ToolWar | Information Security (InfoSec) Tools: Memory

Mandiant Redline (Memory and File Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;">
 <img alt="Mandiant Redline Logo" border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85inxEf7aGj9rwDfJlLA1TZjt029HkuPRCGRhLSQHEAM3zBvwbuLTQ5KRk0_EUdzGhbt6PbzzhpzYo2kQigms2_eBtiT3rOaRdXb8fjaQlF-7JuBE_st3IAFkZd3E5dxJ-TJdPkeBzB0X/s400/Memoryze+Logo.png" title="Mandiant Redline Logo" width="400" /></div>
<div style="text-align: justify;">
<b>Redline, Mandiant’s</b> premier free tool, provides<i> host investigative</i> 
capabilities to users to find signs of <i>malicious activity through memory
 and file analysis</i>, and the development of a threat assessment profile. 
 With <b>Redline,</b> users can:</div>
<ul style="text-align: justify;">
<li>Thoroughly audit and collect all running processes and drivers 
from <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a>, file system metadata, <a href="http://www.toolwar.com/search/label/Registry" target="_blank">registry</a> data, event logs, <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> 
information, services, tasks, and <a href="http://www.toolwar.com/search/label/Web" target="_blank">web</a> history.</li>
<li>Analyze and view imported audit data, including narrowing and 
filtering results around a given timeframe using <b>Redline’s</b> Timeline 
functionality with the TimeWrinkle™ and TimeCrunch™ features.</li>
<li>Streamline memory analysis with a proven workflow for analyzing <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a> based on relative priority.</li>
<li>Identify processes more likely worth investigating based on the <b>Redline</b> Malware Risk Index (MRI) score.</li>
<li>Perform Indicator of Compromise (IOC) <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>. Supplied with a set 
of IOCs, the Redline Portable Agent is automatically configured to 
gather the data required to perform the IOC analysis and an IOC hit 
result review. </li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In addition, <b>Redline</b> can be used in conjunction with <b>Mandiant for Intelligent Response®(MIR®)</b> and <b>Mandiant for Security Operations™:</b></div>
<div style="text-align: justify;">
</div>
<ul style="text-align: justify;">
<li>Investigators can open audits gathered in Mandiant for 
Intelligent Response (MIR) directly in Redline to quickly identify a 
malicious process and create an IOC based on the analysis. MIR can use 
this IOC to quickly sweep a <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> to identify all other systems 
running the same or similar malware.</li>
<li>Mandiant for Security Operations users can open triage collections 
directly in Redline in order to perform in-depth <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a> allowing the 
user to establish a timeline and the scope of an incident.</li>
</ul>
<b>Mandiant Redline 1.11</b> includes various changes to improve your user 
experience, and adds support for <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> 8 and 2012. A redesigned find 
panel remains open and offers users the ability to search and filter on a
 specific column. You can also filter lists by multiple tags at the same
 time and choose whether to include only items that do or do not have a 
comment. Finally, the Redline Collector now provides beta support for 
gathering Windows 2012 and Windows 8 data..<br />
<br />
<br />
<b>Supported Operating Systems:</b> Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit)<br />
<br />
<h3>
Tutorials ::</h3>
<b>User Guide :: </b><a href="http://www.mandiant.com/library/Redline1.11_UserGuide.pdf">Mandiant Redline 1.11 (PDF)</a><br />
<b>Redline Blog :: </b><a href="https://www.mandiant.com/blog/tag/redline/" target="_blank">Mandiant Redline Blog </a><br />
<br />
<h3>
Download ::</h3>
<b>Windows :: </b><a href="https://www.mandiant.com/library/Redline-1.11.msi" target="_blank">Mandiant Redline v1.11</a><b><br /></b><br />
<b>Official Website ::</b> <a href="https://www.mandiant.com/resources/download/redline">https://www.mandiant.com/resources/download/redline</a>

Mandiant Redline (Memory and File Analysis) :: Tools

Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity throug...

