I posted that question 3 weeks ago on the Helix Forums but despite more than 140 views I didn't get a single reply.
Statement from the Helix Website
What is Helix
"Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices."
Is there any documentation in which way the Ubuntu-LiveCD which Helix is based on has been modified to guarantee that Helix doesn't touch the system in any way?
Has nobody ever asked that question? Perhaps somebody hanging around can shed some light?
Helix is a toolbox. Like any tool, it can be used in a forensically sound manner or not. As long as you follow forensically sound practices and document them, you shouldn't have any problems from the perspective of defending your actions.
If you mean has evidence acquired and analyzed using Helix been accepted in a court of law, the answer is yes.
I should add, however, this link to a presentation regarding Linux-based dd acquisitions. It is worth a read.
http//
I posted that question 3 weeks ago on the Helix Forums…
Count yourself lucky, I've tried twice to create an account and still can't get in!
Jamie
Helix is a toolbox. Like any tool, it can be used in a forensically sound manner or not. As long as you follow forensically sound practices and document them, you shouldn't have any problems from the perspective of defending your actions.
I'm perfectly aware of that. What I'm talking about is the fact that the Ubuntu LiveCD - without being modified - will try to automount any recognized partition during the boot process.
What I wanted to know is in which way the LiveCD has been altered to prevent that.
We use Helix quite a bit along with the usual commercial tools. In fact at this moment I am cloning a drive with it. BTW the current version of Helix seems better at hardware detection than the Knoppix based one. The only glitch I have seen so far is mounting SAMBA shares in the ADEPTO imager. I can get at the SAMBA shares from root, but can't get at them in ADEPTO.
When you run Helix you will not necessarily see the scripts that are used to auto-mount the media but you can easily see the results if you run mount at the root terminal. All the partitions are automounted read only, including hot swapped USB and 1394 devices. The only way that you can write to anything that Helix has automounted is to re-mount the media as root with the appropriate options.
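The check Beetle describes (run mount after boot and look at the results) can be made repeatable. The script below is an added example, not Helix's own tooling or anything posted in this thread: it reads text in /proc/mounts and /proc/swaps format and flags any block device mounted with the rw option or any active swap, which are the two conditions the Helix statement at the top of the thread promises never happen. The sample tables it runs on are constructed.

```sh
#!/bin/sh
# Added example, not Helix's own tooling: audit a live-boot mount table and
# swap table for anything that could touch evidence media. Both functions
# take a file path, so they work on /proc/mounts and /proc/swaps directly
# or on copies captured during an acquisition.

# List block devices mounted with the "rw" option (fields of /proc/mounts:
# device mountpoint fstype options dump pass).
rw_block_mounts() {
    awk '$1 ~ /^\/dev\/(sd|hd|nvme|mmcblk|md|dm-)/ {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "rw") print $1, $2, $3, $4
        }' "$1"
}

# List active swap devices: every line of /proc/swaps after the header.
active_swaps() {
    awk 'NR > 1 && NF > 0 { print $1 }' "$1"
}

# Exit status 0 when no block device is writable and no swap is active.
audit_live_boot() {
    status=0
    if [ -n "$(rw_block_mounts "$1")" ]; then
        echo "FAIL: block device(s) mounted read-write:"; rw_block_mounts "$1"
        status=1
    fi
    if [ -n "$(active_swaps "$2")" ]; then
        echo "FAIL: swap active on:"; active_swaps "$2"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: evidence media read-only, no swap in use"
    return "$status"
}

# Constructed sample tables standing in for /proc/mounts and /proc/swaps
# on a live system that has NOT been kept forensically sound.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/sda1 /media/sda1 ext3 ro,relatime 0 0
/dev/sdb1 /media/sdb1 vfat rw,relatime,utf8 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
EOF
cat > "$SAMPLE_DIR/swaps" <<'EOF'
Filename				Type		Size	Used	Priority
/dev/sda2                               partition	1048572	0	-1
EOF

# On a real live system: audit_live_boot /proc/mounts /proc/swaps
audit_live_boot "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/swaps"
```

The tmpfs rw mount is deliberately not flagged: only /dev block devices count as evidence media, and the CD itself shows up as ro.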
Hi chris2792,
This could be a test for you to perform - grab the Ubuntu CD and the Helix CD, boot both of them, and review the scripts for differences. I haven't looked at either of these CD environments, but it would seem likely that where Ubuntu auto-mounts R/W if support for the FS type is available, Helix has altered it to mount it R/O.
Cheers!
farmerdude
chris2792, the reason the Helix people have not replied to your question (as far as I can see) is that Helix is not based on Ubuntu, but on Knoppix (as per the Helix FAQ), which in turn is based on Debian Linux.
Now, Ubuntu is also based on Debian but has some differences with regards to processes/services etc to both Debian and Knoppix (and Helix, therefore).
Your question, thus, was not phrased correctly and was very possibly ignored (it could have been worse). Or they may not have had time to answer your question (how much time did you allow for responses?). I am leaning towards the first reason, though.
As for the whole automount issue, I would advise that you look up how mounting is done on linux generally, and ubuntu specifically. Plenty of pages on ubuntu automounting, plus plenty of manpages on the actual tools/processes. Having gone through them, you should be able to then check configuration files in Helix and see what they've done to disable automounting.
Hints: modifications needed in udev, fstab, gnome-volume-manager, hal, dbus, autofs, possibly in the kernel itself.
You might, however, want to consider actually building a customised ubuntu livecd, and configuring it to not automount, using something like
- Reconstructor http://reconstructor.aperantis.com
- Remastersys http//
- Other ubuntu-based customised distro making tools
And a piece of advice, here… if you go down that path, it is a good idea to make an i386 customised distro, which will work in both i386 and amd64 architectures.
All of that aside, should you not be using a physical write-blocker when plugging in drives, in any case?
With regards to court admissibility, generally speaking, it's the process that counts, not the tools one uses.
As long as one is ready and willing to fully explain the operation of the programs in detail in a court of law, there should not be a problem using any Linux distro/tool/toolkit.
I hope this helps.
Cheers
DarkSYN
Helix v2.0 is based on Ubuntu.
psu89, yes, according to this (http//
Ticking off the kernel changes from the hints list of changes required (possibly).
Can anyone find some more specific information that suggests they have copied the rest of the Ubuntu 8.04 distribution?
Cheers
DarkSYN
@farmerdude
I have no problem using Linux for my daily work - but I'm not an expert and have no deeper knowledge of the Linux Boot Process and how to analyze the content and working of an initial RAM Disk, so it would be a tedious task for me to find out what's going on when Helix boots. I thought that it would not be that much effort to publish a piece of documentation for the person who makes Helix.
@Beetle
When Helix has finished the Boot Process there are NO partitions mounted automatically, there is just an applet per partition created on the top bar. By clicking on that applet one can mount the respective partition (and in that case the partition is mounted read only) - so far so good.
But what happens during the Boot Process? Even if there is no partition mounted afterwards nobody knows if they really were never mounted for whatever reason.
@DarkSYN
Even if a question is not worded correctly (and I think my question was clear) that should not be a reason not to post a reply, that would make a forum worthless.
All of that aside, should you not be using a physical write-blocker when plugging in drives, in any case?
There are cases where it is not possible to use a write blocker. In my last case I found that certain raid controllers make use of the ATA Security feature to guarantee that the drives are not used with another controller.
Can anyone find some more specific information that suggests they have copied the rest of the Ubuntu 8.04 distribution?
From the
What is Helix
Helix is a customized distribution of Ubuntu Linux.