This blog reflects the thoughts and views of me alone. Not my employer.
It's mostly just news and what I have learned on my travels through the interwebs.
Saturday, November 12, 2011
On The Road: But answer me these questions... one
So I am currently traveling for work, but one of my colleagues emailed me about the following problem: getting different results for memory analysis depending on the tool he used. He specifically mentioned Volatility and Mandiant's Redline. Here is his email:
I've been scratching my head on this memory image because when I do a connscan and sockscan [using Volatility], I noticed some WEIRD activity, specifically, high PIDs and one with a PID of 0, and their offsets are just "-------". These PIDs have strange IPs associated with them, some of which are "blacklisted" according to www.robtex.com. Also, when doing a sockscan, one of the strange listings doesn't have a Protocol; instead of TCP or UDP it just shows a hyphen "-". More importantly, these PIDs don't show up in pslist, psscan or psxview!!
Has anyone else run into this issue? I am assuming it is because each program parses memory a different way. For example, does Mandiant's tool show terminated connections when Volatility's connscan can do exactly that? I am not 100% sure, so I ask the collective out there. And do not worry, you will not be thrown into a volcano or anything like that regardless of your answer :)
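As an added example (mine, not the author's, his colleague's or Volatility's code), here is the cross-check I would run before treating any carved connection as live: parse psscan, connscan and sockscan text output and flag exactly the oddities in the email, offsets printed as dashes, PIDs with no process object behind them, PIDs whose process has already exited, and sockets with no protocol field. The sample output is constructed and assumed to follow the column layout of Volatility 2.x; the pool scanners also carve freed objects, so these hits usually mean a stale connection, not a hidden process.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "name exited")
Conn = namedtuple("Conn", "offset local remote pid")
Sock = namedtuple("Sock", "offset pid port proto")

# Constructed sample output (assumed shape of Volatility 2.x psscan, connscan
# and sockscan); the addresses are documentation ranges, not real hosts.
PSSCAN = """\
Offset(P)  Name             PID    PPID PDB        Time created        Time exited
0x02160da0 explorer.exe     1668   1640 0x0a2c01c0 2011-11-01 10:03:01
0x0226c7e8 iexplore.exe     2240   1668 0x0a2c0280 2011-11-01 10:05:44 2011-11-01 10:20:12
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
0x02087620 172.16.237.150:1031       192.0.2.10:80             1668
0x0209a3a0 172.16.237.150:1052       203.0.113.9:443           2240
---------- 172.16.237.150:1109       198.51.100.77:6667        0
0x023b1c08 172.16.237.150:1201       192.0.2.44:80             2012345
"""
SOCKSCAN = """\
Offset(P)  PID    Port   Proto  Protocol        Address         Create Time
0x02101c28 1668   1031   6      TCP             0.0.0.0         2011-11-01 10:04:10
0x0219f5b0 0      1109   -      -               0.0.0.0         -
"""

def _rows(text):
    return [line.split() for line in text.splitlines()]
def parse_psscan(text):  # PID -> Proc; a row with a 'Time exited' value is an exited process
    return {int(f[2]): Proc(f[1], len(f) >= 9) for f in _rows(text) if len(f) >= 7 and f[2].isdigit()}
def parse_connscan(text):
    return [Conn(f[0], f[1], f[2], int(f[3])) for f in _rows(text) if len(f) == 4 and f[3].isdigit()]
def parse_sockscan(text):
    return [Sock(f[0], int(f[1]), int(f[2]), f[4]) for f in _rows(text) if len(f) >= 6 and f[1].isdigit()]

def triage(procs, conns, socks):
    """Return (source, offset, pid, reason) for each carved object that deserves a second look."""
    hits = [("connscan", c.offset, c.pid, []) for c in conns]
    hits += [("sockscan", s.offset, s.pid, ["protocol field missing"] if s.proto == "-" else [])
             for s in socks]
    findings = []
    for source, offset, pid, reasons in hits:
        if not offset.startswith("0x"):
            reasons.append("offset not recovered")       # the '-------' case from the email
        if pid not in procs:
            reasons.append("no process object for PID")  # PID 0 or an implausibly high PID
        elif procs[pid].exited:
            reasons.append("process %s has exited" % procs[pid].name)
        findings.extend((source, offset, pid, r) for r in reasons)
    return findings
```

A hit that survives this check (live process, valid offset, protocol present) is the one worth pivoting on; the rest are candidates for residual data from terminated connections.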