Computer security forensics can get pretty detailed and pretty involved. In fact, it’s almost always best left to the professionals. Even your standard, run-of-the-mill IT professional can get called into court to testify regarding evidence gathered at a scene. When it comes down to justice, you might not want to be the one that gets the blame for a case being dismissed through contamination of evidence.
There are two rules to computer forensics that I’ve heard:
- Don’t touch it.
- If you touched it, document everything (how it was before you touched it, date modified, what changes you made, when you touched it, etc. Everything!)
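As an added illustration of the second rule (this is example code, not part of the original post or of Helix), the script below records a file's size, timestamps and SHA-256 before and after a handling step and logs exactly which recorded fields changed; the examiner name, paths and sample file are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def now():
    return datetime.now(timezone.utc).isoformat()


def snapshot(path):
    """Record what an examiner should write down before touching a file.
    stat() is taken first: reading the file to hash it may itself bump atime."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return {"size": st.st_size, "mtime": utc(st.st_mtime), "atime": utc(st.st_atime),
            "ctime": utc(st.st_ctime), "sha256": h.hexdigest()}


def document_action(path, action, examiner):
    """Run action(path) and return a log entry: who, when, the state before
    and after, and exactly which recorded fields differ."""
    before, started = snapshot(path), now()
    action(path)
    after = snapshot(path)
    return {"examiner": examiner, "path": os.path.abspath(path),
            "started": started, "finished": now(), "before": before, "after": after,
            "changed": {k: (before[k], after[k]) for k in before if before[k] != after[k]}}


def demo():
    """Constructed scratch file handled twice: once modified, once only read."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.bin")
    with open(path, "wb") as f:
        f.write(b"constructed sample evidence")

    def append_byte(p):  # a handling step that alters the evidence
        with open(p, "ab") as f:
            f.write(b"\x00")

    def read_only(p):  # a handling step that merely reads it
        with open(p, "rb") as f:
            f.read()

    return document_action(path, append_byte, "examiner-1"), document_action(path, read_only, "examiner-1")


if __name__ == "__main__":
    for entry in demo():  # print both log entries as JSON
        print(json.dumps(entry, indent=2))
```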
Helix provides a live CD that is feature-rich for incident response. But just because you have a pipe wrench, it doesn’t make you a plumber. Similarly, just because you have some security tools, it doesn’t make you a certified computer security forensics professional. If you’re going to make a case for something with the evidence available, you might want to investigate your options first. Otherwise, if you’re just trying to analyze a machine for the fun of it or see what information you can gather, Helix is a great tool to play around with.
Helix comes as one CD with two different functionalities:
- A CD chock full of Windows-friendly, freeware security utilities.
- A Linux live CD so that the hard drive is untouched, but the system can be accessed.
When you start up Helix on a running Windows computer (or it auto-runs), you’ll first be greeted by a nice big warning. Basically, it wants to tell you that the tools you are running can make (and technically already have made) changes to the system. Assuming this is what you want to do, choose your language and accept.
Along with computer information gathering utilities, the CD has three pages of Incident Response tools. Everything from templates for your documentation to a lot of cool tools is on this CD. Some utilities, like the NetCat listener, are designed to be run from other computers that can see the suspect machine across the network.
Some of the other tools available on the Helix CD are very informative and help you paint a picture of what the computer has been doing recently. As a small sample, one utility called USBDeview provides a nice interface to list all the USB devices plugged into the computer and information regarding each connection. You can get the date and time the connection was created, the serial number of the device, and a lot more information. iPods, iPhones, external hard drives, mice, flash drives: they all show up on this list, as you can see in this screenshot.
Another sample of the many utilities on this CD comes in the form of WinAudit. This utility gathers a lot of system information in terms of hardware, software, and BIOS version, and presents it in a pretty simple-to-understand interface. You can gather a lot of info in one place with this tool and then save it to an Excel spreadsheet, PDF, text file, or a few other formats.
Now the Linux live CD part for me would not load, so I can’t cover that part in depth. I don’t know if it was a problem with video drivers or something, but it would usually crash right after the login screen for me. Perhaps if someone has had better luck, they can add some comments as to how it worked for them and what it offers.
Even without the live CD component, Helix offers a great compilation of security-related tools that might come in handy more often than you’d think. The company is shifting away from a free model and plans to launch a pro version of their Helix3 product. In order to get Helix3, you have to register, and then you’ll get access to the download.
The pro version of the CD is set to launch April 5th. View more about registration information from e-fense.