Today Adam Bridge, Senior Intrusion Analyst at Context, has published a new blog post. Planning to enter the Volatility Plugin Contest 2015, Adam set out to write a plug-in that could retrieve the DNS cache from a Windows memory sample, but ended up stumbling across something more interesting: the incoming and outgoing packet buffers for the NIC.
Adam discusses the steps he took, the challenges he faced, how he came across the packet buffer for the NIC and the plug-in he ultimately wrote that could provide some useful information or intelligence pertinent to an Incident Response investigation.