Hi, I am new to this site, so if this topic has been covered in a previous post please forgive me. I am currently planning a computer forensic lab for my current employer as an externship for college. They want to use Helix as their primary forensic software, at least initially. I have no experience with it at all and know very little in terms of Unix/Linux. For those of you who have used or currently use Helix, how is it as an acquisition tool as well as an investigative tool? Can Helix be used to investigate an image that was not acquired using Helix? Any help and information about the pros and cons of Helix from current or past users would be greatly appreciated.
Thanks again!
Mike
Mike,
Helix itself isn't a tool. Helix is a live distribution that contains a series of forensics tools.
Acquisition is accomplished via Adepto/Grab. It's essentially a front end for various types of dd. Beware that in the current version of Helix (the 7/28/05 version) the path must be manually set for md5deep and sha1deep/sha256deep. The acquisition is straightforward enough.
Investigative tools:
TSK - sleuthkit.org provides several utilities which I won't bother to discuss the finer points of. Needless to say it provides the majority of utilities necessary to carry out an investigation.
Autopsy - A front end for TSK.
Foremost - data carving tool
The existence of perl is nice, and the fact that your session is logged is also helpful.
We use helix as one of our primary investigative tools.
CON: It's a live CD and requires a bit of memory. I've had instances where I've crashed Helix and lost all of my work (sorting files on a large disk). If you are going to use Helix, use it on a system that is preconfigured for it, and hack up the Helix ISO and rebuild it for your system. Namely, have it auto-direct output to a device that you use for case output rather than the ramdisk.
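The dd-plus-hash workflow that Adepto/Grab wraps, written out as a plain shell script so the pieces are visible. This is an added example, not code from the thread or from Helix/Adepto; it assumes GNU coreutils (dd, sha256sum, head) on a Linux host, and the paths, the case log format and the 4 KiB sample "evidence" file are constructed for the demo. The verify step also covers the original question about images that were not acquired with Helix: any raw image can be re-hashed and checked against a recorded hash.

```shell
#!/bin/sh
# Added example, not Adepto/Grab code: a bare dd acquisition with the
# hash verification and logging that a front end normally does for you.
# Assumes GNU coreutils (dd, sha256sum, head) as found on a Linux live CD.

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector, hashes both sides and appends
# the result to LOG. Returns 0 only if source and image hashes match.
acquire_image() {
    src=$1; img=$2; log=$3
    # noerror: keep going past unreadable sectors; sync: pad each short
    # read with zeros so the image keeps the source's offsets.
    # bs=512 must divide the source size (true for a whole disk or
    # partition), otherwise the padding alone makes the hashes differ.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) acquisition of $src -> $img"
        echo "source sha256: $src_hash"
        echo "image  sha256: $img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes an existing image and compares it with the last hash recorded
# in LOG; the check to run on an image that came from some other tool.
verify_image() {
    img=$1; log=$2
    recorded=$(grep 'image  sha256:' "$log" | tail -n 1 | awk '{print $3}')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# demo_acquisition: runs both functions on a constructed 4 KiB "evidence"
# file (8 sectors of random bytes) in a temporary directory, then
# appends a byte to the image and confirms verification now fails.
demo_acquisition() {
    tmp=$(mktemp -d) || return 1
    head -c 4096 /dev/urandom >"$tmp/evidence.bin"
    acquire_image "$tmp/evidence.bin" "$tmp/evidence.dd" "$tmp/case.log" || return 1
    verify_image "$tmp/evidence.dd" "$tmp/case.log" || return 1
    printf 'X' >>"$tmp/evidence.dd"   # tamper: image no longer matches
    if verify_image "$tmp/evidence.dd" "$tmp/case.log"; then return 1; fi
    rm -rf "$tmp"
    return 0
}
```

Hashing the source a second time after the copy is what makes the log worth anything: it proves the medium read the same way twice and that the image is a faithful copy, which is exactly the bookkeeping that is lost when a live CD crashes with the output still on the ramdisk.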
Newest version is out for Helix.
I've started writing a "Helix for Beginners" manual, and the current version is available at http//
For the immediate future, I plan on updating it on the 1st of each month, correcting errors, and adding in any suggestions, feedback, or comments I get from the users.
I'd be interested in hearing what you all think about it. You can discuss the manual here or at the e-fense website, or email your feedback to me at helixmanual<at>gmail<dot>com.
bj
BJ,
The section regarding my First Responder Utility is incorrect. I'm sure you *can* run a netcat listener, but it's much better to run the FSP instead, because of all the logging and file management that the FSP does for you.
Harlan
The section regarding my First Responder Utility is incorrect. I'm sure you *can* run a netcat listener, but it's much better to run the FSP instead, because of all the logging and file management that the FSP does for you.
Thanks… I'll fix it.
bj
I've just been testing the changes that are made to the system when Helix is booted to its Windows side. Any use to anyone if I publish them all? It's a fair list, 35+.
Nick
I'm interested, either post them here or email them if you like. Thanks.
I've just been testing the changes that are made to the system when Helix is booted to its Windows side.
I'm very interested. Please post them or email them…
Thanks,
bj
Nick, I don't think Helix will "boot" to a Windows side in the conventional meaning of the word. You can put the CD in your machine with Windows running, and it will provide you with some Windows & DOS tools, but I don't think it's meant to be 'forensically sound', whereas the Linux side is.
Andy