Hey,
Did you try the IP hex value in reverse? It is likely that the IP
address is stored as little endian in memory.
Thanks,
Andrew (@attrc)
On 05/10/2016 05:15 AM, tech(a)nisteo.fr wrote:
Hello,
I am starting to play with Volatility (2.5) and I am currently working
on a Win2008R2 image (memory dump with winpmem). I would like to
understand what is causing some network connections initiated by the
"System" process.
netscan shows those connections and I would like to be able to find
references to the IP addresses in the memory dump. I have tried
"yarascan -Y" plugin with the IP string, with the IP to integer value
(converted to Hex) but no luck finding IPs that, however, I can see in
the netscan result...
Either I am wrong with the yarascan syntax or there is something I don't
know regarding how Win2008 stores IP...
Any hints?
Thanks,
Laurent
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
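Added example (not part of the thread, and not Volatility code): a small Python script that derives the two 4-byte encodings an IPv4 address can have in memory, the network-order bytes produced by inet_aton and the reversed, little-endian form you get when the host-order integer is written by an x86 CPU, and scans a buffer for both. The sample dump is constructed inline to show one address stored each way; the yarascan invocation in the comments is an illustration of YARA's hex-string syntax, not output from the list.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 -> 32-bit host-order integer (192.168.1.10 -> 0xC0A8010A)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def ip_byte_patterns(ip: str) -> dict:
    """The two 4-byte forms an IPv4 address can take in a memory image.
    'network': big-endian, as an in_addr / sockaddr field stores it.
    'little' : the host-order integer written little-endian, i.e. the
               network bytes reversed (what you get from hex(ip_to_int(ip))
               when the CPU lays the DWORD out in memory)."""
    net = socket.inet_aton(ip)                      # b'\xc0\xa8\x01\x0a'
    little = struct.pack("<I", ip_to_int(ip))       # b'\x0a\x01\xa8\xc0'
    assert little == net[::-1]                      # same thing, just reversed
    return {"network": net, "little": little}

def yara_hex_string(pattern: bytes) -> str:
    """Format bytes as a YARA hex string, e.g. '{ c0 a8 01 0a }'.
    Illustrative use with Volatility 2: yarascan -Y "{ c0 a8 01 0a }"."""
    return "{ " + " ".join(f"{b:02x}" for b in pattern) + " }"

def yara_candidates(ip: str) -> dict:
    """Both hex-string rules to try for one address, keyed by byte order."""
    return {order: yara_hex_string(pat) for order, pat in ip_byte_patterns(ip).items()}

def find_ip(buf: bytes, ip: str) -> list:
    """Scan a raw buffer for both encodings; return sorted (offset, byte_order)."""
    hits = []
    for order, pat in ip_byte_patterns(ip).items():
        start = 0
        while True:
            idx = buf.find(pat, start)
            if idx < 0:
                break
            hits.append((idx, order))
            start = idx + 1
    return sorted(hits)

# Constructed sample "dump": one address as a network-order in_addr field,
# another as a host-order DWORD written little-endian. Not a real image.
SAMPLE_DUMP = (
    b"\x00" * 16
    + socket.inet_aton("192.168.1.10")            # offset 16, network order
    + b"\x00" * 12
    + struct.pack("<I", ip_to_int("10.0.0.5"))    # offset 32, little-endian
    + b"\x00" * 8
)

if __name__ == "__main__":
    for ip in ("192.168.1.10", "10.0.0.5"):
        print(ip, hex(ip_to_int(ip)), yara_candidates(ip), find_ip(SAMPLE_DUMP, ip))
```

Searching for only one of the two forms finds each address in only one place in the sample; running both candidate rules is the quick way to tell which layout the structure holding the address uses before you dig into the owning object.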