ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Timeline Analysis" and "Second Look"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Papers)
 
 
Line 1: Line 1:
==Papers==
+
[[File:second_look_logo.png]]
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
+
  
* [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument Digital Evidence with an Emphasis on Time], Jens Olsson, Master's Thesis, Blekinge Institute of Technology, September 2008.
+
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
+
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workskop on Digital Evidence, Kyoto, Japan, January 2008
+
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
+
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
+
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
+
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
+
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
+
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bouding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
+
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
+
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
+
* M.C. Weil, [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], International Journal of Digital Evidence, vol 1:2, 2002
+
  
* [http://infoviz.pnl.gov/pdf/themeriver99.pdf ThemeRiver: In Search of Trends, Patterns, and Relationships], Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999
+
== Memory Acquisition ==
* [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf Timeline Visualization of Research Fronts], Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 2003
+
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.
* [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists Visualizing gaps in time-based lists], Moritz Stefaner
+
  
==Programs==
+
== Memory Analysis ==
; [[Zeitline]] — Forensic timeline editor
+
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
: http://projects.cerias.purdue.edu/forensics/timeline.php
+
: http://sourceforge.net/projects/zeitline/
+
  
; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.
+
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
; [http://code.google.com/p/simile-widgets/ Simile Timeline and Timeplot]
+
== Supported Systems ==
 +
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
 +
* Supported target kernels: 2.6.x, 3.x up to 3.2
 +
* Supported target architectures: x86 32- and 64-bit
 +
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
  
==See Also==
+
== External Links ==
* http://www.timeforensics.com/
+
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
 
+
* http://secondlookforensics.com
 
+
 
+
 
+
 
+
[[Category:Tools]]
+
[[Category:Bibliographies]]
+
[[Category:Timeline Analysis]]
+

Revision as of 14:53, 17 April 2012

Second look logo.png

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links

Second Look® is a product of Raytheon Pikewerks Corporation: