Linux forensics - Part 1: Helix

Hello all,

Part 2 of the Linux forensics!!

For intro to subject, please go here:

http://www.dedoimedo.com/computers/forensics-intro.html

Today, we'll talk about Helix.


Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery, and security auditing. It is geared toward experienced users and system administrators working in small-to-medium, mixed environments where threats of data loss and security breaches are high.

The most recent version is based on Ubuntu, promising stability and ease of use. Helix has two modes, including pure Linux bootable live CD and the Windows mode, where it can be used in-vivo on top of a running Windows desktop.


So, if you're interested:

http://www.dedoimedo.com/computers/helix.html

Comments and suggestions are welcome.

Cheers,
Mrk

 

Hello Mrk,

Thank you for this review !

I was hoping that the Boot CD version would have had more tools than it has currently. Seems like the Windows version is much more developed ?

Also, I may be blind but I do not find a direct download link, when I go to the following link, I am redirected :
http://www.e-fense.com/helix/ -> http://www.e-fense.com/products.php

When I clik on HELIX 3, I am redirected there :
http://www.e-fense.com/register-overview.php

Am I missing something, or is this product not free ?

The Windows password recovery is already something I have on my BartPE CD, handy when a very old machine (with an unknown local admin password) cannot connect to the network (our domain account is useless). Just boot on the CD, change the local admin account, and reboot... easy.

So I would say good product, but it could be better, in my opinion

Regards,
gkweb.

 

You must register for download via email.
As to the available tools, it's quite good, but as you said, it could be better.
Mrk

 

Hmm.

It looks pretty sufficient to me. What more do you really need than the ability to write to the filesystem AND registry of the Windows partition while it's unmounted?

Given that I'm used to fixing Windows infections right from the infected environment itself, this looks like godsend to me.

 

here are some more distros that might have other tools, i can't check them because i think my opendns isn't working very well and all pages are taking hours to load atm!!!!! but i've got them bookmarked
http://fire.dmzs.com/
i can't get there, but it's linked here -
http://www.dmzs.com/info/about/projects.phtml
http://s-t-d.org/
http://trinityhome.org/trk/


OT i haven't checked my connection, but does anyone else use opendns from the uk? is it working today?

 

Hasn't Helix just gone $$ware ??

 

hi,

First of all TKS for Mrk for his efforts in neo Linux users education.

With a little and short experience in computer forensic i think that one point must be noticed.
There is off course may forensic distributions, and Mrk has fully right to point out the necessary knowledge (that covers various aspects of computing, hardware included) and to begin by the most popular forensic live CD (Helix is used in many forensic training courses, especially the SANS, and also by some forensics police departments).
Theses distributions are not devoted to be installed on hard drive!
A forensic computer examination (looking for child pornography evidences, sign of rootkit intrusion etc) must not modify the examined hard drive, and in forensic best practices/procedure, it is suited to use forensic disk mirroring for an later examination.
Using Helix in vivo...why not if the goal is only personal training, but in any real investigation, it would be a professional error: the examination must have the minimum impact on the system, and by simply running Helix in vivo, the system and especially the memory can be considered as disturbed and modified (that's why physical memory acquisition must be done before disk cloning).

Off course Protech and BackTrack (the Rolls of pentesting distro) are not considered as forensic live CD but as pentesting live CD.
Pentesting distro are intended for network and system auditing, and they can be used bycybercriminals to gain access on a host, or by the sysadmin. or the pentester consultant in order to audit the line defense.
Unlike forensic live cds which are devoted mostly for static analysis, and data acquisition; pentesting live cd are mostly intended for offensive taks like port scan, os finguerprint, sniffing, exploit attempts etc.
But some live cd can also be used simply as a read only OS for connecting in hot spot as i use to do with Protech (now i use another one).

I've been tented like mrk to post about security and forensic distro; but this would not help the neo linux user and will learn nothing to a forensic expert.
I guess that the main question that new switchers have to face is: "how to choose a distributon?"
And that's what i'll try to answer if some members are interested.

Longboard, as far as i know helix is not paid, and can be downloaded on its official mirror
http://mirrors.cmich.edu/helix/

It would be nice if Mrk keep this thread for his next reviews.

rgds