I viewed "Otzi" myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.
Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using stegonographic methods.
Considering the last documented update of Helix was in October 2006, its writing tools are becoming dated. New obstacles are arising as a result of the challenges posed by Windows Vista's BitLocker's AES-encrypted drive volumes. They create the need for new tools that capture memory states for assessment. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis.
Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.
About the author:
Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.
This was first published in May 2007