Mandiant Memoryze (Live Memory Forensic) :: Tools

<div class="separator" style="clear: both; text-align: center;">
<img alt="Memoryze Logo" border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP6Kiq6DL8HvQGQr0mM99tRZ4IPEArJ8MAgMScreZuK6ooQ73__V7_InhX_VZ_JTI3i6HMxlsvJ6HheaMaVEey7VHFt_4UHW_vW8sSMttY7brLEr-rMCOR-jWHctlRSlXt85RjFwYA_CZ2/s400/Memoryze+Logo.png" title="Memoryze Logo" width="400" /></div>
<div style="text-align: justify;">
<b>Mandiant’s Memoryze</b> is free<i> <b>memory forensic software</b></i> that helps 
incident responders <b><i>find evil in live memory.</i></b> <b>Memoryze</b> can acquire 
and/or analyze <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> images, and on live systems, can include the 
paging file in its <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Mandiant’s Memoryze</b> features:</div>
<ul style="text-align: justify;">
<li>image the full range of <a href="http://www.toolwar.com/search/label/System" target="_blank">system</a> memory (not reliant on API calls).</li>
<li>image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps and stacks.</li>
<li>image a specified driver or all drivers loaded in <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> to disk.</li>
<li>enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:</li>
<ul>
<li>report all open handles in a process (for example, all files, registry keys, etc.).</li>
<li>list the virtual address space of a given process including:</li>
<ul>
<li>displaying all loaded DLLs.</li>
<li>displaying all allocated portions of the heap and execution stack.</li>
</ul>
<li>list all <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> sockets that the process has open, including any hidden by rootkits.</li>
<li>specify the functions imported by the EXE and DLLs.</li>
<li>specify the functions exported by the EXE and DLLs.</li>
<li>hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.  This is disk based.)</li>
<li>hash the EXE and DLLs in the process address space. (This is a MemD5 of the binary in memory).</li>
<li>verify the digital signatures of the EXE and DLLs. (This is disk based.)</li>
<li>output all strings in memory on a per process basis.</li>
</ul>
<li>identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can: </li>
<ul>
<li>specify the functions the driver imports.</li>
<li>specify the functions the driver exports.</li>
<li><a href="http://www.toolwar.com/search/label/Hash" target="_blank">hash</a> the driver. (MD5, SHA1, SHA256. this is disk based.)</li>
<li>verify the digital signature of the driver (This is disk based.)</li>
<li>output all strings in memory on a per driver base.</li>
</ul>
<li>report device and driver layering, which can be used to intercept network <a href="http://www.toolwar.com/search/label/Packet" target="_blank">packets</a>, keystrokes and file activity.</li>
<li>identify all loaded kernel modules by walking a linked list.</li>
<li>identify hooks (often used by rootkits) in the System Call Table, 
the Interrupt Descriptor Tables (IDTs) and driver function tables (IRP 
tables).</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Mandiant’s Memoryze can perform all these functions on live 
system memory or memory image files – whether they were acquired by 
Memoryze or other memory acquisition tools. </b></div>
<div style="text-align: justify;">
Memoryze officially supports:</div>
<ul style="text-align: justify;">
<li><a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> 2000 Service Pack 4 (32-bit)</li>
<li>Windows XP Service Pack 2 and Service Pack 3 (32-bit)</li>
<li>Windows Vista Service Pack 1 and Service Pack 2 (32-bit)</li>
<li>*Windows Vista Service Pack 2 (64-bit)</li>
<li>Windows 2003 Service Pack 2 (32-bit and 64-bit)</li>
<li>Windows 7 Service Pack 0 (32-bit and 64-bit)</li>
<li>*Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)</li>
<li>Windows 2008 R2 Service Pack 0 (64-bit)</li>
<li>*Windows 8 Service Pack 0 (32-bit and 64-bit)</li>
<li>*Windows Server 2012 Service Pack 0 (64-bit)</li>
</ul>
<div style="text-align: justify;">
* means support for a new operating system without experience on millions of host</div>
<div style="text-align: justify;">
In order to visualize Memoryze’s output, please download Redline™ or 
use an XML viewer.  Redline is Mandiant’s premier <a href="http://www.toolwar.com/search/label/Free" target="_blank">free</a> tool for 
investigating hosts for signs of malicious activity through memory and 
file <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>, and the development of a threat assessment profile.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Tutorials :: </h3>
<b>Youtube ::</b><a href="http://www.youtube.com/watch?v=NskrZmwwV5s" target="_blank"><b> </b>Click Here</a><br />
<b>Forum :: </b><a href="https://forums.mandiant.com/" target="_blank">Mandiant Memoryze Forum</a> <br />
<b>User Guide ::  </b><a href="http://www.mandiant.com/library/MemoryzeUserGuide.pdf" target="_blank">Memoryze User Guide PDF</a><br />
<h3 style="text-align: justify;">
 </h3>
<h3 style="text-align: justify;">
Download ::</h3>
<div style="text-align: justify;">
<b>Windows :: </b><a href="https://www.mandiant.com/library/MemoryzeSetup3.0.msi" target="_blank">Mandiant Memoryze 3.0</a><b><br /></b></div>
<div style="text-align: justify;">
<b>Official Website :: </b><a href="https://www.mandiant.com/resources/download/memoryze">https://www.mandiant.com/resources/download/memoryze</a></div>
<div style="text-align: justify;">
<br /></div>

Mandiant Memoryze (Live Memory Forensic) :: Tools

Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire ...

