I viewed "Otzi" myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.
Forensics toolkits probe potentially compromised systems while respecting Hippocrates's dictum, "First, do no harm." To forensically probe without altering key systems or data, I suggest turning to Helix. Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems.
Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability
Requires Free Membership to View
SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!
Michael S. Mimoso, Editorial Director
to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using stegonographic methods.
Considering the last documented update of Helix was in October 2006, its writing tools are becoming dated. New obstacles are arising as a result of the challenges posed by Windows Vista's BitLocker's AES-encrypted drive volumes. They create the need for new tools that capture memory states for assessment. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis.
Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.
About the author:
Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.
This was first published in May 2007