[Vol-users] Volatility 2.1/2.2 connscan/sockets/sockscan not supported for profile Win7SP1x86

Jamie Levy jamie.levy at gmail.com
Fri Jan 4 16:06:02 CST 2013


Connections/connscan/sockets/sockscan are for Windows XP/2003 only.
Use the netscan plugin for anything Vista/2008/Win7:

http://code.google.com/p/volatility/wiki/CommandReference20#Networking



On Fri, Jan 4, 2013 at 4:58 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> I have found that in Volatility 2.1 and 2.2 connscan is not supported for
> profile Win7SP1x86. Volatility 2.0 does not produce any results. (??)
> I see that sockets and sockscan are also not supported in Volatility 2.2.
> See below.
>
> pslist does work, so some commands are supported.
>
> Is this a known issue?
>
>
> ----------------cut-here-------------------
> C:\Python27\volatility-2.2>vol.py imageinfo -f g:\victim1.w32
> Volatile Systems Volatility Framework 2.2
> Determining profile based on KDBG search...
>           Suggested Profile(s) : Win7SP0x86, Win7SP1x86
>                      AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>                      AS Layer2 : FileAddressSpace (G:\victim1.w32)
>                       PAE type : PAE
>                            DTB : 0x185000L
>                           KDBG : 0x82761be8L
>           Number of Processors : 2
>      Image Type (Service Pack) : 0
>                 KPCR for CPU 0 : 0x82762c00L
>                 KPCR for CPU 1 : 0x807c0000L
>              KUSER_SHARED_DATA : 0xffdf0000L
>            Image date and time : 2013-01-04 20:41:23 UTC+0000
>      Image local date and time : 2013-01-04 14:41:23 -0600
>
>
> C:\Python27\volatility-2.0>vol.py connscan -f h:\victim1.img
> --profile=Win7SP1x86
> Volatile Systems Volatility Framework 2.0
>  Offset     Local Address             Remote Address            Pid
> ---------- ------------------------- ------------------------- ------
>
> C:\Python27\volatility-2.1>vol.py connscan -f h:\victim1.img
> --profile=Win7SP1x86
> Volatile Systems Volatility Framework 2.1
> Offset(P)  Local Address             Remote Address            Pid
> ---------- ------------------------- ------------------------- ---
> ERROR   : volatility.plugins.connscan: This command does not support the
> selected profile.
>
>
> C:\Python27\volatility-2.2>vol.py connscan -f g:\victim1.w32
> --profile=Win7SP1x86
> Volatile Systems Volatility Framework 2.2
> Offset(P)  Local Address             Remote Address            Pid
> ---------- ------------------------- ------------------------- ---
> ERROR   : volatility.plugins.connscan: This command does not support the
> selected profile.
>
> C:\Python27\volatility-2.2>vol.py sockets -f g:\victim1.w32
> --profile=Win7SP1x86
> Volatile Systems Volatility Framework 2.2
> ERROR   : volatility.plugins.sockets: This command does not support the
> selected profile.
>
> C:\Python27\volatility-2.2>vol.py sockscan -f g:\victim1.w32
> --profile=Win7SP1x86
> Volatile Systems Volatility Framework 2.2
> Offset(P)     PID   Port  Proto Protocol        Address         Create Time
> ---------- ------ ------ ------ --------------- --------------- -----------
> ERROR   : volatility.plugins.sockscan: This command does not support the
> selected profile.
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
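As an added example (not code from the Volatility project or from either poster), the following POSIX shell wrapper encodes the profile-to-plugin rule from the reply above so the legacy XP/2003 plugins are never run against a Vista-or-later image: it picks connections/connscan/sockets/sockscan for WinXP*/Win2003* profiles and netscan for Vista*/Win2008*/Win7* profiles. It also maps the later Win8/Win2012/Win10/Win2016 profile families (added in Volatility 2.4 and later) to netscan, which goes beyond the specific versions named in the reply. The VOL variable (path to vol.py, defaulting to vol.py on PATH) and the image path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Volatility project code: select the Volatility 2.x
# networking plugin(s) that support a given --profile value.
# Legacy plugins (connections, connscan, sockets, sockscan) only support
# XP/2003 profiles; netscan covers Vista/2008/Win7 and, by extension
# (assumption, generalising the reply), the Win8/2012/Win10/2016 families.

# Usage: net_plugins_for_profile <profile>
# Prints the applicable plugin names on stdout; returns 1 for a profile
# that is not a recognised Windows profile family.
net_plugins_for_profile() {
    case "$1" in
        WinXP*|Win2003*)
            echo "connections connscan sockets sockscan"
            ;;
        Vista*|Win2008*|Win7*|Win8*|Win2012*|Win10*|Win2016*)
            echo "netscan"
            ;;
        *)
            echo "net_plugins_for_profile: no networking plugin mapping for profile '$1'" >&2
            return 1
            ;;
    esac
}

# Usage: run_net_plugins <image> <profile>
# Runs every applicable networking plugin against the image, e.g.
#   VOL=/opt/volatility-2.2/vol.py run_net_plugins /cases/victim1.w32 Win7SP1x86
# (paths are assumed for illustration). Exits non-zero without invoking
# vol.py if the profile has no known networking plugin.
run_net_plugins() {
    image="$1"
    profile="$2"
    plugins=$(net_plugins_for_profile "$profile") || return 1
    for p in $plugins; do
        echo "=== $p (--profile=$profile) ==="
        "${VOL:-vol.py}" -f "$image" --profile="$profile" "$p"
    done
}

# Only run when invoked directly with an image and a profile.
if [ "$#" -eq 2 ]; then
    run_net_plugins "$1" "$2"
fi
```

The profile string is the value you would otherwise paste into --profile, as printed by imageinfo or kdbgscan; because the mapping is done before vol.py is invoked, the wrapper refuses up front rather than producing the "This command does not support the selected profile" error per plugin.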