Memory Forensics: Pull Process and Network Connections from a Memory Dump

Wednesday, November 23, 2011

Dan Dieterle


In the previous article, we learned how to pull passwords from a memory dump file.

This time, we will cover viewing a process list and network connections out of captured memory files.

Volatility’s “pslist” command can be used to view the processes that were running on a Windows system:

volatility pslist -f memdumpfilename.raw --profile=Win7SP1x86


From the output of the command, we see the physical memory location, process name and PID of every process that was running on the system. This helps the analyst deduce whether something was running on the computer that should not have been, and, as a future article will show, lets you inspect the programs that may be running under a given process.

The next step is to view all network connections that were active from the memory dump:

volatility netscan -f memdumpfilename.raw --profile=Win7SP1x86


The data returned lists every network connection, including the owning process name and the source and destination IP addresses with their ports. The screenshot was only a short snippet of what was actually returned; the full list is easily twice as long.

This information helps the analyst see whether any strange network connections were active, and can also give a penetration tester valuable information about the network.
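As an added example that is not part of the original post, the following Python script parses the text that pslist and netscan print (in the column layout Volatility 2 uses) and cross-checks the two tables: a connection owned by a PID that is missing from the process list, and an established connection to an address outside the private ranges, are both reported. The sample output, offsets, PIDs, process names and addresses are constructed for illustration and were not taken from a real dump; the parsing relies on data rows starting with a hex offset and on UDP rows having an empty State column.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output shaped like Volatility 2's pslist table (not real data).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84e3a020 System                    4      0     80      500 ------      0 2011-11-20 09:55:00 UTC+0000
0x85f2b030 smss.exe                256      4      2       29 ------      0 2011-11-20 09:55:01 UTC+0000
0x86a1c040 svchost.exe             812    600     12      300      0      0 2011-11-20 09:55:10 UTC+0000
0x86b3d050 explorer.exe           1500   1480     30      900      1      0 2011-11-20 09:56:00 UTC+0000
0x86c4e060 calc.exe               2044   1500      3       70      1      0 2011-11-20 10:01:00 UTC+0000
"""

# Constructed sample output shaped like Volatility 2's netscan table (documentation IPs).
NETSCAN_OUTPUT = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0f4008 TCPv4    192.168.1.5:49157              203.0.113.10:443     ESTABLISHED      812      svchost.exe    2011-11-20 09:58:00 UTC+0000
0x3e1a5010 TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2011-11-20 09:55:05 UTC+0000
0x3e2b6018 UDPv4    0.0.0.0:137                    *:*                                   4        System         2011-11-20 09:55:05 UTC+0000
0x3e3c7020 TCPv4    192.168.1.5:49200              198.51.100.7:8080    ESTABLISHED      2044     calc.exe       2011-11-20 10:01:30 UTC+0000
0x3e4d8028 TCPv4    192.168.1.5:49300              198.51.100.9:8080    ESTABLISHED      3120     -              2011-11-20 10:02:00 UTC+0000
"""

# Address ranges treated as internal; anything else is "external" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class Process:
    offset: str
    name: str
    pid: int
    ppid: int


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str


def _is_data_row(line: str) -> bool:
    # Data rows begin with a hex offset; the header and the dashed rule do not.
    return line.startswith("0x")


def parse_pslist(text: str) -> Dict[int, Process]:
    """Map PID -> Process for every row of pslist output."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        if not _is_data_row(line):
            continue
        t = line.split()
        p = Process(offset=t[0], name=t[1], pid=int(t[2]), ppid=int(t[3]))
        procs[p.pid] = p
    return procs


def parse_netscan(text: str) -> List[Connection]:
    """Parse netscan rows; UDP rows have an empty State column, so the 5th token is the PID."""
    conns: List[Connection] = []
    for line in text.splitlines():
        if not _is_data_row(line):
            continue
        t = line.split()
        if t[4].isdigit():
            state, rest = "", t[4:]
        else:
            state, rest = t[4], t[5:]
        conns.append(Connection(proto=t[1], local=t[2], foreign=t[3],
                                state=state, pid=int(rest[0]), owner=rest[1]))
    return conns


def foreign_is_external(endpoint: str) -> bool:
    """True when the host part of 'ip:port' is a routable address outside INTERNAL_NETS."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def review(pslist_text: str, netscan_text: str) -> List[str]:
    """Cross-check netscan against pslist and return human-readable findings."""
    procs = parse_pslist(pslist_text)
    findings: List[str] = []
    for c in parse_netscan(netscan_text):
        if c.pid not in procs:
            findings.append(f"pid {c.pid} ({c.owner}) owns {c.proto} {c.local} -> {c.foreign} "
                            "but does not appear in pslist (exited or hidden process)")
        elif c.state == "ESTABLISHED" and foreign_is_external(c.foreign):
            findings.append(f"{procs[c.pid].name} (pid {c.pid}) has an established "
                            f"connection to external host {c.foreign}")
    return findings


if __name__ == "__main__":
    for finding in review(PSLIST_OUTPUT, NETSCAN_OUTPUT):
        print(finding)
```

Run against real output by redirecting each command to a file and passing the file contents to `review`; the PID-without-process case is the one worth a second look, since netscan carves connection objects from memory and can surface sockets whose process has already exited or is being hidden.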

The last command that we will look at this time is “bioskbd”.

volatility bioskbd -f memdumpfilename.raw --profile=Win7SP1x86


As you can see, no data is returned on this memory dump. But what does “bioskbd” actually do? This interesting command can pull passwords that are still resident in the BIOS keyboard buffer.

Though most newer systems (like the system that this memory dump was taken from) purge the bios keyboard buffer, many older ones did not. On an old system you might be able to retrieve BIOS boot passwords, or even the passwords for disk encryption systems.

That’s it for this post, on the next Memory Forensics post, we will take a look at pulling malware samples off of an infected system!

Cross-posted from Cyber Arms
