Difference between pages "Tools:Data Recovery" and "Second Look"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Data Recovery)
 
 
Line 1: Line 1:
= Partition Recovery =
+
[[File:second_look_logo.png]]
  
*[http://www.ptdd.com/index.htm Partition Table Doctor]
+
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
: Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
+
  
*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
+
== Memory Acquisition ==
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
+
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.
  
*[http://www.cgsecurity.org/wiki/TestDisk Testdisk]
+
== Memory Analysis ==
: TestDisk is OpenSource software and is licensed under the GNU Public License (GPL).  
+
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
  
== See Also ==
+
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]
+
== Supported Systems ==
 +
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
 +
* Supported target kernels: 2.6.x, 3.x up to 3.2
 +
* Supported target architectures: x86 32- and 64-bit
 +
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
  
== Notes ==
+
== External Links ==
 
+
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
* "fdisk /mbr" restores the boot code in the [[Master boot record]], but not the partition itself.
+
* http://secondlookforensics.com
 
+
= Data Recovery =
+
 
+
*[http://www.toolsthatwork.com/bringback.htm BringBack]
+
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.
+
 
+
*[http://www.runtime.org/raid.htm RAID Reconstructor]
+
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.
+
 
+
*[http://www.salvationdata.com Salvation Data]
+
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.
+
 
+
* [http://www.e-rol.com/en/ e-ROL]
+
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.
+
 
+
* [http://www.recuva.com/ Recuva]
+
: Recuva is a freeware Windows tool that will recover accidentally deleted files.
+
 
+
* [http://www.geocities.jp/br_kato/ Restoration]
+
: Restoration is a freeware Windows software that will allow you to recover deleted files
+
 
+
=Carving=
+
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
+
: Data carving runs on multiple threads to make use of modern processors
+
 
+
*[http://foremost.sourceforge.net/ Foremost]
+
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
+
 
+
*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
+
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
+
 
+
*[[EnCase]]
+
: EnCase comes with some eScripts that will do carving.
+
 
+
*[http://ocfa.sourceforge.net/libcarvpath/ CarvFs]
+
: A virtual filesystem (fuse) implementation that can provide carving tools with the posibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.
+
 
+
*[http://ocfa.sourceforge.net/libcarvpath/ LibCarvPath]
+
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.
+
 
+
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
+
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.
+
 
+
* [https://www.uitwisselplatform.nl/projects/revit RevIt]
+
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.
+

Revision as of 10:53, 17 April 2012

Second look logo.png

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links

Second Look® is a product of Raytheon Pikewerks Corporation: