Difference between revisions of "Second Look"

From ForensicsWiki
(Updated with new product name and page.)
 
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
{{Infobox_Software |
 +
  name = Threat Protection for Linux (formerly Second Look) |
 +
  maintainer = [[Forcepoint]] |
 +
  os = {{Linux}} |
 +
  genre = {{Memory analysis}} |
 +
  license = commercial |
 +
  website = [https://www.forcepoint.com/product/security-cloud/threat-protection-linux] |
 +
}}
 +
 
[[File:second_look_logo.png]]
 
[[File:second_look_logo.png]]
  
The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
+
'''Threat Protection for Linux®''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
 +
Threat Protection for Linux is a product of [[Forcepoint]].
  
 
== Memory Acquisition ==
 
== Memory Acquisition ==
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
+
Threat Protection for Linux preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds.  A command-line script allows for acquisition of memory from running systems without introducing any additional software.  A memory access driver is provided for use on systems without a native interface to physical memory.
  
 
== Memory Analysis ==
 
== Memory Analysis ==
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
+
Threat Protection for Linux interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors.  A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel.  Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
  
Second Look® also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
+
Threat Protection for Linux also applies an integrity verification approach for the analysis of each process in memory.  This enables it to detect unauthorized applications as well as stealthy user-level malware.
  
 
== Supported Systems ==
 
== Supported Systems ==
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of April 2012:
+
Threat Protection for Linux is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions.  The following are its capabilities as of August 2016:
* Supported target kernels: 2.6.x, 3.x up to 3.2
+
* Supported target kernels: 2.6.x through 3.x  
 
* Supported target architectures: x86 32- and 64-bit
 
* Supported target architectures: x86 32- and 64-bit
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
+
* Supported target distributions: Debian, RHEL/CentOS, Ubuntu, Fedora, SUSE, and more!
  
 
== External Links ==
 
== External Links ==
Second Look® is a product of [[Raytheon Pikewerks Corporation]]:
+
* [https://www.forcepoint.com/product/security-cloud/threat-protection-linux Threat Protection for Linux]
* http://secondlookforensics.com
+
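Review bot: the rename to "Threat Protection for Linux" is applied inconsistently within this revision. The new intro line states "Threat Protection for Linux is a product of [[Forcepoint]]", but the Memory Analysis paragraph still says "Pikewerks provides thousands of reference kernels" and the External Links section still opens with "Second Look® is a product of [[Raytheon Pikewerks Corporation]]:" followed by the old secondlookforensics.com link; either update those attributions to Forcepoint or keep one sentence explaining the Pikewerks/Raytheon/Forcepoint lineage so readers are not left with three different vendors. Also, the Supported Systems list is dated "as of August 2016" but only lists "2.6.x through 3.x" target kernels; since 4.x kernels had been shipping since 2015, stating whether 4.x is supported (or not) would make the list accurate to its new date.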

Latest revision as of 17:50, 8 August 2016

Threat Protection for Linux (formerly Second Look)
Maintainer: Forcepoint
OS: Linux
Genre: Memory Analysis
License: commercial
Website: https://www.forcepoint.com/product/security-cloud/threat-protection-linux
[Image: second_look_logo.png]

Threat Protection for Linux® is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities. Threat Protection for Linux is a product of Forcepoint.

Memory Acquisition

Threat Protection for Linux preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

Memory Analysis

Threat Protection for Linux interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Threat Protection for Linux also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.
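The kernel and process integrity checks described in the two paragraphs above come down to the same operation: compare the code pages found in a memory capture against a trusted reference built from the original package, and flag any bytes that differ or any function pointer that leaves the expected text range. The Python below is an added example of that comparison and is not code from Second Look, Threat Protection for Linux, Pikewerks or Forcepoint; the load address TEXT_BASE, the reference bytes, the inline-hook bytes and the "pointer table" are all constructed, and modified_ranges, check_text, check_pointer_table and run_demo are hypothetical names.

```python
"""Toy integrity verification of a captured kernel text segment and a
function-pointer table against a trusted reference.  Added example in the
spirit of the reference-kernel comparison described on the page; not code
from Second Look / Threat Protection for Linux.  Every address and byte
layout below is constructed for illustration."""
from dataclasses import dataclass
import struct

# Assumed load address of the kernel text segment in the capture (constructed).
TEXT_BASE = 0xFFFFFFFF81000000
TEXT_LO, TEXT_HI = TEXT_BASE, TEXT_BASE + 0x1000000   # range treated as kernel text


@dataclass(frozen=True)
class Finding:
    kind: str      # "text-modified" or "pointer-outside-text"
    address: int   # virtual address the finding refers to
    detail: str


def modified_ranges(reference: bytes, captured: bytes):
    """Return [(offset, length), ...] for each run of bytes where the capture
    differs from the reference.  Both blobs must cover the same address range;
    on a real system the reference must already reflect the build's own
    runtime patching (alternatives, relocations) so only tampering shows up."""
    if len(reference) != len(captured):
        raise ValueError("reference and capture must cover the same range")
    runs, start = [], None
    for i, (ref_byte, cap_byte) in enumerate(zip(reference, captured)):
        if ref_byte != cap_byte and start is None:
            start = i                        # a differing run begins here
        elif ref_byte == cap_byte and start is not None:
            runs.append((start, i - start))  # the run ended at i-1
            start = None
    if start is not None:                    # run extends to the end of the blob
        runs.append((start, len(reference) - start))
    return runs


def check_text(reference: bytes, captured: bytes, base: int = TEXT_BASE):
    """Map each differing run to its virtual address; every run is a finding."""
    return [Finding("text-modified", base + off, f"{length} byte(s) differ")
            for off, length in modified_ranges(reference, captured)]


def check_pointer_table(table: bytes, base: int, lo: int = TEXT_LO, hi: int = TEXT_HI):
    """Treat `table` as little-endian 64-bit function pointers loaded at `base`.
    A pointer that leaves [lo, hi), e.g. into module address space, is the
    classic sign of a redirected syscall-table entry."""
    findings = []
    for idx in range(len(table) // 8):
        (ptr,) = struct.unpack_from("<Q", table, idx * 8)
        if not (lo <= ptr < hi):
            findings.append(Finding("pointer-outside-text", base + idx * 8,
                                    f"entry {idx} -> {ptr:#x}"))
    return findings


# --- constructed sample data -------------------------------------------------
REFERENCE_TEXT = bytes(range(64))                 # stand-in for the reference kernel .text
_captured = bytearray(REFERENCE_TEXT)
_captured[16:21] = b"\xe9\x00\x10\x00\x00"         # constructed 5-byte inline hook (JMP rel32)
CAPTURED_TEXT = bytes(_captured)

TABLE_BASE = TEXT_BASE + 0x800000                  # constructed address of the pointer table
POINTER_TABLE = struct.pack("<4Q",
                            TEXT_BASE + 0x1000,    # entries 0, 1 and 3 stay inside kernel text
                            TEXT_BASE + 0x2000,
                            0xFFFFFFFFC0001000,    # entry 2 points into module space: hooked
                            TEXT_BASE + 0x3000)


def run_demo():
    """Run both checks over the sample data and return all findings."""
    findings = check_text(REFERENCE_TEXT, CAPTURED_TEXT)
    findings += check_pointer_table(POINTER_TABLE, TABLE_BASE)
    for f in findings:
        print(f"{f.kind:22} {f.address:#018x}  {f.detail}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Running the module reports two findings: a 5-byte modification at TEXT_BASE+0x10 (the constructed inline hook) and a pointer-table entry that resolves outside the kernel text range. The same byte comparison applies to a process's mapped executable pages against its on-disk binary, which is the per-process check the page describes; the reason the page stresses reference kernels built from original distribution packages is that the reference must match the exact build, or every legitimate difference would be reported as tampering.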

Supported Systems

Threat Protection for Linux is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of August 2016:

  • Supported target kernels: 2.6.x through 3.x
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian, RHEL/CentOS, Ubuntu, Fedora, SUSE, and more!

External Links