Second Look

From ForensicsWiki
Revision as of 20:35, 26 May 2011 by Andrewtappert (page created)


The Incident Response edition of Second Look™: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

Memory Acquisition

Second Look™ preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script acquires memory from a running system without installing any additional software, using the kernel's native interface to physical memory where one is available. For systems without such an interface, a memory access driver is provided.
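The core of any script-based acquisition is deciding which physical addresses are safe to read: only the ranges the kernel reports as "System RAM" in /proc/iomem hold memory worth imaging, and reading device or firmware regions can hang the host. The script below is an added illustration of that approach, not Second Look's own acquisition script or driver. It parses a constructed /proc/iomem sample, then copies each RAM range from a physical-memory device into a "padded" raw image in which file offset equals physical address (the device path, the output name and the sample /proc/iomem text are all assumptions for the example). Caveat: on kernels built with CONFIG_STRICT_DEVMEM, reads from /dev/mem beyond the first megabyte fail with EPERM, which is exactly the situation in which a memory access driver is needed.

```python
import io
import re
import sys

# Constructed sample of /proc/iomem for this example; it is not taken from any
# real machine. Indented lines are sub-ranges nested inside their parent range.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-3ffdffff : System RAM
  01000000-01a0f6c0 : Kernel code
  01a0f6c1-021ddc3f : Kernel data
3ffe0000-3fffffff : Reserved
fec00000-fec003ff : IOAPIC 0
"""

_IOMEM_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")


def system_ram_ranges(iomem_text):
    """Return [(start, end_inclusive), ...] for every top-level 'System RAM'
    entry. Nested (indented) entries such as 'Kernel code' are skipped so that
    no range is counted twice. Note that a non-root reader of /proc/iomem sees
    zeroed addresses on recent kernels; run as root."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):
            continue
        m = _IOMEM_LINE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def total_bytes(ranges):
    """Amount of RAM the ranges cover, i.e. how much the image should contain."""
    return sum(end - start + 1 for start, end in ranges)


def acquire(dev, out, ranges, chunk=1 << 20):
    """Copy each System RAM range from the open device file `dev` into `out`.
    Seeking `out` to the range start leaves the gaps between ranges as
    zero-filled holes, so file offset == physical address ('padded raw').
    Returns the number of bytes actually copied."""
    copied = 0
    for start, end in ranges:
        dev.seek(start)
        out.seek(start)
        remaining = end - start + 1
        while remaining:
            buf = dev.read(min(chunk, remaining))
            if not buf:
                raise IOError("short read at physical 0x%x" % (end + 1 - remaining))
            out.write(buf)
            copied += len(buf)
            remaining -= len(buf)
    return copied


def image_from_bytes(dev_bytes, ranges, chunk=1 << 20):
    """Run acquire() over in-memory buffers so the padded layout can be checked
    offline without touching /dev/mem."""
    out = io.BytesIO()
    acquire(io.BytesIO(dev_bytes), out, ranges, chunk)
    return out.getvalue()


if __name__ == "__main__":
    # Assumed defaults for the example: device and output path are arguments.
    dev_path = sys.argv[1] if len(sys.argv) > 1 else "/dev/mem"
    out_path = sys.argv[2] if len(sys.argv) > 2 else "memory.raw"
    with open("/proc/iomem") as f:
        ranges = system_ram_ranges(f.read())
    # With CONFIG_STRICT_DEVMEM the reads below fail (EPERM) past the first
    # megabyte; that is the case where a memory access driver is required.
    with open(dev_path, "rb", buffering=0) as dev, open(out_path, "wb") as out:
        copied = acquire(dev, out, ranges)
    print("copied %d of %d bytes of System RAM" % (copied, total_bytes(ranges)))
```

The padded layout is chosen because analysis tools can then translate a physical address straight into a file offset; the holes cost no disk space on a filesystem that supports sparse files.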

Memory Analysis

Second Look™ interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is used: the Linux kernel in memory is compared against a reference kernel of the same version, so that code a rootkit has modified stands out as a difference from the reference. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
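To make the integrity-verification idea concrete, the following added example (not Second Look's code, and not a description of how Pikewerks implements the comparison) diffs an in-memory copy of kernel text against a reference copy and decodes the two inline-hook shapes rootkits most often write at the start of a hooked function: a 5-byte `jmp rel32`, and a 12-byte `mov rax, imm64; jmp rax`. It then reports whether control is diverted outside the kernel's own text, which is the usual sign of a hook into a malicious module. The reference bytes, the text base address and the hook target are constructed for the example. A real verifier must additionally whitelist the kernel's own legitimate boot-time patching (SMP alternatives, paravirt and ftrace call sites) before flagging differences, which this example does not attempt.

```python
import struct

# Constructed x86-64 "reference" kernel text for this example (hand-assembled,
# not from any real kernel): one small function followed by nop padding.
TEXT_BASE = 0xffffffff81000000
REF_TEXT = (
    b"\x55"                  # push rbp
    b"\x48\x89\xe5"          # mov  rbp, rsp
    b"\x48\x83\xec\x10"      # sub  rsp, 0x10
    b"\x31\xc0"              # xor  eax, eax
    b"\xc9"                  # leave
    b"\xc3"                  # ret
    + b"\x90" * 20           # nop padding
)
TEXT_END = TEXT_BASE + len(REF_TEXT)


def find_modified_ranges(ref, mem, base, max_gap=3):
    """Compare in-memory text `mem` against reference `ref` byte by byte and
    coalesce differing offsets into (address, ref_bytes, mem_bytes) ranges.
    Differences separated by at most `max_gap` matching bytes are merged, so a
    patched jmp whose middle byte happens to match is still one finding."""
    if len(ref) != len(mem):
        raise ValueError("reference and memory text differ in length")
    diffs = [i for i in range(len(ref)) if ref[i] != mem[i]]
    runs = []
    for i in diffs:
        if runs and i - runs[-1][1] <= max_gap + 1:
            runs[-1][1] = i
        else:
            runs.append([i, i])
    return [(base + s, ref[s:e + 1], mem[s:e + 1]) for s, e in runs]


def describe(addr, mem_bytes):
    """Decode the two common inline-hook shapes and say where they divert to."""
    target = None
    if mem_bytes[:1] == b"\xe9" and len(mem_bytes) >= 5:
        rel = struct.unpack("<i", mem_bytes[1:5])[0]
        target = (addr + 5 + rel) & 0xffffffffffffffff   # rel32 is IP-relative
        shape = "jmp rel32"
    elif mem_bytes[:2] == b"\x48\xb8" and mem_bytes[10:12] == b"\xff\xe0":
        target = struct.unpack("<Q", mem_bytes[2:10])[0]
        shape = "mov rax, imm64; jmp rax"
    if target is None:
        return "unrecognised %d-byte modification" % len(mem_bytes)
    where = "inside" if TEXT_BASE <= target < TEXT_END else "outside"
    return "%s -> 0x%x (%s kernel text)" % (shape, target, where)


def verify_text(ref, mem, base):
    """Return [(address, description), ...] for every modified range."""
    return [(a, describe(a, m)) for a, _r, m in find_modified_ranges(ref, mem, base)]


def hook_with_jmp(text, offset, target, base=TEXT_BASE):
    """Construct a hooked copy of `text`: jmp rel32 to `target` at `offset`.
    Used only to build the sample 'memory image' for this example."""
    mem = bytearray(text)
    rel = target - (base + offset + 5)
    mem[offset:offset + 5] = b"\xe9" + struct.pack("<i", rel)
    return bytes(mem)


def hook_with_mov_jmp(text, offset, target):
    """Construct a hooked copy using mov rax, imm64; jmp rax (12 bytes)."""
    mem = bytearray(text)
    mem[offset:offset + 12] = b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"
    return bytes(mem)


if __name__ == "__main__":
    # Constructed scenario: a rootkit module outside kernel text hooks the function.
    MODULE_HOOK = 0xffffffffa0001000
    mem = hook_with_jmp(REF_TEXT, 0, MODULE_HOOK)
    for addr, desc in verify_text(REF_TEXT, mem, TEXT_BASE):
        print("0x%x: %s" % (addr, desc))
```

Comparing against a reference built from the exact same kernel package is what makes this precise: any byte that differs is either legitimate runtime patching that a verifier must recognise, or something an attacker put there.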

Supported Systems

Second Look™ is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of May 2011:

  • Supported target kernels: 2.6.8 - 2.6.38
  • Supported target architectures: x86 32- and 64-bit
  • Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-11.04, and more!