Memory Analysis using Volatility - netscan

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

netscan a volatility plugin that is used to scan connections on vista, 7, 8, 10 and later image for connections and sockets.

Connection State:

      • CLOSE_WAIT
      • CLOSED
      • ESTABLISHED
      • FIN_WAIT_1
      • FIN_WAIT_2
      • LAST_ACK
      • LISTEN
      • SYN_RECEIVED
      • SYN_SEND
      • TIMED_WAIT

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

We can use the Volatility netscan plugin to enumerate network communication to our system and what process is responsible for the connection. We can also see what is the status of that connection.

Here we can see the following details:

(1) Foreign Address – outbound local ip address where our local system connects.

(2) PID – Process ID of the process responsible for the connection.

(3) Owner – Process name responsible for the connection.

Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> netscan

In this sample, we extract network information from a system’s memory dump that is infected with Sinowal Malware.

Using the Volatility netscan plugin we are able to detect the inbound and outbound ip address:

192.168.30.144:52467 > 108.59.6.39:80

#note: Check the system for unknown ip address both inbound and outbound. Also, see if it is using a non-standard port for connection.