IP address search

In the previous section on Volatility, the IP address 41.168.5.140 was identified by using the connscan plugin. The drawback of that process of identifying IP addresses is that, if the connection has been closed and there is no activity, it may not be visible with Volatility. In that case, a way to expand the search for IP addresses resident in memory is to conduct the following Strings search:

strings cridex_laptop.mem | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}"

This Strings search will look for any matching patterns of an IP address. When examining the Cridex memory capture, several IP addresses show up. This includes internal IP address ranges and broadcast IP addresses. An examination of the results revealed that the IP address 188.40.0.138 was at one time located within memory:

From here, a second search for the IP address can be performed using the following command:

strings cridex_laptop.mem | grep "188\.40\.0\.138"

The command produces the following output:
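The two-step process above (carve every dotted quad out of the printable strings in the image, then pull the strings around one address of interest) can be reproduced without strings and grep. The following is an added example, not code from the book: it re-implements the pipeline in Python, discards candidates the regex over-matches (octets above 255), and labels private, broadcast and loopback hits so that only externally routable addresses need analyst attention. The memory bytes are a constructed stand-in for a slice of cridex_laptop.mem.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample, standing in for a few bytes of cridex_laptop.mem.
SAMPLE_MEMORY = (
    b"\x00\x01\xffMZ\x90\x00"
    b"host=188.40.0.138\x00\x00"
    b"C:\\Windows\\ver 10.0.19041\x00"
    b"gateway 192.168.1.105 bcast 255.255.255.255\x00"
    b"bogus 300.1.2.3\x00"
    b"\xde\xad\xbe\xef188.40.0.138:8080\x00"
)

# Same pattern as the grep -oE search, with the dot escaped so that it matches
# only a literal "." and bounded so that a quad inside a longer number is skipped.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

def printable_runs(data: bytes, min_run: int = 4):
    """Printable ASCII runs of at least min_run bytes, like strings(1) by default."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_run, data)

def classify(addr: IPv4Address) -> str:
    """Coarse label used to triage hits; only 'public' ones are worth chasing."""
    if addr == IPv4Address("255.255.255.255") or addr.is_unspecified:
        return "broadcast/unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:          # RFC 1918, link-local and other reserved ranges
        return "private/reserved"
    return "public"

def carve_ipv4(data: bytes) -> dict:
    """Return {ip_text: (label, hit_count)} for every valid dotted quad found."""
    hits = Counter()
    for run in printable_runs(data):
        for match in IPV4_RE.findall(run):
            text = match.decode()
            try:
                IPv4Address(text)    # rejects regex false positives such as 300.1.2.3
            except ValueError:
                continue
            hits[text] += 1
    return {ip: (classify(IPv4Address(ip)), n) for ip, n in hits.items()}

def contexts(data: bytes, ip: str) -> list:
    """Printable strings containing ip, equivalent to the second grep for one address."""
    needle = ip.encode()
    return [run.decode() for run in printable_runs(data) if needle in run]
```

Running carve_ipv4 over a real image yields the same triage table the Strings search produces by hand, and contexts("188.40.0.138") returns the surrounding strings that the second command prints.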

Next, we will look at HTTP search.
