WEBVTT

00:01.740 --> 00:07.920
In the previous lecture there was a discussion regarding beginning the process of analysis with the URL

00:07.950 --> 00:11.940
or IP address associated with the malicious activity.

00:11.970 --> 00:21.060
So Volatility has the ability to pull out of the memory image existing and even exited network connections

00:21.060 --> 00:25.220
that were still resident at the time of the acquisition.

00:25.230 --> 00:32.040
So the netscan plugin scans the memory image for network certificates.

00:32.400 --> 00:39.580
Actually, I have to, let's clear here and here.

00:39.930 --> 00:43.530
So the netscan plugin in Volatility.

00:44.810 --> 00:52.660
It scans the memory image for certificates, and the plugin will find the TCP and UDP endpoints and listeners

00:52.660 --> 00:56.620
as well as provide the local and foreign IP addresses.

00:56.620 --> 01:05.380
So netscan will only work with the 32-bit and 64-bit Windows Vista, Windows 7, Windows 10 and Windows

01:05.380 --> 01:08.200
Server 2008 or newer ones.

01:08.200 --> 01:15.430
So one key feature that is of help to the incident response analysis with the netscan plugin is that

01:15.430 --> 01:20.560
for the network connections, the process owner is indicated in the output.

01:20.560 --> 01:26.560
So this is usually useful for determining whether a connection is utilizing Internet Explorer or another

01:26.560 --> 01:30.670
process, such as Remote Desktop Services or SMB.

01:31.210 --> 01:37.480
So now let's run the program here and run the plugin here, netscan.

01:38.290 --> 01:39.790
And here?

01:40.120 --> 01:40.690
Yeah.

01:40.870 --> 01:42.710
Why the command provide?

01:42.790 --> 01:43.360
Yeah.

01:43.360 --> 01:48.280
The netscan is for the newer versions, for Volatility.

01:48.550 --> 01:55.060
That's because, as I said earlier, the netscan will not work on the Windows XP file.

01:55.060 --> 01:59.650
This one works with Windows Vista, Windows 7 and Windows 10.

01:59.650 --> 02:02.440
But we have an alternative here for Windows.

02:02.890 --> 02:05.860
So this, and that's the connscan.

02:05.980 --> 02:11.350
Connscan is actually pretty different, but actually not, not that different.

02:11.350 --> 02:14.650
But yeah, the netscan is more.

02:16.120 --> 02:20.230
And this one has more features and gives more information here.

02:20.230 --> 02:26.410
So for earlier versions of Windows such as Windows XP that we are analyzing now.

02:28.000 --> 02:28.390
Here.

02:28.420 --> 02:29.050
Yeah.

02:29.230 --> 02:31.900
Before Windows XP that we are analyzing now.

02:32.690 --> 02:39.800
The connscan plugin performs the same function as the netscan plugin, so the connscan plugin finds the

02:39.800 --> 02:46.430
TCPT object and is able to find both existing and exited connections.

02:46.430 --> 02:54.340
So this provides responders with data concerning connections in relation to processes that were running.

02:54.350 --> 03:00.440
So to determine the network connections, run here

03:00.710 --> 03:02.150
the connscan plugin

03:03.020 --> 03:06.680
against the R2-D2 image.

03:08.060 --> 03:09.110
And that's it.

03:09.110 --> 03:09.500
Here.

03:09.500 --> 03:10.970
This is our Trojan.

03:11.660 --> 03:14.330
This is our Trojan IP address

03:14.540 --> 03:16.370
that we're connected to.

03:16.370 --> 03:27.620
So the output indicates the process ID of 1956, which actually doesn't show which

03:27.650 --> 03:28.820
executable that is.

03:28.820 --> 03:31.550
But we will see, we will see.

03:31.580 --> 03:32.420
So long.

03:32.420 --> 03:40.760
But the parent process of reader, as we know, because, as you remember, we suspect

03:40.760 --> 03:48.560
that the reader_sl.exe file that we're running in the process, and that is probably like 99%

03:48.950 --> 03:55.270
of this reader is the address, but we will investigate and I will show you facts on how this reader_sl

03:55.310 --> 03:58.970
and how this IP address is associated with it.

03:58.970 --> 03:59.840
So.

04:00.970 --> 04:01.810
Here.

04:02.080 --> 04:03.520
The IP address

04:03.790 --> 04:15.820
172.16.98.1 and port 6666 was associated with several URLs that were communicating with malicious

04:15.850 --> 04:16.570
executables.

04:16.570 --> 04:17.230
So.

04:18.240 --> 04:22.530
Here now we can hear.

04:23.240 --> 04:23.990
Copy this.

04:29.050 --> 04:29.800
So.

04:31.320 --> 04:32.100
This here.

04:32.490 --> 04:34.650
We're going to paste it here.

04:38.400 --> 04:39.510
Suspect.

04:40.350 --> 04:41.700
Right here?

04:42.210 --> 04:42.960
Yeah.

04:44.830 --> 04:51.370
So taking the data that was right from the process analysis in conjunction with the IP address taken from

04:51.370 --> 04:52.270
the network connection.

04:52.270 --> 04:59.140
So there is enough reason to believe one or both of the explorer, that exists, and reader_sl, that exited,

04:59.140 --> 05:04.030
processes are associated with malicious code, and this is the IP address connecting to them.

05:04.600 --> 05:14.530
And yeah, in the next lecture the reader_sl will be extracted along with its associated files for analysis.
