First published August 2009
by BJ Gleason
A few issues ago, in my two-part series, An Introduction to Digital Forensics, the major tools being used were from the Helix3, ver 1.9, Live CD, a combined Windows/Linux forensic environment designed for e-discovery, computer forensic analysis and incident response. Since that article was published, several major events have taken place.
The first was that Helix3 2.0 was released. This was a major update, where the underlying Linux base was changed from Knoppix to Ubuntu, many tools were added, and most of the rest were updated. It was a significant, well-received update. However, in March of 2009, Drew Fahey, the lead developer of Helix3 and the good people at e-fense.com changed its distribution policies. Helix3 is now only available to paying subscribers. By the time this articles appears, the monthly fees for access to the Helix3 forums, as well as gaining access to the latest versions of the Live CD, and the updated manual, will be $14.95 per month. (Full Disclosure: I am the co-author of the Helix manual, which grew out of the materials I developed for my forensic classes. I have never received any financial compensation for my contributions, and am a paying member of the Helix3 forums).
In addition, Helix3 will be getting another major upgrade. While in the past, Helix3 was a collection of tools from various sources, the new system, Helix3 Pro is to be an all-in-one distribution, with all the tools developed and written from the ground up. This promises to be a very interesting release, and we will review it when it is available.While I am sure that this was not an easy decision to make, I believe that all developers are entitled to whatever compensation they desire for the work they do, and I wish e-fense all the best in this new venture. However, this turn of events has generated a lot of concern in the various forensic and security blogs and forums from users who have used Helix3 for free over the past six years.
With Helix3 now isolated behind a paywall, this has created a bit of a vacuum in the Forensic Live CD arena, and people have started to look for tool sets to replace it. While there are many Forensic Live CDs available, many seem to have been abandoned, or have not been updated in several years, which would mean working with out-of-date tools, and possible having problems with some of the newer hardware. It would even be possible to roll-your-own version; however, this can be quite complicated and time-consuming. While there have even been some calls for volunteers to assist in the creation of a Helix Community Edition, it appears that there may already be several worthy successors already available.
To be considered a true replacement for Helix3, a Linux Live CD would have to include tools that can be run in a Windows environment to allow the investigators to perform live system captures. Based on the discussions in the various forums, the two primary contenders appear to be CAINE and DEFT.
CAINE – Computer Aided Investigative Environment
Of the two distros, CAINE seems to be closest in look, feel, and functionality to the Helix3 environment. It is based on Ubuntu Linux 8.04, and contains a Windows autorun GUI. CAINE is available as a 643MB ISO download from http://www.caine-live.net/, and it is version 0.5 that is used in this review.
CAINE started as the graduation thesis of the lead developer, Giancarlo Giustini, at the Information Engineering Department of the University of Modena e Reggio Emilia, Italy. CAINE was designed to wrap the common forensic tools in a user-friendly GUI to help streamline the investigative process.
On the Windows side, CAINE provides WinTaylor, a point-and-click interface to many incident response and collection tools. The autorun utility pops up first, presenting the standard disclaimers, and gives the user the option to install the VB6 Runtime library, or the ability to register the .ocx files if running under Vista, if needed (see Figure 1).
Figure 1 – CAINE startup screen under Windows
An alterative to using the WinTaylor GUI is to run the forensic utilities from inside Windows Internet Explorer. As always, it is important to remember that everything done on a live system modifies the system being examined, and all efforts should be made to minimize any changes to the system (see Figure 2).
Figure 2 – WinTaylor, a GUI for a large number of Windows based forensic tools
Once WinTaylor is started, the Analysis 1 tab provides access to a number of NIRSoft and other tools used for extracting system and personal information. It is recommended that you disable any Anti-virus programs, as many of these tools are often flagged as hacking tools, trojans, or backdoors. Analysis 2 Tab contains RAM and Network tools such as MDD< Win32dd, Winen, fport, TCPView and Advanced LAN Scanner. Analysis 3 contains FTK Imager, Windows Forensic Toolchest, and Nigilant 32. The remaining two tabs provide access to the Sysinternals Suite of tools in either a GUI or command line environment. In addition, the GUI provides access screen snapshot utility and a file hash calculator.
In the Linux Live CD environment, CAINE will boot up and provide the user with the standard booting options, include an installation option for creating a forensic workstation. Once completely booted, the forensic tools are accessed via the application menu (see Figure 3).
Figure 3 – CAINE’s Linux desktop and menu
On the Forensic menu, aside from the CAINE Interface, the following tools are included:
AIR – Automated Image and Restore
GtkHash – A utility that can calculate 27 different hashes, including MD5 and SHA1
Guymager – A disk acquisition utility
Ophcrack – a password cracking toolkit
The CAINE interface is a GUI that provides easy access to a number of different tools, organized by functionality (see Figure 4).
