Difference between pages "Data Compass" and "Second Look"

From ForensicsWiki
(Difference between pages)
(What can Data Compass do?)
 
 
Line 1: Line 1:
== Overview ==
+
[[File:second_look_logo.png]]
Data Compass is a hardware and software data recovery tool produced by [[SalvationDATA]].
+
  
According to our [[3+1 Data Recovery]] process, the stage following the drive restoration will be data recovery using Data Compass.
+
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
  
After bringing the failed drive back to life, as a data recovery professional, you know now you need to recover the damaged file system by using file system recovery software; and maybe you know also you need to do a disk imaging in order to work from an accurate, stable hard drive image.
+
== Memory Acquisition ==
 +
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
  
Unfortunately, traditional disk imaging tools and methods are designed for and work on good HDDs only, not the patient HDDs that are unstable or inaccessible because of media defects and instable head, which are common challenges of Stage 2 in practice. Even more, with those traditional imaging tools, the time involved and the ordinary user-level repeated-read access to the media bring a risk of damaging the disk and head, making data lost irretrievable.
+
== Memory Analysis ==
 +
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
  
But now there's a better way: The disk probing equipment included in the Data Compass suite bypassing the disk-level problems such as multiple bad sectors, damaged surfaces, malfunctioning head assembly, or corrupted servo info, In the meantime you can use the default software or any other defined software you have been familiar with (R-studio, Winhex, any) to perform file recovery. Through the Data Compass, problem drives will become intact hard drives and ready for file recovery attempts..
+
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
== What can Data Compass do? ==
+
== Supported Systems ==
 +
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
 +
* Supported target kernels: 2.6.x, 3.x up to 3.2
 +
* Supported target architectures: x86 32- and 64-bit
 +
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
  
 
+
== External Links ==
Data recovery from physically damaged HDDs is what Data Compass designed for.
+
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
 
+
* http://secondlookforensics.com
' Data recovery from HDDs with severe multiple BAD sectors, which appear because of platter surface scratch or malfunction or instability of the magnetic head assembly (MHA).
+
 
+
' Data recovery from HDDs that start to produce "clicking" sounds, which may be caused by corruption of sector servo labels or a MHA malfunction. If some heads or surfaces are damaged it is possible (before installation of MHA replacement) to create a copy of data using the remaining good surfaces or drive heads.
+
 
+
' Availability of tools for logical analysis of FAT and NTFS file systems in the software complex allows data recovery in cases, when a drive is functional and only logical data structure is corrupted.
+
 
+
'When used with malfunctioning drives, Data Compass complex often allows selective extraction of data necessary to your customers without reading all data from a drive ("recover data by file" without creating a complete disk image) saving a lot of time. In some cases, when drive malfunctions cause constant self-damage (like scratches on disks or instable MHA) these are the only means to accomplish this task. With the [[ShadowDisk]] technology adopted, users need not to worry about the drive degradation problem.
+
 
+
Some technologies of the Data Compass
+
'[[SA Emulation]]™ Technology: Feel that too difficult to conduct firmware repair? Or you have come across media defects in the SA (so far no tool in the world can fix this kind of problem)? AnalogT enables us to directly generate key information for booting drive in RAM; therefore, users can initialize the drive and access data area independent of the drive SA. We can disable the read attempt to the damaged SA and access the data directly, no need to try hard to find suitable firmware donor.
+
'[[DBER]] Dynamic Balancing Enhanced Reading Technology: This easily helps you to extract data from partially damaged bad sectors which can't be copied/ imaged by other tools. Experiments have proved that you will have 30% more data recovery and file opening success rate using DC, compared with other image devices.
+
'[[ShadowDisk]]™ Technology: It images every sector of the source drive you read to an external shadow disk, any following read request towards those "read" sectors will be directly transferred to the corresponding sectors on the shadow disk; which means each sector of the source drive will experience one read operation during the whole process. ShadowDiskT technology ensures the minimum read towards the source drive; therefore effectively avoid further damage to the media and head, helps you to get rid of the situation before ShadowDiskT Technology: that's the head stack collapses halfway of the disk image and gives clicking sound.
+
 
+
== Related links ==
+
 
+
[http://www.salvationdata.com Official Webiste]
+
 
+
[http://www.salvationdata.com/downloads/pdf/grow-your-business-with-dc.pdf Data Sheet of Data Compass]
+
 
+
[http://www.salvationdata.com/data-recovery-equipment/data-compass.htm Customer Reviewer]
+
 
+
[http://www.salvationdata.com/blog/category/data-compass-case-studies Case Studies]
+
 
+
[[Category:Disk_imaging]]
+
[[Category:Tools]]
+
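Review bot: In the added Memory Acquisition section, "without introducing any additional software" is followed directly by "A memory access driver is provided for use on systems without a native interface to physical memory". Loading a driver does add software to the target, so the text should say that the no-additional-software claim holds only where a native physical-memory interface exists. The added Supported Systems list also ends with "and more!", which gives an investigator nothing to check a target against; name the distributions or drop the phrase.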

Revision as of 09:53, 17 April 2012


The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links

Second Look® is a product of Raytheon Pikewerks Corporation:

  • http://secondlookforensics.com