00:00:00,560 --> 00:00:05,490 In this lecture, we're going to analyze network services and connections in Volatility.
00:00:05,510 --> 00:00:12,110 So Volatility can be used to identify and analyze active, terminated and hidden connections along with
00:00:12,110 --> 00:00:13,670 the ports and processes.
00:00:13,670 --> 00:00:16,520 So all the protocols are supported.
00:00:16,520 --> 00:00:23,120 And Volatility also reveals details of ports used by the processes, including the times they were started.
00:00:23,120 --> 00:00:33,080 So for these purposes we can use the connscan and sockets plugins in Volatility.
00:00:33,080 --> 00:00:36,350 So let's start with the connscan plugin.
00:00:36,350 --> 00:00:43,760 So to display a list of connections that have been terminated, the connscan command is used.
00:00:43,760 --> 00:00:49,610 So the connscan here, we're going to just delete the psxview, connscan.
00:00:49,610 --> 00:01:00,150 And so the connscan command is also only used for Windows XP and 2003 servers, both 32-bit and 64-bit
00:01:00,180 --> 00:01:00,720 systems.
00:01:01,110 --> 00:01:07,050 So you're just going to specify the profile, enter the virtual memory file and enter the connscan
00:01:07,050 --> 00:01:10,830 plugin name here and click on enter.
00:01:10,830 --> 00:01:14,490 The output is shown as follows here.
00:01:14,490 --> 00:01:29,130 So looking at this code, we see that the connection was made to 101 72.16.98.1, 2.4 times six.
00:01:29,130 --> 00:01:34,330 So for those knowledgeable about port numbers.
00:01:34,350 --> 00:01:47,040 Port 46666 is usually an identification of malware according to... let's actually make a bit of research
00:01:47,040 --> 00:01:48,870 on six here.
00:01:49,940 --> 00:01:50,960 Port number.
00:01:50,960 --> 00:01:53,390 We can see that actually it's a famous datagram
00:01:53,840 --> 00:01:56,090 communication for Internet network layer.
00:01:56,570 --> 00:01:59,900 And here this is the UDP port.
00:01:59,900 --> 00:02:02,570 Actually, it can be used for TCP, of course.
00:02:03,890 --> 00:02:12,170 And yeah, it can be also used for other purposes, but mainly, actually, there are
00:02:12,170 --> 00:02:22,070 more popular Trojan and remote administrator tools that use this port for connection with the
00:02:22,070 --> 00:02:29,900 victim computer, but it is also used by IRC messaging applications and for other purposes.
00:02:31,270 --> 00:02:33,280 As you can see, this is a dark connection.
00:02:34,000 --> 00:02:34,290 Dark.
00:02:34,820 --> 00:02:42,400 There was a Remote Access Trojan named DarkComet, and it's actually the most popular one that uses this
00:02:43,300 --> 00:02:44,070 port.
00:02:44,080 --> 00:02:50,950 So it's actually not like a 100% suspect here, but it's actually pretty suspicious.
00:02:51,130 --> 00:02:52,210 So.
00:02:53,190 --> 00:02:59,850 We will also look into finding and analyzing traces of malware using the Volatility framework in the next lectures,
00:02:59,970 --> 00:03:05,010 where we will revisit Volatility and have a look at ransomware analysis.
00:03:05,010 --> 00:03:10,110 So as you can see here, let's actually... what, why we did here.
00:03:10,110 --> 00:03:20,310 Yeah, this is... let's run our command again, connscan here. So if using this connections plugin on the other
00:03:20,310 --> 00:03:28,800 example cases, you can obtain more information about the remote IP addresses using the IP lookup tools
00:03:28,800 --> 00:03:29,700 such as
00:03:30,760 --> 00:03:33,460 the whois. Actually, why?
00:03:33,460 --> 00:03:34,630 Why this ad here?
00:03:36,220 --> 00:03:38,070 Yeah, yeah, yeah.
00:03:38,080 --> 00:03:44,650 Actually you can also use whois, like IP lookup.
00:03:45,390 --> 00:03:47,190 You can also change.
00:03:47,400 --> 00:03:52,410 You can also get, um, like, navigate IP address to somewhere.
00:03:54,590 --> 00:03:57,020 IP map, like.
00:03:58,100 --> 00:04:00,080 Yeah, this is mainly.
00:04:01,620 --> 00:04:02,100 Here.
00:04:02,100 --> 00:04:03,840 And you can also use Furies here.
00:04:03,870 --> 00:04:08,280 Now, as I said earlier, in this lecture
00:04:08,280 --> 00:04:10,770 we're going to cover two plugins.
00:04:10,770 --> 00:04:14,880 And the second plugin is... the second plugin is
00:04:15,930 --> 00:04:18,090 connscan here.
00:04:18,480 --> 00:04:20,520 No, the second plugin is actually sockets.
00:04:21,570 --> 00:04:22,890 So the sockets.
00:04:23,490 --> 00:04:28,590 The sockets plugin can be used to give additional information on the listening sockets.
00:04:28,800 --> 00:04:35,790 Although the User Datagram Protocol, named UDP, and the Transmission Control Protocol, TCP, are the only
00:04:35,790 --> 00:04:39,120 protocols listed in the output,
00:04:39,120 --> 00:04:42,820 the sockets command supports actually all protocols here.
00:04:43,680 --> 00:04:46,770 As you can see, we got this result here actually.
00:04:46,920 --> 00:04:48,570 Let's copy.
00:04:48,610 --> 00:04:49,640 Now it's okay.
00:04:49,650 --> 00:04:50,610 So.
00:04:51,650 --> 00:04:53,750 The output is as follows here.
00:04:53,750 --> 00:04:58,430 So you were able to view network and socket information in this section.
00:04:58,430 --> 00:05:06,530 So let's actually now delve into memory analysis using the plugins to reveal programs and users
00:05:06,530 --> 00:05:11,380 that may have been running and active at the time of the memory acquisition.
00:05:11,390 --> 00:05:14,650 Now I'm waiting for you in the next lectures.