Volatility (Advanced Memory Forensics Framework) :: Framework

<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<img alt="Volatility Framework (Advance Memory Framework)" border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwYsvSKFWGazVkY8HTm3e9MOP8FLgDHrNIEhfik5auQuUNypN7S2Vl_ZHpcAkdSMaAcULytu3T0GEW5lT53Towrr6YEo48gjALbDFYqIdwWgbH_SwnzwssHoTNoZWyDysqNDN1W5rFYL0S/s320/volatility+logo.png" title="Volatility Framework (Advance Memory Framework)" width="320" /></div>
<b>Volatility Framework</b> is a <i>Advanced Memory Forensics Framework. </i>The <b>Volatility Framework</b>  is a completely open collection of <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a>, implemented in <a href="http://www.toolwar.com/search/label/Python" target="_blank">Python</a> under  the GNU General Public License, for the extraction of digital artifacts  from volatile <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> (RAM) samples. The extraction techniques are  performed completely independent of the system being investigated but  offer unprecedented visibilty into the runtime state of the system.  The <a href="http://www.toolwar.com/search/label/Frameworks" target="_blank"> framework</a> is intended to introduce people to the techniques and  complexities associated with extracting digital artifacts from volatile <a href="http://www.toolwar.com/search/label/Memory" target="_blank"> memory</a> samples and provide a platform for further work into this  exciting area of research.   <br />
The <b>Volatility Framework</b>  demonstrates our commitment to and belief in the importance of open  source digital investigation <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a> . Volatile Systems is committed to  the belief that the technical procedures used to extract digital  evidence should be open to peer analysis and review.  We also believe  this is in the best interest of the digital investigation community, as  it helps increase the communal knowledge about systems we are forced to  investigate.   Similarly, we do not believe the availability of these  tools should be restricted and therefore encourage people to modify,  extend, and make derivative works, as permitted by the GPL.   </div>
<h3 style="text-align: left;">
<span style="font-size: small;">Capabilities :-</span></h3>
<div style="text-align: justify;">
The <b>Volatility Framework</b> currently provides the following extraction capabilities for memory samples   </div>
<ul style="list-style-type: disc; text-align: justify;">
<li>Image information (date, time, CPU count)</li>
<li>Running processes</li>
<li>Process SIDs and environment variables</li>
<li>Open network sockets</li>
<li>Open network connections</li>
<li>DLLs loaded for each process</li>
<li>Open handles to all kernel/executive objects (files, keys, mutexes)</li>
<li>OS kernel modules</li>
<li>Dump any process, DLL, or module to disk</li>
<li>Mapping physical offsets to virtual addresses</li>
<li>Virtual Address Descriptor information</li>
<li>Addressable memory for each process</li>
<li>Memory maps for each process</li>
<li>Extract executable samples</li>
<li>Scanning examples: processes, threads, sockets, connections, modules</li>
<li>Command histories (cmd.exe) and console input/output buffers</li>
<li>Imported and exported API functions</li>
<li>PE version information</li>
<li>System call tables (IDT, GDT, SSDT)</li>
<li>API hooks in user- and kernel-mode (inline, IAT, EAT, NT syscall, winsock)</li>
<li>Explore cached registry hives</li>
<li>Dump LM/NTLM hashes and LSA secrets</li>
<li>User assist and shimcache exploration</li>
<li>Scan for byte patterns, regular expressions, or strings in memory</li>
<li>Analyze kernel timers and callback functions</li>
<li>Report on windows services</li>
</ul>
<h3>
Tutorial ::</h3>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/zhQP07YKLL0?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<h3>
</h3>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/zXh-1mK5FyU?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<h3>
</h3>
<h3>
Download ::</h3>
<b>Windows :: </b><a href="https://volatility.googlecode.com/files/volatility-2.3.1.standalone.exe" target="_blank">Volatility 2.3.1 Standalone </a><b>
</b>
<b> </b><br />
<b>Linux :: </b><a href="https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz" target="_blank">Volatility 2.3.1.tar.gz</a><b>
</b>
<b> </b><br />
<b>Mac :: </b><a href="https://volatility.googlecode.com/files/MacProfilesAll.zip" target="_blank">Volatility Framework </a><br />
<b></b><b>Source :: </b><a href="https://code.google.com/p/volatility/">https://code.google.com/p/volatility/</a><b>
</b>

Volatility (Advanced Memory Forensics Framework) :: Framework

Volatility Framework is a Advanced Memory Forensics Framework. The Volatility Framework is a completely open collection of tools , imp...

