Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.
Memory Analysis ::
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.
Supported Systems ::
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:
- Supported target kernels: 2.6.x, 3.x up to 3.2
- Supported target architectures: x86 32- and 64-bit
- Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
Product features (Second Look Incident Response Edition) ::
- Memory acquisition and analysis for all 32- and 64-bit x86 (i386/i486/i586/i686, amd64/x86_64) Linux systems running 2.6- and 3-series kernels. This includes:
  - Amazon Linux 2010.11 through 2014.03, and higher;
  - Debian 4 through 7, and higher;
  - Fedora 2 through 20, and higher;
  - Red Hat Enterprise Linux (RHEL) and CentOS 4.x, 5.x, 6.x, and higher;
  - Ubuntu 4.10 through 14.04, and higher;
  - and other distributions.
- Analysis via command line interface (CLI) or graphical user interface (GUI) applications which run on Ubuntu 12.04 (32- or 64-bit) or RHEL/CentOS 6.x (64-bit).
- Automatic kernel version identification — just select a memory image and go.
- Supported memory image formats:
  - raw physical memory images ("mem" format — as produced by secondlook-memdump, Inception, and other tools);
  - SLM memory images ("slm" format — a high-performance compressed memory image format used by Second Look Enterprise Security Edition);
  - LiME memory images ("lime", "padded", or LiME "raw" formats — "lime" and LiME "raw" formats require conversion with secondlook-lime2mem or secondlook-limeraw2mem, respectively; LiME "padded" is the equivalent of a raw physical memory image);
  - VMware virtual machine snapshots ("vmem", "vmsn", or "vmss" formats — "vmsn" and "vmss" formats, as well as "vmem" files from VMs with >4GB RAM, require conversion with VMware's vmss2core and secondlook-core2mem);
  - VirtualBox snapshots ("vbc" format — via conversion with secondlook-vbc2mem); and
  - KVM Libvirt-QEMU-Save or QEMU-savevm snapshots ("lqs" or "qsv" formats — via conversion with lqs2mem, originally secondlook-lqs2mem, now an open source project).
- Support for analysis of memory images from systems running either distribution stock kernels or custom kernels.
- Support for analysis of memory images from Amazon EC2 instances (under both pv and hvm virtualization types).
- Access to a repository of over 9000 ZRKs (Zipped Reference Kernels) providing the metadata and baseline for analysis and verification of CentOS, Debian, Fedora, RHEL, and Ubuntu stock kernels.
- An easy-to-use tool for creation of ZRKs for other distributions or for custom kernels.
- Second Look ZRKs can also be used as Volatility profiles.
- Integrity verification of the kernel and processes in memory.
- Access to a pagehash database containing hashes of the executable code pages of the ELF executables and shared libraries from over 2 million software packages from the Amazon, CentOS, Debian, Fedora, RHEL, and Ubuntu distributions.
- An easy-to-use tool for the addition of pagehashes supporting verification of custom or third-party software.
- Detection of kernel rootkits, backdoors, and other kernel-mode malware (known and unknown varieties).
- Detection of shared library rootkits, keyloggers, spyware, injected libraries, injected threads, and other user-mode malware (known and unknown varieties).
- Detection of unknown or unauthorized processes.
- Recovery of device mapper crypto keys for LUKS, TrueCrypt, and other full disk encryption schemes.
- Extraction of system state from captured memory images, including loaded kernel modules, running processes, memory mappings, open files, active network connections, and more. Output is available in the GUI, in plain text from the CLI, and in JSON format for ingestion by other programs.
- Offline usage is supported via a subscription to our ZRK and pagehash reference data feeds.
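To make the integrity verification idea above concrete (hashing the executable code pages of an ELF binary to build reference "pagehashes", then comparing them with the pages actually present in process memory to flag modified or unknown code), here is an added example; it is not Second Look's own code or its pagehash format. The minimal ELF builder, the 0x400000 load address, SHA-256 as the hash, and the simulated in-memory patch are all assumptions made for this example.

```python
import hashlib
import struct
PAGE = 4096  # x86 page size; pagehashes cover whole executable pages

def build_min_elf(code: bytes) -> bytes:
    # Constructed sample input (not from the page): a minimal ELF64 x86-64 file
    # with one executable PT_LOAD segment holding `code`, loaded at 0x400000.
    hdr_len = 64 + 56                 # ELF header + one program header
    entry = 0x400000 + hdr_len
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, hdr_len, entry, entry, len(code), len(code), PAGE)
    return ehdr + phdr + code

def exec_pages(elf: bytes) -> dict:
    """Split each executable (PF_X) PT_LOAD segment of an ELF64 file into the 4 KiB pages the
    loader maps, keyed by virtual address; the mapping starts at the page-aligned file offset."""
    assert elf[:5] == b"\x7fELF\x02", "ELF64 only"
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", elf, 32)
    pages = {}
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != 1 or not p_flags & 1:     # PT_LOAD with PF_X only
            continue
        skew = p_off % PAGE                    # segment start within its first page
        data = elf[p_off - skew:p_off + p_filesz]
        for off in range(0, len(data), PAGE):  # tail of the last page is zero-filled, as in memory
            pages[p_vaddr - skew + off] = data[off:off + PAGE].ljust(PAGE, b"\x00")
    return pages

def pagehashes(pages: dict) -> dict:
    # Reference data: SHA-256 of every executable page, keyed by address.
    return {addr: hashlib.sha256(p).hexdigest() for addr, p in pages.items()}

def verify(memory_pages: dict, reference: dict) -> dict:
    """'verified' when the page hash matches the reference, 'modified' when the
    address is known but its content differs, 'unknown' when it was never seen."""
    result = {}
    for addr, page in memory_pages.items():
        ref, h = reference.get(addr), hashlib.sha256(page).hexdigest()
        result[addr] = "unknown" if ref is None else ("verified" if ref == h else "modified")
    return result

def demo() -> dict:
    code = b"\x90" * (PAGE + 16) + b"\xc3"           # NOP sled + RET, spans two pages
    elf = build_min_elf(code)
    reference = pagehashes(exec_pages(elf))          # derived from the trusted package
    memory = exec_pages(elf)                         # what a clean process would show
    hooked = min(memory) + PAGE
    memory[hooked] = b"\xe9\x00\x00\x00\x00" + memory[hooked][5:]   # simulated in-memory patch of code
    memory[hooked + PAGE] = b"\xcc" * PAGE           # simulated code page with no reference entry
    return verify(memory, reference)
```

Running `demo()` returns the first page as verified, the patched page as modified, and the extra page as unknown, which is the three-way split a reference-based check gives an analyst.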
More Reasons to Choose Second Look
Beyond the unique and powerful Linux Incident Response feature set listed above, what sets Second Look apart is the team behind it and the quality of the software they deliver.
- The Second Look Team provides professional support via phone and email, with on-site consulting services available. You get direct access to experts in Linux system internals and security.
- Customer feedback often quickly leads to new features.
- Second Look ships with comprehensive documentation, including a User Guide with explanations of the techniques most commonly used by attackers to maintain stealthy persistence on Linux systems.
- Second Look is regression tested against a large suite of sample memory images to ensure maximum quality and compatibility.
- If you like the visibility that Second Look gives you during investigations, you can upgrade to the Enterprise Security edition to monitor your systems on an ongoing basis.
Linux :: $1495 (USD) | Contact Here for Purchase
Official Website :: http://secondlookforensics.com/