Windows Incident Forensics with Knoppix Helix
Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"
this is pretty cool and all, but I'd really like to see a Knoppix disc with a bunch of anti spyware stuff on it. Would make my life *much* easier.
Anyone know if they ever got Linux to be able to actually write to NTFS?
You'd be amazed just how many Microsoft ITs read slashdot. I'm one, and I just added this very useful set of tools to my armoury. I'm also going to make sure as many of my peers know about it as possible too. I think I might pass a couple of links and some information over to "The Register" or "The Inquirer" and see if they'll pick it up for a little more exposure (At least for UK based techs).
Just don't expect the poor overworked low-level techs to be looking into its use. They're all too busy firefighting virus and spyware outbreaks.
People that believe in their opinions don't post AC.
The main problem with scanning for viruses with an infected machine is that the antivirus program may be infected with a virus itself and that may interfere with its ability to find or disinfect that same virus it is also infected with. It is always best to scan for viruses using a known clean setup, such as a bootable floppy or bootable CDROM, to do the scanning.
What will be really nice is: if we can have read write support for NTFS. Right now (AFAIK) only read only support is there. Recently my friend had a virus in his computer and Norton couldn't remove it. So I booted his computer with Knoppix only to find that the filesystem was NTFS and thus I was unable to remove the infected file. NTFS rw support would surely aid in troubleshooting.
The disk cloning tool included in the CD, g4l, looks like a ripoff of g4u, right down to the variable names.
No credit is given to the author of g4u, and he isn't very happy about the situation. More details on his web site.
To me, it seems to set a very poor example when the open source community engages in such blatant intellectual property rights violations.
Knoppix-STD is more of a set of security tools. It has lots of pentesting tools, a honeypot, AP scanner and wep cracker for Wifi, etherreal, etc...basically all the tools a security professinal would need...
Helix sounds more like it is geared toward IT people and technicians who are trying to diagnose and/or fix machines, and contains a COMPLETELY different set of tools (including, apparantly, tools that run when you insert the disc in Windows and virus scanning w/o having to enter windows)