DFF (Digital Forensics Framework) :: Framework

<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIl1DdbsO0WfC9qJDGu02Asu8jmU-fMvvGqJMnoXYIsycbH4eFW775XwZteITm_g2b8WSSdGZMbd7O8O3wZHb-6a1jsPqXb98HsFnIMVxzOlcFkVtQFC1j5SodKKFdqH5k_nWuugslcbtP/s1600/DFF+LOgo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="DFF Logo" border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIl1DdbsO0WfC9qJDGu02Asu8jmU-fMvvGqJMnoXYIsycbH4eFW775XwZteITm_g2b8WSSdGZMbd7O8O3wZHb-6a1jsPqXb98HsFnIMVxzOlcFkVtQFC1j5SodKKFdqH5k_nWuugslcbtP/s1600/DFF+LOgo.png" title="DFF Logo" width="400" /></a></div>
<div style="text-align: justify;">
<b>DFF (Digital Forensics Framework)</b> is a free and Open Source <b>computer  forensics software</b> built on top of a dedicated Application Programming  Interface (API). It can be used both by professional and non-expert people in order to quickly  and easily collect, preserve and reveal digital evidences without  compromising systems and data.</div>
<h3 style="text-align: justify;">
Features :: </h3>
<ul style="text-align: justify;">
<li>Preserve digital chain of custody - Software write blocker, cryptographic <a href="http://www.toolwar.com/search/label/Hash" target="_blank">hash</a> calculation</li>
<li>Access to local and remote devices - Disk drives, removable devices, remote file systems</li>
<li>Read standard <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">digital forensics</a> file formats - Raw, Encase EWF, AFF 3 file formats</li>
<li><a href="http://www.toolwar.com/search/label/Virtual" target="_blank">Virtual machine</a> disk reconstruction - VmWare (VMDK) compatible</li>
<li><a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> and <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux OS</a> forensics - <a href="http://www.toolwar.com/search/label/Registry" target="_blank">Registry</a>, Mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems</li>
<li>Quickly triage and search for (meta-)data - Regular expressions, dictionaries, content search, tags, time-line</li>
<li><a href="http://www.toolwar.com/search/label/Recovery" target="_blank">Recover</a> hidden and deleted artifacts - Deleted files / folders, unallocated spaces, carving</li>
<li>Volatile <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory forensics</a> - Processes, local files, binary extraction, network connections</li>
</ul>
<div style="text-align: justify;">
<b>Digital Forensics Framework (DFF)</b> is an open source computer forensics software. It advertises the ability to be used by both professionals and non-experts to collect, preserve, and reveal digital evidence without compromising systems and data. </div>
<div style="text-align: justify;">
<b>Digital Forensics Framework</b> offers two user interfaces, a graphical one developed in PyQt and providing classical tree view but also more advanced features such as recursive view, tagging, live search or bookmarking. Its command line interface enables to perform <a href="http://www.toolwar.com/search/label/Investigation" target="_blank">digital investigation</a> remotely and comes with usual functionnalities available in common shell such as completion, tasks management, globing or keyboard shortcuts. DFF can also run batch scripts at startup to automate repetitive tasks. Advanced users and developers can also use DFF directly from a <a href="http://www.toolwar.com/search/label/Python" target="_blank">Python</a> interpreter to script their investigation.</div>
<h3 style="text-align: justify;">
Tutorials ::</h3>
<div style="text-align: justify;">
<b>DFF Blog :: </b><a href="http://www.digital-forensic.org/blog/" target="_blank">Click Here</a><b><br />
</b></div>
<b>DFF Wiki :: </b><a href="http://wiki.digital-forensic.org/" target="_blank">Click Here</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/02uZv72KS88?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<h3 style="text-align: justify;">
Download ::</h3>
<div style="text-align: justify;">
<b>Linux | Windows :: </b><a href="http://www.digital-forensic.org/en/downloads/dff/" target="_blank">DFF v1.3.0</a> (Free Edition)</div>
<div style="text-align: justify;">
<b>Official Website ::</b> <a href="http://wiki.digital-forensic.org/index.php/Main_Page">http://wiki.digital-forensic.org/index.php/Main_Page</a></div>

DFF (Digital Forensics Framework) :: Framework

DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Progra...

