1
00:00:01,740 --> 00:00:07,920
In the previous lecture there was a discussion regarding beginning the process of analysis with the URL

2
00:00:07,950 --> 00:00:11,940
or IP address associated with the malicious activity.

3
00:00:11,970 --> 00:00:21,060
So Volatility has the ability to pull out of the memory image existing and even exited network connections

4
00:00:21,060 --> 00:00:25,220
that were still resident at the time of the acquisition.

5
00:00:25,230 --> 00:00:32,040
So the netscan plugin scans the memory image for network artifacts.

6
00:00:32,400 --> 00:00:39,580
Actually, let me clear this here first.

7
00:00:39,930 --> 00:00:43,530
So the netscan plugin in Volatility.

8
00:00:44,810 --> 00:00:52,660
It scans the memory image for artifacts, and the plugin will find the TCP and UDP endpoints and listeners

9
00:00:52,660 --> 00:00:56,620
as well as provide the local and foreign IP addresses.

10
00:00:56,620 --> 00:01:05,380
So netscan will only work with the 32-bit and 64-bit Windows Vista, Windows 7, Windows 10 and Windows

11
00:01:05,380 --> 00:01:08,200
2008 Server or newer ones.

12
00:01:08,200 --> 00:01:15,430
So one key feature that is of help to the incident response analysis with the netscan plugin is that

13
00:01:15,430 --> 00:01:20,560
for the network connections, the process owner is indicated in the output.

14
00:01:20,560 --> 00:01:26,560
So this is usually useful in determining whether a connection is utilizing Internet Explorer or another

15
00:01:26,560 --> 00:01:30,670
process, such as Remote Desktop Services or SMB.

16
00:01:31,210 --> 00:01:37,480
So now let's run the program here and run the plugin here, netscan.

17
00:01:38,290 --> 00:01:39,790
And here?

18
00:01:40,120 --> 00:01:40,690
Yeah.

19
00:01:40,870 --> 00:01:42,710
Why does the command provide this?

20
00:01:42,790 --> 00:01:43,360
Yeah.

21
00:01:43,360 --> 00:01:48,280
The netscan is for the newer versions, for Volatility.

22
00:01:48,550 --> 00:01:55,060
That's because, as I said earlier, the netscan will not work on the Windows XP file.

23
00:01:55,060 --> 00:01:59,650
This one works with Windows Vista, Windows 7 and Windows 10.

24
00:01:59,650 --> 00:02:02,440
But we have an alternative here for Windows.

25
00:02:02,890 --> 00:02:05,860
So this, and that's the connscan.

26
00:02:05,980 --> 00:02:11,350
Connscan is actually pretty different, but actually not, not that different.

27
00:02:11,350 --> 00:02:14,650
But yeah, the netscan is more.

28
00:02:16,120 --> 00:02:20,230
And this one has more features and gives more information here.

29
00:02:20,230 --> 00:02:26,410
So for earlier versions of Windows, such as Windows XP that we are analyzing now.

30
00:02:28,000 --> 00:02:28,390
Here.

31
00:02:28,420 --> 00:02:29,050
Yeah.

32
00:02:29,230 --> 00:02:31,900
Before Windows XP, that we are analyzing now.

33
00:02:32,690 --> 00:02:39,800
The connscan plugin performs the same function as the netscan plugin, so the connscan plugin finds the

34
00:02:39,800 --> 00:02:46,430
_TCPT_OBJECT and is able to find both existing and exited connections.

35
00:02:46,430 --> 00:02:54,340
So this provides responders with data concerning connections in relation to processes that were running.

36
00:02:54,350 --> 00:03:00,440
So to determine the network connections, run here

37
00:03:00,710 --> 00:03:02,150
the connscan plugin

38
00:03:03,020 --> 00:03:06,680
against the R2-D2 image.

39
00:03:08,060 --> 00:03:09,110
And that's it.

40
00:03:09,110 --> 00:03:09,500
Here.

41
00:03:09,500 --> 00:03:10,970
This is our Trojan.

42
00:03:11,660 --> 00:03:14,330
This is our Trojan IP address that

43
00:03:14,540 --> 00:03:16,370
we're connected to.

44
00:03:16,370 --> 00:03:27,620
So the output indicates the process ID of 1956, which actually doesn't show which

45
00:03:27,650 --> 00:03:28,820
executable that is.

46
00:03:28,820 --> 00:03:31,550
But we will see, we will see.

47
00:03:31,580 --> 00:03:32,420
So long.

48
00:03:32,420 --> 00:03:40,760
But the parent process of reader, as we know, because as you remember, we suspect

49
00:03:40,760 --> 00:03:48,560
that the reader_sl.exe file that we're running on the process, and that is probably like 99%

50
00:03:48,950 --> 00:03:55,270
of this reader is the address, but we will investigate and I will show you facts on how this reader_sl

51
00:03:55,310 --> 00:03:58,970
and how this IP address is associated with it.

52
00:03:58,970 --> 00:03:59,840
So.

53
00:04:00,970 --> 00:04:01,810
Here.

54
00:04:02,080 --> 00:04:03,520
The IP address

55
00:04:03,790 --> 00:04:15,820
172.16.98.1 and port 6666 (four sixes) was associated with several URLs that were communicating with malicious

56
00:04:15,850 --> 00:04:16,570
executables.

57
00:04:16,570 --> 00:04:17,230
So.

58
00:04:18,240 --> 00:04:22,530
Here now we can, here,

59
00:04:23,240 --> 00:04:23,990
copy this.

60
00:04:29,050 --> 00:04:29,800
So.

61
00:04:31,320 --> 00:04:32,100
This here.

62
00:04:32,490 --> 00:04:34,650
We're going to paste it here.

63
00:04:38,400 --> 00:04:39,510
Suspect.

64
00:04:40,350 --> 00:04:41,700
Right here?

65
00:04:42,210 --> 00:04:42,960
Yeah.

66
00:04:44,830 --> 00:04:51,370
So taking the data that was derived from the process analysis in conjunction with the IP address taken from

67
00:04:51,370 --> 00:04:52,270
the network connection.

68
00:04:52,270 --> 00:04:59,140
So there is enough reason to believe one or both of the explorer.exe and reader_sl.exe

69
00:04:59,140 --> 00:05:04,030
processes are associated with malicious code and this is the IP address connecting to them.

70
00:05:04,600 --> 00:05:14,530
And yeah, in the next lecture the reader_sl will be extracted along with its associated files for analysis.