4:29 a.m.
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didnt display anything. Is that a bug, or
that is the way it supposes to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" shows nothing. is
that expected??
I suppose that "connections" and "sockets" are about the same thing.
is that correct?
Thanks,
Jun
4:38 a.m.
Jun,
What kind of image is this? If its a hibernation file you wont see
any sockets because windows closes all sockets before hibernating.
sockscan however shows you sockets which get carved out (i.e. ones
that were once used but no longer). It takes a long time because it
has to carve out the socket structures.
same goes for conscan it scans old connections from all of memory
which is why its slow. There may not be any connections left it its a
hiber image too.
sockets and connections are different structures.
Michael.
On Mon, Feb 16, 2009 at 8:29 PM, Jun Koi <junkoi2004(a)gmail.com> wrote:
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didnt display anything. Is that a bug, or
that is the way it supposes to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" shows nothing. is
that expected??
I suppose that "connections" and "sockets" are about the same thing.
is that correct?
Thanks,
Jun
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
2:50 a.m.
On Mon, Feb 16, 2009 at 6:38 PM, Michael Cohen <scudette(a)gmail.com> wrote:
Jun,
What kind of image is this?
My image is created with mdd and win32dd. I run XP-SP2 and XP-SP3.
There is no such a problem on the sample images xp-laptop-*, but only
with the images i created from my Windows machines.
Do you have any idea?
Thanks,
Jun
On Mon, Feb 16, 2009 at 8:29 PM, Jun Koi <junkoi2004(a)gmail.com> wrote:
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didnt display anything. Is that a bug, or
that is the way it supposes to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" shows nothing. is
that expected??
I suppose that "connections" and "sockets" are about the same thing.
is that correct?
Thanks,
Jun
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
5747
days inactive
5750
days old
vol-dev@lists.volatilityfoundation.org
2 comments
2 participants
participants (2)
-
Jun Koi -
Michael Cohen