Figure 4 – The CAINE interface
The tabs provide the standard set of tools for collection and analysis. The collection tab includes links to the tools we have already discussed, such as AIR and Guymager. The analysis tab includes Autopsy, Scalpel, Foremost, Stegdetect, SFDumper and Ophcrack.
Both the WinTaylor and CAINE Interfaces will create reports based on the tools being used during the session, however logging must be manually initiated before the software will keep track of what has been done.
Drives are mounted by default as read only, noatime, noexec. Collection drives, to be mounted as read/write have to be done via the mount command in a terminal window. The ntfs-3g command is included to allow writing to an NTFS collection drive.
The CAINE Live CD can also be installed on a USB Stick (1GB or larger) by opening a terminal and issuing the command liveusb.
Overall, this is an impressive package, especially for a 0.5 release. I have found it to be an easy-to-use, intuitive package, containing much of the functionality of Helix3. That is not to say that the distribution is perfect; and there are a few little annoyances. For example, since this was created in Italy, the default keyboard layout may need to be changed for your keyboard at boot time. However, the development team has been very responsive to bug reports and suggestions. The only minor complaint is the perceived tie-in to the US-based TV show CSI, which I feel distracts from the overall professionalism of the project. Once you get past that, you have a very nice forensic toolkit.
DEFT – Digital Evidence & Forensic Toolkit
DEFT v4 is based on Xubuntu Linux, and is available as a 700MB ISO download for either CD or USB, and even a special version for the EEE PC, from http://www.deftlinux.net/, and like CAINE, is based in Italy. Unlike CAINE and Helix3, DEFT presents a more compact look and feel. By default, DEFT doesnt use a GUI in either Windows or Linux. DEFT makes it very clear on it’s website that DEFT it isn’t for newbie[s]
When inserted into Windows system, not much will happen, but in many ways that is a good thing. As I have mentioned numerous times, anything you run on a live system modifies that system. The GUI interfaces of Helix3 and CAINE both consume and overwrite RAM, potentially destroying evidence. Since DEFT doesnt autorun a GUI, the user must be comfortable with command-line executables and parameters (a skill I see quickly disappearing in many college students).
The Windows based utilities are located in the deft_extra directory, and there are a lot of them. Aside from all the standard collection utilities, there are a number of other open source utilities such as Abiword, various editor, pdf viewer, antivirus utilities, and many, many more. These additional tools allow investigator to perform additional tasks while having minimal impact on the suspect system. These tools can also be transferred to a forensic workstation and installed. There is also an index.html file in this directory that will give you a better idea of all the tools that are available.
When booting to the Linux Environment, DEFT first prompts you to select your keyboard type. After that, the standard booting options are presented. Selecting the default option takes you to a command line prompt. The booting of DEFT is much quicker than CAINE or Helix3 since it is not starting up the GUI. If you are comfortable with a command line environment, you can get started. However, if you would prefer a graphical interface, issue the command deft-gui to start it up (see Figure 5).
Figure 5 – DEFT Linux’s desktop
DEFT is a professional forensic distribution with large number of extras designed for investigators or system administrators. For those who feel comfortable with command line utilities, this is an excellent choice.
And Just One More
Another interesting distribution is SUMO (Security Utilizing Multiple Options) Linux from Sun Tzu Data and Marcus J. Carey which is a multi-boot DVD image, which allows the user to select from and boot the following CDs:
Darik’s Boot and Nuke (dban)
Damn Vulnerable Linux
Sumo Linux’s boot selector
This ISO image is 3.6GB, is available from http://sumolinux.suntzudata.com/, and is distributed via bittorrent. Aside from the forensics capabilities provided by Helix and Backtrack, as well as the additional security tools provided by Backtrack and dban, this makes for a well-rounded security utility DVD that should be in all computer guru’s toolbox. And there is just enough room that you could probably squeeze CAINE and/or DEFT into it. Now that would really be something.
When a door closes, a windows opens while Helix3 will be sorely missed by many, there appear to be several excellent tools out there that can fill the void. So which one should you use? No matter which distribution you choose, the most important thing is to document your work, so that others can repeat the process and get the same results. All of these distributions are free, so get them all, find the one you are comfortable with, and learn to use it inside and out. And then double check your results with the tools from the other distribution. Finally, learn how the tools work, so you know what is really going on. Once you get there, it almost doesn’t matter what toolset you use provided you are using it properly.
If any of these tools are to grow and be a valued part of forensic community, you should think about contributing your time, skills, or expertise to these various projects. As a developer myself, I can’t even begin to tell you how important feedback (positive or negative, although we prefer positive) is to the developmental process. Contact the various developers and let them know how they are doing.