Digital forensics tool Helix 'does no harm'

Forensics isn't just for the scientists. This month, contributor Scott Sidel recommends Helix, a digital forensics tool that can do some important detective work on your system.

Around 5,300 years ago, a man traveled through the Otz Valley in the Austrian Alps. High up in the icy mountains, he met his death. He laid buried beneath a glacier for millennia, until the melting glacier revealed his body in 1991. Sixteen years later, forensics discovered that the Glacier Mummy (nicknamed "Otzi") had been murdered.

I viewed "Otzi" myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.

For more information on digital forensics

Feds are seeking new digital forensics tools. Executive Editor Dennis Fisher explains why. 

Learn more about the "CSI" approach to information security.
Forensics toolkits probe potentially compromised systems while respecting Hippocrates's dictum, "First, do no harm." To forensically probe without altering key systems or data, I suggest turning to Helix. Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems.

Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using stegonographic methods.

Considering the last documented update of Helix was in October 2006, its writing tools are becoming dated. New obstacles are arising as a result of the challenges posed by Windows Vista's BitLocker's AES-encrypted drive volumes. They create the need for new tools that capture memory states for assessment. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis.

Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.

  • Read Sidel's previous article: BackTrack is one forward-thinking penetration testing tool.

    About the author:
    Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.

  • Dig Deeper on Security operations and management

    Enterprise Desktop
    Cloud Computing