Second Look (Linux Memory Forensics) :: Tools

<div style="text-align: justify;">
<div class="separator" style="clear: both;">
 <img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj3s-HN2dZGFNYEv4wk6IGLmblttBSVAhyiADK6Tcg_sE6ucHyhB_M1xINBz418Iy8K5vLizCBYB253oHqRxFsyyY8VZykHyveoJ2XteU5fG4hbI2gGuQ-r6z4iNVCrNR0thbZCaMasHa_/s1600/secondlook.jpg" width="640" /></div>
The Incident Response edition of <b>Second Look®: Linux Memory Forensics</b> is designed for use by investigators who need quick, easy, and effective <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a> <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory acquisition</a> and analysis capabilities. Second Look® is a product of Raytheon Pikewerks Corporation. </div>
<h3 style="text-align: justify;">
 <span class="mw-headline" id="Memory_Acquisition"> Memory Acquisition::</span></h3>
<div style="text-align: justify;">
<b>Second Look®</b> preserves the volatile system state, capturing evidence  and information that does not exist on disk and may otherwise be lost as  an investigation proceeds.  A <a href="http://www.toolwar.com/search/label/CLI" target="_blank">command-line</a> script allows for  acquisition of <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> from running systems without introducing any  additional software.  A memory access driver is provided for use on  systems without a native interface to physical memory. </div>
<h3 style="text-align: justify;">
 <span class="mw-headline" id="Memory_Analysis"> Memory Analysis ::</span></h3>
<div style="text-align: justify;">
<b>Second Look® </b>interprets live system memory or captured memory images,  detecting and <a href="http://www.toolwar.com/search/label/Reverse" target="_blank">reverse engineering</a> malware, including stealthy kernel <a href="http://www.toolwar.com/search/label/Rootkit" target="_blank"> rootkits</a> and backdoors.  A kernel integrity verification approach is  utilized to compare the Linux kernel in memory with a reference kernel.   Pikewerks provides thousands of reference kernels derived from original  distribution kernel packages, and a script for creating reference  kernels for other systems, such as those running custom kernels. </div>
<div style="text-align: justify;">
<b>Second Look®</b> also applies an integrity verification approach for  the analysis of each process in memory.  This enables it to detect  unauthorized applications as well as stealthy user-level <a href="http://www.toolwar.com/search/label/Malware" target="_blank">malware</a>. </div>
<h3 style="text-align: justify;">
 <span class="mw-headline" id="Supported_Systems"> Supported Systems ::</span></h3>
<div style="text-align: justify;">
Second Look® is regularly updated to support analysis of the latest  kernels and the most commonly used <a href="http://www.toolwar.com/search/label/Distribution" target="_blank">Linux distributions</a>.  The following  are its capabilities as of April 2012: </div>
<ul style="text-align: justify;">
<li> Supported target kernels: 2.6.x, 3.x up to 3.2 </li>
<li> Supported target architectures: x86 32- and 64-bit </li>
<li> Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more! </li>
</ul>
<h3 style="text-align: justify;">
Product features (Second Look Incident Response Edition) ::</h3>
<ul style="text-align: justify;">
<li>Memory acquisition and analysis for all 32- and 64-bit x86
(i386/i486/i586/i686, amd64/x86_64) Linux systems running 2.6- and 3-series
kernels. This includes:
<ul>
<li>Amazon Linux 2010.11 through 2014.03, and higher;</li>
<li>Debian 4 through 7, and higher;</li>
<li>Fedora 2 through 20, and higher;</li>
<li>Red Hat Enterprise Linux (RHEL) and CentOS 4.x, 5.x, 6.x, and higher;</li>
<li>Ubuntu 4.10 through 14.04, and higher;</li>
<li>and other distributions.</li>
</ul>
</li>
<li>Analysis via command line interface (CLI) or graphical user interface
(GUI) applications which run on Ubuntu 12.04 (32- or 64-bit) or RHEL/CentOS 6.x
(64-bit).</li>
<li>Automatic kernel version identification — just select a memory image
and go.</li>
<li>Supported memory image formats:
<ul>
<li>raw physical memory images ("mem" format — as produced by
secondlook-memdump, Inception, and other
tools);</li>
<li>SLM memory images ("slm" format — a high-performance compressed
memory image format used by Second Look Enterprise Security Edition);</li>
<li>LiME memory images ("lime", "padded", or LiME "raw" formats — "lime"
and LiME "raw" formats require conversion with secondlook-lime2mem or
secondlook-limeraw2mem, respectively ‐ LiME "padded" is the equivalent of
a raw physical memory image);</li>
<li>VMware virtual machine snapshots ("vmem", "vmsn", or "vmss" formats —
"vmsn" and "vmss" formats, as well as "vmem" files from VMs with >4GB RAM,
require conversion with VMware's vmss2core
and secondlook-core2mem);</li>
<li>VirtualBox snapshots ("vbc" format — via conversion with
secondlook-vbc2mem); and</li>
<li>KVM Libvirt-QEMU-Save or QEMU-savevm snapshots ("lqs" or "qsv" formats
— via conversion with lqs2mem, originally
secondlook-lqs2mem, now an open source project).</li>
</ul>
</li>
<li>Support for analysis of memory images from systems running either
distribution stock kernels or custom kernels.</li>
<li>Support for analysis of memory images from
Amazon EC2 instances (under both pv and hvm virtualization types).</li>
<li>Access to a repository of over 9000 ZRKs (Zipped Reference Kernels)
providing the metadata and baseline for analysis and verification of CentOS,
Debian, Fedora, RHEL, and Ubuntu stock kernels.</li>
<li>An easy-to-use tool for creation of ZRKs for other distributions or for
custom kernels.</li>
<li>Second Look ZRKs
can also be used as Volatility profiles.</li>
<li>Integrity verification of the kernel and processes in memory.</li>
<li>Access to a pagehash database containing hashes of the executable code
pages of the ELF executables and shared libraries from over 2 million
software packages from the Amazon, CentOS, Debian, Fedora, RHEL, and Ubuntu
distributions.</li>
<li>An easy-to-use tool for the addition of pagehashes supporting verification
of custom or third-party software.</li>
<li>Detection of kernel rootkits, backdoors, and other kernel-mode malware
(known and unknown varieties).</li>
<li>Detection of shared library rootkits, keyloggers, spyware, injected
libraries, injected threads, and other user-mode malware (known and unknown
varieties).</li>
<li>Detection of unknown or unauthorized processes.</li>
<li>Recovery of device mapper crypto keys
for LUKS, TrueCrypt, and other full disk encryption schemes.</li>
<li>Extraction of system state from captured memory images, including loaded
kernel modules, running processes, memory mappings, open files, active network
connections, and more.  Output is available in the GUI, in plain text from the
CLI, and in JSON format for ingestion by other programs.</li>
<li>Offline usage is supported via a subscription to our ZRK and pagehash reference data
feeds.</li>
</ul>
<h3 style="text-align: justify;">
More Reasons to Choose Second Look</h3>
<div style="text-align: justify;">

