20048 SystemRoot C:\WINDOWS
+992 wmiprvse.exe 0x20048 TEMP C:\WINDOWS\TEMP
+992 wmiprvse.exe 0x20048 TMP C:\WINDOWS\TEMP
+992 wmiprvse.exe 0x20048 USERPROFILE C:\WINDOWS\system32\config\systemprofile
+992 wmiprvse.exe 0x20048 windir C:\WINDOWS
+1132 wuauclt.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+1132 wuauclt.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+1132 wuauclt.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+1132 wuauclt.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+1132 wuauclt.exe 0x20048 FP_NO_HOST_CHECK NO
+1132 wuauclt.exe 0x20048 NUMBER_OF_PROCESSORS 1
+1132 wuauclt.exe 0x20048 OS Windows_NT
+1132 wuauclt.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+1132 wuauclt.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+1132 wuauclt.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+1132 wuauclt.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+1132 wuauclt.exe 0x20048 PROCESSOR_LEVEL 6
+1132 wuauclt.exe 0x20048 PROCESSOR_REVISION 2502
+1132 wuauclt.exe 0x20048 ProgramFiles C:\Program Files
+1132 wuauclt.exe 0x20048 SystemDrive C:
+1132 wuauclt.exe 0x20048 SystemRoot C:\WINDOWS
+1132 wuauclt.exe 0x20048 TEMP C:\WINDOWS\TEMP
+1132 wuauclt.exe 0x20048 TMP C:\WINDOWS\TEMP
+1132 wuauclt.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService
+1132 wuauclt.exe 0x20048 windir C:\WINDOWS
+3692 AcroRd32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3692 AcroRd32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3692 AcroRd32.exe 0x20048 CLIENTNAME Console
+3692 AcroRd32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3692 AcroRd32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3692 AcroRd32.exe 0x20048 FP_NO_HOST_CHECK NO
+3692 AcroRd32.exe 0x20048 HOMEDRIVE C:
+3692 AcroRd32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3692 AcroRd32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3692 AcroRd32.exe 0x20048 OS Windows_NT
+3692 AcroRd32.exe 0x20048 Path C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3692 AcroRd32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3692 AcroRd32.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3692 AcroRd32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3692 AcroRd32.exe 0x20048 PROCESSOR_LEVEL 6
+3692 AcroRd32.exe 0x20048 PROCESSOR_REVISION 2502
+3692 AcroRd32.exe 0x20048 ProgramFiles C:\Program Files
+3692 AcroRd32.exe 0x20048 SESSIONNAME Console
+3692 AcroRd32.exe 0x20048 SystemDrive C:
+3692 AcroRd32.exe 0x20048 SystemRoot C:\WINDOWS
+3692 AcroRd32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3692 AcroRd32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3692 AcroRd32.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3692 AcroRd32.exe 0x20048 USERNAME Administrator
+3692 AcroRd32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3692 AcroRd32.exe 0x20048 windir C:\WINDOWS
+3728 AcroRd32Info.ex 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3728 AcroRd32Info.ex 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3728 AcroRd32Info.ex 0x20048 CLIENTNAME Console
+3728 AcroRd32Info.ex 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3728 AcroRd32Info.ex 0x20048 COMPUTERNAME SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3728 AcroRd32Info.ex 0x20048 FP_NO_HOST_CHECK NO
+3728 AcroRd32Info.ex 0x20048 HOMEDRIVE C:
+3728 AcroRd32Info.ex 0x20048 HOMEPATH \Documents and Settings\Administrator
+3728 AcroRd32Info.ex 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 NUMBER_OF_PROCESSORS 1
+3728 AcroRd32Info.ex 0x20048 OS Windows_NT
+3728 AcroRd32Info.ex 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3728 AcroRd32Info.ex 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_ARCHITECTURE x86
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_LEVEL 6
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_REVISION 2502
+3728 AcroRd32Info.ex 0x20048 ProgramFiles C:\Program Files
+3728 AcroRd32Info.ex 0x20048 SESSIONNAME Console
+3728 AcroRd32Info.ex 0x20048 SystemDrive C:
+3728 AcroRd32Info.ex 0x20048 SystemRoot C:\WINDOWS
+3728 AcroRd32Info.ex 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3728 AcroRd32Info.ex 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3728 AcroRd32Info.ex 0x20048 USERDOMAIN SECURITY-91B8EC
+3728 AcroRd32Info.ex 0x20048 USERNAME Administrator
+3728 AcroRd32Info.ex 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3728 AcroRd32Info.ex 0x20048 windir C:\WINDOWS
+3968 rundll32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3968 rundll32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3968 rundll32.exe 0x20048 CLIENTNAME Console
+3968 rundll32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3968 rundll32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3968 rundll32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3968 rundll32.exe 0x20048 FP_NO_HOST_CHECK NO
+3968 rundll32.exe 0x20048 HOMEDRIVE C:
+3968 rundll32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3968 rundll32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3968 rundll32.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3968 rundll32.exe 0x20048 OS Windows_NT
+3968 rundll32.exe 0x20048 Path C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3968 rundll32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3968 rundll32.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3968 rundll32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3968 rundll32.exe 0x20048 PROCESSOR_LEVEL 6
+3968 rundll32.exe 0x20048 PROCESSOR_REVISION 2502
+3968 rundll32.exe 0x20048 ProgramFiles C:\Program Files
+3968 rundll32.exe 0x20048 SESSIONNAME Console
+3968 rundll32.exe 0x20048 SystemDrive C:
+3968 rundll32.exe 0x20048 SystemRoot C:\WINDOWS
+3968 rundll32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3968 rundll32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3968 rundll32.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3968 rundll32.exe 0x20048 USERNAME Administrator
+3968 rundll32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3968 rundll32.exe 0x20048 windir C:\WINDOWS
+3976 Netlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users
+3976 Netlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data
+3976 Netlogon.exe 0x20048 CLIENTNAME Console
+3976 Netlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files
+3976 Netlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe
+3976 Netlogon.exe 0x20048 FP_NO_HOST_CHECK NO
+3976 Netlogon.exe 0x20048 HOMEDRIVE C:
+3976 Netlogon.exe 0x20048 HOMEPATH \Documents and Settings\Administrator
+3976 Netlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1
+3976 Netlogon.exe 0x20048 OS Windows_NT
+3976 Netlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
+3976 Netlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
+3976 Netlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86
+3976 Netlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel
+3976 Netlogon.exe 0x20048 PROCESSOR_LEVEL 6
+3976 Netlogon.exe 0x20048 PROCESSOR_REVISION 2502
+3976 Netlogon.exe 0x20048 ProgramFiles C:\Program Files
+3976 Netlogon.exe 0x20048 SESSIONNAME Console
+3976 Netlogon.exe 0x20048 SystemDrive C:
+3976 Netlogon.exe 0x20048 SystemRoot C:\WINDOWS
+3976 Netlogon.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3976 Netlogon.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3976 Netlogon.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 USERNAME Administrator
+3976 Netlogon.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3976 Netlogon.exe 0x20048 windir C:\WINDOWS
diff --git a/iehistory-image1.txt b/iehistory-image1.txt
new file mode 100644
index 0000000..62ec49f
--- /dev/null
+++ b/iehistory-image1.txt
@@ -0,0 +1,12 @@
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c445
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c6ed
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf
diff --git a/imageinfo-image1.txt b/imageinfo-image1.txt
new file mode 100644
index 0000000..25d9ad7
--- /dev/null
+++ b/imageinfo-image1.txt
@@ -0,0 +1,12 @@
+ Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
+ AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+ AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image1.vmem)
+ PAE type : PAE
+ DTB : 0x319000L
+ KDBG : 0x80545b60L
+ Number of Processors : 1
+ Image Type (Service Pack) : 3
+ KPCR for CPU 0 : 0xffdff000L
+ KUSER_SHARED_DATA : 0xffdf0000L
+ Image date and time : 2011-11-30 11:14:10 UTC+0000
+ Image local date and time : 2011-11-30 12:14:10 +0100
diff --git a/malfind-image1.txt b/malfind-image1.txt
new file mode 100644
index 0000000..c9acb5b
--- /dev/null
+++ b/malfind-image1.txt
@@ -0,0 +1,45 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
+
+3708 svchost.exe 0x400000 0x404fff VadS PAGE_EXECUTE_READWRITE 5 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x400000: add byte ptr [eax], al
+0x400002: add byte ptr [eax], al
+0x400004: add byte ptr [eax], al
+0x400006: add byte ptr [eax], al
+0x400008: add byte ptr [eax], al
+0x40000a: add byte ptr [eax], al
+0x40000c: add byte ptr [eax], al
+0x40000e: add byte ptr [eax], al
+0x400010: add byte ptr [eax], al
+0x400012: add byte ptr [eax], al
+0x400014: add byte ptr [eax], al
+0x400016: add byte ptr [eax], al
+0x400018: add byte ptr [eax], al
+0x40001a: add byte ptr [eax], al
+0x40001c: add byte ptr [eax], al
+0x40001e: add byte ptr [eax], al
+0x400020: add byte ptr [eax], al
+0x400022: add byte ptr [eax], al
+0x400024: add byte ptr [eax], al
+0x400026: add byte ptr [eax], al
+0x400028: add byte ptr [eax], al
+0x40002a: add byte ptr [eax], al
+0x40002c: add byte ptr [eax], al
+0x40002e: add byte ptr [eax], al
+0x400030: add byte ptr [eax], al
+0x400032: add byte ptr [eax], al
+0x400034: add byte ptr [eax], al
+0x400036: add byte ptr [eax], al
+0x400038: add byte ptr [eax], al
+0x40003a: add byte ptr [eax], al
+0x40003c: add byte ptr [eax], al
+0x40003e: add byte ptr [eax], al
diff --git a/processes-image1.txt b/processes-image1.txt
new file mode 100644
index 0000000..b96f45a
--- /dev/null
+++ b/processes-image1.txt
@@ -0,0 +1,39 @@
+Volatility 3 Framework 1.0.1
+
+PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime ExitTime File output
+
+3692 1512 AcroRd32.exe 0x1fc5958 4 161 0 False 2011-11-30 11:12:27.000000 N/A Disabled
+3728 860 AcroRd32Info.ex 0x1ffa918 7 149 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+3560 1032 wuauclt.exe 0x201cb08 6 118 0 False 2011-11-30 11:11:55.000000 N/A Disabled
+992 860 wmiprvse.exe 0x2023878 5 189 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+252 676 vmtoolsd.exe 0x2027da0 6 222 0 False 2011-11-30 11:10:51.000000 N/A Disabled
+3976 1512 Netlogon.exe 0x2067308 1 14 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+1028 1036 wuauclt.exe 0x2075be0 0 - 0 False 2011-11-30 11:05:21.000000 2011-11-30 11:10:23.000000 Disabled
+1804 1512 ctfmon.exe 0x207a2a0 1 99 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1796 1512 AdobeARM.exe 0x207d020 8 143 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1620 676 spoolsv.exe 0x20a1558 14 123 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1088 668 svchost.exe 0x20d3c50 7 0 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+932 668 svchost.exe 0x2107160 10 - 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+1080 676 svchost.exe 0x2296748 5 - 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+688 624 lsass.exe 0x22a3aa8 24 362 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+940 676 svchost.exe 0x2300b28 9 261 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+1124 676 svchost.exe 0x239d578 15 210 0 False 2011-11-30 11:10:41.000000 N/A Disabled
+1132 1032 wuauclt.exe 0x23a1650 8 177 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+512 676 VMUpgradeHelper 0x23a23c0 6 97 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+3708 3632 svchost.exe 0x23d7da0 5 144 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+1368 676 alg.exe 0x23e3260 7 104 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+1988 1032 wscntfy.exe 0x23ea4c0 1 39 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+416 1828 svchost.exe 0x23fb3d8 4 138 0 False 2011-11-30 11:10:53.000000 N/A Disabled
+1772 1512 VMwareUser.exe 0x2403da0 6 211 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1512 1460 explorer.exe 0x240ac08 16 424 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1752 1512 VMwareTray.exe 0x24149f8 1 58 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+552 4 smss.exe 0x24224c8 3 19 N/A False 2011-11-30 11:10:38.000000 N/A Disabled
+844 676 vmacthlp.exe 0x2425020 1 25 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+860 676 svchost.exe 0x2428020 19 204 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+624 552 winlogon.exe 0x24479c0 24 522 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+3968 3692 rundll32.exe 0x248c400 1 59 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+3832 3692 dumprep.exe 0x248dd48 0 - 0 False 2011-11-30 11:12:31.000000 2011-11-30 11:12:31.000000 Disabled
+1032 676 svchost.exe 0x2493728 84 1552 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+676 624 services.exe 0x249db68 15 259 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+600 552 csrss.exe 0x24aaae0 10 431 0 False 2011-11-30 11:10:39.000000 N/A Disabled
+4 0 System 0x25c8830 56 252 N/A False N/A N/A Disabled
diff --git a/report.tex b/report.tex
index 6167c7c..d208415 100644
--- a/report.tex
+++ b/report.tex
@@ -4,6 +4,22 @@ \usepackage[english]{babel}
 \usepackage{microtype}
 \usepackage{hyperref}
+\usepackage{listings}
+\usepackage{graphicx}
+
+\lstdefinestyle{mystyle}{
+ basicstyle=\ttfamily\footnotesize,
+ breakatwhitespace=false,
+ breaklines=true,
+ captionpos=b,
+ keepspaces=true,
+ showspaces=false,
+ showstringspaces=false,
+ showtabs=false,
+ tabsize=2
+}
+
+\lstset{style=mystyle}
 \setlength{\parindent}{0pt}
@@ -16,11 +32,79 @@ \section{Introduction}
+This report documents the findings and the analysis of those findings while
+performing extensive forensic analysis on a RAM dump. The RAM dump was obtained
+after a computer showed suspicious activity and was subsequently shut down. The
+dump is provided via a zip file which is extracted to be able to perform
+forensic analysis.
+
+A second RAM dump is analyzed to find information about a PC running in the
+server room which has no apparent owner or user. This dump is also provided as a
+zip file and is password protected with the password \texttt{infected}.
 \section{Findings}
+All information is obtained through the use of the open soure \texttt{Volatility
+3 Framework} at version \texttt{1.0.1} except for the screenshot for the first
+RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.
+
+\subsection{Image 1}
+
+\subsubsection{Basic Information}
+
+This image is running Windows XP with the Service Pack 2. It was created on
+2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
+\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
+\texttt{Administrator} user. This information is provided by the volatility
+\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.
+
+\subsubsection{Processes and Network Connections}
+
+The process list is obtained with the \texttt{pslist} command. It includes
+common Windows processes as well as \texttt{AcroRd32.exe} and
+\texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes
+running.
+
+\subsubsection{Other Information}
+
+Interesting information can also be found with the \texttt{iehistory},
+\texttt{screenshot} and \texttt{malfind} commands. \texttt{IEHistory} shows that
+the user \texttt{Administrator} accessed a file on the filesystem called
+\texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command
+attempts to reconstruct the user's view just before the dump was created. The
+image shows that the \texttt{navy procurement.pdf} file was opened in Adobe
+Acrobat Reader with a message saying that Windows has closed this program to
+protect the computer.
+
+\begin{center}
+ \begin{figure}
+ \includegraphics[width=1\textwidth]{./screenshot.png}
+ \caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
+ \end{figure}
+\end{center}
+
+\subsection{Image 2}
 \section{Analysis}
+\subsection{Image 1}
+
+The information gathered with volatility strongly suggests that the computer had
+been infected with malware. The malware seems to have been installed after
+opening the \texttt{navy procurement.pdf} file and is also most likely running
+as an additional \texttt{svchost.exe} process. This process could be responsible
+for the connection made to the IP-address \texttt{99.1.23.71}. A WHOIS lookup
+provides the company who has the address: \texttt{SUN COUNTRY MEDICAL
+EQUIPMENT} based in Texas, US.
+
+\subsection{Image 2}
+
+\section{Appendix}
+
+\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
+\lstinputlisting[caption=Image1 Processes List]{processes-image1.txt}
+\lstinputlisting[caption=Image1 Connections]{connections-image1.txt}
+\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
+\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
 \end{document}
diff --git a/screenshot.png b/screenshot.png
new file mode 100644
index 0000000..d440d11
Binary files /dev/null and b/screenshot.png differ
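Review bot: The Basic Information paragraph states the image runs Windows XP with Service Pack 2, but the appended imageinfo listing reports `Image Type (Service Pack) : 3` (WinXPSP2x86 is only the profile Volatility instantiated), and the creation time it quotes, 12:14:10, is the local +0100 timestamp while the image's UTC time is 11:14:10, so the sentences should read `This image is running Windows XP Service Pack 3 (Volatility instantiated the WinXPSP2x86 profile). It was created on 2011-11-30 11:14:10 UTC (12:14:10 local time).` The Analysis paragraph leaves the link between the extra svchost.exe and the connection to 99.1.23.71 at "could be responsible", although the appended listings already establish it: the connections output attributes that socket to Pid 3708, the process list shows 3708 svchost.exe created at 11:12:28, one second after AcroRd32.exe (3692), with a parent PID 3632 that is absent from the list, and malfind flags a PAGE_EXECUTE_READWRITE VadS region at 0x400000 in the same PID, so these identifiers should be cited in the text. The Findings section also passes over two entries in the appended process list that call for comment: `Netlogon.exe` (3976, parent 1512 explorer.exe) and `rundll32.exe` (3968, parent 3692 AcroRd32.exe), both created at 11:14:06 and both carrying the Administrator environment according to the envars output. Minor wording: `open soure` should be `open source`, and the listing spells the process `VMwareUser.exe`, not `VMWareUser.exe`.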