Difference between pages "Windows Shadow Volumes" and "Second Look"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
==Volume Shadow Copy Service==
+
[[File:second_look_logo.png]]
Windows has included the Volume Shadow Copy Service in it's releases since Windows XP.  The Shadow Copy Service creates differential backups periodically to create restore points for the user.  Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].
+
  
== Also see ===
+
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
* [[Mount shadow volumes on disk images]]
+
 
 +
== Memory Acquisition ==
 +
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
 +
 
 +
== Memory Analysis ==
 +
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
 +
 
 +
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
 +
 
 +
== Supported Systems ==
 +
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
 +
* Supported target kernels: 2.6.x, 3.x up to 3.2
 +
* Supported target architectures: x86 32- and 64-bit
 +
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
  
 
== External Links ==
 
== External Links ==
* [http://computer-forensics.sans.org/blog/2010/03/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows]
+
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics]
+
* http://secondlookforensics.com
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows]
+
* [http://code.google.com/p/libvshadow/ Project to read VSS Volumes]
+
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
+
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
+
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], July 2012
+

Revision as of 10:53, 17 April 2012

Second look logo.png

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links

Second Look® is a product of Raytheon Pikewerks Corporation: