1
Network Artifacts
2
Networking Artifacts
These commands are for Windows XP and Windows 2003 Server only.
- connections: Lists active connections. Walks the singly-linked list of connection structures in the tcpip.sys module.
- connscan: Also finds previous connections that have since been terminated.
- sockets: Detects listening sockets for any protocol (TCP, UDP, RAW, etc.).
- sockscan: Finds residual data and artifacts from terminated sockets.
Output includes the virtual offset of the _TCPT_OBJECT; the physical offset is obtained with the -P switch.
3
connections: Views the active connections
- Walks the singly-linked list of connection structures pointed to by a non-exported symbol in the tcpip.sys module.
- Windows XP and Windows 2003 Server only.
- Reports the virtual offset of the _TCPT_OBJECT by default; the physical offset is obtained with the -P switch.
4
connections
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img connections
Volatility Foundation Volatility Framework 2.3
Offset(V) Local Address Remote Address Pid
0x820869b : :
0xffa2baf : :
0x8220c : :
0x81f11e : :
0x8220d6b : :
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img connections -P
Offset(P) Local Address Remote Address Pid
0x020869b : :
0x18fffaf : :
0x0220c : :
0x01f11e : :
0x0220d6b : :
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img pslist -p 2160,2392
Volatility Foundation Volatility Framework 2.3
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xffaa0c10 firefox.exe :49:22 UTC+0000
0x814b13b0 iexplore.exe :51:02 UTC+0000
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img pslist -p 2160,2392 -P
Offset(P) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0x186fec10 firefox.exe :49:22 UTC+0000
0x014b13b0 iexplore.exe :51:02 UTC+0000
5
connscan: Connection structures using pool tag scanning
- Finds artifacts from previous connections that have since been terminated.
- May sometimes produce false positives.
- For Windows XP and Windows 2003 Server only.
6
connscan
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img connscan
Volatility Foundation Volatility Framework 2.3
Offset(P) Local Address Remote Address Pid
0x01370e : :
0x01ed1a : :
0x01f0e : :
0x01f11e : :
0x01f35cd : :
0x01f88e : :
0x020869b : :
0x021ca8b : :
0x021d2e : :
0x : :
0x02207ab : :
0x0220c : :
0x0220d6b : :
0x02210c : :
0x : :
0x108d2e : :
0x187a : :
0x18fffaf : :
0x1d5bde : :
0x1f4eb : :
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img pslist -p 944,1916
Volatility Foundation Volatility Framework 2.3
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0x PluckSvr.exe :51:00 UTC+0000
0xffadc9d0 PluckUpdater.ex :51:40 UTC :53:49 UTC+0000
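As an added example (not part of the slides), the script below parses connections, connscan and pslist output in the Volatility 2.3 column layout and reports the two things an analyst checks on these slides: connections that only the pool scanner returned (terminated, or false positives) and connections whose owning PID is absent from the process list. The sample output, the regexes and the PIDs are my construction.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample in the Volatility 2.3 'connections' layout (addresses, ports and PIDs are made up).
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
0x820869b0 192.168.1.5:1043          10.0.0.1:80               2160
0x8220c5a0 192.168.1.5:1044          10.0.0.2:443              2392
"""
# Constructed 'connscan' output: pool-tag scanning also returns connections no longer in the live list.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
0x020869b0 192.168.1.5:1043          10.0.0.1:80               2160
0x0220c5a0 192.168.1.5:1044          10.0.0.2:443              2392
0x01f11e90 192.168.1.5:1050          203.0.113.7:8443          3000
0x01ed1a10 192.168.1.5:1052          10.0.0.1:80               1916
"""
# Constructed 'pslist' output, trimmed to the leading columns the regex below reads.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess
0xffaa0c10 firefox.exe              2160   1888     10      300      0
0x814b13b0 iexplore.exe             2392   1888      8      250      0
0xffadc9d0 PluckUpdater.ex          1916    944      2       40      0
"""

class Conn(NamedTuple):
    local: str
    remote: str
    pid: int

CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+:\d+)\s+(\S+:\d+)\s+(\d+)\s*$")
PSLIST_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+\d+")

def parse_connections(text: str) -> List[Conn]:
    """Rows of 'connections' and 'connscan' share the same columns; only the offset kind (V/P) differs."""
    return [Conn(m.group(1), m.group(2), int(m.group(3)))
            for m in map(CONN_RE.match, text.splitlines()) if m]

def parse_pids(text: str) -> Set[int]:
    return {int(m.group(2)) for m in map(PSLIST_RE.match, text.splitlines()) if m}

def triage(connections: str, connscan: str, pslist: str) -> Tuple[List[Conn], List[Conn]]:
    live = set(parse_connections(connections))
    scanned = set(parse_connections(connscan))
    pids = parse_pids(pslist)
    # Seen by the pool scanner but absent from the live list: terminated connections (or scan false positives).
    residual = sorted(scanned - live)
    # Owning PID missing from the active process list: the process exited or is unlinked (hidden).
    orphaned = sorted(c for c in scanned | live if c.pid not in pids)
    return residual, orphaned
```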
7
sockets: Detects listening sockets for any protocol (TCP, UDP, RAW, etc.)
- Walks a singly-linked list of socket structures pointed to by a non-exported symbol in the tcpip.sys module.
- Reports the virtual offset of the _ADDRESS_OBJECT; the physical offset is obtained with the -P switch.
- For Windows XP and Windows 2003 Server only.
8
sockets Virtual Offset
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img sockets
Volatility Foundation Volatility Framework 2.3
Offset(V) PID Port Proto Protocol Address Create Time
0x82004e UDP :48:02 UTC+0000
0x82052e UDP :47:48 UTC+0000
0x821cad UDP :48:00 UTC+0000
0x GRE :48:13 UTC+0000
0x TCP :48:05 UTC+0000
0x81fdf UDP :47:59 UTC+0000
0x81ffac UDP :48:02 UTC+0000
0x82089e TCP :49:27 UTC+0000
0x8136e UDP :51:23 UTC+0000
0x81ed TCP :51:26 UTC+0000
0x8208a TCP :48:00 UTC+0000
0x820f0e TCP :47:28 UTC+0000
0x82260cd TCP :47:33 UTC+0000
0x8202ee TCP :48:00 UTC+0000
0x TCP :48:05 UTC+0000
0x81eed5b TCP :51:24 UTC+0000
0x8201a9e UDP :48:00 UTC+0000
0x821d5a UDP :48:16 UTC+0000
0x81f747b UDP :47:59 UTC+0000
0x8210a UDP :48:00 UTC+0000
0x81f5be UDP :48:00 UTC+0000
0x81ffa UDP :48:02 UTC+0000
0x8202dd Reserved :47:59 UTC+0000
… Snip
9
sockets Physical Offset
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img sockets -P
Volatility Foundation Volatility Framework 2.3
Offset(P) PID Port Proto Protocol Address Create Time
0x02004e UDP :48:02 UTC+0000
0x02052e UDP :47:48 UTC+0000
0x021cad UDP :48:00 UTC+0000
0x GRE :48:13 UTC+0000
0x TCP :48:05 UTC+0000
0x01fdf UDP :47:59 UTC+0000
0x01ffac UDP :48:02 UTC+0000
0x02089e TCP :49:27 UTC+0000
0x0136e UDP :51:23 UTC+0000
0x01ed TCP :51:26 UTC+0000
0x0208a TCP :48:00 UTC+0000
0x020f0e TCP :47:28 UTC+0000
0x02260cd TCP :47:33 UTC+0000
0x0202ee TCP :48:00 UTC+0000
0x TCP :48:05 UTC+0000
0x01eed5b TCP :51:24 UTC+0000
0x0201a9e UDP :48:00 UTC+0000
0x021d5a UDP :48:16 UTC+0000
0x01f747b UDP :47:59 UTC+0000
0x0210a UDP :48:00 UTC+0000
0x01f5be UDP :48:00 UTC+0000
0x01ffa UDP :48:02 UTC+0000
0x0202dd Reserved :47:59 UTC+0000
… Snip
10
sockscan: Socket structures using pool tag scanning
- As with connscan, this can pick up residual data and artifacts from previous sockets.
- Only applies to Windows XP and Windows Server.
11
sockscan
lynn@Sisyphus:~/CF_III.Memory_Forensics/mem-images$ ^C
python /volatility/vol.py --profile=WinXPSP2x86 -f xp-laptop img sockscan
Volatility Foundation Volatility Framework 2.3
Offset(P) PID Port Proto Protocol Address Create Time
0x GRE :48:13 UTC+0000
0x0136e UDP :51:23 UTC+0000
0x TCP :48:05 UTC+0000
0x013910e TCP :48:05 UTC+0000
0x01ebd UDP :48:00 UTC+0000
0x01ed TCP :51:26 UTC+0000
0x01eed5b TCP :51:24 UTC+0000
0x01f1e HOPOPT :31:44 UTC+0000
0x01f5be UDP :48:00 UTC+0000
0x01f65b UDP :48:00 UTC+0000
0x01f747b UDP :47:59 UTC+0000
0x01fa9d TCP :48:05 UTC+0000
0x01fada UDP :48:09 UTC+0000
0x01fb4b TCP :48:00 UTC+0000
0x01fdf UDP :47:59 UTC+0000
0x01fe5e TCP :49:27 UTC+0000
0x01fe6e TCP :48:05 UTC+0000
0x01ffa UDP :48:02 UTC+0000
0x01ffac UDP :48:02 UTC+0000
0x02004e UDP :48:02 UTC+0000
0x02006e UDP :48:05 UTC+0000
0x0201a9e UDP :48:00 UTC+0000
0x0202dd Reserved :47:59 UTC+0000
12
Networking Artifacts For Vista and Up
netscan
- Scans for network artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory dumps.
- Finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners.
- Understands IPv4 and IPv6.
- Gives: the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only).
13
netscan
python /volatility/vol.py --profile=Win7SP1x86 -f win7x86.raw netscan
Volatility Foundation Volatility Framework 2.3
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x3e83a360 TCPv : : LISTENING svchost.exe
0x3e83c1d8 TCPv : : LISTENING wininit.exe
0x3e83ca20 TCPv : : LISTENING svchost.exe
0x3e83ca20 TCPv6 ::: ::: LISTENING svchost.exe
0x3e TCPv : : LISTENING wininit.exe
0x3e TCPv6 ::: ::: LISTENING wininit.exe
0x3e TCPv : : LISTENING svchost.exe
0x3e TCPv : : LISTENING svchost.exe
0x3e TCPv6 ::: ::: LISTENING svchost.exe
0x3e TCPv : : LISTENING svchost.exe
0x3e9181d8 TCPv : : LISTENING wininit.exe
0x3e918a20 TCPv : : LISTENING svchost.exe
0x3e918a20 TCPv6 ::: ::: LISTENING svchost.exe
0x3e91c248 TCPv : : LISTENING wininit.exe
0x3e91c248 TCPv6 ::: ::: LISTENING wininit.exe
0x3e93d430 TCPv : : LISTENING svchost.exe
0x3e93f840 TCPv : : LISTENING svchost.exe
0x3e93f840 TCPv6 ::: ::: LISTENING svchost.exe
0x3eb9e598 TCPv : : LISTENING System
0x3ecf52b0 TCPv : : LISTENING lsass.exe
0x3ecf52b0 TCPv6 ::: ::: LISTENING lsass.exe
0x3ecff2e8 TCPv : : LISTENING lsass.exe
0x3ed0e340 TCPv : : LISTENING svchost.exe
0x3ed25098 TCPv : : LISTENING svchost.exe
0x3ed25098 TCPv6 ::: ::: LISTENING svchost.exe
0x3ee9c588 TCPv : : LISTENING System
0x3ee9c588 TCPv6 ::: ::: LISTENING System
0x3eea50b0 TCPv : : LISTENING services.exe
0x3eea50b0 TCPv6 ::: ::: LISTENING services.exe
0x3eea7880 TCPv : : LISTENING services.exe
0x3eef1628 TCPv : :1604 SYN_SENT
0x3fb4ba70 TCPv : :1604 CLOSED
14
netscan (Part 2)
0x3e6e3710 UDPv : *:* System :04:31 UTC+0000
0x3e6eb100 UDPv : *:* conhost.exe :28:31 UTC+0000
0x3e6f4d08 UDPv6 fe80::38de:3b28:c3d4:638b:1900 *:* svchost.exe :08:28 UTC+0000
0x3e UDPv : *:* svchost.exe :04:32 UTC+0000
0x3e UDPv6 ::: *:* svchost.exe :04:32 UTC+0000
0x3e762d30 UDPv6 ::1: *:* svchost.exe :08:28 UTC+0000
0x3e7864e0 UDPv : *:* svchost.exe :19:25 UTC+0000
0x3e807df0 UDPv : *:* System :04:31 UTC+0000
0x3e810bd8 UDPv : *:* :27:07 UTC+0000
0x3e8e3df0 UDPv : *:* System :04:31 UTC+0000
0x3e8ecbd8 UDPv : *:* :27:07 UTC+0000
0x3e9bfdf0 UDPv : *:* System :04:31 UTC+0000
0x3e9c8bd8 UDPv : *:* :27:07 UTC+0000
0x3ecc0cc8 UDPv : *:* svchost.exe :19:25 UTC+0000
0x3ecc0cc8 UDPv6 ::: *:* svchost.exe :19:25 UTC+0000
0x3ee12960 UDPv6 ::1: *:* svchost.exe :08:28 UTC+0000
0x3eebe7d0 UDPv : *:* svchost.exe :08:28 UTC+0000
0x3f598d50 UDPv : *:* svchost.exe :08:28 UTC+0000
0x3f UDPv : *:* svchost.exe :08:28 UTC+0000
0x3faf01f8 UDPv : *:* svchost.exe :32:17 UTC+0000
0x3fb13868 UDPv : *:* :20:48 UTC+0000
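As an added example (not from the slides), the parser below handles the irregular netscan row layout shown above: IPv6 literals where the port follows the last colon, the *:* wildcard, a State column that only TCP rows carry, and Owner and Created columns that may be empty. It then separates externally reachable listeners from TCP connections in a non-listening state. The sample rows, the regex and the PIDs are my construction.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the Volatility 2 'netscan' layout (offsets, PIDs and addresses are made up).
NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e83a360 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        708      svchost.exe
0x3e83ca20 TCPv6    :::135                         :::0                 LISTENING        708      svchost.exe
0x3e83c1d8 TCPv4    127.0.0.1:49152                0.0.0.0:0            LISTENING        480      wininit.exe
0x3eef1628 TCPv4    10.0.2.15:49160                198.51.100.20:1604   SYN_SENT         2404
0x3fb4ba70 TCPv4    10.0.2.15:49161                198.51.100.20:1604   CLOSED           2404     explorer.exe
0x3e6f4d08 UDPv6    fe80::38de:3b28:c3d4:638b:1900 *:*                                   1256     svchost.exe    2013-01-01 12:08:28 UTC+0000
0x3e6e3710 UDPv4    0.0.0.0:5355                   *:*                                   4        System         2013-01-01 12:04:31 UTC+0000
"""

class Endpoint(NamedTuple):
    offset: str
    proto: str
    host: str
    port: str
    foreign: str
    state: Optional[str]    # only TCP rows carry a state
    pid: int
    owner: Optional[str]    # blank when netscan could not tie the endpoint to a process
    created: Optional[str]

ROW_RE = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>-?\d+)(?:\s+(?P<owner>\S+))?"
    r"(?:\s+(?P<created>\d{4}-\d{2}-\d{2} \S+ \S+))?\s*$")

def _row(m: "re.Match") -> Endpoint:
    host, _, port = m["local"].rpartition(":")  # port follows the LAST colon, so IPv6 literals split correctly
    return Endpoint(m["off"], m["proto"], host, port, m["foreign"], m["state"],
                    int(m["pid"]), m["owner"], m["created"])

def parse_netscan(text: str) -> List[Endpoint]:
    # Header, separator and truncated lines do not match the row pattern and are skipped.
    return [_row(m) for m in map(ROW_RE.match, text.splitlines()) if m]

def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "::1"

def external_listeners(eps: List[Endpoint]) -> List[Endpoint]:
    # Listening TCP sockets and UDP endpoints reachable from other hosts (0.0.0.0 and :: count as reachable).
    return [e for e in eps if (e.state == "LISTENING" or e.proto.startswith("UDP")) and not is_loopback(e.host)]

def outbound_tcp(eps: List[Endpoint]) -> List[Endpoint]:
    # TCP rows in any non-listening state: live, half-open or already-closed connections that need attributing.
    return [e for e in eps if e.proto.startswith("TCP") and e.state not in (None, "LISTENING")]
```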