Using Helix for Forensics

I had come across Helix - Incident Response & Computer Forensics Live CD by e-fense before, but hadn't done anything with it. I read an article An Introduction to Digital Forensics by BJ Gleason in Linux+DVD 3/2008 and decided to try it. Helix provides an Incident Response, Electronic Discovery, Computer Forensics Live CD. Helix is based on the Knoppix distribution of Linux. A list of the tools available on the CD is available at Incident Response / Forensics Tools. Also see Helix - Forensics Wiki for information regarding tools available on the CD.

The .iso file can be downloaded from The Helix Live CD Page.

After downloading the ISO file, I checked the md5sum of the downloaded .iso file against the one listed on the website, to be sure it hadn't been corrupted during the download. Note that this check only catches corruption: the published digest comes from the same site as the image, and MD5 collisions are practical, so a matching hash does not by itself prove the image is the one e-fense released.

$ md5sum Helix*
1b201c6f044a18b77d77672ec754451d  Helix_V1.9-07-13a-2007.iso

After burning the .iso file to a CD, I verified the disc with md5sum again before ejecting it.

$ md5sum /dev/cdrom
1b201c6f044a18b77d77672ec754451d  /dev/cdrom
$ eject
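As an added example (not from the original article), the two checks above as a small POSIX shell script: compare the downloaded image against the digest published on the site, then compare the burned disc against the image. The disc check reads exactly as many bytes from the device as the image contains, because a burned disc is often padded past the end of the ISO, in which case a plain md5sum of /dev/cdrom reports a mismatch even though every byte of the image was written correctly. The device path, image name and expected digest in the usage comment are placeholders taken from this article.

```sh
#!/bin/sh
# Added example (not part of the original article): verify a downloaded ISO
# and the disc burned from it. Paths and digests below are placeholders.

# verify_image FILE EXPECTED_MD5
# Returns 0 when FILE's MD5 equals EXPECTED_MD5 (case-insensitive), 1 otherwise.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_medium DEVICE IMAGE
# Compares the first size(IMAGE) bytes of DEVICE with IMAGE. Bounding the read
# to the image size avoids the false alarm caused by padding sectors that a
# burner may write after the end of the ISO.
verify_medium() {
    device=$1
    image=$2
    size=$(wc -c < "$image" | tr -d ' ')
    dev_sum=$(head -c "$size" "$device" | md5sum | cut -d' ' -f1)
    img_sum=$(md5sum "$image" | cut -d' ' -f1)
    [ "$dev_sum" = "$img_sum" ]
}

# Typical use (placeholders from the article; adjust device and names):
#   verify_image Helix_V1.9-07-13a-2007.iso 1b201c6f044a18b77d77672ec754451d \
#       && verify_medium /dev/cdrom Helix_V1.9-07-13a-2007.iso \
#       && eject
```

Both functions return a plain exit status, so they chain with && exactly like the manual commands in the article; a failed burn simply stops the chain before eject.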

I booted the system from the Helix boot CD (version 1.9 07-13-2007). I chose GUI from the menu of options, which include the following:

GUI
CONSOLE
Expert Mode
Failsafe
Copy Helix to RAM (Need 1GB+)
Boot with a persistent home
Test CD
--> EXTRA MENU

At the next window, I saw the laptop's hard drive in the upper-left corner of the window, labelled /media/hda1. There was a toolbar at the bottom of the window. Clicking on the leftmost item on the toolbar, a black circular icon, brought up the Helix Menu.

Clicking on the second icon from the left on the toolbar at the bottom of the window opened the Endeavor 2 File Manager. Within that program, I clicked on Device and then Mount to mount the laptop's hard disk, designated hda1 (see Linux Drive Designations for how Linux names the drives in a system). The drive was mounted under /media, and once mounted I could access the files on it. When I double-clicked on an HTML file on the hard disk, it opened in Firefox. Mounting through the file manager like this is convenient for browsing your own laptop, but when the disk is evidence, mount it read-only so that nothing on it is altered while you work.

I mounted a USB thumb drive from a root terminal, opened by clicking on the Root Terminal icon (3rd from the left) on the toolbar at the bottom of the main window. I then issued the following commands to mount the thumb drive and copy a directory from the laptop's hard drive to it (I first stretched the root terminal window wider so the whole command fit on one line and I didn't have to deal with continuation lines). Note: Helix is Linux-based, so file names are case-sensitive; the path you type must match the case on disk exactly.

[root (knoppix)]# mkdir /mnt/usb
[root (knoppix)]# mount /dev/sda1 /mnt/usb
[root (knoppix)]# cp -r "/media/hda1/Documents and Settings/Owner/My Documents/ExampleDir" /mnt/usb/.

After copying the files I wanted, I unmounted the thumb drive with umount /mnt/usb.
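The mount command above takes the kernel's default, which is read-write, and cp -r copies file contents only; that is fine for pulling your own files off a laptop, but not for evidence handling, where the source must not change and the copy must be provably identical. The following added example (not from the original article, and not Helix's or Retriever's code) does the same job the way an examiner would on Helix or any Linux live CD: mount the evidence volume read-only with access-time updates, executables and device nodes disabled, mount the destination normally, copy with cp -a so timestamps and ownership survive, and record an md5sum manifest of the originals that the copy is then checked against. The device names /dev/hda1 and /dev/sda1, the mount points and the directory being copied are placeholders.

```sh
#!/bin/sh
# Added example (not part of the original article): copy a directory off a
# suspect volume onto a USB drive without altering the source, leaving a hash
# manifest beside the copy. Device names and paths are placeholders.

# mount_evidence DEVICE MOUNTPOINT
# Read-only, no access-time updates, nothing executable or device-like honoured.
mount_evidence() {
    mkdir -p "$2"
    mount -o ro,noatime,noexec,nodev "$1" "$2"
}

# mount_target DEVICE MOUNTPOINT -- the destination is the only writable volume.
mount_target() {
    mkdir -p "$2"
    mount -o noatime "$1" "$2"
}

# manifest DIR OUTFILE
# Writes "md5  ./relative/path" lines for every regular file under DIR, sorted
# by path so two manifests of the same tree are directly comparable.
manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 ) > "$2"
}

# acquire SRC_DIR DST_DIR
# Hashes SRC_DIR, copies it into DST_DIR preserving metadata, then verifies the
# copy against the manifest. Returns 0 only if every file checks out. Refuses
# to write over an existing copy so a re-run cannot quietly mix two runs.
acquire() {
    src=$1
    dst=$2
    name=$(basename "$src")
    if [ -e "$dst/$name" ]; then
        echo "acquire: $dst/$name already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$dst"
    manifest "$src" "$dst/$name.md5"
    cp -a "$src" "$dst/$name"
    ( cd "$dst/$name" && md5sum -c "../$name.md5" > /dev/null )
}

# Typical use, mirroring the article's paths (placeholders):
#   mount_evidence /dev/hda1 /media/hda1
#   mount_target   /dev/sda1 /mnt/usb
#   acquire "/media/hda1/Documents and Settings/Owner/My Documents/ExampleDir" /mnt/usb
#   umount /mnt/usb
```

The manifest is computed from the source before the copy and checked against the copy afterwards, so a transfer error or a later modification of the copy shows up as a FAILED line from md5sum -c; keeping the .md5 file next to the copied tree on the thumb drive gives you something to re-check later.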

I tried the Retriever tool, accessed by clicking on the Helix Menu icon on the toolbar at the bottom of the main window, then Forensics, then Retriever. I clicked the Add button and added /media/hda1, and removed /KNOPPIX/usr/local/Retriever 2.0 from the list of paths to be searched. I then clicked the Video button and the Find button to have Retriever search the laptop's hard drive for video files. Be prepared to wait quite a while for the search to complete if you search an entire drive. For a "video" search, Retriever looks for files of type mpeg, wmv, avi, wma, etc. I also discovered that it lists .cur and .ico files in the results of a video search.
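Retriever's video search is a classification by file type. The added example below (not from the article, and not Retriever's code) shows the two things an examiner usually wants from such a search at the command line: find candidates by extension regardless of letter case (the case-sensitivity point noted earlier), and check each candidate's header against the container signature its extension claims, so that a renamed or misnamed file is reported as a mismatch instead of being silently counted. The extension list is limited to the types the article names; the signatures are the RIFF/"AVI " header, the ASF header GUID used by WMV and WMA, and the MPEG program-stream and video sequence start codes.

```sh
#!/bin/sh
# Added example (not part of the original article, not Retriever): list video
# candidates under a directory and flag files whose header contradicts the
# extension. Extend the extension list and signature table as needed.

# list_video DIR -- one path per line, extensions matched case-insensitively
list_video() {
    find "$1" -type f \( -iname '*.mpg' -o -iname '*.mpeg' -o -iname '*.avi' \
        -o -iname '*.wmv' -o -iname '*.wma' \) | sort
}

# magic FILE -- first 12 bytes as lowercase hex with no separators
magic() {
    od -An -tx1 -N 12 "$1" | tr -d ' \n'
}

# classify FILE -- prints the container the header says the file is
classify() {
    m=$(magic "$1")
    case "$m" in
        52494646????????41564920*) echo avi ;;     # "RIFF" <size> "AVI "
        3026b275*)                 echo asf ;;     # ASF header GUID (WMV/WMA)
        000001ba*|000001b3*)       echo mpeg ;;    # MPEG pack header / sequence header
        *)                         echo unknown ;;
    esac
}

# audit DIR -- one line per candidate: "<header type>\t<extension>\t<path>"
audit() {
    list_video "$1" | while IFS= read -r f; do
        ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
        printf '%s\t%s\t%s\n' "$(classify "$f")" "$ext" "$f"
    done
}

# mismatches DIR -- number of candidates whose header disagrees with the extension
mismatches() {
    audit "$1" | awk -F'\t' '
        { want = ($2 == "avi") ? "avi" : ($2 == "wmv" || $2 == "wma") ? "asf" : "mpeg" }
        $1 != want { n++ }
        END { print n + 0 }'
}

# Typical use (placeholder path from the article):
#   audit /media/hda1 | awk -F'\t' '$1 == "unknown"'
```

Run audit over the mounted evidence volume and filter on the first column: "unknown" beside a video extension is a file that is not what its name says, which is exactly the kind of thing a GUI search keyed on extensions alone will not tell you.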