Helix 3 - Computer Forensic Live Cd
Helix3 is a live CD for doing computer forensic investigation and incident response. It is built on top of Ubuntu and comes in both free and commercial forms. This article will cover working with the free Helix Live CD. You can download the live CD from: -fense.com/store/index.php?_a=viewProd&productId=11
Also, it is important to note that these categories can get blurred at times depending on the skill set of the staff, the lab conditions, availability of equipment, existing laws, and contractual obligations. For example, tablets without SIM cards are considered to be computers, so they would need computer forensics tools and not mobile forensics tools.
bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).
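An added example (not bulk_extractor's own code) of the scanning approach described above: it sweeps a raw byte buffer for e-mail addresses, URLs and card-number candidates, applies the Luhn check that bulk_extractor uses to discard false-positive card numbers, and reports each hit with its byte offset, the way a feature file does. The sample buffer and its values are constructed.

```python
# bulk_extractor-style feature scanner (added example, not bulk_extractor's code):
# find e-mail addresses, URLs and Luhn-valid card numbers in a raw byte buffer,
# reporting each hit with its byte offset, like one feature file per type.
import re
from collections import defaultdict

# Deliberately simple patterns; bulk_extractor's real scanners are stricter.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_%?&=+-]+"),
    # 13-19 digits, optionally separated by single spaces or dashes
    "ccn": re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which bulk_extractor uses to drop false-positive CCNs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(buf: bytes) -> dict:
    """Return {feature: [(offset, value), ...]} for every hit in buf."""
    hits = defaultdict(list)
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            value = m.group(0).decode("ascii", "replace")
            if name == "ccn":
                value = re.sub(r"[ -]", "", value)
                if not luhn_ok(value):
                    continue  # digit run that fails Luhn: not a card number
            hits[name].append((m.start(), value))
    return dict(hits)

# Constructed sample "image": text fragments surrounded by binary filler.
SAMPLE = (b"\x00" * 16
          + b"contact: alice@example.com see http://example.com/login "
          + b"card 4111 1111 1111 1111 bogus 1234 5678 9012 3456"
          + b"\xff" * 8)

if __name__ == "__main__":
    for feature, items in scan(SAMPLE).items():
        for offset, value in items:
            print(f"{feature}\t{offset}\t{value}")
```

The second digit run in the sample is dropped by the Luhn check even though it matches the pattern, which is exactly the false-positive filtering the tool relies on.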
DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.
Helix3 Pro is only available through the e-fense forum. Become a member of the e-fense Forum to get support and learn from e-fense experts and other users of the number one computer forensic tool used by law enforcement, government agencies and computer forensic experts around the world. For only $239* a year the Forum membership includes:
Helix is a live response digital forensics toolkit. It comes in the form of a CD which the investigator puts into the computer. This CD is loaded with different digital forensic tools to help the investigator, and it has features similar to FTK Imager and WinHex. Helix is made by the company e-fense, which is dedicated to creating tools for forensic investigators and has many clients in government, corporate business, the legal system, and investigations.

Helix has two different aspects to it. The first is a toolkit that lets the user do many different things through a very simple user interface. The user can get the system information, which includes the name of the computer, the user name, the network it is attached to, and the running processes. This is useful because the user can review all the processes from within Helix rather than opening another piece of software. Helix can also acquire a live image of the system and send it to an attached hard drive, internal or external, or across the network to a different location, which is helpful when the image should go to another computer that is already on the same network. Helix has another area called "Incident Response" with three main features. The first is a link to forensic tools such as Windows Forensic Toolkit (WFT). The second is the ability to take MD5 hash values of any file the user chooses. The user can also take screen captures to record what they are doing in case the matter goes to court. Lastly, this tab lets the user view passwords and the internet history of a computer. Helix also has areas for scanning pictures and a built-in file browser, which can take an MD5 hash value of any file whenever the user wishes.

Helix's second aspect is the Linux Ubuntu environment loaded on the disk. When the computer is restarted, Helix boots a live session of Ubuntu rather than the operating system installed on the computer. This version of Ubuntu is very close to default, but it carries a few tools to help the forensic investigator: Adepto, Autopsy, a hex editor, a hash calculator, EnCase LinEn, and a password file cracker. Helix also depends heavily on another tool in a digital forensic investigator's kit: the write blocker. When a file is opened or a program is installed, the operating system "writes" to the hard drive that these actions were taken. When the operating system writes to the hard drive, bits on the drive change, and the evidence is then considered tampered with. Write blockers stop this from happening, so Helix can look through the computer and obtain forensic evidence that can be presented in court. Write blockers may be physical devices that the hard drive is attached to, or a piece of software such as SAFE Block.

A video showing Helix 3, done by certified ethical hacker and cyber security professional Charles Tendell.
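An added example, not Helix's own code, of the integrity practice behind the MD5 feature and the write-blocker discussion above: every acquired file is hashed into a manifest (MD5, as Helix records, plus SHA-256 because MD5 alone is collision-prone), and a later re-verification reports exactly which file changed. The sample image, its contents and the single-byte modification are constructed; `demo()` is a hypothetical driver.

```python
# Evidence hash manifest (added example, not Helix's own code): record MD5 and
# SHA-256 of every acquired file, then re-verify to catch any later write.
import hashlib
import os
import tempfile

def hash_file(path: str) -> dict:
    """Stream the file through MD5 (what Helix records) and SHA-256 (MD5 is collision-prone)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def build_manifest(root: str) -> dict:
    """Map each file under root (by relative path) to its hashes."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def verify_manifest(root: str, manifest: dict) -> list:
    """Return (path, reason) for every file that is modified, missing or new."""
    current = build_manifest(root)
    problems = [(rel, "missing") for rel in manifest if rel not in current]
    problems += [(rel, "modified") for rel, h in manifest.items()
                 if rel in current and current[rel] != h]
    problems += [(rel, "new file") for rel in current if rel not in manifest]
    return problems

def demo() -> tuple:
    """Constructed scenario: hash a sample image, flip one byte, re-verify."""
    root = tempfile.mkdtemp()
    img = os.path.join(root, "disk0.dd")
    with open(img, "wb") as fh:
        fh.write(b"\x00" * 512 + b"sample image data" + b"\x00" * 512)
    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)   # nothing changed yet
    with open(img, "r+b") as fh:               # the write a blocker would prevent
        fh.seek(600)
        fh.write(b"X")
    return before, verify_manifest(root, manifest)
```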
During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics. This list includes notable examples of digital forensic tools.
Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.
Mobile forensics tools tend to consist of both a hardware and a software component. Mobile phones come with a diverse range of connectors, so the hardware devices support a number of different cables and perform the same role that a write blocker does for computers.
Helix is an Ubuntu live CD customized for computer forensics. Helix has been designed very carefully not to touch the host computer in any way, and it is forensically sound. Helix will not auto-mount swap space or any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Downloading of the live CD is only provided as a complement to membership in the e-fense members-only forum. An unsupported, older, no-cost version is available as well. For downloads and more information, visit the Helix homepage.
Marvin is a forensic examiner with R3 Digital Forensics. His experience includes criminal investigations and digital forensic analysis in matters involving theft of trade secrets, computer and e-mail spying, murder, crimes against children, and fraud. Marvin has over 10 years of experience in digital forensics investigations and in the handling and examination of digital evidence. He is licensed by the State of Texas as a Master Peace Officer and serves as a full-time Police Detective in the Digital Forensics Unit for a major metropolitan police department.
Marvin was licensed as a Texas Peace Officer in December 1996. Marvin has served as a detective in the Financial Crimes Unit and the High Tech Crimes Unit. As a detective in these units, Marvin routinely investigated complex crimes involving computers such as Breach of Computer Security and email tracing. In May 2007 Marvin transferred to the Digital Forensics unit and remains there as a digital forensic examiner. Marvin has testified as an expert in numerous criminal cases including cases at the municipal, state, and federal levels.
Cyber Forensics is defined as the process of gathering and documenting proof from a computing device, using investigation and analysis techniques, in a form that will be admissible in court. Cyber Forensics is also known as Digital Forensics or Computer Forensics. The term digital forensics was originally used as a synonym for computer forensics but has expanded its range to the complete investigation of all digital devices.
Cyber Forensics aims to determine the person responsible for the illegal activity that has taken place, followed by proper documentation of the evidence during the investigation.
2. Identification
This forensic process step records details such as what type of evidence was present, where the evidence was found, and in what format it was stored. Evidence may include electronic storage media like personal computers, mobiles, CDs, DVDs, etc.
X-Ways Forensics is also a disk and data capture tool. It provides a commercial digital forensics platform for Windows and is resource-efficient. It has a special feature capable of running off a USB Stick useful for live acquisition. The company also offers a sparse version of the platform known as X-Ways Investigator.
AccessData Forensic Toolkit (FTK) also falls under disk and data capture tools. It provides a commercial digital forensics platform that brags about its analysis speed. It performs upfront indexing, speedy analysis of forensic artifacts, and claims to be the only forensic platform to leverage multi-core computers fully.
Wireshark is the most widely used network traffic analysis tool. It can capture live traffic or ingest a saved capture file. It has various protocol dissectors and has a user-friendly interface, making it easier to inspect the contents of traffic capture and search for forensic evidence within it.
HELIX3 is a live CD-based digital forensic suite created to be used during incident response. It comes with several open-source digital forensic tools such as hex editors, data carving tools, and password cracking tools. This tool can collect data from network connections, physical memory, scheduled jobs, the Windows registry, internet history, applications, chat logs, screen captures, and drivers. It then analyzes and reviews the collected data and compiles the results into reports.