I’m one of the developers for Volatility, and while I can’t say anything for certain about the discrepancy with connections (I don’t have the source to Mandiant or HBGary’s offerings ), I can make some educated guesses.

It looks like you used connscan2 and sockscan2 to find sockets and connections in the memory image. This will search through all memory for patters that match the connection or socket data structure. This means it may also find those structures in freed memory areas (like a file carver can find deleted files in unallocated space on a drive). My guess is that the extra connections were no longer active, but were still in memory, and hence could be found by a scan.

Once again, I don’t know how MAV or Responder Pro find sockets and connections, but my suspicion is that they look at the OS’s list of active sockets and connections. Volatility can do this too, through the “connections” and “sockets” commands. I’d be curious to see if these commands give results consistent with what you saw from the commercial offerings.

Anyways, thanks for taking the time to evaluate these tools — there is a dire need for better testing of forensic tools.

Cheers,
Brendan Dolan-Gavitt