Lou, 

The netscan command [1] uses pool tag scanning like connscan [2]. Thus it has the same pros/cons described - in particular "This can find artifacts from previous connections that have since been terminated, in addition to the active ones. In the output below, you'll notice some fields have been partially overwritten, but some of the information is still accurate." 

In other words, you may have found remnants of a connection that was once established, but was closed before the memory dump was taken. The structure is still lingering, but some pointers within the structure (namely those that identify the owning process) are no longer valid. 

HTH, 
Michael

[1]. https://code.google.com/p/volatility/wiki/CommandReference23#netscan
[2]. https://code.google.com/p/volatility/wiki/CommandReference23#connscan
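As an added illustration of the point above (example code, not part of Michael's reply or of Volatility itself): a small parser for the netscan rows quoted in this thread that separates entries whose owning-process fields are intact from those where the pointers were overwritten, and flags a second scan hit for an identical socket as a likely lingering copy. The sample rows are constructed to match the shape of Lou's output, and the "duplicate" tag is a heuristic of my own, not something netscan reports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, copied in shape from the netscan output quoted in the thread.
SAMPLE_NETSCAN = """\
0x2d07480  TCPv4    10.22.41.40:58767     38.126.225.229:43405 ESTABLISHED      -------- --------------
0x1367da70 TCPv4    10.22.41.40:59302     151.213.50.211:22031 ESTABLISHED      -------- --------------
0xdb838178 TCPv4    0.0.0.0:49154         0.0.0.0:0            LISTENING        996      svchost.exe
0xdb850ab0 TCPv4    0.0.0.0:49155         0.0.0.0:0            LISTENING        1440     spoolsv.exe
0xdb855e78 TCPv4    0.0.0.0:49155         0.0.0.0:0            LISTENING        1440     spoolsv.exe
"""

@dataclass
class NetscanEntry:
    offset: int
    proto: str
    local: str
    foreign: str
    state: str
    pid: Optional[int]    # None when netscan printed '--------' (pointer no longer valid)
    owner: Optional[str]  # None when netscan printed '--------------'

def parse_netscan(text: str) -> List[NetscanEntry]:
    """Parse the TCP rows of netscan output (seven whitespace-separated columns)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip headers, blanks and UDP rows (which have no state column)
        off, proto, local, foreign, state, pid, owner = parts
        pid_val = int(pid) if pid.isdigit() else None
        owner_val = None if set(owner) == {"-"} else owner
        entries.append(NetscanEntry(int(off, 16), proto, local, foreign, state, pid_val, owner_val))
    return entries

def triage(entries: List[NetscanEntry]) -> Dict[int, str]:
    """Tag by offset: 'active' (owner fields intact), 'stale_owner' (owning-process
    pointers overwritten), or 'duplicate' (heuristic: a second hit for the same socket)."""
    seen: Dict[tuple, int] = {}
    tags: Dict[int, str] = {}
    for e in entries:
        key = (e.proto, e.local, e.foreign, e.state)
        if e.pid is None or e.owner is None:
            tags[e.offset] = "stale_owner"
        elif key in seen:
            tags[e.offset] = "duplicate"
        else:
            tags[e.offset] = "active"
        seen.setdefault(key, e.offset)
    return tags
```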


On Thu, May 16, 2013 at 12:57 PM, Lou LaRocca <louislarocca@gmail.com> wrote:
Greetings

I am looking at Win 7 x86 SP1 memory and I don't understand why I am seeing "established connections" but no PID or Process with it.

0x2d07480  TCPv4    10.22.41.40:58767             38.126.225.229:43405 ESTABLISHED      -------- --------------
0x1367da70 TCPv4    10.22.41.40:59302             151.213.50.211:22031 ESTABLISHED      -------- --------------


In addition I am seeing stuff "listening" and it contains the PID and Process.

0xdb838178 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        996      svchost.exe   
0xdb850ab0 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe   
0xdb855e78 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe 

So my question is: why can I see the listening processes, but I'm not getting the processes that are established?

Thanks for the help

Lou

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users