Slashdot Mirror


Windows Incident Forensics with Knoppix Helix

Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"

12 of 156 comments

  1. CSI appearance... by jdray · · Score: 3, Interesting

    Someone should send a link to the CSI producers and try to get a mention of this some "airtime" on the show.

    --
    The Spoon
    Updated 6/28/2011
    1. Re:CSI appearance... by Creepy+Crawler · · Score: 2, Interesting

      That's just to scare the small-time criminals who don't know or actually think this crap can happen.

      Hell, after knowing what I know about fingerprints, I doubt they're really that effective. A smear with 12 points of identification can say it's you, even when it could be someone else entirely.

      Or how they can take DNA samples from any surface, no matter how long ago it WAS there. 1 year, no-problemo.

      The show is glorified "|-| A > 0 R" (haxxor) logic.

      --
    2. Re:CSI appearance... by Ford+Prefect · · Score: 3, Interesting

      i.e.: having their forensics guy take a 320x200-ish video surveillance snapshot and enhancing it to see the bad guy in a reflection from someone's eyeball, etc...

      Kind of like this? ;-)

      I've heard of some very impressive computer forensics (I think these guys are the acknowledged experts in the UK, even if their poetry is awful), but I've also heard of some seriously cack-handed investigation, filling hard disks with irrelevant files. Something like a semi-automated Knoppix thing could be highly beneficial for some, but anything with any real legal weight would have to be done by a proper specialist...

      --
      Tedious Bloggy Stuff - hooray?
    3. Re:CSI appearance... by Anonymous Coward · · Score: 1, Interesting

      I have a friend who is a crime scene investigator, who has confirmed that fingerprints can be:

      a) tested to see whether they're fingerprints or not (as opposed to having been made with an alginate or silicon fingerprint "mold" and vegetable oil)

      b) can be lifted from underwater, provided a certain surface (presumably "glassy enough")

      c) Can often be identified even when smudged.

      also: (this surprised him, but I googled for a man with no fingerprints) Men can be identified by palms when necessary.

      try this: put fingerprints on your local window/drinking glass/shotglass. With that same finger, smudge it. Human tendency is to smudge it with a bare hand, leaving a smudge with a finger / handprint visible at the last point of contact.

  2. Knoppix Anti-Virus? by StarWreck · · Score: 3, Interesting

    What I would like to see is a Knoppix-based anti-virus for Windows. It would be a lot easier to track down and kill viruses when you're booted into Linux and Windows is NOT running, because then the Virus is also not running. A number of viruses actually get worse when you run an anti-virus scan, such as the Chernobyl virus, so it would be beneficial to run an anti-virus while Chernobyl is completely dormant.

    --
    ... and in the DRM, bind them.
    1. Re:Knoppix Anti-Virus? by Zorilla · · Score: 2, Interesting

      My question is: don't most virus scanners offer a scan-on-boot option that runs it while Windows is still at the text console during bootup? Or does the Chernobyl virus retaliate when you do so much as update your definitions before said scan?

      --
      It would be cool if it didn't suck.
  3. To those that matter, don't mind. by sglider · · Score: 4, Interesting

    I don't think Microsoft will be endorsing this any time soon, and most Microsoft ITs don't even know that you can use a Linux system to diagnose Windows problems. Unfortunately, this is a case where it's a neat tidbit of information, but don't expect it to gain widespread use until the major news sources do a report on it, a la Firefox, and the IE debacle.

    --
    War isn't about who's right. It's about who's left.
  4. Re:Anti-Spyware by MagiGraphX · · Score: 2, Interesting

    In the latest 2.6, you can write to NTFS, but it's just not trustworthy, at least, for me.

  5. Re:NTFS read write support would be advantageous. by DogDude · · Score: 3, Interesting

    Not just advantageous, but necessary. Honestly, who uses FAT anymore these days? It's horribly slow, 100% insecure, inefficient as hell with drives much larger than a few hundred meg, and unreliable.

    --
    I don't respond to AC's.
  6. Re:Forensics and security are very different by AndyFewt · · Score: 2, Interesting

    Yeh I know Knoppix-STD has a lot more than just security tools but it was easier to generalize it like that. Pentesting, honeypots, scanners, wepcrackers etc could come under the title of "security tools".

    Although looking at Helix's list of tools it does have what looks like the same sort of things as Knoppix-STD. Even their little bit of blurb on the front page seems to be copied from Knoppix-STD.

  7. Re:Anti-Spyware by Mattcelt · · Score: 3, Interesting

    OTOH, disabling writing is the best thing you can do with this if you want to have your evidence admissible in court. Anything which could tamper with the state of the drive after the user/cracker/process/etc. has finished with it can very easily make the courts (in the U.S. anyway, don't know about elsewhere) consider it contaminated evidence and therefore inadmissible.

    That's why professional digital forensics kits (the worthwhile ones, that is) will actually make a bit-for-bit copy of the suspect drive without the possibility of changing a thing.

    Be careful - digital forensics (just like regular forensics) is a lot harder than they make it look on TV. Google for "chain of custody" if you want to see how hard it can be...
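The acquisition discipline Mattcelt describes (never write to the suspect drive, take a bit-for-bit copy, and be able to prove later that nothing changed) can be shown in a few dozen lines. The script below is an added example; it is not code from the page, from the commenter, or from the Helix/Knoppix project, and the file names, the `EXAMINER-PLACEHOLDER` identity and the constructed "suspect drive" are all made up for the demonstration. It images a source file read-only, hashes the source stream and the written image independently, refuses to overwrite an existing image, appends a JSON-lines custody record, and then shows that a single byte altered after acquisition fails verification. Opening the source read-only restrains only this process; the hardware write blocker a real kit uses is what stops everything else from touching the drive.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB blocks: a large image never has to fit in memory


def hash_stream(f):
    """SHA-256 over everything readable from an open binary file object."""
    h = hashlib.sha256()
    for block in iter(lambda: f.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire_image(source, dest, log_path, examiner="EXAMINER-PLACEHOLDER"):
    """Copy `source` into `dest` byte for byte, hash both sides, append a custody record.

    The source is opened read-only so this program cannot alter it (a real acquisition
    still sits behind a hardware write blocker). `dest` is opened with "x" so an
    existing image is never overwritten by mistake.
    """
    h = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
    source_hash = h.hexdigest()

    # Read the written image back independently; it must hash identically to the source stream.
    with open(dest, "rb") as img:
        image_hash = hash_stream(img)
    if image_hash != source_hash:
        raise RuntimeError("image hash differs from source hash; acquisition is not trustworthy")

    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder identity, not a real person
        "source": source,
        "image": dest,
        "bytes": total,
        "sha256": source_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:  # append-only custody log, one JSON line per event
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, record):
    """True only if the image still has the size and SHA-256 recorded at acquisition."""
    if os.path.getsize(image_path) != record["bytes"]:
        return False
    with open(image_path, "rb") as img:
        return hash_stream(img) == record["sha256"]


def make_constructed_source(path):
    """Write a small constructed stand-in for a suspect drive (not a real disk image)."""
    sector = bytearray(512)
    sector[510:512] = b"\x55\xaa"  # boot-sector signature, purely cosmetic here
    data = bytes(sector) + b"note.txt: meet at the usual place\x00" * 3 + bytes(1024)
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest(), len(data)


def demo(workdir=None):
    """Acquire the constructed source, verify the image, then show that one changed byte is detected."""
    workdir = workdir or tempfile.mkdtemp(prefix="helix-imaging-demo-")
    paths = {k: os.path.join(workdir, v) for k, v in
             {"source": "suspect.raw", "image": "suspect.dd", "log": "custody.jsonl"}.items()}
    expected_hash, expected_len = make_constructed_source(paths["source"])
    record = acquire_image(paths["source"], paths["image"], paths["log"])
    verified_before = verify_image(paths["image"], record)

    # Simulate the contamination the comment warns about: a single byte altered after acquisition.
    with open(paths["image"], "r+b") as img:
        img.seek(512)
        img.write(b"X")
    verified_after = verify_image(paths["image"], record)

    return {
        **paths,
        "hash_matches_source": record["sha256"] == expected_hash,
        "size_matches_source": record["bytes"] == expected_len,
        "verified_before_tamper": verified_before,
        "verified_after_tamper": verified_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the custody record fields plus `verified_before_tamper: true` and `verified_after_tamper: false`. The hash is what ties the image to the custody log: anyone who later touches the image, deliberately or by mounting it read-write, breaks the match, which is exactly the contamination problem the comment raises.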

  8. There is more than just EnCase by dexterpexter · · Score: 2, Interesting

    Actually, it is very much not irrelevant because EnCase, despite its bells and whistles, is not the end-all forensics tool.

    You might also consider a program like iLook, which is free to government and law-enforcement agencies, assuming that you are not an independent forensics analyst.

    There are many forensics programs besides EnCase which are acceptable in court, many new ones of which I have been trained to use over the last three or four months, and many which have been available for a while. In fact, EnCase will not do everything that some of these other tools (which are admissible in court) will, although it is a nice and useful program in its own right. I don't know who gave you the impression that EnCase is the only court-admissible source of evidence recovery because I can tell you from experience that is incorrect, at least for the entities that I am familiar with... so I suppose I should ask for more details on your specific situation. I have seen a multitude of tools (used by entities such as the Secret Service, the FBI, and local police CyberCrime units, and even a team from NASA) in practice. There has been a move to use other tools such as iLook because in some cases, EnCase is prohibitively expensive or cannot handle the specific incident.

    I understand the value because I have got to see them in practice. (Although I do appreciate your providing a link because others could benefit from the site as well) :)

    --
    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."