Show Posts
Pages: 1 ... 63 64 [65] 66 67 ... 69
961  Resources / Tools / Re: Windows FE on: February 26, 2009, 09:35:24 PM
I definitely get your point about EnCase. Windows FE would be a little different, however. The idea is that you would be able to boot from a CD and conduct imaging and investigations on an internal drive. This is particularly useful when it comes to those annoying 12" Sony Vaio laptops. The CD is supposed to make certain that no data gets written to your evidence. It's a software-based write protection method.

With EnCase, you would either use an image, or connect a drive on a hardware write protector.
962  Resources / Tools / Re: Windows FE on: February 26, 2009, 02:01:53 PM
Don, this seems like an interesting idea. Most folks doing forensics these days are ex-government employees. For some reason our government doesn't do much Linux training. This would be a very valuable tool in the forensics world.

I guess we just need a couple of precedents where a Windows FE CD was used and the testimony stood in court.

I was thinking about this after I posted. One thing that worries me is that Windows is closed source. It also has way too many parts that are completely undocumented. How can we ever be certain that some registry value we didn't consider won't allow an evidence drive to be formatted, or that scandisk won't automatically kick in? With *nix, we can at least look at the source code and reasonably say that no, we can't write to the drive if this flag is set.
963  Resources / Tools / Re: Helix 3 Released on: February 26, 2009, 01:55:50 PM

What would you suggest for better hardware detection?


To be honest with you, I am not sure. I carry both, 1.9a and 2.0 (although it says Helix 3 on the new one), with me all the time. 1.9a seems to have fewer issues with detecting hardware. The biggest issue I have had is that the toolbar in X doesn't come up. In the new version, we have had quite a few of those dreaded Ubuntu errors where it drops you to a shell complaining about a GUID mount point.

What was the older version based on? Was it Debian or Red Hat?

It's not that big of a deal if you have both versions. You start with the newer Helix boot CD. If that doesn't boot, you switch to 1.9.

964  Resources / Tools / Re: Helix 3 Released on: February 26, 2009, 06:39:07 AM
Yep, that's the site for Raptor. Sorry, I meant to post a link. It's a pretty decent tool, despite being in BETA. I am not sure if it will remain free.

I agree with you on the forensics workstation option. I just think that should be a separate disc. The boot disc should be pristine, without the option to install, in my opinion. I have seen too many IT departments attempting to do their own forensics without proper training, and it usually doesn't turn out well. The HD install can be quite dangerous in the wrong hands. I do see your point on a workstation option though.
965  Resources / Tools / Re: Helix 3 Released on: February 25, 2009, 10:18:31 PM
I am a little disappointed with the recent release of Helix. I've been using the CD for quite some time now, and the new version has a couple of annoyances to me:

1. New build based on Ubuntu. I have had some issues getting the disc to boot with some systems. Ubuntu seems to be less forgiving when it comes to hardware. I carry around version 1.9a and the new version.

2. There is now an option to install Helix to the hard drive. I realize that this could be cool, but I think it's a dumb option on a forensics CD that is supposed to not modify original evidence. How many people who aren't familiar with evidence handling rules and Helix will attempt to install the software onto a drive they are attempting to analyze?

3. The disc mounting and formatting is still confusing to novice Linux users. Many forensics investigators do not have Linux ops training. They are only familiar with the OS from an investigative point of view. Many of my coworkers are switching to RAPTOR, which makes this task much easier for them.

966  Resources / Tools / Re: Attacking SSL - SSLStrip on: February 25, 2009, 03:01:07 PM
I watched it, actually used it as a CPE for a couple of certs :) It was definitely a good presentation. I guess a couple of browsers from now, some of the issues will be fixed to limit this attack's effectiveness. It's just one thing after another for SSL, isn't it? Session hijacking, sidejacking, SSL stripping, oh my.
967  Ethical Hacking Discussions and Related Certifications / Programming / Re: Newbie: VB.NET or C# on: February 25, 2009, 11:25:17 AM
I agree with everyone, C/C++ is a much better alternative than either of these. However, it may be too much to plunge into if you don't have a basic understanding of programming. C# is more rooted in C/C++. Pointers and more low-level code are available to C#. VB.NET is an easier language.

With either one of them, if you want to do some "hacking," you would have to make a lot of API calls. These are not fun, and many datatypes from C do not translate well into any managed language.
968  Features / Feb 2009 - Brady Bunch Boondoggle / Re: [Article]-Brady Bunch Boondoggle on: February 24, 2009, 09:09:20 PM
Yeah, this one is fun indeed.  I am still going through the last bits of it, but it's definitely a fun one.
969  Features / /root / Re: How Metasploit Turned The Tables On Its DDoS Attackers on: February 24, 2009, 09:07:55 PM
Nice! I am glad to see that they got a taste of their own medicine!
970  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Forensics Tools - strap on your util belt on: February 24, 2009, 09:46:35 AM
That's a great list.

I also use foremost for data carving, but I do believe it is included on the Helix CD.

forensicswiki.org has great information.
971  Ethical Hacking Discussions and Related Certifications / OSWP - Offensive Security Wireless Professional / Re: OSCP & OSWP Certification, Topics Coverd and Its benefits on: February 23, 2009, 03:38:34 PM
Thank you much!
972  Ethical Hacking Discussions and Related Certifications / OSWP - Offensive Security Wireless Professional / Re: OSCP & OSWP Certification, Topics Coverd and Its benefits on: February 23, 2009, 07:32:53 AM
Thanks, but I can't seem to find the maintenance information. Does anyone know if you have to re-certify periodically like an IT vendor cert, or is it CPEs you have to maintain like most security certs?
973  Ethical Hacking Discussions and Related Certifications / OSWP - Offensive Security Wireless Professional / Re: OSCP & OSWP Certification, Topics Coverd and Its benefits on: February 21, 2009, 11:22:48 PM
I am thinking about doing the online Pentesting with BackTrack course and possibly going after OSCP certification. I wish I was able to do the live classroom training, but I don't think my boss will pay for it. Does anyone know what the maintenance is like for the certification? Is it the usual 40 hours of CPEs per year, or are you required to re-certify periodically?

974  EH-Net / Calendar Of Events / Re: ShmooCon 2009 on: February 21, 2009, 04:08:19 PM
I wish I could have been there, but I completely missed the registration deadlines (d'oh). Any idea if they are going to be posting videos like in previous years?
975  Ethical Hacking Discussions and Related Certifications / Hardware / Re: USB Write Blocker on: December 11, 2008, 05:45:04 PM
We use the Digital Intelligence ones too. Helix, Raptor, and a couple of other forensics boot discs work very well too. You still have to be careful.

One other we use in case of emergency and as a last option is the USB write-protect option in XP and Vista. You can configure this through Group Policy or the Registry. There is also software that will switch the setting on and off nicely. From what I understand, this method has been used a few times and was accepted in court.
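The Registry route the post mentions, as an added example that is not from the original post or from any tool named on this page: an elevated PowerShell script (assumed file name Set-UsbWriteProtect.ps1) that reports, enables or disables the StorageDevicePolicies\WriteProtect value and re-reads it to confirm the change. It assumes an elevated session, and the value only affects USB mass-storage devices attached after it is set, so the evidence drive must be plugged in afterwards.

```powershell
# Added example, not code from the original post. Toggles the software USB
# write-protect flag: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies,
# REG_DWORD WriteProtect (1 = deny writes to USB mass-storage devices).
# Assumes an elevated PowerShell session. The flag is read when a device is
# enumerated, so attach the evidence drive only after enabling it.
param(
    [ValidateSet('Status', 'Enable', 'Disable')]
    [string]$Action = 'Status'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtect {
    # Returns $true when write protection is on; $false when the key or value is absent
    if (-not (Test-Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    # The key does not exist by default; create it on first use
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $value -Type DWord
    # Re-read the value so the operator has proof the setting took effect
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        throw "Failed to set $ValueName to $value under $KeyPath"
    }
}

switch ($Action) {
    'Status'  { 'USB write protection: ' + $(if (Get-UsbWriteProtect) { 'ON' } else { 'OFF' }) }
    'Enable'  { Set-UsbWriteProtect -Enabled $true;  'USB write protection enabled' }
    'Disable' { Set-UsbWriteProtect -Enabled $false; 'USB write protection disabled' }
}
```

Run it as `.\Set-UsbWriteProtect.ps1 -Action Enable` before attaching the drive, and record the `Status` output alongside the imaging notes, since the registry flag is the only evidence that the write block was in place.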
© 2013 The Ethical Hacker Network