GCIH · Question #776
Which volatility plugin shows information about listening and closed sockets?
The correct answer is A. netscan. The Volatility netscan plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.
Question
Which volatility plugin shows information about listening and closed sockets?
Options
- Anetscan
- Bdlllist
- Cpslist
- Dpsscan
How the community answered
(37 responses)- A86% (32)
- B3% (1)
- C8% (3)
- D3% (1)
Why each option
The Volatility `netscan` plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.
`netscan` scans memory pool allocations for TCP connection objects and UDP socket objects, extracting state information (listening, closed, established), associated local and remote addresses, ports, and the owning process - making it the correct plugin for reviewing socket states.
`dlllist` enumerates the loaded DLL modules for each process and has no network or socket analysis capability.
`pslist` walks the doubly-linked EPROCESS list to enumerate active processes and does not expose network socket data.
`psscan` scans memory for EPROCESS pool tags to detect hidden or terminated processes, not network connections or sockets.
Concept tested: Volatility memory forensics network socket analysis
Source: https://volatility3.readthedocs.io/en/stable/volatility3.plugins.windows.netscan.html
Topics
Community Discussion
No community discussion yet for this question.