SCOTT SIDEL'S DOWNLOADS
Digital forensics tool Helix 'does no harm'
Scott Sidel
04.20.2007
Rating: --- (out of 5)
|
Around 5,300 years ago, a man traveled through the Otz Valley in the Austrian Alps. High up in the icy mountains, he met his death. He laid buried beneath a glacier for millennia, until the melting glacier revealed his body in 1991. Sixteen years later, forensics discovered that the Glacier Mummy (nicknamed "Otzi") had been murdered.
I viewed "Otzi" myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.
Forensics toolkits probe potentially compromised systems while respecting Hippocrates's dictum, "First, do no harm." To forensically probe without altering key systems or data, I suggest turning to Helix. Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems.
Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu f
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
or accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using stegonographic methods.
Considering the last documented update of Helix was in October 2006, its writing tools are becoming dated. New obstacles are arising as a result of the challenges posed by Windows Vista's BitLocker's AES-encrypted drive volumes. They create the need for new tools that capture memory states for assessment. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis.
Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.
Read Sidel's previous article: BackTrack is one forward-thinking penetration testing tool.
About the author:
Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
