Digital forensics tool Helix 'does no harm'


Digital forensics tool Helix 'does no harm'

Around 5,300 years ago, a man traveled through the Otz Valley in the Austrian Alps. High up in the icy mountains, he met his death. He laid buried beneath a glacier for millennia, until the melting glacier revealed his body in 1991. Sixteen years later, forensics discovered that the Glacier Mummy (nicknamed "Otzi") had been murdered.

I viewed "Otzi" myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.

Forensics toolkits probe potentially compromised systems while respecting Hippocrates's dictum, "First, do no harm." To forensically probe without altering key systems or data, I suggest turning to Helix. Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems.

Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using stegonographic methods.

Considering the last documented update of Helix was in October 2006, its writing tools are becoming dated. New obstacles are arising as a result of the challenges posed by Windows Vista's BitLocker's AES-encrypted drive volumes. They create the need for new tools that capture memory states for assessment. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis.

Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.

  • Read Sidel's previous article: BackTrack is one forward-thinking penetration testing tool.

    About the author:
    Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.

    This was first published in May 2007

  • Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.