
To know when a Linux box is owned... take a Second Look®.

Second Look combines memory forensics and integrity verification to provide unparalleled assurance that the software running on Linux servers and workstations, from the kernel to system services and applications, is of known origin and has not been modified. There is no more powerful tool for uncovering malware, backdoors, unauthorized processes, and other signs of compromise on Linux systems.

Second Look can be particularly useful for detecting artifacts of malware in memory such as memory injection and system call manipulation...

Tabs within Second Look provide easy access to the extracted information associated with each process...

Second Look is a powerful tool for detecting potential [malware] concealment techniques...


Whether you are investigating an incident now, or want to have the best shot at detecting intrusions going forward: if you run Linux, Second Look is your tool. Our customers include the IT security teams of major corporations, firms which have investigated numerous high-profile security breaches, and government agencies responsible for protecting extraordinarily sensitive data. We support all Linux distributions, including CentOS, Debian, Fedora, Red Hat Enterprise Linux (RHEL), and Ubuntu.


The short video above shows Second Look in action. Real-time memory analysis of a remote target system detects an unauthorized process running there. After the process is hidden with a rootkit, not only can Second Look still see the suspect process, it also produces additional alerts on the rootkit itself.
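As an added illustration of the cross-view principle the video demonstrates (a process hidden from the normal listing is still visible through another view), here is a small user-space check that compares two views of the PID space; it is example code written for this page, not Second Look's own code. It queries the kernel directly (kill(2) and /proc) instead of analysing memory, so a rootkit that also hooks those paths would evade it where memory forensics would not, and the cross-view diff, thread-ID exclusion and exit-race recheck are this example's own design choices.

```python
import os

def pid_exists(pid):
    # kill(pid, 0) delivers no signal: ProcessLookupError means no such
    # process, PermissionError means it exists but belongs to another user.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def listed_pids():
    # The view ps/top use: readdir() on /proc, which rootkits commonly filter.
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def listed_thread_ids(pids):
    # Thread IDs answer kill(0) without being listed under /proc, so threads
    # of visible processes must be excluded or they show up as false positives.
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between the listing and this read
    return tids

def probed_pids(max_pid=None):
    # Second view with no readdir(): ask the kernel about every PID directly.
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}

def hidden_pids(listed, probed, thread_ids):
    # Cross-view diff: PIDs the direct probe finds that the listing omits.
    return sorted(probed - listed - thread_ids)

def scan():
    # Probe first, list second, then re-confirm each candidate so a process
    # that simply exited mid-scan is not reported as hidden.
    probed = probed_pids()
    listed = listed_pids()
    candidates = hidden_pids(listed, probed, listed_thread_ids(listed))
    return [p for p in candidates if pid_exists(p) and p not in listed_pids()]

if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers kill(0) but is missing from the /proc listing")
```

A full sweep up to pid_max (often 4194304) takes a few seconds in Python; run it as root so PermissionError does not mask anything, and treat any reported PID as a lead to examine with a memory-level tool rather than as proof on its own.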

Second Look comes in two versions. The Incident Response edition provides memory acquisition and analysis tools to help you get right to the root of the problem when you're investigating a suspect system. The Enterprise Security edition has all the features of the IR edition and adds real-time memory forensics of remote systems that scales across large deployments for instant investigation, automated integrity verification scans, and alerts that are easily fed into a security event management system.