Difference between pages "Carver 2.0 Planning Page" and "Second Look"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Requirements)
 
 
Line 1: Line 1:
This page is for planning Carver 2.0.
+
[[File:second_look_logo.png]]
  
= License =
+
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
  
BSD
+
== Memory Acquisition ==
 +
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
  
= OS =
+
== Memory Analysis ==
 +
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
  
Linux/FreeBSD/MacOS
+
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
= Requirements =
+
== Supported Systems ==
* AFF and EWF file images supported from scratch.
+
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:
* File system aware layer.
+
* Supported target kernels: 2.6.x, 3.x up to 3.2
** By default, files are not carved.
+
* Supported target architectures: x86 32- and 64-bit
* Plug-in architecture for identification/validation.
+
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
** Can we exercise libmagic or at least the patterns they identify?
+
* Ship with validators for:
+
** JPEG
+
** PNG
+
** GIF
+
** MSOLE
+
** ZIP
+
** TAR (gz/bz2)
+
* Simple fragment recovery carving using gap carving.
+
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
+
* Autonomous operation (what is it? [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)).
+
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
+
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
+
* Parallelizable.
+
* Configuration:
+
** Can handle config files,like Revit07, to enter different file formats used by the carver.
+
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
+
**  Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
+
* Can output audit.txt file.
+
* Easy integration into ascription software.
+
  
= Ideas =
+
== External Links ==
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
+
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
* http://secondlookforensics.com
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
 
+
= Supported File Systems =
+
 
+
Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+

Revision as of 09:53, 17 April 2012

Second look logo.png

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Contents

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links

Second Look® is a product of Raytheon Pikewerks Corporation: