Hello,

I am starting to play with Volatility (2.5) and I am currently working on a Win2008R2 image (memory dump with winpmem). I would like to understand what is causing some network connections initiated by the "System" process. netscan shows those connections and I would like to be able to find references to the IP addresses in the memory dump. I have tried the "yarascan -Y" plugin with the IP string, and with the IP-to-integer value (converted to hex), but no luck finding IPs that, however, I can see in the netscan result... Either I am wrong with the yarascan syntax or there is something I don't know regarding how Win2008 stores IPs...

Any hints?

Thanks,

Laurent
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
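The question turns on which byte encoding of an IP address a pattern search should look for. Windows socket structures (in_addr / in6_addr, as used in sockaddr_in) hold the address in network byte order, so 192.168.1.10 sits in memory as c0 a8 01 0a, whereas "convert to an integer, then to hex" on a little-endian host tends to produce the reversed 0a 01 a8 c0; string references may also be UTF-16LE rather than ASCII. The following is an added example, not code from the original post or from the Volatility project: it enumerates the candidate encodings of an address, emits each as a YARA hex string (the brace form that yarascan's -Y option accepts for hex patterns), and scans a constructed buffer that mimics a sockaddr_in and a UTF-16 string to show which encodings hit and which miss. The buffer layout and the address 192.168.1.10 are constructed for the demonstration.

```python
import ipaddress
import struct


def ip_byte_encodings(ip):
    """Return the byte patterns an IPv4/IPv6 address may take in memory.

    network_order : as stored in in_addr / in6_addr (big-endian, RFC order)
    host_order_le : the 32-bit integer written little-endian, i.e. what an
                    "IP to int to hex" conversion on x86 usually yields (IPv4 only)
    ascii / utf16le : the dotted/colon text form in the two common string encodings
    """
    addr = ipaddress.ip_address(ip)
    packed = addr.packed
    text = str(addr)
    encodings = {
        "network_order": packed,
        "ascii": text.encode("ascii"),
        "utf16le": text.encode("utf-16-le"),
    }
    if addr.version == 4:
        encodings["host_order_le"] = packed[::-1]
    return encodings


def to_yara_hex(data):
    """Render bytes as a YARA hex string, e.g. b'\\xc0\\xa8\\x01\\x0a' -> '{ c0 a8 01 0a }'."""
    return "{ " + " ".join("%02x" % b for b in data) + " }"


def find_all(buf, pattern):
    """All offsets at which pattern occurs in buf (overlaps included)."""
    offsets = []
    start = 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_for_ip(buf, ip):
    """Map each candidate encoding of ip to the offsets where it appears in buf."""
    return {name: find_all(buf, pat) for name, pat in ip_byte_encodings(ip).items()}


def build_sample():
    """Constructed memory fragment (not a real dump): 16 bytes of padding, a
    sockaddr_in-like record (AF_INET=2 little-endian, port 443 big-endian,
    in_addr in network order, 8 bytes sin_zero), more padding, then the same
    address as a NUL-terminated UTF-16LE string."""
    addr = ipaddress.ip_address("192.168.1.10")
    sockaddr_in = (
        struct.pack("<H", 2)          # sin_family, host order
        + struct.pack("!H", 443)      # sin_port, network order
        + addr.packed                 # sin_addr, network order
        + b"\x00" * 8                 # sin_zero
    )
    utf16_str = str(addr).encode("utf-16-le") + b"\x00\x00"
    return b"\x00" * 16 + sockaddr_in + b"\x00" * 8 + utf16_str + b"\x00" * 8


if __name__ == "__main__":
    ip = "192.168.1.10"
    for name, pat in ip_byte_encodings(ip).items():
        print("%-14s yarascan -Y '%s'" % (name, to_yara_hex(pat)))
    print(scan_for_ip(build_sample(), ip))
```

Running the block shows the network-order pattern hitting inside the socket structure and the UTF-16LE pattern hitting the string copy, while the little-endian integer form and the plain ASCII form find nothing in this buffer. In practice, scanning a dump for all four forms (and, for IPv6, the 16-byte network-order form) is a reasonable starting point before concluding that an address seen in netscan has no other references.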