.

Helix - Live Linux Distro for Forensics

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Mar 03, 2006 1:15 pm

Helix - Live Linux Distro for Forensics

There are a few cool things about Helix:

  • As the title of this post indicates, this is a bootable, live linux CD. It is a heavily modified version of Knoppix.
  • It is specifically for forensics and incident response. For this reason, such features as never using swap space are always on. This distro is also updated every 3 months to stay current.
  • In addition to a bootable CD, it can also be used as a Windows application.

The quote below and much more can be found in their document, Helix for Beginners.

Helix operates in two different modes – Windows and Linux.

Helix is a forensically sound bootable Linux environment much like Knoppix, but a whole lot more. The “other side” of Helix, a Microsoft Windows executable feature, contains approximately 90 MB of incident response tools for Windows. The rationale behind this was that a majority of incidents require interaction with a live Windows system, the dominant operating system in the computer market.


For the whole scoop:
http://www.e-fense.com/helix/index.php

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

jimbob

Post Mon Aug 14, 2006 9:17 am

Re: Helix - Live Linux Distro for Forensics

It's also worth pointing out that as well as being a bootable Linux CD, it also provides tools for forensics on a Live windows system. A top notch contribution to the digital forensic world.

Along with all the tools are plenty of documentation, and it's very focused on preserving evidence and chain of custody. This is built for LEOs to collect data you can present in court (insert all the relevant caveats here). I keep a copy in my jacket for special occasions ;)
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Aug 14, 2006 2:29 pm

Re: Helix - Live Linux Distro for Forensics

I've used Helix quite a bit and the way it logs every action your perform makes it most valuable. The only complaint I would have is that is that it will not automount usb sticks and often will not have the correct video drivers available when booting to linux.
<<

LSOChris

Post Mon Aug 14, 2006 4:52 pm

Re: Helix - Live Linux Distro for Forensics

any interest in a tutorial on this?  i have some content around here somewhere...
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Aug 14, 2006 4:53 pm

Re: Helix - Live Linux Distro for Forensics

Hell Yeah!!

You are a machine, my friend!

Don
CISSP, MCSE, CSTA, Security+ SME
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Tue Aug 15, 2006 11:32 am

Re: Helix - Live Linux Distro for Forensics

[quote=oleDB]The only complaint I would have is that is that it will not automount usb sticks [/quote]
I wouldn't consider using a distro for forensic purposes if it would automount anything. A system has no way to differentiate between an USB Stick that I want to image from another one that I'd like to use as a storage medium, so I think it's the right way to do that by hand.

I think it is a strong pro for that distro that automount is disabled in Helix.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Aug 15, 2006 12:18 pm

Re: Helix - Live Linux Distro for Forensics

Thats a good point, however automounting in read only mode would save somebody from making the mistake of mounting in write mode, which is more common then you would think.
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Tue Aug 15, 2006 12:37 pm

Re: Helix - Live Linux Distro for Forensics

If you want to image a drive you don't have to mount it anyway, so I think that shouldn't be a problem even for not so skilled people (or these that are possibly too lazy to take care of what they are doing)

BTW, even when you mount a drive read-only sometimes that may change the content that way that a hash before and after mounting will not match any more. It depends on what filesystem is on the drive, if it's some kind of journaling file system parts of the journal can change without writing to the drive.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Aug 15, 2006 2:10 pm

Re: Helix - Live Linux Distro for Forensics

pcsneaker wrote:If you want to image a drive you don't have to mount it anyway, so I think that shouldn't be a problem even for not so skilled people (or these that are possibly too lazy to take care of what they are doing)

I'm guessing you mean the opposite of what you wrote. Automounting in R/O saves a step and reduces errors, which is why so much of the initial info gathering and imaging in forensics is automated and scripted. It lends to repeatability and accuracy.

pcsneaker wrote:BTW, even when you mount a drive read-only sometimes that may change the content that way that a hash before and after mounting will not match any more. It depends on what filesystem is on the drive, if it's some kind of journaling file system parts of the journal can change without writing to the drive.


