Skip to main content

Network Analysis


Network analysis from memory reveals active and recently closed connections at the time of image acquisition β€” including connections that may not appear in standard netstat output if a rootkit is hiding them.


Active and Recent Connections​

netscan β€” Scan for Network Artifacts​

Scans memory for TCP_ENDPOINT, TCP_LISTENER, UDP_ENDPOINT, and UDP_LISTENER pool tags. Returns both active connections and recently terminated sockets still resident in memory. Works on Windows Vista and later.

vol.py -f <image> --profile=<profile> netscan
Vol3 Equivalent
vol3 -f <image> windows.netscan

Output fields: Offset, Proto, LocalAddr, ForeignAddr, State, PID, Owner, Created.


connections / connscan β€” Legacy Connection Plugins (Vol2, XP Only)​

For Windows XP and Server 2003 memory images, use these instead of netscan:

# Active connections only
vol.py -f <image> --profile=<profile> connections

# Pool scan β€” includes recently terminated connections
vol.py -f <image> --profile=<profile> connscan
XP/2003 Only

connections and connscan only work on Windows XP / Server 2003 images. On Vista+, use netscan.


sockets / sockscan β€” Legacy Socket Plugins (Vol2, XP Only)​

Lists all open sockets (including UDP listeners) on XP/2003 images.

vol.py -f <image> --profile=<profile> sockets
vol.py -f <image> --profile=<profile> sockscan

Connection Triage Workflow​

1 β€” Dump and Sort All Connections​

vol.py -f <image> --profile=<profile> netscan | tee /cases/netscan.txt

2 β€” Filter for Established Connections​

grep "ESTABLISHED" /cases/netscan.txt

3 β€” Identify Suspicious Remote IPs​

# Extract all unique foreign IPs (exclude local/unroutable)
grep "ESTABLISHED" /cases/netscan.txt \
| awk '{print $4}' | cut -d: -f1 \
| grep -vE "^(127\.|0\.0\.0\.0|::)" \
| sort -u \
| tee /cases/foreign_ips.txt

4 β€” Cross-Reference Connections to Suspicious Processes​

# Find connections belonging to a specific suspicious PID
grep "<PID>" /cases/netscan.txt

5 β€” Check Listening Ports for Backdoors​

# All listeners β€” look for unexpected listening ports
grep "LISTEN" /cases/netscan.txt

# UDP listeners (may indicate C2 or data exfil channels)
grep "^UDP" /cases/netscan.txt
What to Look For
IndicatorSignificance
Outbound connection to public IP from lsass.exe, svchost.exe, explorer.exeProcess injection/C2 from masqueraded process
Listening port on non-standard port (e.g., 4444, 8888, 1337)Backdoor/reverse shell listener
Connection to port 443 from unusual processHTTPS C2 beaconing (SSL-wrapped)
Multiple connections to same foreign IP at regular intervalsBeaconing β€” C2 check-in pattern
High-numbered source port to foreign IP with no matching ESTABLISHED in pslistConnection from hidden/terminated process still in memory

NetStat Comparison (Rootkit Detection)​

If a live netstat output was captured from the system before imaging, compare it against the memory-based connection list to find connections hidden by a rootkit:

# Memory-based connections
vol.py -f <image> --profile=<profile> netscan | grep "ESTABLISHED" \
| awk '{print $2, $3, $4, $5}' | sort > /cases/mem_connections.txt

# Live netstat capture (pre-collected)
cat /cases/live_netstat.txt | sort > /cases/live_connections.txt

# Find connections in memory but not in live output (rootkit-hidden)
comm -23 /cases/mem_connections.txt /cases/live_connections.txt