Windows Incident Forensics with Knoppix Helix
Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"
This is pretty cool and all, but I'd really like to see a Knoppix disc with a bunch of anti-spyware stuff on it. Would make my life *much* easier.
Anyone know if they ever got Linux to be able to actually write to NTFS?
Someone should send a link to the CSI producers and try to get a mention of this, some "airtime", on the show.
The Spoon
Updated 6/28/2011
What I would like to see is a Knoppix-based anti-virus for Windows. It would be a lot easier to track down and kill viruses when you're booted into Linux and Windows is NOT running, because then the virus is also not running. A number of viruses actually get worse when you run an anti-virus scan, such as the Chernobyl virus, so it would be beneficial to run an anti-virus while Chernobyl is completely dormant.
... and in the DRM, bind them.
I don't think Microsoft will be endorsing this any time soon, and most Microsoft ITs don't even know that you can use a Linux system to diagnose Windows problems. Unfortunately, this is a case where it's a neat tidbit of information, but don't expect it to gain widespread use until the major news sources do a report on it, a la Firefox and the IE debacle.
War isn't about who's right. It's about who's left.
Witness: I don't know what happened. I was just sitting there typing... when all of a sudden... THE BLUE SCREEN OF DEATH
Detective: Were you running Windows?
Witness: Yes... how did you know that?
Detective: Many, many days of experience, Ma'am.
Detective 2: Yet another case closed!
For some reason there never was a second episode.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
http://www.e-fense.com.nyud.net:8090/helix/
It keeps their server from suffering a slashdot-induced meltdown.
As per dictionary.com
Forensics: "The use of science and technology to investigate and establish facts in criminal or civil courts of law." or
"The art or study of formal debate; argumentation."
Looks like a curious choice of words for a task like this...
...they'll be booting the web server off one of these soon.
Your head a splode
Knoppicillin is what you are looking for. It has been released by the German magazine c't. Unfortunately it is not available for download because it uses two commercial virus scanners and a licensed NTFS driver for Linux.
-------
Warning: Slashdot may contain traces of nuts.
What will be really nice is if we can have read/write support for NTFS. Right now (AFAIK) only read-only support is there. Recently my friend had a virus on his computer and Norton couldn't remove it. So I booted his computer with Knoppix only to find that the filesystem was NTFS and thus I was unable to remove the infected file. NTFS rw support would surely aid in troubleshooting.
The disk cloning tool included in the CD, g4l, looks like a ripoff of g4u, right down to the variable names.
No credit is given to the author of g4u, and he isn't very happy about the situation. More details on his web site.
To me, it seems to set a very poor example when the open source community engages in such blatant intellectual property rights violations.
60,000 of these!
sigs, as if you care.
The only good thing about this site getting Slashdotted, is that the torrent'll get some damn fine seeding.
This shouldn't take too long...
Web Design Tips
> What I would like to see is a Knoppix-based anti-virus for Windows.
The German c't magazine has created such a version, called "KNOPPICILLIN":
http://www.heise.de/ct/03/09/210/
(German description, but if you skip through to the statements in Courier font, you should get the picture)
The Helix distribution is meant to serve a very specific purpose: incident response and gathering evidence. The tools included in the distribution are excellent for both Windows and Linux incident response (i.e. penetration, compromise, etc.). When inserted into a Windows machine, it provides excellent tools for gathering evidence from hardware storage and memory storage. You can also use it in two fashions for Linux incident response: 1) immediate response (just insert the CD and have access to non-compromised programs), and 2) bootable in case the target system has been shut down (a common reaction when an admin finds a server has been compromised). Because it is based on Knoppix, it does a great job at recognizing hardware, including useful tools, etc. With the Helix distribution and a good-sized USB/Firewire external hard drive, you have everything you need to gather critical evidence when a system has been compromised. I have also read the Windows Incident Recovery book. While I found it not very complete (very little discussion of the actual gathering of evidence, and of evidence preservation) it did have some good Windows information. However, the best environment for analysis is Linux because of its open source nature and the capabilities of its included toolsets. If you are interested in this area, I highly recommend the training provided by SANS (http://www.sans.org/) in their Track 8: Systems Forensics. It's expensive, but the information and tools are well worth it.
Hop on the Helix Torrent and saturate my DSL (seriously, I'm only getting 22KiB).
...live Linux discs that do almost the exact same thing. Some do it better, some worse. I like FIRE and Knoppix-STD, I'm giving Whoppix a whirl right now.
Go here, hit Ctrl-F, and search for "forensics" or "recovery" - I think you'll be pleasantly surprised.
A better approach would be the Windows UBCD. Before I came across that, a Linux live CD was the slickest thing since sliced bread. But for fixing broken Windows PCs, this is the best tool I've seen.
You get networking support and a ton of your favorite, trusted tools for diagnosing and repairing just about anything (and some you've never heard of yet, probably). Of course, to top it all off, you build it with your own applications (like a password recovery program) and make this a pretty industrial-strength recovery CD suited for you.
Quack, quack.
Please mod parent "UP" for "Informative".
I also suggest getting the Mozilla extension and search plugin for Coral:
www.scs.cs.nyu.edu/coral/plugins/
Who really cares if it's stolen or not. If you release your code, live with the risks and stop whining.
Be happy someone cared enough about your work to do it.
---- Booth was a patriot ----
Heh, prevent the users from hogging all the ... JPGs ... to themselves.
http://zero-to-enterprise.blogspot.com/
Knoppix STD
Helix:
I have tried out Knoppix STD before and thought it was pretty good so I guess I'll have to test this one out and compare them..
For anyone wanting to know where Knoppix STD is available from: http://knoppix-std.org
Knoppix-STD is more of a set of security tools. It has lots of pentesting tools, a honeypot, AP scanner and WEP cracker for Wi-Fi, Ethereal, etc... basically all the tools a security professional would need...
Helix sounds more like it is geared toward IT people and technicians who are trying to diagnose and/or fix machines, and contains a COMPLETELY different set of tools (including, apparently, tools that run when you insert the disc in Windows, and virus scanning without having to enter Windows).
Well - the German computer magazine c't has published a customized version called "Knoppicillin" three times. You boot in text mode, get the new virus lists via net or disc and scan your Windows disks for viruses. The CD includes the scanners of F-Secure, Kaspersky and Sophos. It also includes Paragon NTFS. Information is here (German).
You would be surprised how big computer forensics is, especially within government agencies. In fact, a quick Google search can show you this.
The FBI has an entire laboratory set up for computer forensics, as a part of their Computer Analysis and Response Team.
The Secret Service has established the Electronic Crimes Special Agent Program (ECSAP), which trains agents to conduct forensic examinations of computers.
Many local police stations are setting up Cyber Crime units.
The National Security Agency (NSA) has a huge program training people for computer forensics.
The United States Department of Justice (DoJ) has a program as well.
The National Science Foundation is setting up a Scholarship For Service program in schools all over the nation to train students to take government positions in the area of computer crime.
In fact, just about every government agency has a cyber crime program. Police units are establishing their own as well.
When you show up to a criminal's home, you have to secure their computer and investigate it in a forensically sound way (or bag and tag it and take it back to the lab where you will be doing a more in-depth investigation.) Forensics tools for Windows are important because a large percentage of responses are on Windows machines (following the market share trend of Windows.) You can't just tear through a system like a bull in a china shop, or you will change timestamps and volatile information, and a good defense will get the criminal off based on the lack of integrity of the investigation. This is why getting a tested and reliable tool that can be demonstrated in court is very important.
Yes, crimes happen on and evidence is located on computers now.
-Child Porn
-Drug runner contact lists
-Pictures of Crimes in-action
-Hacking
-Credit Card fraud
-Online Fraud
-Network Intrusion
-Email exchange detailing crimes
-Electronic warfare
-Cyber-terrorism
to name a few.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I want to tag onto this comment by adding an explanation of why a forensics tool being open source in nature makes it an ideal environment.
In computer forensics, you cannot use just any tool in an investigation. Your goal is not only to obtain a forensically sound investigation of the system (one which allows you to analyze and obtain evidence without changing the system information on the duplicate), but also to obtain this information in such a way that it is admissible in court. Finding all of the evidence in the world will not help you if you cannot put the criminal away.
In the forensics world, there is something called the "Daubert rules" for acceptance for court. This basically tests a forensic tool's reliability and trustworthiness in being used as a form of evidence in court, to assure that the technique doesn't alter or damage the evidence in a way that it should not be admissible in court.
This test looks at, in the case of a forensics tool:
1. whether the theory or technique can be and has been tested
2. whether it has been subjected to peer review and publication
3. the known or potential error
4. the general acceptance of the theory in the scientific community
5. whether the proffered testimony is based upon the expert's special skill
With 2., this becomes much easier if the tool is open source, although it is not impossible with closed source software. With open source, the entire community can review the software and test it, oftentimes free, as many open source tools go.
So, although it does not have to be open source, open source lends itself well to the forensics community.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Yeah, let's use Knoppix when there are plenty of tools: http://www.datarescue.com/ that allow you to diagnose system accesses in conjunction with a multipurpose debugger like: http://www.datarescue.com/idabase/.
Or better yet, let's become aware of our Windows environment and treat it like we treat our *nix environment, locking down services and DCOM as much as is possible.
I can't speak for Knoppix, but I had a live distro called Dynebolic which could write to my Win ME machine without a hitch. I haven't tried it on an XP or Win2k machine however.
Word of caution from someone who has done forensic investigations for several years -- be certain to force 'noswap' when using these self-contained Linux distributions.
Any good investigator does not have to worry about losing their original media (you do have a working copy and write-block on the original, right?) but the working copy may be corrupted by your recovery platform creating arbitrary swap space. Hopefully the latest releases default to a noswap option when in "forensic" mode...
I'm currently enrolled in my final year of an intense computer forensics course, funny the topic of Helix should come up. Our program received a donation of a few dozen copies of Helix customized for us. We've been using it and studying it for a couple weeks now. It's a great tool and includes some networking tools as well. Really I can't say enough about Helix.
piss off
g4l is g4u, sad but true...
So how can you use this thing so that it won't affect the computer it's running on at all? I'd like to just inspect it, not do anything to change it; even if I use a virus scanner I don't want it to change the computer.
You also have the option of using the Network Security Toolkit, which is based on Fedora Core 2, and is available here: http://www.networksecuritytoolkit.org/nst/index.html
They've just released an update, v1.2.0.
http://shit.slashdot.org/article.pl?sid=04/11/26/1624215
Whether it makes sense or not to use open source software in computer forensics is irrelevant. When you go to court with evidence and findings they are very, very strict on what they will likely allow as admissible. Unfortunately, for anything that goes to court I have to use industry-standard, Windows-based EnCase... although we are using OS tools as well to try and help establish a track record to alleviate the problem.
There's some really good info at sleuthkit.org if you're interested in the value of OS forensics tools.
Avast.com has a Knoppix disk setup with a Windows virus scan on the disk, among other useful things. Unfortunately it is a big-bucks item, but very appropriate and useful for sysadmins.
"It is a greater offense to steal men's labor, than their clothes"
Actually, it is very much not irrelevant because EnCase, despite its bells and whistles, is not the end-all forensics tool.
:)
You might also consider a program like iLook, which is free to government and law-enforcement agencies, assuming that you are not an independent forensics analyst.
There are many forensics programs besides EnCase which are acceptable in court, many new ones of which I have been trained to use over the last three or four months, and many which have been available for a while. In fact, EnCase will not do everything that some of these other tools (which are admissible in court) will, although it is a nice and useful program in its own right. I don't know who gave you the impression that EnCase is the only court-admissible source of evidence recovery because I can tell you from experience that is incorrect, at least for the entities that I am familiar with... so I suppose I should ask for more details on your specific situation. I have seen a multitude of tools (used by entities such as the Secret Service, the FBI, and local police CyberCrime units, and even a team from NASA) in practice. There has been a move to use other tools such as iLook because in some cases, EnCase is prohibitively expensive or cannot handle the specific incident.
I understand the value because I have got to see them in practice. (Although I do appreciate your providing a link because others could benefit from the site as well)
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
That might be true on a single home computer where you are trying to track down intrusions while having no intention of pursuing the matter legally.
However, in the forensics world, you have to acquire evidence in a forensically-sound way that does not change system settings or alter volatile data. When dealing with digital evidence, you have special considerations that you do not want to alter any of the evidence (such as date stamps) or you cannot use that evidence in court, and you must also prove that you didn't alter the system in a way that it produces false evidence. (This is tantamount to tainted DNA)
For this, something like Knoppix is great. Not only that, it is tested and admissible in court. If something does not meet the Daubert Federal Rules of Evidence, it means squat in court. So, while boutique tools might be the right tool for the job if you just plan to plough through and only get a few pieces of evidence to satisfy immediate needs, if you plan on prosecuting, you have to approach things differently.
So, perhaps not the "best" method as far as a standalone "get it done" incident response goes (although this is a matter of opinion more than anything else), but when you're dealing with the forensics world and criminal prosecution, there are all sorts of invisible hoops that one must jump through.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Although I mostly agree with you, I hate for people to get the wrong impression of computer forensics. Computer forensics in particular doesn't just stop at the tools, and you are correct in that it isn't terribly difficult to plug in a tool and hit the enter key. The "real" forensics analysis, however, begins after you use these tools.
I mean, the best tools in the world can pull potential evidence from a machine, but I have yet to see one that can interpret it. That is where the 'forensics abilities' come in. Not just anyone can do a forensics analysis well.
But yes, forensics is used a little broadly for my tastes as well. However, the poster insinuated that computer (specifically Windows) based forensics was a silly notion. I submit that computer crime, although dealing with electrons, is just as involved as traditional forensics, only we have our own version of DNA, revealing letters, robbery crime scenes, etc... It just wears a different hat.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Do you have any comments/opinions on EnCase? http://www.guidancesoftware.com/
Expensive stuff. Just wondering whether it'd be worth it, and if so, for what situations?
They've got stuff that does hardware write blocking. Using that might look better in court when making copies of evidence. I dunno how well "Your Honour/M'lord, I swear I used knoppix 2 noswap" holds up in court.
> and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems
Luckily the Incident Response and Forensics Analysts (to whom this seems to be directed) do know that you can use a Linux live CD to boot up the computer and mount the suspect drive (read only) to make a copy of it using dd if the machine is off when they arrive. It is an industry practice. This is just another potential tool to add to the toolkit.
However, you are correct in asserting that the standalone systemadmin might not know about these sort of tools. However, now those that read Slashdot are informed, and so bit by bit the information spreads.
Also, most of the system administrators I know do not get their system administration tools information from "major" news sources like CNN. Most of them get their information through searches created by need, trade magazines, word-of-mouth, or places like Slashdot. I could go back to my own program and spread this link if I were so inclined, and a fair amount of future forensics and security professionals would then know about this tool, and perhaps pass it along wherever they go. The news of these tools reaches a fair amount of the audience for which it was intended.
A product does not need Microsoft endorsement to be successful, especially in these boutique fields such as forensics where Microsoft is not even a player.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I mentioned EnCase here, but gave no details.
I have used EnCase, among other toolkits. While it is a fine program and has lots of bells and whistles, it cannot do everything that some of the cheaper forensics suites can do, and vice versa. I also did not find its interface quite as intuitive. It really depends on your intended application for it. If you are working for a company and would like something in place for network-based intrusion response, EnCase Enterprise is set up for that. However, if you are looking at work as a forensics analyst, there are other tools out there that are a bit more budget-friendly that are also admissible in court, some of which do a better job in certain areas. EnCase is indeed prohibitively expensive for some people so, if you work for a government or law enforcement agency where budget is an issue, I suggest first checking out iLook because it is free to those agencies. There are other programs such as Foremost that you might want to look at as well, as it is quite handy in looking at header information. FTK is about (not quite) the same as EnCase or iLook, but is a cheaper version. However, if you have the budget for it, EnCase does have its place in the forensics world (I am not completely put off by it) and is indeed the most widely accepted forensics tool that I am aware of.
Some programs handle pulling up JPGs really well, some pull hidden images embedded in other images well, some do text string searches really well...
Like I said, it really depends on what you're wanting.
I went into some detail about EnCase the last time a forensics suite was brought up in a front page story, but since I do not currently have a subscription, I cannot conveniently bring up the links to those comments, although I am sure they could be found with a little searching. However, if you have any specific questions, feel free to email me at dexterpexter@gCOWmail.com [minus the herbivore] and I can try answering any questions you might have.
(As a side note, forensics analysts do use Knoppix CDs in live responses. Ideally, you would do so with witnesses. If you arrive at a machine that is off, you use a live CD to boot up the computer and mount the suspect drive (read only) to make a copy of it using dd. This is your "working copy" that the actual investigation is done on. You should never perform an investigation on the original subject machine.)
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
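The acquisition workflow the comments above describe (write-blocked original, dd working copy, read-only mount, and the earlier caution about noswap and never touching the original) as an added example; this is not code from any poster or from the Helix project. It assumes a POSIX shell with dd and sha256sum (or shasum); the "suspect device" is a constructed file so the script runs offline, and the mount command is printed rather than executed because it needs root.

```shell
#!/bin/sh
# Added example (not from any comment in this thread): acquire a working copy of a
# suspect volume with dd and prove afterwards that the copy matches the original.
# SRC is a constructed file standing in for /dev/sdX behind a hardware write
# blocker; the flow is identical when SRC is a real block device.

# sha256_of FILE: print the SHA-256 digest; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST: raw sector copy, then hash both sides and record the
# image hash next to the image. Returns 0 only when the two digests agree.
acquire_image() {
    src=$1
    dest=$2
    # conv=noerror,sync keeps reading past bad sectors and zero-fills them instead of
    # aborting; bs=512 makes the padding granularity one sector. Because sync pads a
    # final short block, the source must be a whole number of sectors for the hashes
    # to match, which is always true of a real disk.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dest")
    # Keep the acquisition hash alongside the image so it can be re-verified later.
    printf '%s  %s\n' "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: recompute the digest and compare with the one recorded at
# acquisition time. Any later change to the working copy makes this fail.
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || return 1
    stored=$(cut -d' ' -f1 "$img.sha256")
    current=$(sha256_of "$img")
    [ "$stored" = "$current" ]
}

# readonly_mount_cmd IMAGE MOUNTPOINT: the mount invocation an analyst would run on
# the working copy. ro blocks writes, noatime states the no-access-time intent
# explicitly, noexec keeps anything on the evidence from running, loop mounts the
# file. Printed rather than executed because mounting requires root.
readonly_mount_cmd() {
    printf 'mount -o ro,noatime,noexec,loop %s %s\n' "$1" "$2"
}

# make_sample PATH: build a constructed 64-sector "disk" so the script runs offline.
# The OEM ID "NTFS    " at byte offset 3 is where a real NTFS boot sector carries it.
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'NTFS    ' | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
}

# Stand-alone demonstration: sh acquire.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample "$work/suspect.raw"
    acquire_image "$work/suspect.raw" "$work/evidence.dd" && echo "acquisition verified"
    readonly_mount_cmd "$work/evidence.dd" /mnt/evidence
    rm -rf "$work"
fi
```

Run the analysis against the image file only; re-running verify_image before and after each session gives you a record that the working copy was not altered in between.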
Start on the right side, follow the wide diagonal greenery halfway up, go right to into the narrow parking lot (past red car to end of lot), zoom for the round blue bicycle-crossing sign on this side of the brick road. To the right of the thin fir trees and blue round sign, you'll see the "ghost".
There's another artifact-human further to the right, which may be the same guy, frozen earlier in time.
I can't find the URL, but there is a whole slew of government reports on forensic copying tools. (I'm a private investigator, among other things, so the reports were immediately relevant in my line of work.)
They were official reports on the results of copying various file systems under various loads and conditions (ext2, ext3, FAT16 and 32, NTFS, etc), and went into great detail on how well they worked.
Several versions of dd were used, but the overall winner (from my initial readings) was the dd that came with FreeBSD (can't remember the exact version). Most others did really well, but only that dd tool was able to faithfully copy NTFS volumes.
I've been working on trying to follow up so I can be prepared in case a client ever needs those services--so far, none has, but it's just a matter of time.
Never confuse movement with action. --Hemingway