Closed GoogleCodeExporter closed 9 years ago
Hi Jacob,
This is normal/expected. See the link:
https://code.google.com/p/volatility/wiki/CommandReference23#connscan
In particular:
"To find _TCPT_OBJECT structures using pool tag scanning, use the connscan
command. This can find artifacts from previous connections that have since been
terminated, in addition to the active ones. In the output below, you'll notice
some fields have been partially overwritten, but some of the information is
still accurate. For example, the very last entry's Pid field is 0, but all
other fields are still in tact. Thus, while it may find false positives
sometimes, you also get the benefit of detecting as much information as
possible."
What you're seeing could indeed be a false positive, but it could also be a
real _TCPT_OBJECT whose members have just been overwritten. Its difficult to
tell, but due to the high pid, its probably not a connection associated with
malware - just an artifact of how Windows reallocates pool memory and how
Volatility scans for connections based on patterns.
Original comment by michael.hale@gmail.com
on 11 Mar 2014 at 2:40
I forgot to mention - if you *only* want active connections (i.e. no chance of
false positives or overwritten structures), use the connections plugin instead
of connscan.
Original comment by michael.hale@gmail.com
on 11 Mar 2014 at 2:41
Original issue reported on code.google.com by
jacoboma...@gmail.com
on 11 Mar 2014 at 4:24