nerdexam
GIAC

GCIH · Question #776

Which volatility plugin shows information about listening and closed sockets?

The correct answer is A. netscan. The Volatility netscan plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.

Malware Analysis & Advanced Persistent Threats

Question

Which volatility plugin shows information about listening and closed sockets?

Options

  • Anetscan
  • Bdlllist
  • Cpslist
  • Dpsscan

How the community answered

(37 responses)
  • A
    86% (32)
  • B
    3% (1)
  • C
    8% (3)
  • D
    3% (1)

Why each option

The Volatility `netscan` plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.

AnetscanCorrect

`netscan` scans memory pool allocations for TCP connection objects and UDP socket objects, extracting state information (listening, closed, established), associated local and remote addresses, ports, and the owning process - making it the correct plugin for reviewing socket states.

Bdlllist

`dlllist` enumerates the loaded DLL modules for each process and has no network or socket analysis capability.

Cpslist

`pslist` walks the doubly-linked EPROCESS list to enumerate active processes and does not expose network socket data.

Dpsscan

`psscan` scans memory for EPROCESS pool tags to detect hidden or terminated processes, not network connections or sockets.

Concept tested: Volatility memory forensics network socket analysis

Source: https://volatility3.readthedocs.io/en/stable/volatility3.plugins.windows.netscan.html

Topics

#volatility#netscan plugin#memory forensics#network sockets

Community Discussion

No community discussion yet for this question.

Full GCIH Practice