Memory Forensics: Pull Process & Network Connections from a Memory Dump

In the previous article, we learned how to pull passwords from a memory dump file. This time, we will cover viewing a process list and network connections out of captured memory files.

Volatility’s “pslist” command can be used to view the processes that were running on a Windows system:

volatility pslist -f memdumpfilename.raw --profile=Win7SP1x86

From the output of the command, we see the physical memory location, process name and PID of every process that was running on the system. This helps deduce whether something was running on the computer that should not have been and, as you will see in a future article, lets you view programs that may be running under a process.

The next step is to view all network connections that were active from the memory dump:

volatility netscan -f memdumpfilename.raw --profile=Win7SP1x86

The data returned shows all network connections, including the process name and the source and destination IP addresses and ports. This is just a short snip of what was actually returned; the full list is easily twice as long. This information helps the analyst see whether any strange network connections were active, or can help the penetration tester gain valuable information about the network.
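The two listings are most useful side by side: every connection in netscan carries a PID, and any PID that does not appear in pslist is either a process that exited with its socket still in memory or one that is unlinked from the active process list. The script below is an added example, not code from the post or from Volatility; the pslist and netscan tables embedded in it are constructed to mimic the Volatility 2 column layout, and all offsets, PIDs and addresses in them are made up.

```python
import re

# Constructed sample output in the shape of Volatility 2's pslist and netscan
# tables; offsets, PIDs and addresses are made up for this example.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83d56020 System                    4      0     85      482 ------      0 2011-11-08 14:00:02 UTC+0000
0x84a1b030 svchost.exe             812    476     19      410      0      0 2011-11-08 14:00:10 UTC+0000
0x84b22d40 explorer.exe           1504   1480     30      801      1      0 2011-11-08 14:01:03 UTC+0000
"""

NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0d1008 TCPv4    10.0.0.5:49157                 10.0.0.20:445        ESTABLISHED      812      svchost.exe
0x3e0e2ab0 TCPv4    10.0.0.5:49201                 203.0.113.7:443      ESTABLISHED      2240     update.exe
0x3e0f3120 UDPv4    0.0.0.0:5355                   *:*                                   812      svchost.exe    2011-11-08 14:00:11 UTC+0000
0x3e1041c8 TCPv4    10.0.0.5:49300                 10.0.0.30:80         CLOSE_WAIT       1504     iexplore.exe
"""

PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
# State is blank on UDP rows, so it is an optional all-caps token before the PID.
NET_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)")

def parse_pslist(text):
    """Map PID -> {name, ppid}; header and separator lines do not match the row pattern."""
    rows = (PS_ROW.match(l) for l in text.splitlines())
    return {int(m[2]): {"name": m[1], "ppid": int(m[3])} for m in rows if m}

def parse_netscan(text):
    """One dict per netscan row; the header line does not match and is skipped."""
    rows = (NET_ROW.match(l) for l in text.splitlines())
    return [{"proto": m[1], "local": m[2], "remote": m[3], "state": m[4] or "",
             "pid": int(m[5]), "owner": m[6]} for m in rows if m]

def find_orphan_connections(procs, conns):
    """Connections whose owning PID is absent from pslist: an exited process with a
    lingering socket, or a process hidden from the list (follow up with psscan)."""
    return [c for c in conns if c["pid"] not in procs]

def find_owner_mismatches(procs, conns):
    """Connections where netscan's Owner name differs from the pslist name for that PID."""
    return [c for c in conns
            if c["pid"] in procs and procs[c["pid"]]["name"] != c["owner"]]

if __name__ == "__main__":
    procs, conns = parse_pslist(PSLIST), parse_netscan(NETSCAN)
    for c in find_orphan_connections(procs, conns):
        print("PID %d (%s) %s %s -> %s has no pslist entry" % (c["pid"], c["owner"], c["proto"], c["local"], c["remote"]))
```

On a real dump, feed the script the saved text output of the two commands instead of the embedded samples; both PSLIST and NETSCAN are plain strings.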

The last command that we will look at this time is “bioskbd”.

volatility bioskbd -f memdumpfilename.raw --profile=Win7SP1x86

As you can see, no data is returned on this memory dump. But what does “bioskbd” actually do? This interesting command can pull passwords that are still resident in the BIOS keyboard buffer. Most newer systems (like the one this memory dump was taken from) purge the BIOS keyboard buffer, but many older ones did not. On an old system you might be able to retrieve BIOS boot passwords, or even the passwords for disk encryption systems.

That’s it for this post. In the next Memory Forensics post, we will take a look at pulling malware samples off of a system infected with STUXNET!

~ by D. Dieterle on November 8, 2011.

8 Responses to “Memory Forensics: Pull Process & Network Connections from a Memory Dump”

  1. […] that wraps up pulling passwords off of a memory dump, next we will learn how to view the active network connections and processes from a memory dump. […]

  2. […] the previous article, we learned how to Pull Process & Network Connections from a Memory Dump. It been kind of fun playing around with a memory dump from our own system, but it would be cool to […]

  3. […] Well, that wraps up pulling passwords off of a memory dump, next we will learn how to view the active network connections and processes from a memory dump. […]

  4. […] the previous article, we learned how to pull passwords from a memory dump file. This time, we will cover viewing a process list and network connections out of captured […]

  5. When trying netscan it says command does not support the selected profile. Why is this?

    OS = Windows XP SP3 / Home Edition / version 2002

    Can someone help?

  6. Hi, I am using Vista SP1 Home Premium. When I run netscan on it, it says the file requested does not exist: volatility.debug

    Can anyone help please?
