You can read the first part of this post here:

http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html

DETECTING API CALLS

If we use the command below, we can see the strings of these exported files in order to try to locate some interesting words...
strings evidences/process.*

Thanks to Volatility, we can find the API hooks in this memory dump. In the picture below, you will see the apihooks related to the malicious process 1928.
python2 vol.py -f stuxnet.vmem apihooks -p 1928


These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.

http://www.symantec.com/connect/blogs/w32stuxnet-installation-details

DETECTING MALICIOUS DRIVERS

With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan

The first driver draws our attention… Please take note of the “Base” value (0xb21d8000) because we will export it with the command below.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000

We get the sha256 hash of this driver...
sha256sum evidences/driver.b21d8000.sys


...and we upload it to www.virustotal.com

Here you have the report, where you will see that this driver has been recognized as malicious.

https://www.virustotal.com/en/file/6aa1f54fbd8c79a3109bfc3e7274f212e5bf9c92f740d5a194167ea940c3d06c/analysis/


We have just detected a malicious driver, but I think that it’s necessary to look for more drivers with a similar name in order to try to find new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx

OK. Let’s export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000

https://www.virustotal.com/en/file/6bc86d3bd3ec0333087141215559aec5b11b050cc49e42fc28c2ff6c9c119dbd/analysis/


We have just found two malicious drivers: mrxcls.sys and mrxnet.sys.

I checked the other two drivers with the same commands and they aren’t categorized as malicious files. This is the reason I haven't shown them to you.
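
As an added example (not part of the original post, and going slightly beyond it): the modscan results can be cross-checked against Volatility's modules plugin, which walks the loaded-module list, to list drivers that only the scan finds, and the `grep mrx` step can be turned into one moddump command per match. The sample rows are constructed, and the "Offset Name Base Size File" column layout of the saved output is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes saved Volatility 2 output
# with the columns "Offset Name Base Size File", for instance:
#   python2 vol.py -f stuxnet.vmem modscan > modscan.txt
#   python2 vol.py -f stuxnet.vmem modules > modules.txt

# Print "name base" for drivers that modscan carved out of memory but that are
# absent from the loaded-module list walked by modules (unloaded or unlinked).
scan_only() {   # $1 = modscan output, $2 = modules output
    awk '
        $1 !~ /^0x[0-9a-fA-F]+$/ || $3 !~ /^0x[0-9a-fA-F]+$/ { next }  # skip headers
        { key = tolower($2) " " tolower($3) }
        FILENAME == ARGV[1] { linked[key] = 1; next }
        !(key in linked) && !seen[key]++ { print key }
    ' "$2" "$1"
}

# Emit one moddump command per modscan row whose name matches the regex, so
# every look-alike driver is exported and hashed, not only the first one.
moddump_cmds() {   # $1 = modscan output, $2 = lowercase name regex, $3 = image
    awk -v pat="$2" -v img="${3:-stuxnet.vmem}" '
        $1 ~ /^0x/ && $3 ~ /^0x[0-9a-fA-F]+$/ && tolower($2) ~ pat {
            printf "python2 vol.py -f %s moddump --dump-dir evidences/ --base %s\n", img, $3
        }
    ' "$1"
}

# Constructed sample output: offsets, bases, sizes and unlinked.sys are invented.
demo_dir=$(mktemp -d)
cat > "$demo_dir/modules.txt" <<'EOF'
Offset(V)  Name         Base       Size   File
---------- ------------ ---------- ------ ----
0x81000010 ntfs.sys     0xf0001000 0x8000 ntfs.sys
0x81000020 mrxcls.sys   0xf0002000 0x5000 mrxcls.sys
0x81000030 mrxnet.sys   0xf0003000 0x3000 mrxnet.sys
EOF
cat > "$demo_dir/modscan.txt" <<'EOF'
Offset(P)  Name         Base       Size   File
---------- ------------ ---------- ------ ----
0x01000010 ntfs.sys     0xf0001000 0x8000 ntfs.sys
0x01000020 mrxcls.sys   0xf0002000 0x5000 mrxcls.sys
0x01000030 mrxnet.sys   0xf0003000 0x3000 mrxnet.sys
0x01000040 unlinked.sys 0xf0004000 0x2000 unlinked.sys
EOF
scan_only "$demo_dir/modscan.txt" "$demo_dir/modules.txt"
moddump_cmds "$demo_dir/modscan.txt" 'mrx'
```

A driver that appears in both lists can still be malicious, which is why each exported file is hashed and checked as described above.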

DETECTING REGISTRY KEYS

In this section, we will detect the registry keys that have been added to the computer. With the command below, we will see a lot of them.
strings stuxnet.vmem | grep -i mrx | grep -i Services

We can obtain valuable information about some of them with the next commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'

python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxCls'

With these registry keys, Stuxnet will be started at every computer restart.