It is only a matter of time before most IT professionals find themselves having to do some sort of a forensic analysis on a computer. The problem that most people come are then faced with is their lack of experience in performing these tasks.

And all of the pressure does not help either because there are often some pretty high staked involved.

This is where Helix comes in. Helix is a live CD that is designed to find out exactly what is on that computer and what individuals have done with it. From their website:

Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix wil not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.

Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques. That said Helix is used by the following organizations for Incident Response/Forensics Training:

  • Some of the tools that are on the Helix CD include:
    • sleuthkit: Brian Carrier’s replacement to TCT.
    • autopsy: Web front-end to sleuthkit.
    • mac-robber: TCT’s graverobber written in C.
    • fenris: debugging, tracing, decompiling.
    • wipe: Secure file deletion.
    • MAC_Grab: e-fense MAC time utility.
    • AIR: Steve Gibson Forensic Acquisition Utility.
    • foremost: Carve files based on header and footer.
    • fatback: Analyze and recover deleted FAT files.
    • md5deep: Recursive md5sum with db lookups.
    • sha15deep: Recursive sha1sum with db lookups.
    • dcfldd: dd replacement from the DCFL.
    • sdd: Specialized dd w/better preformance.
    • PyFLAG: Forensic and Log Analysis GUI.
    • Faust: Analyze elf binaries and bash scripts.
    • e2recover: Recover deleted files in ext2 file systems.
    • Pasco: Forensic tool for Internet Explorer Analysis.
    • Galleta: Cookie analyzer for Internet Explorer.
    • Rifiuti: “Recycle BIN” analyzer.
    • Bmap: Detect & Recover data in used slackspace.
    • Ftimes: A toolset for forensic data acquisition.
    • chkrootkit: Look for rootkits.
    • rkhunter: Rootkit hunter.
    • ChaosReader: Trace tcpdump files and extract data.
    • lshw: Hardware Lister.
    • logsh: Log your terminal session (Borrowed from FIRE).
    • ClamAV: ClamAV Anti Virus Scanner.
    • F-Prot: F-Prot Anti Virus Scanner.
    • 2 Hash: MD5 & SHA1 parallel hashing.
    • glimpse: Indexing and query system.
    • Outguess: Stego detection suite.
    • Stegdetect: Stego detection suite.
    • Regviewer: Windows Registry viewer.
    • Chntpw: Change Windows passwords.
    • Grepmail: Grep through mailboxes.
    • logfinder: EFF logfinder utility.
    • linen: EnCase Image Acquisition Tool.
    • Retriever: Find pics/movies/docs/web-mail.
    • Scalpel: Carve files based on header and footer.

    I think that digital forensics is a really cool career. Kind of like CSI for geeks!

    • Similar Posts:

    If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?

    Trackback link - http://www.dailycupoftech.com/2008/05/07/catch-the-hackers-with-helix/trackback/
    Tim Fehlman