RE: [Vol-users] format of UDP record in memory

Date: Thu, 21 Jun 2012 14:00:14 -0400 From: ggarner_online(a)gmgsystemsinc.com To: vol-users(a)volatilityfoundation.org Subject: Re: [Vol-users] format of UDP record in memory Mike, UDP is a stateless protocol, btw, so strictly speaking there never was any connection to leave artifacts. It is a crude method, however, you can try scanning memory for the remote IP address. At a minimum you need to look for the IP encoded as an ascii and Unicode string and as an integer value in both network and host byte order. You can also try searching for the ROT13 encoding of the ascii and Unicode string representations. Once you find the IP address in memory you can use (often) use the PFN database to determine which process owns the memory block. Also, sometimes you can find the raw packet in a deallocated ndis common buffer. Would have to look up how to find those, though. XP is a distant memory for me. Trying to remember stuff from 5 or 6 years ago. :-) Regards, George. _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users