Volatility network analysis

In the Network connections methodology section, there was a discussion regarding beginning the analysis with a URL or IP address associated with malicious activity. Volatility is able to extract from the memory image the network connections that were resident at the time of acquisition, including connections that had already exited but whose structures were still present in memory.

The netscan plugin scans the memory image for network artifacts. The plugin finds TCP and UDP endpoints and listeners and reports the local and foreign IP addresses for each. netscan will only work with 32-bit and 64-bit Windows Vista, Windows 7, Windows 10, and Windows 2008 Server or newer. One key feature of the netscan plugin that helps incident response analysts is that, for each network connection, the owning process is indicated in the output. This is useful in determining whether a connection is being made by Internet Explorer or by another process, such as Remote Desktop Services or SMB.
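The pivot described above (start from a known-bad IP address, find the connections to it and the process that owns them) is easy to script once netscan's table has been saved to a text file. The following is an added example written for this page, not code from the book or from the Volatility project. It parses the whitespace-separated columns that Volatility 2's netscan prints (Offset, Proto, Local Address, Foreign Address, State, Pid, Owner, Created), tolerating the blank State column of UDP rows, a blank Owner column, and the absent Created column of TCP connections. The sample output, offsets, addresses and PIDs embedded in it are constructed for illustration.

```python
"""Pivot from a suspicious IP address to the owning process using saved
Volatility 2 netscan output. Added example; not part of the book or Volatility."""

import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of `vol.py -f mem.raw --profile=... netscan`.
# Every offset, address and PID below is made up for illustration.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0f6d50         TCPv4    10.0.2.15:49163                203.0.113.7:443      ESTABLISHED      1828     iexplore.exe
0x3e1bb4b0         UDPv4    0.0.0.0:5355                   *:*                                   1076     svchost.exe    2019-03-04 12:00:01 UTC+0000
0x3e20e2e0         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1304     svchost.exe    2019-03-04 11:58:40 UTC+0000
0x3e2e15f0         TCPv4    10.0.2.15:49170                203.0.113.7:8080     CLOSED           2712     powershell.exe
0x3e3014a0         TCPv4    10.0.2.15:49171                198.51.100.20:445    ESTABLISHED      4        System
0x3e39c7b0         TCPv6    ::1:49172                      ::1:445              ESTABLISHED      4        System
"""

# The Created column starts with a YYYY-MM-DD date; used to notice a blank Owner.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _split_addr(addr):
    """'10.0.2.15:49163' -> ('10.0.2.15', '49163'); also handles '::1:445' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netscan(text):
    """Turn netscan's text table into a list of dicts, one per row."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].startswith("0x"):
            continue  # header, blank, or truncated line
        offset, proto, local, foreign = tokens[:4]
        rest = tokens[4:]
        state = ""
        if proto.upper().startswith("TCP"):  # UDP rows print an empty State column
            state, rest = rest[0], rest[1:]
        pid, rest = int(rest[0]), rest[1:]
        owner = ""
        if rest and not DATE_RE.match(rest[0]):  # Owner may be blank for dead processes
            owner, rest = rest[0], rest[1:]
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        records.append({
            "offset": offset, "proto": proto, "state": state,
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "pid": pid, "owner": owner, "created": " ".join(rest),
        })
    return records


def connections_to(records, indicator):
    """Rows whose foreign host falls inside a known-bad IP or CIDR range."""
    net = ipaddress.ip_network(indicator, strict=False)
    hits = []
    for r in records:
        try:
            host = ipaddress.ip_address(r["foreign_host"])
        except ValueError:
            continue  # '*' or other non-address placeholder
        if host in net:
            hits.append(r)
    return hits


def owners_of(records):
    """Map (pid, owner) -> set of foreign endpoints that process talked to."""
    by_owner = defaultdict(set)
    for r in records:
        if r["foreign_host"] in ("*", "0.0.0.0", "::"):
            continue  # listeners and unbound endpoints have no peer
        by_owner[(r["pid"], r["owner"])].add(f'{r["foreign_host"]}:{r["foreign_port"]}')
    return dict(by_owner)


def listeners(records):
    """TCP listeners plus UDP endpoints, i.e. what the host was accepting."""
    return [r for r in records
            if r["state"] == "LISTENING" or r["proto"].upper().startswith("UDP")]


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_NETSCAN)
    for r in connections_to(recs, "203.0.113.7"):
        print(f'{r["state"] or "-":12} pid={r["pid"]:<6} {r["owner"]:16} '
              f'-> {r["foreign_host"]}:{r["foreign_port"]}')
    for (pid, owner), peers in sorted(owners_of(recs).items()):
        print(f"{pid:<6} {owner:16} {sorted(peers)}")
```

Run against a real capture with `vol.py -f image.raw --profile=<profile> netscan > netscan.txt` and feed the file's contents to `parse_netscan`. Note that the CLOSED powershell.exe row is exactly the kind of exited connection the text mentions: the socket is gone from a live `netstat`, but its pool allocation is still recoverable from the image, and the owner column ties it back to a process worth examining.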
