[Vol-users] Hidden Network connection?

Takahiro HARUYAMA tharuyama at ji2.co.jp
Thu Apr 1 20:58:54 CDT 2010


Hi Bertens,


The connection may be a thing of the past.
In that case, you should use PsScan, instead of PsList.
Otherwise, that's noise.

Best,
Takahiro

(4/1/2010 10:11 PM), K Bertens wrote:
> I did a memory and volatile data acquisition with Helix.
> While using the enscript version of volatility I found on the blog, I ran it
> against the memorydump and the TCP network connections scan showed a
> connection:
>
> 192.168.1.104:1142        81.169.145.x:80                3852
>
> The strange thing is, I can't find the process associated with process ID 3852
> in the enscript version with pslist.
> When I run the volatility program from a linux commandline I can't see any
> connection at all (with the options connscan and connscan2) and there is no
> process in plist with id 3852.
> In the volatile data report of Helix this connection isn't showing either.
>
> Of course I want to know what kind of process this is, can anyone help me?
>
> Thanks a lot,
> K Bertens


-- 
Takahiro HARUYAMA <tharuyama at ji2.co.jp>
EnCase Certified Examiner (EnCE)
Tel : +81 3 6228 0163, Fax : +81 3 6228 0164
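
The triage suggested in the reply above, as an added example that is not part of the original messages or of Volatility itself: each connection's PID is checked against the PIDs reported by pslist and then by psscan. It assumes the three-column connection format quoted in the thread and that the PID sets have already been extracted from each plugin's output; apart from the first connection row, all sample values are constructed.

```python
import re

# Three-column connection row as quoted in the thread: local, remote, PID.
# An octet may be redacted ("x"), as it is in the original post.
CONN_ROW = re.compile(
    r"^\s*(?P<local>[\d.x]+:\d+)\s+(?P<remote>[\d.x]+:\d+)\s+(?P<pid>\d+)\s*$"
)

def parse_connections(text):
    """Return (local, remote, pid) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_ROW.match(line)
        if m:
            rows.append((m["local"], m["remote"], int(m["pid"])))
    return rows

def triage(connections, pslist_pids, psscan_pids):
    """Classify each connection by where its owning PID can be found."""
    findings = []
    for local, remote, pid in connections:
        if pid in pslist_pids:
            verdict = "active process (in pslist)"
        elif pid in psscan_pids:
            verdict = "exited or unlinked process (psscan only)"
        else:
            verdict = "no process object found (stale connection or noise)"
        findings.append((local, remote, pid, verdict))
    return findings

# Constructed sample data; only the first connection row comes from the thread.
SAMPLE_CONNS = """\
Local Address             Remote Address                 Pid
192.168.1.104:1142        81.169.145.x:80                3852
192.168.1.104:1025        192.168.1.1:445                4
192.168.1.104:1190        10.0.0.7:8080                  2216
"""
PSLIST_PIDS = {4, 632, 1020}          # PIDs from the active process list
PSSCAN_PIDS = {4, 632, 1020, 3852}    # PIDs from the scan, incl. exited ones

if __name__ == "__main__":
    rows = parse_connections(SAMPLE_CONNS)
    for row in triage(rows, PSLIST_PIDS, PSSCAN_PIDS):
        print("%-20s %-20s %-6d %s" % row)
```
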