Beyond the unique and powerful Linux Incident Response feature set listed
above, what sets Second Look apart is the team behind it and the quality
of the software they deliver.

</div>
<ul style="text-align: justify;">
<li>The Second Look Team provides professional support via phone and
email, with on-site consulting services available.  You get direct access to
experts in Linux system internals and security.</li>
<li>Customer feedback often quickly leads to new features.</li>
<li>Second Look ships with comprehensive documentation, including a
User Guide with explanations of the techniques most commonly used by
attackers to maintain stealthy persistence on Linux systems.</li>
<li>Second Look is regression tested against a large suite of sample
memory images to ensure maximum quality and compatibility.</li>
<li>If you like the visibility that Second Look gives you during
investigations, you can upgrade to the Enterprise Security edition to monitor
your systems on an ongoing basis.</li>
</ul>
<ul style="text-align: justify;">
</ul>
<h3 style="text-align: justify;">
Tutorial ::</h3>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/wt326aXmDMA?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<div style="text-align: justify;">
</div>
<h3 style="text-align: justify;">
Download ::</h3>
<div style="text-align: justify;">
<b>Linux :: </b>$1495 (USD) | <a href="http://secondlookforensics.com/contact/" target="_blank">Contact Here</a> for Purchase</div>
<div style="text-align: justify;">
<b>Official Website :: </b><a href="http://secondlookforensics.com/">http://secondlookforensics.com/</a></div>

Second Look (Linux Memory Forensics) :: Tools

The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and e...

