Learners are to complete the following:
Consult the TCP Connections information sheet and consider the CONSOLE OUPUT from Volatility Framework after execution of the connscann plugin on the captured memory image.
There is more than one connection listed, the next interesting aspect is to consider those network connections that remained open at the point of memory image capture.
Consult the Open Sockets information sheet and consider the CONSOLE OUPUT from Volatility Framework after execution of the sockets plugin on the captured memory image.
Remain in pairs from prior activity. Pairs have 15 minutes to identify interesting information that emerges from consideration the TCP Connections output and Open Sockets output related to the outcome of the previous block of activities on processes. The instructor will issue a ONE minute warning when time is nearly elapsed.