Re: [Vol-users] format of UDP record in memory

Mike, On Thu, Jun 21, 2012 at 12:10 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote: Volatility *can* find old artifacts (i.e. no longer in use by the OS), but that doesn't mean it *will* find *all* old artifacts. In other words, if a system sends 5 UDP packets, you may find all 5 in memory, or you may find none, depending on how quickly the memory dump was taken after the 5 UDP packets were constructed and how many allocations/deallocations the kernel is making during those times. Don't forget volatility is open source. The file with UDP structures for different OS can be viewed here: http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/… This is a string "UDP to 204.13.161.100" which is a completely different artifact from the UDP structure itself. If an application logs outgoing UDP packets (such as a firewall or event log), then its very likely to stay in memory longer than the UDP structure. Also, if you're analyzing a memory dump by suspending the VM, that has significant impact on the lifetime and availability of network structures. When you suspend/pause a VMware guest, VMware tools runs a bat script on the guest (I think its vm-suspend.bat) which forcefully closes TCP/UDP and frees the IP. Hope this helps, MHL