I'm not aware of linux writing to a drive mounted in r/o. Has that ever happened to you? I know it occurs on Windows, which is why most people running encase on windows use hardware write blockers.
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Wed Aug 16, 2006 12:23 am

Re: Helix - Live Linux Distro for Forensics

I mean exactly what I said.

To image a drive you don't have to mount it. Neither with encase nor any other tool like dd or others you need to mount a drive to get an image from it, so no write blocker is needed.

Yes, I saw that. After having read somewhere that it could happen I tried it with an USB pendrive with ext3 filesystem on it. The content of the filesystem as such is not altered, but obviously some changes in the journal (don't exactly know what, perhaps some update of timestamps in the journal) happens so that the hash does not match any more. It's not a problem for the data but you would have to explain what has happened in case that you have to present it in court.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Aug 16, 2006 8:33 am

Re: Helix - Live Linux Distro for Forensics

To do anything with an image in Encase and Autopsy/Sleuthkit it has to be mounted. There's more to it obviously then just taking an image.

If you have the time, can you send me some links/papers that talk about Linux writing to a r/o mounted drive. I'm very interested in that, I would like to know in what specific circumstances that happens, as I have never had the md5 hashes not match when using helix or encase. I don't doubt it, obviously theres a big market for hardware write blockers, I just haven't seen it on Linux ever. I'm guessing then that its the hash of the entire image an not specific files/partitions?
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Wed Aug 16, 2006 11:20 am

Re: Helix - Live Linux Distro for Forensics

To do anything with an image in Encase and Autopsy/Sleuthkit it has to be mounted. There's more to it obviously then just taking an image.


I think there is a misunderstanding. To work with an already taken image in Autopsy/Sleuthkit you have to mount the image, that's right. But in that case there is no problem, it's sufficient to set the image file read only to prevent any change.

But to get the image - and that's what I was talking about - there is no need to mount the original drive (the source) so the source is under no circumstances altered by the process of taking the image.

Thats two completely different things, prevent the source from being altered by the imaging process and on the other hand taking care that the image which has already been taken will not be altered by the analysis.

An in Encase you do not mount the image, you just add it to a case. Encase takes care that the image is not altered by the analysis, so that way it is even not necessary to set the image file read only (though it does not hurt).
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

jimbob

Post Wed Aug 16, 2006 11:24 am

Re: Helix - Live Linux Distro for Forensics

Hi,
At a guess some journalled filesystems drivers may be replay the journal regardless of whether it's been mounted read-only. I would imagine that this would be considered a bug since it is so counter intuitive to the whole idea of mounting read-only.

On the other hand you may support the idea that for the sake on integrity the journal should be replayed regardless of how it is mounted. I'd consider this course of action faulty and I'd suprised if it happens. If it does, open source kernels such Linux as used by Helix could be 'fixed' for the purposes of forensic use.

Mounting any primary evidence media, even in read only mode, is really bad form in my book unless there is no other option available. In UNIX/Linux you should read an image from the raw device...

$ dd if=/dev/sda of=evidence_image

If windows can't do this without mounting the device then image the it on a *nix system and import the image file into EnCase, FTK etc. for analysis.

Jim
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Aug 16, 2006 12:35 pm

Re: Helix - Live Linux Distro for Forensics

yes, I was only referring to mounting the image not the original device. In most cases you can never work on the original drive it has to be sealed and locked away, unless its has to stay in production.

When you add an image to a case file in case, that is the same effect as mounting it as r/o. It makes the file system accessible to encase in read only fashion.

Which fs use journaling like what you referred to? My experience is limited to only ext/ntfs. I really want to learn more about this, in case I run into it.
<<

jimbob

Post Wed Aug 16, 2006 4:31 pm

Re: Helix - Live Linux Distro for Forensics

Again I'm making another guess but consider commands that act upon filesystems that are not mounted, the obvious one being fsck. You don't mount the filesystem but it potentially changes the raw data. Perhaps technologies such as LVM and software RAID are incapable of mounting a filesystem without modifiying the data on disk if not the files on the filesystem.

No answers, no references, just ideas at this stage. I'll do more digging.

Jim
Next

Return to Forensics

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software