Open source, Live Forensics, best tools?

2 Posts
2 Users
0 Reactions
660 Views
(@scottyxx)
Active Member
Joined: 15 years ago
Posts: 13
Topic starter  

So I work at an organization where forensics are few and far between. It's been 2 years since I updated my tool kit. We do not have a budget for forensics, so everything has to be open source.

Right now I need something to reliably do live forensics. So far I have been using Helix on a USB. I have been using WinAudit to get running processes and open ports, and then using the Helix imager to do imaging.

Chances are if I find anything, my findings will be handed to the police as evidence, so I want to make sure I do everything as forensically sound as possible. Since Helix (free edition) is out of date and no longer supported, I am looking for another open source tool I can put on my USB stick to perform imaging and live analysis.

Can anyone recommend anything?

(@lilpopps21)
Active Member
Joined: 14 years ago
Posts: 9
 

For logical imaging you can use FTK Imager Lite.

Memory Forensics - MoonSols Windows Memory Toolkit (Community version is free).

What type of live analysis do you typically do?

For incident response, Sysinternals Suite (Microsoft) has some extremely helpful tools.

Also, Harlan Carvey's WFA books contain tons of great information on live analysis and some open source tools to assist you.

As far as "Forensically Sound", inserting a thumb drive and executing tools from it is of course going to alter the suspect machine, but that being said, any true forensic examiner can dictate exactly what his/her tools have altered and why.

The key is to create your "Live Response Toolkit" and TEST it. Utilize system admin tools in order to document exactly what changes have occurred on the system. This will allow you to easily explain in Court what your processes did and did not do.

Hope this helps.

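The advice above to build a live response toolkit, test it, and be able to state exactly what it did on the suspect machine can be backed by a small collection log. The script below is an added example, not code from this thread or from any of the tools named in it. It assumes a toolkit directory on the USB stick: it hashes every file in that directory into a manifest when the stick is assembled (so a tampered or swapped binary is caught before anything is run), and then wraps each tool invocation so that the command line, the tool's own hash, UTC start/finish times, exit code and a SHA-256 of the captured output are recorded in a JSON log that can accompany the evidence. The `demo()` function builds a constructed toolkit in a temporary directory and uses the Python interpreter as a stand-in for a collection tool, so the whole thing runs offline; tool names and paths in it are placeholders.

```python
"""Live-response toolkit verification and collection log (added example).

Workflow: build_manifest() once on a clean workstation when the USB toolkit is
assembled; verify_manifest() on the stick before use; run_and_log() around every
tool so the log documents exactly what was executed and what it produced.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir: Path) -> dict:
    """Map each file in the toolkit (relative path) to its SHA-256."""
    return {
        str(p.relative_to(tool_dir)).replace("\\", "/"): sha256_file(p)
        for p in sorted(tool_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(tool_dir: Path, manifest: dict) -> list:
    """Return relative paths that are missing or whose hash no longer matches.
    A non-empty result means the toolkit must not be trusted on this case."""
    bad = []
    for rel, expected in manifest.items():
        p = tool_dir / rel
        if not p.is_file() or sha256_file(p) != expected:
            bad.append(rel)
    return bad


def run_and_log(argv: list, output_dir: Path, label: str, tool_hash: str = "") -> dict:
    """Run one tool, save its raw stdout beside the log, and return a log entry
    describing what ran, when, how it exited and the hash of what it produced."""
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(argv, capture_output=True)
    finished = datetime.now(timezone.utc).isoformat()
    out_path = output_dir / f"{label}.out"
    out_path.write_bytes(proc.stdout)
    return {
        "label": label,
        "argv": argv,
        "tool_sha256": tool_hash,
        "started_utc": started,
        "finished_utc": finished,
        "exit_code": proc.returncode,
        "output_file": out_path.name,
        "output_sha256": sha256_bytes(proc.stdout),
        "stderr_sha256": sha256_bytes(proc.stderr),
    }


def write_log(entries: list, log_path: Path) -> Path:
    log_path.write_text(json.dumps(entries, indent=2))
    return log_path


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory (not a real case)."""
    tool_dir = Path(tempfile.mkdtemp(prefix="lr_toolkit_"))
    # Placeholder standing in for a tool binary on the USB stick.
    (tool_dir / "collect_ports.txt").write_bytes(b"stand-in for a tool binary")
    manifest = build_manifest(tool_dir)
    clean = verify_manifest(tool_dir, manifest)  # expected: []

    # Stand-in tool: the interpreter itself, writing a fixed string.
    argv = [sys.executable, "-c", "import sys; sys.stdout.write('hello')"]
    tool_hash = sha256_file(Path(sys.executable)) if sys.executable else ""
    entry = run_and_log(argv, tool_dir, "demo_tool", tool_hash)
    log_path = write_log([entry], tool_dir / "collection_log.json")

    # Simulate a tampered toolkit: the manifest check now flags the file.
    (tool_dir / "collect_ports.txt").write_bytes(b"tampered")
    tampered = verify_manifest(tool_dir, manifest)  # expected: ["collect_ports.txt"]
    return {"clean": clean, "tampered": tampered, "entry": entry,
            "log_sha256": sha256_file(log_path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hash the finished log file as well (the `log_sha256` value in the demo) and record that hash somewhere outside the collection media, so that both the toolkit that was run and the record of what it did can be shown unchanged later.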