Helix Linux Forensic Live CD

You may already know of the FIRE live forensic CD and the Knoppix-STD security tools CD. Last week I attended a free talk by Ed Skoudis, who spoke about his favorite forensic live CD -- Helix, by Drew Fahey of e-fense. I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750.

The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drive on boot. You don't want a live CD to mount the host hard drives, since you don't need to mount drives to image them. Helix is safe in this regard; it doesn't touch the drive unless you tell it to. Helix also sports the sorts of tools you'd expect on a forensic CD, including a nice graphical interface to dd and variants sdd and dcfldd.
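One way to verify that a live environment has left the evidence disk alone before imaging it, as an added example that is not from Helix or the original post. It goes slightly beyond the text by also checking active swap, and the function names and the sample /proc/mounts and /proc/swaps contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Helix: confirm the boot environment has not
# mounted, or enabled swap on, the disk you are about to image.

# device_in_use DEVICE [MOUNTS_FILE] [SWAPS_FILE]
# Prints every mount or active swap entry on DEVICE or one of its partitions.
# Returns 0 when the device is in use, 1 when nothing references it.
device_in_use() (
    dev="$1"; mounts="${2:-/proc/mounts}"; swaps="${3:-/proc/swaps}"
    hits=$(awk -v dev="$dev" '
        # True for the whole disk and its partitions: sda, sda1, nvme0n1p2.
        function on_dev(src) { return src == dev || src ~ ("^" dev "p?[0-9]+$") }
        # /proc/mounts fields: source, mount point, fstype, options.
        FILENAME == ARGV[1] && on_dev($1) { print "mounted", $1, $2, $4 }
        # /proc/swaps starts with a header line; swap writes to the disk too.
        FILENAME == ARGV[2] && FNR > 1 && on_dev($1) { print "swap", $1 }
    ' "$mounts" "$swaps")
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -n "$hits" ]
)

# Constructed sample data (not captured from a real system): a live CD that
# auto-mounted the host's first partition read-only and enabled its swap.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mounts" <<'EOF'
/dev/root / ext2 rw 0 0
/dev/hdc /cdrom iso9660 ro 0 0
/dev/sda1 /mnt/sda1 ext3 ro 0 0
EOF
cat > "$demo_dir/swaps" <<'EOF'
Filename Type Size Used Priority
/dev/sda2 partition 1048568 0 -1
EOF

# check_evidence_disk DEVICE: prints a verdict using the sample files above.
check_evidence_disk() {
    if device_in_use "$1" "$demo_dir/mounts" "$demo_dir/swaps"; then
        echo "STOP: $1 was touched by the boot environment"
    else
        echo "OK: $1 is not mounted or used as swap"
    fi
}
check_evidence_disk /dev/sda
check_evidence_disk /dev/sdb
```

On a real system, call `device_in_use /dev/sdX` with no file arguments so it reads the live /proc/mounts and /proc/swaps.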

Probably the most amazing aspect of Helix is its support for Windows. The Helix CD provides distributable Windows binaries, including a Windows shell, that run within Windows. I recommend browsing the Helix screen shots to see how useful this can be. Essentially you could image a running Windows system using Helix. (I don't think this is the best idea, but it's nice to have options.) I recommend the Helix developers also look at the sort of "live response" processes documented in books like Incident Response: Computer Forensics (2nd Ed) and incorporate those features into their great free CD.

It pays to keep an eye on Open Source Digital Forensics for developments in the forensics realm.

Comments

can0beans said…
Hey Richard -- happened to run across your blog while searching for a recent Forensics focused Linux Live CD. The blog is great. I was wondering if you knew of any decent (recently updated) Forensics focused live CDs. I seem to be coming up empty....
Chris, no -- I haven't looked recently.