Windows Incident Forensics with Knoppix Helix
Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"
This is pretty cool and all, but I'd really like to see a Knoppix disc with a bunch of anti-spyware stuff on it. Would make my life *much* easier.
Anyone know if they ever got Linux to be able to actually write to NTFS?
If you have a system that's already infected and spewing out gobs of spam etc., then an extra couple of minutes monitoring and identifying the running processes/folders in use etc. will save a large amount of time compared to panicking and shutting it down instantly.
As per dictionary.com
Forensics: "The use of science and technology to investigate and establish facts in criminal or civil courts of law." or
"The art or study of formal debate; argumentation."
Looks like a curious choice of words for a task like this...
You'd be amazed just how many Microsoft ITs read slashdot. I'm one, and I just added this very useful set of tools to my armoury. I'm also going to make sure as many of my peers know about it as possible too. I think I might pass a couple of links and some information over to "The Register" or "The Inquirer" and see if they'll pick it up for a little more exposure (At least for UK based techs).
Just don't expect the poor overworked low-level techs to be looking into its use. They're all too busy firefighting virus and spyware outbreaks.
People that believe in their opinions don't post AC.
The main problem with scanning for viruses with an infected machine is that the antivirus program may be infected with a virus itself and that may interfere with its ability to find or disinfect that same virus it is also infected with. It is always best to scan for viruses using a known clean setup, such as a bootable floppy or bootable CDROM, to do the scanning.
What would be really nice is if we could have read/write support for NTFS. Right now (AFAIK) only read-only support is there. Recently my friend had a virus in his computer and Norton couldn't remove it. So I booted his computer with Knoppix only to find that the filesystem was NTFS and thus I was unable to remove the infected file. NTFS rw support would surely aid in troubleshooting.
The disk cloning tool included in the CD, g4l, looks like a ripoff of g4u, right down to the variable names.
No credit is given to the author of g4u, and he isn't very happy about the situation. More details on his web site.
To me, it seems to set a very poor example when the open source community engages in such blatant intellectual property rights violations.
What kind of troll is this? I'm a contract IT guy, I work on all sorts of stuff, and this is really helpful to me too (the other being the poster right above me). I'm posting this from my Powerbook, and my desktop computers have Windows and Linux. Not everyone here solely uses Linux... in fact, I'll bet that a major portion of the traffic here is from Windows.... Don't judge lest ye be judged...
Get a c't subscription (German, Dutch); you get an up-to-date Knoppix + scanner once every couple of months. It's called "Knoppicillin". You could have gotten your first one and a half years ago.
I suppose complaining to your favourite computer-related monthly about their ridiculous oversight in not copying this concept might help. That is, if you stay away from the "Screenshots, colors and windows for kids" magazines. On the months there isn't a bootable Knoppix waiting on your doorstep you will have to make do with such stuff as an Oracle database, a service pack (which Microsoft refuses to let people redistribute) and always the latest kernel.
If you have no need for these you will have to make do with investigative journalism, benchmarks that are early but impartial and, at least in the Dutch case, an overview of the worst lawmaking idea "for an internetworked world" of the month (EU patent "reform", passport biometrics, "traffic data" retention, internet tapping) researched and written by lawyers rather than bloggers... All ideas worthy of copying in other magazines, I would think.
Who needs Microsoft endorsing any of these anyway? Security professionals need forensics tools, this one looks nice, and could get nicer even with a small community.
You know, it's not always all about beating Microsoft or taking the lead on any market. Sometimes you just need a tool.
Knoppix-STD is more of a set of security tools. It has lots of pentesting tools, a honeypot, AP scanner and WEP cracker for Wi-Fi, Ethereal, etc... basically all the tools a security professional would need...
Helix sounds more like it is geared toward IT people and technicians who are trying to diagnose and/or fix machines, and contains a COMPLETELY different set of tools (including, apparently, tools that run when you insert the disc in Windows and virus scanning w/o having to enter Windows).
A piece of software which fulfils the requirements listed in the parent post, as well as enabling you to perform many other useful functions is available and has been for some time.
It is essentially a Windows version of Knoppix, i.e. a Windows boot cd, and is named Bart's Preinstalled Environment (BartPE) after the creator Bart (really?!) Lagerweij.
The software enables you to create a bootable cd from a Windows XP/Server 2003 setup disk. A very simple module functionality has been implemented, so that hundreds of third party modules are now available covering a huge scope of useful (and not so useful) programs including Ad-Aware and several anti-virus programs.
As the homepage so rightly says "being an Admin is hard enough...", and I can say from experience that this does make clearing up infected Windows computers a whole lot easier and safer. Especially with the prevalence of particularly evil spyware and viruses which are almost impossible to remove while the host system is actually running.
Just my £0.02...
and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems
/. is really the one essential news source, particularly for anything that has to do with Windows problems. This seems to hold true from Melissa on.
Some of us do. I'm sure I'm far from being the only one.
For some of us,
I don't think Microsoft will be endorsing this any time soon
Microsoft is unlikely to endorse anything that doesn't further its vendor lock-in.