Hello vol-users!
I'm working on a forensics case where I have multiple memory scrapes with
strange volatility output. This has down some rabbit holes and I'm at the
point where signs are pointing to anti-forensics. This has led me to dig
into how pool tag scanning works and I've found several articles
referencing a apparently still yet unreleased (mentioned in 2014, and 2016)
Volatility plugin called TCPScan which uses an alternative method (which
uses methods that are not detailed).
You can find references to the plugin here:
https://scudette.blogspot.com/2014/02/anti-forensics-and-
memory-analysis.html
https://findingbad.blogspot.com/2016/09/forensic-analysis-
of-anti-forensic.html
Does anyone have access to or can anyone put me in touch with anyone who
has access to this plugin? Or can anyone talk to the methods that it uses
to scan for connections?
Thanks,
Nate Subra