On Sunday 10 May 2009 21:34:35 AAron Walters wrote:
As for the conflicting information, do you believe that the information
presented by Volatility is incorrect or incomplete? Or are you wondering
why the other tools are not enumerating the information you seek?
AAron,
I don't believe that any of the information presented by any of the tools
is incorrect. I was just hoping to start a conversation about the
differences in the outputs that I have seen recently so that these differences
are pointed out and understood better. Brendan Dolan-Gavitt posted a
comment to the blog post that hits the nail on the head for me and, in a way,
confirmed my thoughts on what was happening.
As I pointed out in the post, I think these output differences just come
from different needs during the different phases of development of each tool.
The people who mainly use Audit Viewer or Responder may not have even been
concerned with "freed" connections. But obviously whoever wrote the
connscan2 plugin for Vol had a need at one point. As I was analyzing memory
from several OS types it would have been nice to have that functionality in
the other two tools since I was looking for that type of information.
I am very pleased about the conversation this post has generated and I hope
it is helping others, new to memory analysis like myself, understand the
functionality and differences between the tools. As the developers of each
tool understand the inner details of memory much better than I do, I hope that
this helps get the ball rolling on some more collaboration and development in
all the products. We are only going to need these tools more in the future.
Thus far people from all three development teams have been very helpful and
professional.
Keep up the great work everybody.
Don
--
--------------------------
Don C. Weber
Information Security Consultant
Cutaway Security
CISSP, GIAC
#########################################
Website:
http://www.cutawaysecurity.com