Hey,

Did you try the IP hex value in reverse? It is likely that the IP address is stored as little endian in memory.

Thanks,
Andrew (@attrc)

On 05/10/2016 05:15 AM, [email protected] wrote:
> Hello,
>
> I am starting to play with Volatility (2.5) and I am currently working
> on a Win2008R2 image (memory dump with winpmem). I would like to
> understand what is causing some network connections initiated by the
> "System" process.
> netscan shows those connections and I would like to be able to find
> references to the IP addresses in the memory dump. I have tried
> "yarascan -Y" plugin with the IP string, with the IP to integer value
> (converted to Hex) but no luck finding IPs that, however, I can see in
> the netscan result...
> Either I am wrong with the yarascan syntax or there is something I don't
> know regarding how Win2008 stores IP...
>
> Any hints?
>
> Thanks,
>
> Laurent
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
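The following is an added worked example, not code from either poster or from the Volatility project. It shows what "the hex value in reverse" means in practice: netscan reads the address out of the kernel's TCP/UDP endpoint structures, where an IPv4 address is four raw bytes rather than the dotted text, so a search for the ASCII string finds nothing, and the four bytes may sit in network (big-endian) order or in the reversed, little-endian order. The script generates the YARA hex pattern for every encoding an address can take (both byte orders, ASCII and UTF-16LE text) and scans a constructed sample buffer, with the address planted at known offsets, to show which pattern finds which copy. The buffer and the address 192.168.1.10 are made up for the demonstration; the `yarascan -Y "{ ... }"` form is the Volatility 2 inline-rule syntax the original question refers to.

```python
import ipaddress
import re

# Constructed sample "memory" buffer (not a real dump): the address
# 192.168.1.10 is planted three ways so each encoding can be located.
SAMPLE_DUMP = (
    b"\x00" * 16
    + bytes.fromhex("C0A8010A")            # offset 16: in_addr, network byte order
    + b"\xff" * 12
    + bytes.fromhex("0A01A8C0")            # offset 32: same 32-bit value, little-endian
    + b"\x00" * 8
    + "192.168.1.10".encode("utf-16-le")   # offset 44: UTF-16LE text, as user-mode code often keeps it
)


def ip_encodings(ip: str) -> dict:
    """All byte patterns a dotted-quad IPv4 address may take in memory."""
    packed = ipaddress.IPv4Address(ip).packed   # 4 bytes, network (big-endian) order
    return {
        "big_endian_bytes": packed,
        "little_endian_bytes": packed[::-1],     # the "reversed" form from the reply above
        "ascii_string": ip.encode("ascii"),
        "utf16le_string": ip.encode("utf-16-le"),
    }


def to_yara_hex(needle: bytes) -> str:
    """Render raw bytes as a YARA hex-string pattern, e.g. { C0 A8 01 0A }."""
    return "{ " + " ".join(f"{b:02X}" for b in needle) + " }"


def yara_patterns_for_ip(ip: str) -> dict:
    """Map each encoding name to the YARA hex pattern that matches it."""
    return {name: to_yara_hex(needle) for name, needle in ip_encodings(ip).items()}


def find_ip_in_buffer(buf: bytes, ip: str) -> dict:
    """Offsets at which each encoding of `ip` occurs in `buf` (encodings with no hit are omitted)."""
    hits = {}
    for name, needle in ip_encodings(ip).items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[name] = offsets
    return hits


if __name__ == "__main__":
    # One yarascan invocation per encoding; run each against the dump.
    for name, pattern in yara_patterns_for_ip("192.168.1.10").items():
        print(f'{name:20s} vol.py -f dump.raw --profile=<PROFILE> yarascan -Y "{pattern}"')
    print(find_ip_in_buffer(SAMPLE_DUMP, "192.168.1.10"))
```

Against the sample buffer only the network-order pattern hits at offset 16 and only the reversed pattern hits at offset 32, which is why a scan with a single byte order can miss a connection that netscan plainly lists; scanning both hex patterns, plus the two text forms, covers every place the address can realistically appear.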
