Yeah some plugins for carving ndis stuff have been on my list of things to do for a while.
That would be a useful addition. Also ikelos started porting the packetscan plugin from
1.3 but it probably won't be ready until 2.2 (unless someone wants to pitch in and
help with it). See
http://code.google.com/p/volatility/issues/detail?id=233.
MHL
Sent from my iPad
On Jun 21, 2012, at 2:00 PM, "George M. Garner J.r (online)"
<ggarner_online(a)gmgsystemsinc.com> wrote:
Mike,
> For example I'm looking for
> from a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600
UDP is a stateless protocol, btw, so strictly speaking there never was any connection to
leave artifacts. It is a crude method; however, you can try scanning memory for the
remote IP address. At a minimum you need to look for the IP encoded as an ASCII and
Unicode string and as an integer value in both network and host byte order. You can also
try searching for the ROT13 encoding of the ASCII and Unicode string representations.
Once you find the IP address in memory you can (often) use the PFN database to
determine which process owns the memory block.
Also, sometimes you can find the raw packet in a deallocated ndis common buffer. Would
have to look up how to find those, though. XP is a distant memory for me. Trying to
remember stuff from 5 or 6 years ago. :
Regards,
George.
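The encodings George lists above (ASCII, Unicode/UTF-16LE, packed integer in network and host byte order, ROT13 of the string forms), turned into a small carving routine. This is an added example, not code from the thread or from Volatility; `ip_search_patterns`, `scan_memory` and `build_sample_dump` are hypothetical names, and the sample "dump" is constructed inline. It goes one step beyond the message by also deriving the SOCKADDR_IN layout (AF_INET in host order, then port and address in network order) when the port is known. Note that ROT13 only rotates letters, so for a dotted-decimal address the ROT13 variants are byte-identical to the plain strings; the scanner merges identical patterns so a hit is reported once with every label it satisfies.

```python
import codecs
import ipaddress
import re
import struct
from typing import Dict, List, Optional, Tuple


def ip_search_patterns(ip: str, port: Optional[int] = None) -> Dict[str, bytes]:
    """Byte encodings of an IPv4 address worth carving for in a memory image:
    ASCII and UTF-16LE ("Unicode" on Windows) strings, the 4-byte value in
    network (big-endian) and x86 host (little-endian) order, ROT13 of both
    string forms and, when a port is known, the SOCKADDR_IN layout
    (AF_INET=2 in host order, then port and address in network order).
    The sockaddr pattern is an extension of the list given in the thread."""
    addr = ipaddress.IPv4Address(ip)
    text = str(addr)
    packed = addr.packed                      # network byte order, 4 bytes
    rot = codecs.encode(text, "rot_13")       # rotates letters only; digits and dots stay
    patterns: Dict[str, bytes] = {
        "ascii": text.encode("ascii"),
        "utf16le": text.encode("utf-16-le"),
        "be32": packed,
        "le32": packed[::-1],
        "rot13_ascii": rot.encode("ascii"),
        "rot13_utf16le": rot.encode("utf-16-le"),
    }
    if port is not None:
        patterns["sockaddr_in"] = struct.pack("<H", 2) + struct.pack("!H", port) + packed
    return patterns


def scan_memory(buf: bytes, ip: str, port: Optional[int] = None) -> List[Tuple[int, str]]:
    """Return (offset, labels) for every occurrence of any encoding of ip in buf.
    Encodings that yield identical bytes (e.g. ROT13 of a dotted-decimal address)
    are merged so each offset is reported once, labelled with every matching form."""
    by_bytes: Dict[bytes, List[str]] = {}
    for label, pat in ip_search_patterns(ip, port).items():
        by_bytes.setdefault(pat, []).append(label)
    hits: List[Tuple[int, str]] = []
    for pat, labels in by_bytes.items():
        for m in re.finditer(re.escape(pat), buf):
            hits.append((m.start(), "+".join(labels)))
    return sorted(hits)


def build_sample_dump(ip: str, port: int) -> bytes:
    """Constructed sample: a fake memory region with the address embedded in
    several encodings at known offsets, separated by 8 bytes of zero filler."""
    p = ip_search_patterns(ip, port)
    filler = b"\x00" * 8
    return (
        filler                  # offsets 0..7
        + p["ascii"]            # 8..22   (15 bytes)
        + filler                # 23..30
        + p["utf16le"]          # 31..60  (30 bytes)
        + filler                # 61..68
        + p["be32"]             # 69..72
        + filler                # 73..80
        + p["le32"]             # 81..84
        + filler                # 85..92
        + p["sockaddr_in"]      # 93..100 (its address field lands at 97)
        + filler                # 101..108
    )


if __name__ == "__main__":
    target_ip, target_port = "192.168.136.129", 1044   # values from the question above
    dump = build_sample_dump(target_ip, target_port)
    for offset, labels in scan_memory(dump, target_ip, target_port):
        print(f"0x{offset:08x}  {labels}")
```

On a real image, feed the raw file contents (or one address-space region at a time) to `scan_memory`. The four-byte integer forms are short enough to produce chance matches in a multi-gigabyte dump, so each hit is a candidate to confirm by mapping the physical page back to its owning process, as the message suggests with the PFN database; the string and sockaddr forms are long enough that a hit is usually meaningful.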
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users