Author's note: The article you are about to read was originally written in March 2009. The kind people at Linux+DVD magazine have allowed us to make my articles available after the printed version of the magazine is no longer available. At the time it was written, all the information it contained was accurate and up-to-date but due to the somewhat lengthy process of creating and distributing a magazine, things change. Since the time this article was written, the good people at e-fense have changed their policy and have re-released the original version of Helix3, free to the masses. The versions of the software I discuss in the article have also been updated. However, even though it may seem a bit dated at this point, it does serve as a reminder of thoughts, attitudes, and concerns at the time. There is a follow-up article that will be posted (after it appears in the printed magazine), updating the re-release, and giving a review of Helix3 Pro.
A few issues ago, in my two-part series, An Introduction to Digital Forensics, the major tools being used were from the Helix3, ver 1.9, Live CD, a combined Windows/Linux forensic environment designed for e-discovery, computer forensic analysis and incident response. Since that article was published, several major events have taken place.
The first was that Helix3 2.0 was released. This was a major update, where the underlying Linux base was changed from Knoppix to Ubuntu, many tools were added, and most of the rest were updated. It was a significant, well-received update.
However, in March of 2009, Drew Fahey, the lead developer of Helix3, and the good people at e-fense.com changed their distribution policy. Helix3 is now only available to paying subscribers. By the time this article appears, the monthly fee for access to the Helix3 forums, the latest versions of the Live CD, and the updated manual will be $14.95 per month. (Full Disclosure: I am the co-author of the Helix manual, which grew out of the materials I developed for my forensic classes. I have never received any financial compensation for my contributions, and am a paying member of the Helix3 forums).
In addition, Helix3 will be getting another major upgrade. While in the past, Helix3 was a collection of tools from various sources, the new system, Helix3 Pro is to be an all-in-one distribution, with all the tools developed and written from the ground up. This promises to be a very interesting release, and we will review it when it is available.
While I am sure that this was not an easy decision to make, I believe that all developers are entitled to whatever compensation they desire for the work they do, and I wish e-fense all the best in this new venture. However, this turn of events has generated a lot of concern in the various forensic and security blogs and forums from users who have used Helix3 for free over the past six years.
With Helix3 now isolated behind a paywall, a bit of a vacuum has been created in the Forensic Live CD arena, and people have started to look for tool sets to replace it. While there are many Forensic Live CDs available, many seem to have been abandoned, or have not been updated in several years, which would mean working with out-of-date tools and possibly having problems with some of the newer hardware. It would even be possible to roll your own version; however, this can be quite complicated and time-consuming. While there have even been some calls for volunteers to assist in the creation of a Helix Community Edition, it appears that there may be several worthy successors already available.
To be considered a true replacement for Helix3, a Linux Live CD would have to include tools that can be run in a Windows environment to allow the investigators to perform live system captures. Based on the discussions in the various forums, the two primary contenders appear to be CAINE and DEFT.
CAINE - Computer Aided Investigative Environment
Of the two distros, CAINE seems to be closest in look, feel, and functionality to the Helix3 environment. It is based on Ubuntu Linux 8.04, and contains a Windows autorun GUI. CAINE is available as a 643MB ISO download from http://www.caine-live.net/, and it is version 0.5 that is used in this review.
CAINE started as the graduation thesis of the lead developer, Giancarlo Giustini, at the Information Engineering Department of the University of Modena e Reggio Emilia, Italy. CAINE was designed to wrap the common forensic tools in a user-friendly GUI to help streamline the investigative process.
On the Windows side, CAINE provides WinTaylor, a point-and-click interface to many incident response and collection tools. The autorun utility pops up first, presenting the standard disclaimers, and gives the user the option to install the VB6 Runtime library or, if running under Vista, to register the .ocx files, if needed (see Figure 1).
Figure 1 - CAINE startup screen under Windows
An alternative to using the WinTaylor GUI is to run the forensic utilities from inside Windows Internet Explorer. As always, it is important to remember that everything done on a live system modifies the system being examined, and all efforts should be made to minimize any changes to the system (see Figure 2).
Figure 2 - WinTaylor, a GUI for a large number of Windows based forensic tools
Once WinTaylor is started, the Analysis 1 tab provides access to a number of NirSoft and other tools used for extracting system and personal information. It is recommended that you disable any anti-virus programs, as many of these tools are often flagged as hacking tools, trojans, or backdoors. The Analysis 2 tab contains RAM and network tools such as MDD, Win32dd, Winen, fport, TCPView and Advanced LAN Scanner. Analysis 3 contains FTK Imager, Windows Forensic Toolchest, and Nigilant32. The remaining two tabs provide access to the Sysinternals Suite of tools in either a GUI or command line environment. In addition, the GUI provides access to a screen snapshot utility and a file hash calculator.
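The file hash calculator mentioned above, together with the earlier reminder that every action on a live system changes it, points at a practice that any live-response collection should follow: hash each artifact as soon as it is written to the examiner's media and keep that record with the evidence, so any later alteration (or loss) of an item can be detected. The following is an added example written for this article's topic; it is not code from CAINE, WinTaylor, or Helix3. The function names (build_manifest, verify_manifest), the examiner and tool strings, and the sample artifacts are all constructed stand-ins.

```python
"""Added example: hash manifest for artifacts collected during a live response.

Not code from CAINE or WinTaylor; a stand-alone illustration of hashing what
you collect so that any later change is detectable. build_manifest,
verify_manifest and the sample data are hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts standing in for output files a live-response
# tool would write to the examiner's external media (not real captures).
SAMPLE_ARTIFACTS = {
    "memory.dd": b"\x00" * 4096 + b"<constructed stand-in for a RAM image>",
    "netstat.txt": b"Proto  Local Address    Foreign Address  State\n"
                   b"TCP    0.0.0.0:135      0.0.0.0:0        LISTENING\n",
}


def hash_bytes(data: bytes) -> dict:
    """Hex digests of one artifact. SHA-256 is the value to rely on; MD5 is
    included only because older reports and tools still quote it."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_manifest(artifacts: dict, examiner: str, collected_with: str,
                   when=None) -> dict:
    """Record who collected what, with which tool, and the hash of each item.
    Write this out beside the artifacts immediately after collection, so the
    hashes reflect the state at acquisition time rather than a later copy."""
    when = when or datetime.now(timezone.utc)
    return {
        "examiner": examiner,
        "collected_with": collected_with,
        "collected_at": when.isoformat(),
        "artifacts": {name: hash_bytes(data) for name, data in artifacts.items()},
    }


def serialize_manifest(manifest: dict) -> str:
    """Stable JSON (sorted keys) so the manifest itself can be hashed or
    signed and stored separately from the evidence media."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Names of artifacts that are missing or whose content no longer matches
    the manifest; an empty list means every recorded item verified."""
    problems = []
    for name, recorded in manifest["artifacts"].items():
        data = artifacts.get(name)
        if data is None:
            problems.append(name + " (missing)")
        elif hash_bytes(data)["sha256"] != recorded["sha256"]:
            problems.append(name + " (modified)")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed run: examiner name and tool string are placeholders.
    manifest = build_manifest(SAMPLE_ARTIFACTS, "examiner-placeholder",
                              "live-response tool (placeholder)")
    print(serialize_manifest(manifest))
    print("verification problems:", verify_manifest(manifest, SAMPLE_ARTIFACTS))
```

In practice the manifest would be written to the same external media as the collected files and its own hash noted in the case log; verifying with the SHA-256 value rather than MD5 is deliberate, since MD5 is retained here only for compatibility with older reporting formats.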