I was asking if anyone in the community would like to pick up the flag and spend some time looking at the distro too. I thought that was obvious and apologise if I was not clear.
Just sticking my oar in here...
I thought nickfx made his point without ambiguity and agree that the project would be useful, as long as everything is coordinated in the appropriate manner. I’d be willing to volunteer some of my time to this endeavour. Are we picking parts/processes randomly ourselves or do you have any ‘core’ components in mind?
Hi Fatrabbit
I've just been sat here thinking to myself about the actual point of this process. I guess there is a purely academic side, what goes on when I use Helix, and a more serious legal justification side. Essentially, if I use Helix in a live environment and then have to justify the changes that would have been made to a system in a legal environment, can I do that? The answer right now is no, I can't!
In a legal setting it is extremely unlikely that I would be asked to justify Encase or FTK on a nuts and bolts level as thousands of previous cases have created the precedent for me, (that’s not justification for not knowing what's going on of course!)
However with Helix I am not aware of any legal precedents at all and that is concerning if I am to use it in anger.
So I guess the best place to start is to isolate the Helix menu application which is where I was starting, secondly to consider each of the tools that are available. Tonight when I'm back in the office I'll take a look at the main tools and perhaps a few members would volunteer to take a tool and break it down to see what goes on when it’s used.
Hogfly had already started looking at FRED and I've been impressed with his postings in the past, Harlen is obviously more than qualified and might take something if he's not too upset with me :) and I don't mind taking the main app. If there is anything that takes your fancy Fatrabbit let me know. The integrated image locator could be a good one?
Cheers
Nick
Sold! I'll take the integrated image locator. Not to get too academic but what are we aiming to provide in the way of output, posts on this thread or are we going to collate them all into a single article type document? Multiple people posting their results and answering questions could lead to a sizeable, not to mention convoluted, thread.
Single article would be nice which could be published under the 'Papers' section - back to TIME again :)
Perhaps I could collate the reports from any members interested in helping and Harlen may agree to peer review it. Again I don't think we are looking to produce an MSc thesis on the subject, just a reference work of system adjustments made to the Windows operating system when Helix and/or one of its primary tools is executed. Does that sound reasonable?
Nick
> You do have your caustic days don't you Harlen
Well, I've had my coffee, so don't think I'm upset that you haven't been able to spell my name right once so far. In fact, nothing could be further from the truth.
My intention was not to be caustic, but to set down some groundwork for this sort of thing. You say that you want someone who has the time to analyze this info…and I'm simply saying that you aren't collecting enough info. That's all.
From the previous posts, I do have a question about the process that deleted the USB TV keys, as illustrated in the InControl5 output. How do you know that the use of Helix had anything to do with those keys being modified?
> I thought that was obvious and apologise if I was not clear.
You were very clear…and I agree with your sentiment. I'm simply suggesting that we put together a unified, agreed upon process for collecting the data, so that we're all on the same sheet of music. Also, I'd like to see the necessary data collected to perform the analysis. Running InControl5 on a system to detect changes does nothing to tell us which process *made* the changes.
You were very clear. I'm only suggesting that we be more complete in our process.
> …there is a lot going on when Helix (Windows side) is being used…
Exactly. However, the big A/V companies have over the past year stated that certain malware has modified the MUICache key…when this has not, in fact, been the case. Running RegMon during the test, and then later filtering on keys/values of interest will show us which process had a hand in modifying the key.
You seem to have been slighted by my post…that was not my intention. I did not see how making suggestions for being more complete and providing a valuable service to the community would be interpreted as "caustic" or denigrating in any way. If you would rather, I will simply implement my process and go about my business in isolation. I'd rather not see that, but if that's what it takes to get this sort of thing out the door, then so be it. For the record, though, I agree with you that this is important.
Harlan
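The two halves of the method Harlan describes above (a before/after snapshot tells you *what* changed; a RegMon/Process Monitor trace filtered on the keys of interest tells you *which process* changed it) can be joined mechanically. The script below is an added example and is not code from this thread, from Helix, or from any of the tools named here. It assumes the CSV column layout that Process Monitor (RegMon's successor) exports; the snapshot contents, registry paths, PIDs and trace rows are constructed for the example, not captured from a real run.

```python
"""Attribute registry changes found by a snapshot diff to the process that made them.

Added example, not from the thread. Joins an InControl5-style before/after
snapshot (what changed) with a Process Monitor CSV trace (who changed it), so
that a change can be credited to the tool under test, to some other process,
or flagged as unattributed (no write event in the trace covers it).
"""
import csv
import io
from collections import defaultdict

ABSENT = "<absent>"  # sentinel: key/value did not exist in that snapshot

# Constructed before/after snapshots (path -> data). Illustrative only.
SNAPSHOT_BEFORE = {
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\Vid_1234&Pid_5678": "",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\Vid_1234&Pid_5678\DeviceDesc": "TV tuner",
    r"HKCU\Software\Example\Unrelated": "1",
}
SNAPSHOT_AFTER = {
    r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\helix\helix.exe": "Helix",
    r"HKCU\Software\Example\Unrelated": "1",
    r"HKCU\Software\Example\Fresh": "x",  # no trace event covers this one
}

# Constructed Process Monitor CSV export; PIDs and paths are invented.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.001","helix.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\\C:\\helix\\helix.exe","SUCCESS","Type: REG_SZ, Length: 12, Data: Helix"
"10:00:02.002","svchost.exe","880","RegDeleteKey","HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\Vid_1234&Pid_5678","SUCCESS",""
"10:00:03.003","helix.exe","1234","RegQueryValue","HKCU\\Software\\Example\\Unrelated","SUCCESS","Type: REG_SZ, Length: 2, Data: 1"
"""

# Operations that modify the registry; reads are ignored on purpose.
WRITE_OPS = {"RegSetValue", "RegDeleteValue", "RegDeleteKey", "RegCreateKey", "RegRenameKey"}


def diff_snapshots(before, after):
    """Return {path: (old, new)} for every path whose data differs between snapshots."""
    changes = {}
    for path in set(before) | set(after):
        old, new = before.get(path, ABSENT), after.get(path, ABSENT)
        if old != new:
            changes[path] = (old, new)
    return changes


def parse_procmon(csv_text):
    """Yield successful write-type registry events from a Process Monitor CSV export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] in WRITE_OPS and row["Result"] == "SUCCESS":
            yield row


def attribute(changes, events):
    """Map each changed path to the (process, pid, operation) events that touched it.

    Registry paths are case-insensitive, so matching is done on lower-case.
    RegDeleteKey removes a whole subtree and the values under it never get
    their own event, so the deleter is credited for anything beneath that key.
    """
    exact = defaultdict(list)
    deleted_subtrees = []
    for ev in events:
        who = (ev["Process Name"], ev["PID"], ev["Operation"])
        path = ev["Path"].lower()
        exact[path].append(who)
        if ev["Operation"] == "RegDeleteKey":
            deleted_subtrees.append((path, who))
    result = {}
    for path in changes:
        lp = path.lower()
        hits = list(exact.get(lp, []))
        hits += [who for root, who in deleted_subtrees if lp.startswith(root + "\\")]
        result[path] = hits
    return result


def report(before, after, csv_text, tool_exes):
    """Classify each snapshot change as 'tool', 'other' or 'unattributed'."""
    changes = diff_snapshots(before, after)
    attrib = attribute(changes, parse_procmon(csv_text))
    tools = {t.lower() for t in tool_exes}
    out = {}
    for path, writers in attrib.items():
        if not writers:
            out[path] = "unattributed"
        elif {p.lower() for p, _, _ in writers} & tools:
            out[path] = "tool"
        else:
            out[path] = "other"
    return out


if __name__ == "__main__":
    for path, who in sorted(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, PROCMON_CSV, ["helix.exe"]).items()):
        print(f"{who:13} {path}")
```

On the constructed data the MUICache entry is credited to helix.exe, the USB key and the value beneath it are credited to svchost.exe rather than to the tool, and the key with no trace event at all comes out "unattributed", which is the case that should send you back to check the trace filter before blaming or clearing the tool.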
Nickfx. Yes, very much so, a semi-informal article was what I was thinking of. I think work like this is not only beneficial to the community as a whole but also a useful learning device for the individual tester, so if you need help collating the results and/or compiling the article please drop me a line.
Firstly, so sorry for misspelling the name, I've a friend called 'Harlen' and didn’t check your spelling.
Secondly, no, not offended by your comments at all, hence the pacifying 'smiley', you just often have a, how shall we call it, direct way with words!
If you read my other posts I recognise your unarguable knowledge in this arena so please don’t take me too seriously!
Bottom line I think we agree on the basic elements but these posts are often an environment to put half baked ideas out there and see what comes back, I really benefit from that.
If you lived around the corner I'd take you out and buy you a Starbucks!
Cheers
Nick
Nick,
The sentiment (re Starbucks) is much appreciated…
I sincerely believe that a small group of us can make significant in-roads into things such as tool-testing and validation…or at the very least, documentation. The tools are out there, to paraphrase the X-Files.
I don't think you want to use a "clean VM image" necessarily…because how often are you going to encounter such a thing when you're responding? I do think that with the right combination of tools, and the right methodology, some very good work in this area can be done.
Harlan
PS I know that you're somewhat light-hearted in your approach, and it's appreciated.
Has there been any progress with these mini-Articles? I am interested in the results and helping with any testing.
I was hoping that Drew would create a version of Helix that did not do the automagic GUI popup and either did nothing or automagically opened a CMD prompt. To me, if you are going to image memory or do something else live, the GUI tramples over memory that could be useful.
If you guys can post your progress, I will jump in where I can as Helix is one of my favorite and most used IR tools, so I would be more than happy to assist in furthering its development and use.
-jhs
> if you are going to image memory or do something else live, the GUI
> tramples over memory that could be useful.
Yes, but so does opening a command prompt, and actually running the software that "images" physical memory.
If you get a chance, go to the Blackhat media archives for the recent Federal conference. Kevin Mandia gave a presentation where he talked about imaging memory, as well as dumping the memory from specific processes (which gets physical memory *and* what's in the pagefile, as well).
Re Testing Helix…I'd strongly recommend against anyone jumping in, but rather posting/assigning tasks, developing a common testing methodology used by all, and then proceeding from there. Posting progress and then "jumping in" can be too haphazard. The whole idea behind this is to add to community by performing documented, repeatable testing.
Harlan