
SIFT or HELIX?

(@nerdrage)
Eminent Member
Joined: 13 years ago
Posts: 21
Topic starter  

What's your go to and why?

(@hydrocloricacid)
Eminent Member
Joined: 16 years ago
Posts: 37
 

Neither.

For acquisitions: GRML.

For analysis: Debian or Ubuntu with the relevant applications installed (e.g. photorec, exiftool, log2timeline-perl, regripper, foremost, ewfacquire, libpff … etc. :) )

Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

Last version update for GRML was a year ago... I'm not familiar with the tool but I'd be concerned with the apparent lack of currency.

Having said that I've not used SIFT and don't know how current that is either…

(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

SIFT or HELIX for what purpose?

SIFT at least is still being maintained, not sure how up to date.
I have not seen an update for Helix in quite a while.

More alternatives are mentioned here, several of them no longer being maintained:
http://www.forensicswiki.org/wiki/Category:Live_CD

If you're proficient with Linux anyone of them will do.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Go to, with respect to what? Acquisition? Analysis?

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

> Last version update for GRML was a year ago... I'm not familiar with the tool but I'd be concerned with the apparent lack of currency.
>
> Having said that I've not used SIFT and don't know how current that is either…

I still use a 3 year old forensic imaging disk for most field acquisitions. Stability is more important to me than recency for acquisitions, and I can still acquire at 100MB/s (6GB/min) on current drives.

KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

> I still use a 3 year old forensic imaging disk for most field acquisitions. Stability is more important to me than recency for acquisitions, and I can still acquire at 100MB/s (6GB/min) on current drives.

I only use the newer live CDs because of the eSATA drivers. Which one do you use? SPADA?

(@bitstorm)
Trusted Member
Joined: 14 years ago
Posts: 53
 

> Go to, with respect to what? Acquisition? Analysis?

That's it:
Helix: mainly acquisition, a Linux boot CD
SIFT: analysis

For live acquisition and fully maintained, I use DEFT Linux, an Italian-based forensic distribution:
http://www.deftlinux.net
Works on current chipsets (most common ones, supporting Linux).

Hwallbanger
(@hwallbanger)
Eminent Member
Joined: 17 years ago
Posts: 32
 

This survey is going to be unbalanced due to Helix being bought, closed-sourced and then commercialized. Over time, Helix seems to have dropped in popularity.

There are other distributions that are specialized toward Digital Forensics (DF) and also others that are targeted at Network Incident Response and Security like BackTrack 5. I have noticed that these two fields seem to have an interest in merging into DFIR, and the specialized distributions are starting to merge the tools for these two fields into their live distributions like Sift and Deft.

I have asked investigators over the past four years why they are not using Linux more often, given the large tool sets that are provided within these distributions, and they indicate the problem of just downloading a tool package and then having difficulty getting the newly installed package to work. Over the many years in the IT field, I have witnessed that most applications/programs/packages in any operating system do NOT install without having any problems at all. So the real issue, I feel, that Linux is not used more for either field of DF or IR is due to not having enough experienced packagers delivering good quality distributions that are properly packaged for an easy install and use. This very topic was addressed (I believe, if my memory serves me well) at the second Ohio Linuxfest back in 2003 with Maddog mediating the talk.

This very topic was addressed on the Yahoo Group "Linux_Forensics" by Greg Freemyer in the thread titled "Getting DFIR apps into official linux releases". You will also find Dr. Simson Garfinkel commenting within this thread. Here are some excerpts from this thread dated 2/20/12:

Greg Freemyer

… the reality is there seem to be few if any experienced packagers in the forensic community.

But there are hundreds in the opensuse volunteer network. And many of them package mainstream dfir apps, most of those were done by people other than me.

So the point of the opensuse wiki page is really to try and get more involvement from that community (DFIR).

Jon Evans stated

Most people run SIFT via a virtual machine … Agreed there are some exotic tools out there that could be packaged and I've considered maintaining a personal package archive (ppa) for Ubuntu so that I can avoid repeating the build process for a new install etc.

Greg's reply

My first attempt to run SIFT was in a VM to try log2timeline. That was about a year ago. I was pretty disappointed with the performance. When I gave up on that and installed it I found AWK had a bug that kept it from properly parsing the body file that log2timeline generated.

I never tried the SIFT in a VM concept again for performance reasons. And I was already an openSUSE bigot, so the AWK bug kept me from experimenting further with that Ubuntu release.

Instead I decided to package log2timeline for opensuse. That turned into a minor production, so when I finally got it done for me, I decided to push it into the semi-official opensuse security repo. It was accepted with little fanfare.

On the other hand when I tried to push it into the truly official release repo (factory), it got a true legal review and it was rejected for one of the modules not having explicit permission to be based on analyzeMFT. That's okay if the license doesn't change, but it did in this case.

That's actually an advantage of going through an official process. I know openSUSE will have a legal team review the package and its licenses to make sure they are acceptable. Sift is not doing that, or so I assume based on PTK being in it. (Maybe they highlight that it is for non-commercial use only somewhere?)

It is the build process I want to avoid for all, but even more importantly the identification and installation of dependencies. The first time I manually installed log2timeline, I swear it took over a day. It just had so many semi-exotic Perl modules it depended on. Each one had to be found by trial and error, then manually installed from CPAN. Being manually installed also meant they were outside the control of the openSUSE package manager. It was a mess.

Dr. Simson Garfinkel had replied

Thanks for the input. I agree that we need help in packaging. Why do you think that Open SUSE is the correct platform? Is it gaining traction over Fedora, Ubuntu and Debian?

Greg replied

But the reality is there seems to be few if any experienced packagers in the forensic community. But there are hundreds in the opensuse volunteer network. And many of them package mainstream dfir apps, so if you look at the opensuse12.1 list of apps, most of those were done by people other than me.

So the point of the opensuse wiki page is really to try and get more involvement from that community. Once the wiki page is more stable I will look at replicating to places like forensics wiki.

Working within the official distribution processes brings to bear all the manageability and updateability that those distributions provide to everyone else.

Look at the wiki page I posted, under the installation section. Anyone with a current opensuse install can get most of those packages installed in 5 minutes or less. And when a new package is released “ zypper up” will find it in the security repo (etc.) and update it. All smooth and easy just like it is for the rest of the opensuse packaged apps.

Greg

Greg then followed his previous post with

Opensuse has the best automated build farm (build.opensuse.com) that I am aware of (obs). It also has the best automated boot cd creator (www.susestudio.org) that I'm aware of.

Given that I already had a bunch of apps packaged in obs, I was able to create a boot cd over the weekend in 30 minutes.

It doesn't have any easy to use icons, etc., but lots of apps are there for command line use. See the list from my first post in this thread. I think they are all on the boot cd.

Fyi there is also a thumb drive image you can download. I haven't tested it yet, but in theory if you dd it to a thumbdrive it should create 2 partitions automatically. The first partition is for the os. The second is for data. Ie. If you boot from it and run data_extractor, you could send the output to the second thumb drive partition. That seems smart for triage work.

Greg

You can follow this thread in its date order at the Yahoo Group at this link.

Try the link below to the specific group, and the next link is the specific thread …

http://tech.groups.yahoo.com/group/linux_forensics/messages/3374?l=1

OR

http://tech.groups.yahoo.com/group/linux_forensics/message/3378

I hope that this information sheds some light upon what I believe is the true issue regarding the use of Linux for the forensic investigator. :)
