Hello vol-users! 

I'm working on a forensics case where I have multiple memory scrapes with strange volatility output. This has down some rabbit holes and I'm at the point where signs are pointing to anti-forensics. This has led me to dig into how pool tag scanning works and I've found several articles referencing a apparently still yet unreleased (mentioned in 2014, and 2016) Volatility plugin called TCPScan which uses an alternative method (which uses methods that are not detailed).

You can find references to the plugin here:

https://scudette.blogspot.com/2014/02/anti-forensics-and-memory-analysis.html

https://findingbad.blogspot.com/2016/09/forensic-analysis-of-anti-forensic.html

Does anyone have access to or can anyone put me in touch with anyone who has access to this plugin? Or can anyone talk to the methods that it uses to scan for connections?

Thanks,

Nate Subra

_______________________________________________
Vol-users mailing list
Vol-users@lists.volatilityfoundation.org
https://lists.volatilityfoundation.org/mailman/listinfo/vol-users

One-click Unsubscribe:
https://lists.volatilityfoundation.org/mailman/options/vol-users/jared703%40gmail.com?unsub=1&unsubconfirm=1