Linux forensics - Part 1: Helix

Discussion in 'all things UNIX' started by Mrkvonic, Feb 24, 2009.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello all,

    Part 2 of the Linux forensics!!

    For intro to subject, please go here:

    http://www.dedoimedo.com/computers/forensics-intro.html

    Today, we'll talk about Helix.


    Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery, and security auditing. It is geared toward experienced users and system administrators working in small-to-medium, mixed environments where threats of data loss and security breaches are high.

    The most recent version is based on Ubuntu, promising stability and ease of use. Helix has two modes, including pure Linux bootable live CD and the Windows mode, where it can be used in-vivo on top of a running Windows desktop.


    So, if you're interested:

    http://www.dedoimedo.com/computers/helix.html

    Comments and suggestions are welcome.

    Cheers,
    Mrk
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello Mrk,

    Thank you for this review !

    I was hoping that the Boot CD version would have had more tools than it has currently. Seems like the Windows version is much more developed?

    Also, I may be blind, but I do not find a direct download link. When I go to the following link, I am redirected:
    http://www.e-fense.com/helix/ -> http://www.e-fense.com/products.php

    When I click on HELIX 3, I am redirected there:
    http://www.e-fense.com/register-overview.php

    Am I missing something, or is this product not free?

    The Windows password recovery is already something I have on my BartPE CD, handy when a very old machine (with an unknown local admin password) cannot connect to the network (our domain account is useless). Just boot on the CD, change the local admin account, and reboot... easy.

    So I would say good product, but it could be better, in my opinion :)

    Regards,
    gkweb.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    You must register for download via email.
    As to the available tools, it's quite good, but as you said, it could be better.
    Mrk
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Hmm.

    It looks pretty sufficient to me. What more do you really need than the ability to write to the filesystem AND registry of the Windows partition while it's unmounted?

    Given that I'm used to fixing Windows infections right from the infected environment itself, this looks like a godsend to me. :D
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Hasn't Helix just gone $$ware ??
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,

    First of all, thanks to Mrk for his efforts in new Linux users' education.

    With a little and short experience in computer forensics, I think that one point must be noted.
    There are of course many forensic distributions, and Mrk is fully right to point out the necessary knowledge (that covers various aspects of computing, hardware included) and to begin with the most popular forensic live CD (Helix is used in many forensic training courses, especially the SANS ones, and also by some police forensics departments).
    These distributions are not meant to be installed on a hard drive!
    A forensic computer examination (looking for child pornography evidence, signs of rootkit intrusion etc.) must not modify the examined hard drive, and in forensic best practices/procedure, it is appropriate to use forensic disk mirroring for a later examination.
    Using Helix in vivo... why not, if the goal is only personal training, but in any real investigation it would be a professional error: the examination must have the minimum impact on the system, and by simply running Helix in vivo, the system and especially the memory can be considered disturbed and modified (that's why physical memory acquisition must be done before disk cloning).

    Of course Protech and BackTrack (the Rolls of pentesting distros) are not considered forensic live CDs but pentesting live CDs.
    Pentesting distros are intended for network and system auditing, and they can be used by cybercriminals to gain access to a host, or by the sysadmin or the pentester consultant in order to audit the line of defense.
    Unlike forensic live CDs, which are devoted mostly to static analysis and data acquisition, pentesting live CDs are mostly intended for offensive tasks like port scans, OS fingerprinting, sniffing, exploit attempts etc.
    But some live CDs can also be used simply as a read-only OS for connecting at a hot spot, as I used to do with Protech (now I use another one).

    I've been tempted like Mrk to post about security and forensic distros; but this would not help the new Linux user and would teach nothing to a forensic expert.
    I guess that the main question new switchers have to face is: "how to choose a distribution?"
    And that's what I'll try to answer if some members are interested.

    Longboard, as far as I know Helix is not paid, and can be downloaded from its official mirror
    http://mirrors.cmich.edu/helix/

    It would be nice if Mrk kept this thread for his next reviews.

    rgds
     
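The acquisition discipline described in the post above (mirror the disk first, hash both sides, and do all later examination on the verified copy so the original is never modified), as an added shell example that is not code from the thread or from Helix. The device path in the comments is an assumption; the demo at the bottom runs on a constructed file instead of a real disk.

```shell
#!/bin/sh
# Added example: image an evidence source read-only and prove the copy
# matches the original before any analysis touches it.
# In practice SRC would be a block device such as /dev/sdb (assumed path),
# opened only for reading; here a constructed file stands in for it.

set -u

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_image SRC DEST: bit-for-bit copy of SRC into DEST, reading SRC only.
# bs=512 matches the sector size, so conv=noerror,sync only zero-pads sectors
# that could not be read; offsets in the image stay aligned with the source.
# (A source must therefore be a whole number of 512-byte sectors, as a
# block device always is, for the hashes below to match.)
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync
}

# verify_image SRC DEST: returns 0 when the image hashes identically to the
# source, 1 otherwise. Both digests are printed so they can be recorded as
# the proof that later work was done on a faithful copy, not the original.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 1 MiB file (2048 sectors) standing in for a volume.
demo_dir=$(mktemp -d)
src="$demo_dir/evidence.bin"
img="$demo_dir/evidence.dd"
head -c 1048576 /dev/urandom > "$src"
acquire_image "$src" "$img"
verify_image "$src" "$img" && echo "image verified, examine $img not $src"
```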