[Vol-users] Hidden Network connection?

Takahiro HARUYAMA tharuyama at ji2.co.jp
Thu Apr 1 20:58:54 CDT 2010

Hi Bertens,

The connection may be thing of the past.
In that case, you should use PsScan, instead of PsList.
Otherwise, that's noise.


(4/1/2010 10:11 PM), K Bertens wrote:
> I did a memory and volatile data acquisition with Helix.
> While using the enscript version of volatility I found on the blog, I ran it
> against the memorydump and the TCP network connections scan showed a
> connection:
>        81.169.145.x:80                3852
> The strange thing is, I cant find the process accociated with processid 3852
> in the enscript version with pslist.
> When I run the volatility program from a linux commandline I cant see any
> connection at all (with the options connscan and connscan2) and there is no
> process in plist with id 3852.
> In the volatile data report of Helix this connection isnt showing either.
> Of course I want to know what kind of process this is, can anyone help me?
> Thanks a lot,
> K Bertens
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Takahiro HARUYAMA <tharuyama at ji2.co.jp>
EnCase Certified Examiner (EnCE)
Tel : +81 3 6228 0163, Fax : +81 3 6228 0164

More information about the Vol-users mailing list