To add on what Jamie suggested, you can also use the Volatility RegistryAPI
and volshell to get the information as well. In Windows 7/Vista/XP the
location of the registry key for the IP address is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{service name}
The name of the value in that key is IPAddress.
To get the service name of the specific interface, you can enumerate all
the keys in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
The value you'll be looking for in the key is ServiceName. The Description
value is the name of the adapter (i.e. Intel(R) PRO/1000 GT Desktop Adapter)
The specific API functions you'll want to look into are:
reg_get_all_subkeys()
reg_get_value()
See
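Added example, not code from the thread or from Volatility itself: the lookup described above (NetworkCards -> ServiceName -> Interfaces\{ServiceName}\IPAddress) written against only the two RegistryApi calls named, reg_get_all_subkeys() and reg_get_value(). DictRegistryApi and SAMPLE_HIVES are constructed stand-ins so it runs without a memory image; in volshell you would pass a real volatility.plugins.registry.registryapi.RegistryApi instead. It goes a little beyond the text by handling the DHCP case (static IPAddress is 0.0.0.0 and the lease sits in DhcpIPAddress) and by resolving CurrentControlSet through SYSTEM\Select\Current, since raw hives have no CurrentControlSet link.

```python
# Added example, not from the thread: NetworkCards -> ServiceName -> Interfaces\{ServiceName}
# lookup using only reg_get_all_subkeys() / reg_get_value(); SAMPLE_HIVES is constructed data.
NETCARDS = r"Microsoft\Windows NT\CurrentVersion\NetworkCards"
IFACES = r"Services\Tcpip\Parameters\Interfaces"
GUID = "{00000000-0000-0000-0000-000000000000}"  # placeholder interface GUID
SAMPLE_HIVES = {  # {hive: {key_path: {value_name: data}}}; REG_MULTI_SZ shown as a list
    "software": {NETCARDS + r"\1": {"ServiceName": GUID,
                                    "Description": "Intel(R) PRO/1000 GT Desktop Adapter"}},
    "system": {"Select": {"Current": 1},
               r"ControlSet001\%s\%s" % (IFACES, GUID): {
                   "IPAddress": ["0.0.0.0", ""],           # static value is 0.0.0.0 under DHCP
                   "DhcpIPAddress": ["172.16.176.143", ""]}}}

class DictRegistryApi(object):
    """Constructed stand-in exposing the same two calls as Volatility 2's RegistryApi."""
    def __init__(self, hives):
        self.hives = hives

    def reg_get_all_subkeys(self, hive_name, key):
        prefix = key.lower() + "\\"
        return [p[len(prefix):] for p in self.hives[hive_name]
                if p.lower().startswith(prefix) and "\\" not in p[len(prefix):]]

    def reg_get_value(self, hive_name, key, value):
        for path, values in self.hives[hive_name].items():
            if path.lower() == key.lower():
                return values.get(value)

def first_address(data):
    """IPAddress / DhcpIPAddress are REG_MULTI_SZ: return the first non-empty entry."""
    if isinstance(data, (list, tuple)):
        data = next((d for d in data if d), "")
    return str(data or "").strip("\x00")

def find_interface_ips(api):
    """Description -> IP; CurrentControlSet is not a real key in raw hives, so use SYSTEM\\Select\\Current."""
    ifaces = "ControlSet%03d\\%s" % (api.reg_get_value("system", "Select", "Current") or 1, IFACES)
    results = {}
    for card in api.reg_get_all_subkeys("software", NETCARDS):
        card_key = NETCARDS + "\\" + str(getattr(card, "Name", card))  # real API yields key objects
        service = first_address(api.reg_get_value("software", card_key, "ServiceName"))
        if not service:
            continue
        iface_key = ifaces + "\\" + service
        ip = first_address(api.reg_get_value("system", iface_key, "IPAddress"))
        if ip in ("", "0.0.0.0"):  # a DHCP lease is recorded in DhcpIPAddress instead
            ip = first_address(api.reg_get_value("system", iface_key, "DhcpIPAddress"))
        desc = first_address(api.reg_get_value("software", card_key, "Description"))
        results[desc or service] = ip
    return results
```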
On Tue, Jul 23, 2013 at 7:27 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
try the connscan plugin-
http://code.google.com/p/volatility/wiki/CommandReference23#connscan you
can see both the local and remote address below:
$ python vol.py -f zeus.vmem connscan
Volatile Systems Volatility Framework 2.3_beta
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054 193.104.41.75:80 856
0x06015ab0 0.0.0.0:1056 193.104.41.75:80 856
All the best,
-gleeda
On Tue, Jul 23, 2013 at 2:40 PM, Don Raikes <don.raikes(a)oracle.com> wrote:
Hello,

As part of an assignment for a security and privacy class I am taking I
need to determine the IP address of a Windows XP system whose memory dump I
have. Actually, it is the zeus.vmem dump from the volatility dump images
download page.

I have done a lot of searching in google, but haven’t been able to find
much about how to get this information.

I tried the technique outlined at:
http://code.google.com/p/volatility/wiki/CommandReference

in the area concerning strings.
When I use the perl script provided the only obvious IP address is
172.16.176.143 which is a private network address. My assignment is to
determine the country of origin of the IP address, but so far I see no
addresses which are not private addresses.

Does anyone have any suggestions on how to proceed with finding the
system’s IP address?
--
Best Regards, Donald
Donald Raikes | Accessibility Specialist/ QA Engineer
Phone: +15202717608 | Mobile: +15202717608
Oracle Quality Assurance | Tucson, Arizona
Oracle is committed to developing practices and products that help
protect the environment
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92