Bulk Extractor (Computer Forensics) :: Tools

<div class="separator" style="clear: both; text-align: center;">
<img alt="Bulk Extractor" border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSwFRjzP4nYzs-ILiilqCBkm5oZiif74oCtqJU8AR5h2mTI_uHT4qyVykTzAKntroljTwfaPMVl2vcJLfpgcd6GaTRTidtiwi8dgXrG0Sp6F0pMD2_DCiaA94q7R02Bz4t8-nz_dhg07WE/s1600/computer-forensic-analysis.jpg" title="Bulk Extractor" width="400" /></div>
<div style="text-align: justify;">
<b>Bulk Extractor</b> is a <b>computer forensics tool</b> that scans a disk  image, a file, or a directory of files and extracts useful information  without parsing the file system or file system structures. The results  can be easily inspected, parsed, or processed with automated tools. <b>Bulk Extractor</b>  also created a histograms of features that it finds, as features that  are more common tend to be more important. The program can be used for  law enforcement, defense, intelligence, and <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">cyber-investigation</a>  applications. </div>
<div style="text-align: justify;">
bulk_extractor is distinguished from other forensic tools by its  speed and thoroughness. Because it ignores file system structure, <b>Bulk Extractor</b> can process different parts of the disk in parallel. In  practice, the program splits the disk up into 16MiByte pages and  processes one page on each available core. This means that 24-core  machines process a disk roughly 24 times faster than a 1-core machine. <b>Bulk Extractor</b> is also thorough. That’s because <b>Bulk Extractor</b>  automatically detects, decompresses, and recursively re-processes  compressed data that is compressed with a variety of algorithms. Our  <a href="http://www.toolwar.com/search/label/Testing" target="_blank">testing</a> has shown that there is a significant amount of compressed data  in the unallocated regions of file systems that is missed by most  <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensic tools</a> that are commonly in use today. </div>
<div style="text-align: justify;">
Another advantage of ignoring file systems is that <b>Bulk Extractor</b>  can be used to process any digital media. We have used the program to  process hard drives, SSDs, optical media, camera cards, <a href="http://www.toolwar.com/search/label/Phone" target="_blank">cell phones</a>,  network packet dumps, and other kinds of digital information. </div>
<h3 style="text-align: justify;">
Tutorials ::</h3>
<div style="text-align: justify;">
<span style="font-family: inherit;"><span style="font-size: small;"><b>Compiling for MacOS or Linux</b> :: </span></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;"><span style="font-size: small;">From the downloaded source directory run bootstrap.sh, configure and make: </span></span> </div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ cd bulk_extractor </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sh bootstrap.sh </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sh configure </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ make </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sudo make install </span></li>
</ul>
<div style="text-align: justify;">
<b>Compiling for Windows :: </b></div>
<div style="text-align: justify;">
There are three ways to compile for Windows: </div>
<div style="text-align: justify;">
1. Cross-compiling from a Linux or Mac system with mingw. </div>
<div style="text-align: justify;">
2. Compiling natively on Windows using mingw. </div>
<div style="text-align: justify;">
3. Compiling natively on Windows using cygwin (untested)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Cross-compiling for Windows using Debian Testing (wheezy) or Ubuntu 12.04 LTS (with mingw) :: </b></div>
<div style="text-align: justify;">
You will need to install mingw-w64 and zlib-dev: </div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get update </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get upgrade </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get -y install mingw-w64 </span></li>
</ul>
<div style="text-align: justify;">
Next, download zlib from zlib.net </div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ ./configure --host=i686-w64-mingw32 </span></li>
</ul>
<div style="text-align: justify;">
This allows the cross-compiling of the 64-bit and the 32-bit bulk_extractor.exe, although we do not recommend running the 32-bit version. </div>
<div style="text-align: justify;">
Now you are ready to compile: </div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ git clone --recursive https://github.com/simsong/bulk_extractor.git </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ cd bulk_extractor </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sh bootstrap.sh </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ mingw64-configure</span></li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Installing on a Linux/MacOS/Mingw system :: </b></div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ ./configure </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ make </span></li>
<li><span style="font-family: "Courier New",Courier,monospace;">$ sudo make install  </span></li>
</ul>
<div style="text-align: justify;">
<b>Usages :: </b> </div>
<div style="text-align: justify;">
To get started and send an extract of image.raw to OUTPUT, use this command: </div>
<ul style="text-align: justify;">
<li><span style="font-family: "Courier New",Courier,monospace;">$ /usr/local/bin/bulk_extractor -o OUTPUT image.raw </span> </li>
</ul>
<div style="text-align: justify;">
<b>For more & Troubleshooting :: </b><a href="https://github.com/simsong/bulk_extractor" target="_blank">Click Here</a><br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/wTBHM9DeLq4?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<div style="text-align: justify;">
</div>
<h3 style="text-align: justify;">
Download ::</h3>
<div style="text-align: justify;">
<b>Linux | Mac | Windows :: </b><a href="https://github.com/simsong/bulk_extractor/archive/master.zip" target="_blank">Bulk Extractor</a> (tarball)<b> | </b><a href="http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.4.1-windowsinstaller.exe" target="_blank">Bulk Extractor</a> (.exe)<b> | </b><a href="http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.4.4.tar.gz" target="_blank">Bulk Extractor</a> (.tar.gz)<b>
</b></div>
<div style="text-align: justify;">
<b>Official Website :: </b><a href="https://github.com/simsong/bulk_extractor">https://github.com/simsong/bulk_extractor</a></div>

