Difference between revisions of "Second Look"

From ForensicsWiki
Jump to: navigation, search
(Created page with "File:second_look_logo.jpg The Incident Response edition of '''Second Look™: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effect...")
 
(External Links)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[File:second_look_logo.jpg]]
+
{{Infobox_Software |
 +
  name = Second Look |
 +
  maintainer = [[Raytheon Pikewerks Corporation]] |
 +
  os = {{Linux}} |
 +
  genre = {{Memory analysis}} |
 +
  license = commercial |
 +
  website = [http://secondlookforensics.com/ secondlookforensics.com/] |
 +
}}
  
The Incident Response edition of '''Second Look™: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
+
[[File:second_look_logo.png]]
 +
 
 +
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
 +
Second Look® is a product of [[Raytheon Pikewerks Corporation]].
  
 
== Memory Acquisition ==
 
== Memory Acquisition ==
Second Look™ preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
+
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
  
 
== Memory Analysis ==
 
== Memory Analysis ==
Second Look™ interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
+
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
 +
 
 +
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
 
== Supported Systems ==
 
== Supported Systems ==
Second Look™ is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of May 2011:
+
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
* Supported target kernels: 2.6.8 - 2.6.38
+
* Supported target kernels: 2.6.x, 3.x up to 3.2
 
* Supported target architectures: x86 32- and 64-bit
 
* Supported target architectures: x86 32- and 64-bit
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-11.04, and more!
+
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
 +
 
 +
== External Links ==
 +
* [http://secondlookforensics.com Second Look®]

Latest revision as of 00:59, 31 July 2012

Second Look
Maintainer: Raytheon Pikewerks Corporation
OS: Linux
Genre: Memory Analysis
License: commercial
Website: secondlookforensics.com/
Second look logo.png

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities. Second Look® is a product of Raytheon Pikewerks Corporation.

Memory Acquisition

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

Supported Systems

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

  • Supported target kernels: 2.6.x, 3.x up to 3.2
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

External Links