[Vol-users] netscan plugin question

Michael Hale Ligh michael.hale at gmail.com
Fri May 17 10:01:59 CDT 2013


Lou,

The netscan command [1] uses pool tag scanning like connscan [2]. Thus it
has the same pros/cons described - in particular "This can find artifacts
from previous connections that have since been terminated, in addition to
the active ones. In the output below, you'll notice some fields have been
partially overwritten, but some of the information is still accurate."

In other words, you may have found remnants of a connection that was once
established, but was closed before the memory dump was taken. The structure
is still lingering, but some pointers within the structure (namely those
that identify the owning process) are no longer valid.

HTH,
Michael

[1]. https://code.google.com/p/volatility/wiki/CommandReference23#netscan
[2]. https://code.google.com/p/volatility/wiki/CommandReference23#connscan
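The behaviour Michael describes shows up in netscan output as rows whose Pid and Owner columns are dashes. The following is an added example, not code from the original thread or from the Volatility project: a small Python triage helper that parses netscan-style rows (including the fused "…:43405ESTABLISHED" spacing that survived in the quoted post), keeps the sample rows from the thread as constructed input, and separates connections attributed to a live process from orphaned ones, where the pool-tag scan found the structure but the owning-process pointers no longer resolve. The header line, the column regex and the function names are this example's own assumptions about the output layout, not part of netscan itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample built from the netscan rows quoted in this thread.  The two
# ESTABLISHED rows keep the fused "...:43405ESTABLISHED" spacing the e-mail had,
# and the header line is an assumption about the column layout.
SAMPLE_NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner
0x2d07480  TCPv4    10.22.41.40:58767             38.126.225.229:43405ESTABLISHED      -------- --------------
0x1367da70 TCPv4    10.22.41.40:59302             151.213.50.211:22031ESTABLISHED      -------- --------------
0xdb838178 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        996      svchost.exe
0xdb850ab0 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe
0xdb855e78 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe
"""

# TCP states netscan may print; UDP rows carry no state at all.
STATES = ("ESTABLISHED", "LISTENING", "CLOSED", "CLOSE_WAIT", "TIME_WAIT",
          "SYN_SENT", "SYN_RCVD", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK",
          "CLOSING", "DELETE_TCB")

# The foreign-address group is lazy and the whitespace after it optional, so a
# row where the state was glued onto the port (as in the quoted post) still splits.
ROW_RE = re.compile(
    r"""^(?P<offset>0x[0-9a-fA-F]+)\s+
        (?P<proto>(?:TCP|UDP)v[46])\s+
        (?P<local>\S+)\s+
        (?P<foreign>\S+?)\s*
        (?P<state>%s)?\s+
        (?P<pid>\d+|-+)\s+
        (?P<owner>\S+)""" % "|".join(STATES),
    re.VERBOSE,
)


@dataclass
class NetscanRow:
    offset: str
    proto: str
    local: str
    foreign: str
    state: Optional[str]
    pid: Optional[int]
    owner: Optional[str]

    @property
    def orphaned(self) -> bool:
        """True when netscan printed dashes for Pid and Owner: the pool-tag scan
        found the structure, but its owning-process pointers no longer validate,
        which is what a connection closed before the dump looks like."""
        return self.pid is None and self.owner is None


def parse_netscan(text: str) -> List[NetscanRow]:
    """Parse netscan-style rows; headers and unrecognised lines are skipped."""
    rows: List[NetscanRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid_txt, owner_txt = m.group("pid"), m.group("owner")
        rows.append(NetscanRow(
            offset=m.group("offset"),
            proto=m.group("proto"),
            local=m.group("local"),
            foreign=m.group("foreign"),
            state=m.group("state"),
            pid=int(pid_txt) if pid_txt.isdigit() else None,
            owner=None if set(owner_txt) == {"-"} else owner_txt,
        ))
    return rows


def triage(rows: List[NetscanRow]) -> Dict[str, List[NetscanRow]]:
    """Split rows into those attributed to a process and those that are most
    plausibly remnants of connections terminated before the memory was captured."""
    buckets: Dict[str, List[NetscanRow]] = {"attributed": [], "orphaned": []}
    for row in rows:
        buckets["orphaned" if row.orphaned else "attributed"].append(row)
    return buckets


if __name__ == "__main__":
    result = triage(parse_netscan(SAMPLE_NETSCAN))
    for r in result["orphaned"]:
        print(f"{r.offset} {r.proto} {r.local} -> {r.foreign} {r.state}: "
              f"no valid owner (likely closed before the dump was taken)")
    for r in result["attributed"]:
        print(f"{r.offset} {r.proto} {r.local} {r.state} pid={r.pid} {r.owner}")
```

An orphaned ESTABLISHED row is expected output of a pool-tag scanner rather than an error in the dump; the useful follow-up is to treat the remote endpoint and ports as historical evidence and corroborate them against other sources before attributing them to any process.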


On Thu, May 16, 2013 at 12:57 PM, Lou LaRocca <louislarocca at gmail.com> wrote:

> Greetings
>
> I am looking at Win 7 x86 SP1 memory and I don't understand why I am seeing
> "established connections" but no PID or Process with it.
>
> 0x2d07480  TCPv4    10.22.41.40:58767             38.126.225.229:43405 ESTABLISHED      -------- --------------
> 0x1367da70 TCPv4    10.22.41.40:59302             151.213.50.211:22031 ESTABLISHED      -------- --------------
>
>
> In addition I am seeing stuff "listening" and it contains the PID and
> Process.
>
> 0xdb838178 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        996      svchost.exe
> 0xdb850ab0 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe
> 0xdb855e78 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe
>
> So my question is why can I see the listening processes but I'm not getting
> the Processes that are established?
>
> Thanks for the help
>
> Lou
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>