Monday, August 23, 2004

Helix Linux Forensic Live CD

You may already know of the FIRE live forensic CD and the Knoppix-STD security tools CD. Last week I attended a free talk by Ed Skoudis, who spoke about his favorite forensic live CD -- Helix, by Drew Fahey of e-fense. I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750.

The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drive on boot. You don't want a live CD to mount the host hard drives, since you don't need to mount drives to image them. Helix is safe in this regard; it doesn't touch the drive unless you tell it to. Helix also sports the sorts of tools you'd expect on a forensic CD, including a nice graphical interface to dd and its variants sdd and dcfldd.
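To show what "image without mounting" looks like at the command line, here is a small POSIX shell helper added for this post (it is not Helix's own front end): it refuses to image a source that is currently mounted, copies it with dd using the noerror,sync options, and verifies the image by hashing source and copy. The device paths are placeholders; the mount check matches only the exact path given, so resolve symlinks before calling it.

```shell
#!/bin/sh
# Added example in the spirit of Helix's dd front end (not Helix code).
# Principle: acquisition never requires mounting the evidence device.

# Return 0 if the given device path is currently mounted, 1 otherwise.
# Uses /proc/mounts where available, otherwise the mount(8) listing.
is_mounted() {
    src="$1"
    if [ -r /proc/mounts ]; then
        awk -v d="$src" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' /proc/mounts
    else
        mount | awk -v d="$src" '$1 == d { found = 1 } END { exit found ? 0 : 1 }'
    fi
}

# SHA-256 of a file or block device; works with sha256sum or shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# image_device SOURCE IMAGE: bit-for-bit copy, then hash verification.
# Prints "<source_hash> <image_hash> verified" and returns 0 only on a match.
image_device() {
    src="$1"; img="$2"
    if is_mounted "$src"; then
        echo "refusing to image $src: it is mounted" >&2
        return 2
    fi
    # bs=512 matches the sector size; noerror,sync keeps going past bad
    # sectors and pads them with zeros so offsets in the image stay correct.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "$src_hash $img_hash verified"
        return 0
    fi
    echo "$src_hash $img_hash MISMATCH" >&2
    return 4
}
```

Run as `image_device /dev/sdX /mnt/evidence/sdX.dd` (placeholder paths) with the image destination on a separate, writable volume; a non-zero return means the copy must not be trusted.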

Probably the most amazing aspect of Helix is its support for Windows. The Helix CD provides distributable Windows binaries, including a Windows shell, that run within Windows. I recommend browsing the Helix screen shots to see how useful this can be. Essentially you could image a running Windows system using Helix. (I don't think this is the best idea, but it's nice to have options.) I recommend the Helix developers also look at the sort of "live response" processes documented in books like Incident Response: Computer Forensics (2nd Ed) and incorporate those features into their great free CD.

It pays to keep an eye on Open Source Digital Forensics for developments in the forensics realm.

3 comments:

Chris said...

Hey Richard -- happened to run across your blog while searching for a recent forensics-focused Linux live CD. The blog is great. I was wondering if you knew of any decent (recently updated) forensics-focused live CDs. I seem to be coming up empty...

Richard Bejtlich said...

Chris, no -- I haven't looked recently.
