NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

NCIRC Security Tools NIAPC Submission Summary “HELIX Live CD”

Document Reference: Security Tools Internal NIAPC Submission NIAPC Category: Computer Forensics Date Approved for Submission: 24-04-2007 Evaluation/Submission Agency: NCIRC Issue Number: Draft 0.01

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

TABLE of CONTENTS

1 Product ...... 3 2 Category ...... 3 3 Role ...... 3 4 Overview...... 3 5 Certification ...... 3 6 Company...... 3 7 Country of Origin ...... 3 8 Web Link ...... 3 9 Product Description...... 3 10 Product Requirements...... 5 11 Limitations...... 5 12 Evaluation/Review Conclusions/Comments ...... 5

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET Page 2 of 5

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

1 Product HELIX Live CD version 1.8.

2 Category Computer Forensics.

3 Role Multiple forensic capabilities, including data acquisition, analysis and reporting.

4 Overview Helix is a bootable CD originally based upon Knoppix, with an emphasis on Incident Response & Computer Forensics.

5 Certification This product has not undergone certification.

6 Company E-fense Inc.

7 Country of Origin USA.

8 Web Link http://www.e-fense.com/helix/.

9 Product Description Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows “autorun” side for Incident Response and Forensics.

Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques.

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET Page 3 of 5

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

Figure 1: HELIX Boot Screen

The Helix CD contains among others the following programs: a) sleuthkit : Brian Carrier's replacement to TCT. b) autopsy : Web front-end to sleuthkit. c) mac-robber : TCT's graverobber written in C. d) fenris : debugging, tracing, decompiling. e) wipe : Secure file deletion. f) MAC_Grab : e-fense MAC time utility. g) AIR : Steve Gibson Forensic Acquisition Utility. h) foremost : Carve files based on header and footer. i) fatback : Analyze and recover deleted FAT files. j) md5deep : Recursive md5sum with db lookups. k) sha15deep : Recursive sha1sum with db lookups. l) dcfldd : dd replacement from the DCFL. m) sdd : Specialized dd w/better preformance. n) PyFLAG : Forensic and Log Analysis GUI. o) Faust : Analyze elf binaries and bash scripts. p) e2recover : Recover deleted files in ext2 file systems. q) Pasco : Forensic tool for Internet Explorer Analysis. r) Galleta : Cookie analyzer for Internet Explorer. s) Rifiuti : "Recycle BIN" analyzer. t) Bmap : Detect & Recover data in used slackspace. u) Ftimes : A toolset for forensic data acquisition. v) chkrootkit : Look for rootkits. w) rkhunter : Rootkit hunter. x) ChaosReader : Trace tcpdump files and extract data. y) lshw : Hardware Lister. z) logsh : Log your terminal session (Borrowed from FIRE). aa) ClamAV : ClamAV Anti Virus Scanner. bb) F-Prot : F-Prot Anti Virus Scanner. cc) 2 Hash : MD5 & SHA1 parallel hashing. dd) glimpse : Indexing and query system. ee) Outguess : Stego detection suite.

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET Page 4 of 5

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET

ff) Stegdetect : Stego detection suite. gg) Regviewer : Windows Registry viewer. hh) Chntpw : Change Windows passwords. ii) Grepmail : Grep through mailboxes. jj) logfinder : EFF logfinder utility. kk) linen : EnCase Image Acquisition Tool. ll) Retriever : Find pics/movies/docs/web-mail. mm) Scalpel : Carve files based on header and footer.

10 Product Requirements Bootable CD has its own OS, when used for live acquisition, Windows systems are supported. Helix needs lots of RAM and a x86 architecture (Intel, AMD, etc.). You need a Pentium class computer with at least 128MB RAM (although it will work – to some degree – with 48MB RAM).

Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques.

11 Limitations Some Linux / command-line work experience is required. The live option for imaging the hard drive / memory of the system has the usual limitations, e.g. if the machine to be inspected is potentially infected with a kernel-level rootkit.

NITC approval must be sought for use of as this application as inappropriate and misconfigured software can cause severe network infrastructure degradation and data loss.

12 Evaluation/Review Conclusions/Comments Helix works very well, and certainly has the advantage that it can also be used (albeit for a limited number of tasks, e.g. acquiring RAM or partitions/disks) on "live" Windows systems. Since it is based on Knoppix, it is relatively easy to use the CDROM to install (on hard disk) the basis for an investigation system. Though an upgrade of a lot of the tools should be done afterwards (using apt- get), it has the advantage of being a very good starting base. A (NATO-/Nation-/NC3A-/...)- maintained customized version of the CD is certainly an option to investigate (as with the other Live CDs).

NATO UNCLASSIFIED RELEASABLE TO THE INTERNET Page 5 of 5