WEBVTT

00:00.560 --> 00:05.490
In this lecture, we're going to analyze network services and connections in Volatility.

00:05.510 --> 00:12.110
So Volatility can be used to identify and analyze active, terminated and hidden connections along with

00:12.110 --> 00:13.670
the ports and processes.

00:13.670 --> 00:16.520
So all the protocols are supported.

00:16.520 --> 00:23.120
And Volatility also reveals details of ports used by the processes, including the times they were started.

00:23.120 --> 00:33.080
So for these purposes we can use the connscan and sockets plugins in Volatility.

00:33.080 --> 00:36.350
So let's start with the connscan plugin.

00:36.350 --> 00:43.760
So to display a list of connections that have been terminated, the connscan command is used.

00:43.760 --> 00:49.610
So for connscan here, we're just going to delete psxview and enter connscan.

00:49.610 --> 01:00.150
And so the connscan command is also only used for Windows XP and Server 2003, both 32-bit and 64-bit

01:00.180 --> 01:00.720
systems.

01:01.110 --> 01:07.050
So you're just going to specify the profile, enter the virtual memory file and enter the connscan

01:07.050 --> 01:10.830
plugin name here and press Enter.

01:10.830 --> 01:14.490
The output is shown as follows here.

01:14.490 --> 01:29.130
So looking at this code, we see that the connection was made to 101 72.16 .98.1, 2.4 times six.

01:29.130 --> 01:34.330
So for those knowledgeable about port numbers.

01:34.350 --> 01:47.040
Port 46666 is usually an indication of malware. Let's actually do a bit of research

01:47.040 --> 01:48.870
on six here.

01:49.940 --> 01:50.960
Port number.

01:50.960 --> 01:53.390
We can see that actually it's a famous datagram.

01:53.840 --> 01:56.090
Communication for Internet network layer.

01:56.570 --> 01:59.900
And here this is the UDP port.

01:59.900 --> 02:02.570
Actually, it can be used for TCP, of course.

02:03.890 --> 02:12.170
And yeah, it can also be used for other purposes, but mainly, actually, there are

02:12.170 --> 02:22.070
more popular Trojan and remote administration tools that use this port for connection with the

02:22.070 --> 02:29.900
victim computer, but it is also used by IRC messaging applications and for other purposes.

02:31.270 --> 02:33.280
As you can see, this is a dark connection.

02:34.000 --> 02:34.290
Dark.

02:34.820 --> 02:42.400
There was a Remote Access Trojan named DarkComet, and it's actually the most popular one that uses this

02:43.300 --> 02:44.070
port.

02:44.080 --> 02:50.950
So it's actually not like a 100% suspect here, but it's actually pretty suspicious.

02:51.130 --> 02:52.210
So.

02:53.190 --> 02:59.850
We will also look into finding and analyzing traces of malware using the Volatility framework in the next lectures,

02:59.970 --> 03:05.010
where we will revisit Volatility and have a look at ransomware analysis.

03:05.010 --> 03:10.110
So as you can see here, let's actually look at what we did here.

03:10.110 --> 03:20.310
Yeah, let's run our connscan command again here. So if using this connections plugin on the other

03:20.310 --> 03:28.800
example cases, you can obtain more information about the remote IP addresses using IP lookup tools

03:28.800 --> 03:29.700
such as.

03:30.760 --> 03:33.460
The whois, actually. Why?

03:33.460 --> 03:34.630
Why this ad here?

03:36.220 --> 03:38.070
Yeah, yeah, yeah.

03:38.080 --> 03:44.650
Actually you can also use whois, like an IP lookup.

03:45.390 --> 03:47.190
You can also change.

03:47.400 --> 03:52.410
You can also, like, navigate the IP address to somewhere.

03:54.590 --> 03:57.020
IP map like.

03:58.100 --> 04:00.080
Yeah, this is mainly.

04:01.620 --> 04:02.100
Here.

04:02.100 --> 04:03.840
And you can also use Furies here.

04:03.870 --> 04:08.280
Now, as I said earlier, in this lecture

04:08.280 --> 04:10.770
We're going to cover two plugins.

04:10.770 --> 04:14.880
And the second plugin is, the second plugin is.

04:15.930 --> 04:18.090
connscan here.

04:18.480 --> 04:20.520
No, the second plugin is actually sockets.

04:21.570 --> 04:22.890
So the sockets.

04:23.490 --> 04:28.590
The sockets plugin can be used to give additional information on the listening sockets.

04:28.800 --> 04:35.790
Although the User Datagram Protocol, UDP, and the Transmission Control Protocol, TCP, are the only

04:35.790 --> 04:39.120
protocols listed in the output.

04:39.120 --> 04:42.820
So the sockets command supports actually all protocols here.

04:43.680 --> 04:46.770
As you can see, we got this result here actually.

04:46.920 --> 04:48.570
Let's copy.

04:48.610 --> 04:49.640
Now it's okay.

04:49.650 --> 04:50.610
So.

04:51.650 --> 04:53.750
The output is as follows here.

04:53.750 --> 04:58.430
So you were able to retrieve network and socket information in this section.

04:58.430 --> 05:06.530
So let's actually now delve into memory analysis using the plugins to reveal programs and users

05:06.530 --> 05:11.380
that may have been running and active at the time of the memory acquisition.

05:11.390 --> 05:14.650
Now I'm waiting for you in the next lectures.
