Active Network Connections & Listening Ports
Location
/proc/net/tcp, /proc/net/tcp6, /proc/net/udp (or ss/netstat output)Description
Live network socket state from the kernel including all established TCP connections, listening ports, UDP sockets, and UNIX domain sockets with owning process information.
Forensic Value
Enumerating active connections during live triage identifies active C2 channels, reverse shells, and unauthorized listeners. Correlating listening ports with their owning processes (via ss -tlnp or lsof -i) exposes backdoor services running on non-standard ports. Unexpected outbound connections to foreign IP addresses on ports 443, 8443, or 8080 warrant immediate investigation for beaconing behavior.
Tools Required
Collection Commands
ss
ss -tulnpa > /forensics/output/ss_all_connections.txt
netstat
netstat -tulnpa > /forensics/output/netstat_connections.txt
lsof
lsof -i -nP > /forensics/output/lsof_network.txt
cat
cat /proc/net/tcp /proc/net/tcp6 /proc/net/udp /proc/net/udp6 > /forensics/output/proc_net_sockets.txt
Collection Constraints
- •Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- •Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
BitLocker/Encrypted Drives Preventing Forensic Imaging
Full-disk encryption (BitLocker, FileVault, LUKS) prevents mounting or imaging the drive without the recovery key. Without decryption you cannot access the filesystem for artifact collection.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.
Host Wiped Before Forensic Acquisition
The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.
Fileless Malware With Minimal On-Disk Footprint
The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.
Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.
Investigation Requires Air-Gapped Network Access
The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully-controlled trusted-transfer workflows that do not breach the air gap.