Bulk Extractor (Computer Forensics) :: Tools

Bulk Extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information ...

DumpIt (Memory Dumper) :: Tools

<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1bY2gWBxFbDW6zcu5qqN5pd8LX2USAWKhJjUlLmtBS1KoN1FMMaR3s8W1oHCYpWEuPHEbHidQAWflYj5GdkPp4Q-pEW29n_qEHr12TYWvtkt0W84JFga96n0xFyymp6wnhs0Bt6O4A0a/s1600/System-Memory-icon.png" style="margin-left: 1em; margin-right: 1em;"><img alt="dumpit icon" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1bY2gWBxFbDW6zcu5qqN5pd8LX2USAWKhJjUlLmtBS1KoN1FMMaR3s8W1oHCYpWEuPHEbHidQAWflYj5GdkPp4Q-pEW29n_qEHr12TYWvtkt0W84JFga96n0xFyymp6wnhs0Bt6O4A0a/s1600/System-Memory-icon.png" title="dumpit icon" /></a></div>
<br />
<b>DumpIt</b> is a fusion of two trusted <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a>, win32dd and win64dd, combined  into one one executable. <b>DumpIt</b> is designed to be provided to a  non-technical user using a removable USB drive. The person needs to  simply double-click the <b>DumpIt</b> executable and allow the tool to run. <b> DumpIt</b> will then take the snapshot of the host’s physical <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> and  save it to the folder where the <b>DumpIt</b> executable was located.</div>
<div style="text-align: justify;">
Memory <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensics</a> is becoming an essential aspect of digital forensics  and incident response. When a system is believed to have been  compromised or infected, the investigator needs a convenient way to take  a memory snapshot of the host. <b>DumpIt</b>, a new tool from <b>MoonSols</b>, makes this very easy, even if the person in front of the affected computer isn’t technical.</div>
<div style="text-align: justify;">
The user can then provide the investigator with the USB key, which  will contain the memory snapshot file. The administrator can use free  memory forensics tools such as The <a href="http://www.toolwar.com/2013/09/volatility-framework.html" target="_blank">Volatility Framework,</a> Mandiant Redline and HB Gary Responder Community Edition to examine the memory file’s contents for malicious artifacts.</div>
<div style="text-align: justify;">
<b>DumpIt</b> provides an easy way of obtaining a memory image of a <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a>  system even if the investigator is not physically sitting in front of  the target computer. It’s so easy to use, even a naive user can do it.  It’s not appropriate for all scenarios, but it will definitely make  memory acquisition easier in many situations.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Tutorials :: </h3>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/SEs4ZAolED0?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div>
<h3 style="text-align: justify;">
 </h3>
<h3 style="text-align: justify;">
Download ::</h3>
<div style="text-align: justify;">
<b>Windows ::  </b><a href="https://github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe?raw=true" target="_blank">DumpIt.exe</a><br />
<b>Official Website :: </b><a href="http://www.moonsols.com" rel="nofollow" target="_blank">http://www.moonsols.com/</a></div>
<div style="text-align: justify;">
</div>

DumpIt (Memory Dumper) :: Tools

DumpIt is a fusion of two trusted tools , win32dd and win64dd, combined into one one executable. DumpIt is designed to be provided to...

Subscribe to: Posts ( Atom )