Network Analysis
Network analysis from memory reveals active and recently closed connections at the time of image acquisition β including connections that may not appear in standard netstat output if a rootkit is hiding them.
Active and Recent Connectionsβ
netscan β Scan for Network Artifactsβ
Scans memory for TCP_ENDPOINT, TCP_LISTENER, UDP_ENDPOINT, and UDP_LISTENER pool tags. Returns both active connections and recently terminated sockets still resident in memory. Works on Windows Vista and later.
vol.py -f <image> --profile=<profile> netscan
vol3 -f <image> windows.netscan
Output fields: Offset, Proto, LocalAddr, ForeignAddr, State, PID, Owner, Created.
connections / connscan β Legacy Connection Plugins (Vol2, XP Only)β
For Windows XP and Server 2003 memory images, use these instead of netscan:
# Active connections only
vol.py -f <image> --profile=<profile> connections
# Pool scan β includes recently terminated connections
vol.py -f <image> --profile=<profile> connscan
connections and connscan only work on Windows XP / Server 2003 images. On Vista+, use netscan.
sockets / sockscan β Legacy Socket Plugins (Vol2, XP Only)β
Lists all open sockets (including UDP listeners) on XP/2003 images.
vol.py -f <image> --profile=<profile> sockets
vol.py -f <image> --profile=<profile> sockscan
Connection Triage Workflowβ
1 β Dump and Sort All Connectionsβ
vol.py -f <image> --profile=<profile> netscan | tee /cases/netscan.txt
2 β Filter for Established Connectionsβ
grep "ESTABLISHED" /cases/netscan.txt
3 β Identify Suspicious Remote IPsβ
# Extract all unique foreign IPs (exclude local/unroutable)
grep "ESTABLISHED" /cases/netscan.txt \
| awk '{print $4}' | cut -d: -f1 \
| grep -vE "^(127\.|0\.0\.0\.0|::)" \
| sort -u \
| tee /cases/foreign_ips.txt
4 β Cross-Reference Connections to Suspicious Processesβ
# Find connections belonging to a specific suspicious PID
grep "<PID>" /cases/netscan.txt
5 β Check Listening Ports for Backdoorsβ
# All listeners β look for unexpected listening ports
grep "LISTEN" /cases/netscan.txt
# UDP listeners (may indicate C2 or data exfil channels)
grep "^UDP" /cases/netscan.txt
| Indicator | Significance |
|---|---|
Outbound connection to public IP from lsass.exe, svchost.exe, explorer.exe | Process injection/C2 from masqueraded process |
| Listening port on non-standard port (e.g., 4444, 8888, 1337) | Backdoor/reverse shell listener |
| Connection to port 443 from unusual process | HTTPS C2 beaconing (SSL-wrapped) |
| Multiple connections to same foreign IP at regular intervals | Beaconing β C2 check-in pattern |
High-numbered source port to foreign IP with no matching ESTABLISHED in pslist | Connection from hidden/terminated process still in memory |
NetStat Comparison (Rootkit Detection)β
If a live netstat output was captured from the system before imaging, compare it against the memory-based connection list to find connections hidden by a rootkit:
# Memory-based connections
vol.py -f <image> --profile=<profile> netscan | grep "ESTABLISHED" \
| awk '{print $2, $3, $4, $5}' | sort > /cases/mem_connections.txt
# Live netstat capture (pre-collected)
cat /cases/live_netstat.txt | sort > /cases/live_connections.txt
# Find connections in memory but not in live output (rootkit-hidden)
comm -23 /cases/mem_connections.txt /cases/live_connections.txt