Slashdot Mirror
Windows Incident Forensics with Knoppix Helix
Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"
Anyone know if they ever got Linux to be able to actually write to NTFS?
Yeah you can write to NTFS now.
http://www.e-fense.com.nyud.net:8090/helix/
It keeps their server from suffering a slashdot-induced meltdown.
When I had Mandrake 9.0, it found my XP NTFS and was reading and writing to it with no problem.
Friends help you move...
REAL Friends help you move dead bodies... ^_^
A magazine bundled exactly this:
Knoppix with two virus scanners: C't (computer technic Dutch edition) so i guess the German edition had it the month before. Ask your favorite computer magazine to put it on their bundled CD too.
That's the only "safe" way to write. There's some expirimental code that's almost guaranteed to fubar the whole filesystem if you use it to much.
Thats just the kernel filesystem driver, though, you can access NTFS via window's own NTFS.SYS driver.
I don't need no instructions to know how to rock!!!!
If you look at the list of included software, it lists 2 antivirus scanners.
Helix does this, as do many other live Linux cds geared toward forensics and system recovery.
Look at the included apps list, f-prot and clamav are both included, and quite capable of detecting Windows viruses.
Pay more attention.
One of my custom Knoppix discs had the Captive NTFS project installed with it. I've used it quite a few times without a problem.
It's available here: http://www.jankratochvil.net/project/captive/
The Helix distribution is meant to serve a very specific purpose: Incident response and gathering evidence. The tools included in the distribution are excellent for both Windows and Linux incident response (i.e. penetration, compromise, etc). When inserted into a Windows machine, it provides excellent tools for gathering evidence from hardware storage and memory storage. You can also use it in two fashions for Linux incident response: 1) Immediate response (just insert the CD have access to non-compromised programs), and 2) bootable in case the target system has been shutdown (a common reaction when an admin finds a server has been compromised). Because it is based on Knoppix, it does a great job at recognizing hardware, including useful tools, etc. With the Helix distribution, and good sized USB/Firewire external harddrive, you have everything you need to gather critical evidence when a system has been compromised. I have also read the Windows Incident Recovery book. While I found it not very complete (very little discussion of the actual gathering of evidence, and discussion of evidence preservation) it did have some good Windows information. However, the best environment for analysis is Linux because of the open source nature, and the capabilities of its included toolsets. If you are interested in this area, I highly recommend the training provided by SANS (http://www.sans.org/) in their Track 8: Systems Forensics. Its expensive, but the information and tools are well worth it.
There is a way to get read/write support for NTFS now. It uses the real NTFS.SYS driver. Here it is: Captive
(\(\
(^v^)
(")")
This is the cute vorpal bunny virus, copy to your sig or runaway, runaway in fear!
The Gnoppix live-CD (based on Ubuntu) writes to NTFS out of the box (but like other posters have mentioned, it's not quite "safe").
...live Linux discs that do almost the exact same thing. Some do it better, some worse. I like FIRE and Knoppix-STD, I'm giving Whoppix a whirl right now.
Go here, hit Ctrl-F, and search for "forensics" or "recovery" - I think you'll be pleasantly surprised.
A better approach would be the Windows UBCD. Before I came across that a Linux live cd was the slickest thing since sliced bread. But for fixing broken Windows PC's, this is the best tool I've seen.
You get networking support and a ton of your favorite, trusted tools for diagnosing and repairing just about anything (and some you've never heard of yet probaby). Of course to top it all off you build it with your own applications (like a password recovery program) and make this a pretty industrial strength recovery cd suited for you.
Quack, quack.
Knoppix STD
Helix:
I have tried out Knoppix STD before and thought it was pretty good so I guess I'll have to test this one out and compare them..
For anyone wanting to know where Knoppix STD is available from: http://knoppix-std.org
You would be suprised how big computer forensics is, especially within government agencies. In fact, a quick Google Search can show you this.
The FBI has an entire laboratory set up for computer forensics, as a part of their Computer Analysis and Response Team.
The Secret Service has established the Electronic Crimes Special Agent Program
(ECSAP), that trains agents to conduct forensic examinations of computers.
Many local police stations are setting up Cyber Crime units.
The National Security Agency (NSA) has a huge program training people for computer forensics.
The United States Department of Justice (DoJ) has a program as well.
The National Science Foundation is setting up a Scholarship For Service program in schools all over the nation to train students to take government positions in the area of computer crime.
In fact, just about every government agency has a cyber crime program. Police units are establishing their own as well.
When you show up to a crimminal's home, you have to secure their computer and investigate it in a forensically-sound way (or bag and tag it and take it back to the lab where you will be doing a more in-depth investigation.) Forensics tools for Windows are important because a large percentage of responses are on Windows machines (following the market share trend of Windows.) You can't just tear through a system like a bull in a china shop, or you will change timestamps and volatile information, and a good defense will get the crimminal off based on the lack of integrity of the investigation. This is why getting a tested and reliable tool that can be demonstrated in court is very important.
Yes, crimes happen on and evidence is located on computers now.
-Child Porn
-Drug runner contact lists
-Pictures of Crimes in-action
-Hacking
-Credit Card fraud
-Online Fraud
-Network Intrusion
-Email exchange detailing crimes
-Electronic warfare
-Cyber-terrorism
to name a few.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I want to tag onto this comment by adding an explanation of why a forensics tool being open source in nature makes it an ideal environment.
In computer forensics, you cannot use just any tool in an investigation. Your goal is not only to obtain a forensically-sound investigation of the system (one which allows you to analyze and obtain evidence without changing the system information on the duplicate), but also to obtain this information in such a way that it is admissible in court. Finding all of the evidence in the world will not help you if you cannot put the crimminal away.
In the forensics world, there is something called the "Daubert rules" for acceptance for court. This basically tests a forensic tool's reliability and trustworthiness in being used as a form of evidence in court, to assure that the technique doesn't alter or damage the evidence in a way that it should not be admissible in court.
This tests looks at, in the case of a forensics tool:
1. whether the theory or technique can be and has been tested
2. whether it has been subjected to peer review and publication
3. the known or potential error
4. the general acceptance of the theory in the scientific community
5. whether the proffered testimony is based upon the expert's special skill
With 2., this becomes much easier if the tool is open source, although it is not impossible with closed source software. With open source, the entire community can review the software and test it, oftentimes free, as many open source tools go.
So, although it does not have to be open source, open source lends itself well to the forensics community.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Word of caution from someone who has done forensic investigations for several years -- be certain to force 'noswap' when using these self-contained Linux distributions.
Any good investigator does not have to worry about losing their original media (you do have a working copy and write-block on the original, right?) but the working copy may be corrupted by your recovery platform creating arbitrary swap space. Hopefully the latest releases default to a noswap option when in "forensic" mode...
You also have the option of using the Network Security Toolkit, which is based on Fedora Core 2, and is available here: http://www.networksecuritytoolkit.org/nst/index.ht ml
They've just released an update, v1.2.0.