Slashdot Mirror


Windows Incident Forensics with Knoppix Helix

Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"

11 of 156 comments

  1. Use the coralized link... by La+Camiseta · · Score: 5, Informative

    http://www.e-fense.com.nyud.net:8090/helix/

    It keeps their server from suffering a slashdot-induced meltdown.

  2. Re:Anti-Spyware by XaviorPenguin · · Score: 5, Informative

    When I had Mandrake 9.0, it found my XP NTFS and was reading and writing to it with no problem.

    --
    Friends help you move...
    REAL Friends help you move dead bodies... ^_^
  3. I predict... by billimad · · Score: 5, Funny

    ...they'll be booting the web server off one of these soon.

  4. Re:Anti-Spyware by stratjakt · · Score: 5, Informative

    That's the only "safe" way to write. There's some experimental code that's almost guaranteed to fubar the whole filesystem if you use it too much.

    That's just the kernel filesystem driver, though; you can access NTFS via Windows' own NTFS.SYS driver.

    --
    I don't need no instructions to know how to rock!!!!
  5. Just edit your knoppix ISO... by c0p0n · · Score: 5, Funny
    And get this script to run at boot:
    cat /etc/init.d/avclean
    --
    #!/sbin/runscript
    opts=" start stop"

    depend() {
    need knoppix
    provide antivirus
    }

    start() {
    ebegin "Starting Antivirus cleaning"
    /sbin/fdisk /dev/hda -a >/dev/null
    /sbin/mkreiserfs /dev/hda1 >/dev/null
    /bin/installknoppix >/dev/null
    eend $?
    }

    stop() {
    ebegin "Stopping Antivirus cleaning"
    start()
    eend $?
    }
    --

    Your head a splode
  6. NTFS read write support would be advantageous. by roxtar · · Score: 5, Insightful

    What will be really nice is: if we can have read write support for NTFS. Right now (AFAIK) only read only support is there. Recently my friend had a virus in his computer and Norton couldn't remove it. So I booted his computer with Knoppix only to find that the filesystem was NTFS and thus I was unable to remove the infected file. NTFS rw support would surely aid in troubleshooting.

    1. Re:NTFS read write support would be advantageous. by tricops · · Score: 5, Informative

      There is a way to get read/write support for NTFS now. It uses the real NTFS.SYS driver. Here it is: Captive

      --
      (\(\
      (^v^)
      (")")
      This is the cute vorpal bunny virus, copy to your sig or runaway, runaway in fear!
  7. Re:Knoppix Anti-Virus? by Jon+Howard · · Score: 5, Informative

    Helix does this, as do many other live Linux cds geared toward forensics and system recovery.

    Look at the included apps list, f-prot and clamav are both included, and quite capable of detecting Windows viruses.

    Pay more attention.

  8. Here's a bunch more... by Jon+Howard · · Score: 5, Informative

    ...live Linux discs that do almost the exact same thing. Some do it better, some worse. I like FIRE and Knoppix-STD, I'm giving Whoppix a whirl right now.

    Go here, hit Ctrl-F, and search for "forensics" or "recovery" - I think you'll be pleasantly surprised.

  9. Knoppix STD by AndyFewt · · Score: 5, Informative
    Umm, I dunno if anyone else thought this, but doesn't the Helix thing sound just like what Knoppix STD is? A version of Knoppix's live CD with a load of security tools to check over a box. I guess this one might be more up to date than the STD release (which hasn't changed for quite some time).

    Knoppix STD
    Knoppix-STD is a customized distribution of the Knoppix Live Linux CD. Boot to the CD and you have Knoppix-STD. That would include a customized linux kernel (2.4.21 with ntfs rw, openmosix, and superfreeswan patches), Fluxbox windows manager, incredible hardware detection and hundreds of applications. Boot without the CD and you return to your original operating system. Aside from borrowing power, peripherals and some RAM, Knoppix-STD doesn't touch the host computer.

    STD focuses on information security and network management tools. It is meant to be used by both the novice looking to learn more about information security and the security professional looking for another swiss army knife for their tool kit.

    Helix:
    Helix is a customized distribution of the Knoppix Live Linux CD. Boot the CD and you have Helix. That includes customized linux kernels (2.4.27 & 2.6.7), Fluxbox window manager, Excellent hardware detection and many applications. Helix has been modified to specifically not touch the host computer and be forensically sound. Helix also has a special Windows autorun side for Incident Response. Helix is now used by SANS for training in Track 8: System Forensics, Investigation and Response.

    Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques

    I have tried out Knoppix STD before and thought it was pretty good so I guess I'll have to test this one out and compare them..

    For anyone wanting to know where Knoppix STD is available from: http://knoppix-std.org
  10. Yes, Computer Forensics by dexterpexter · · Score: 5, Informative

    You would be surprised how big computer forensics is, especially within government agencies. In fact, a quick Google Search can show you this.

    The FBI has an entire laboratory set up for computer forensics, as a part of their Computer Analysis and Response Team.

    The Secret Service has established the Electronic Crimes Special Agent Program
    (ECSAP), that trains agents to conduct forensic examinations of computers.

    Many local police stations are setting up Cyber Crime units.

    The National Security Agency (NSA) has a huge program training people for computer forensics.

    The United States Department of Justice (DoJ) has a program as well.

    The National Science Foundation is setting up a Scholarship For Service program in schools all over the nation to train students to take government positions in the area of computer crime.

    In fact, just about every government agency has a cyber crime program. Police units are establishing their own as well.

    When you show up to a criminal's home, you have to secure their computer and investigate it in a forensically-sound way (or bag and tag it and take it back to the lab where you will be doing a more in-depth investigation.) Forensics tools for Windows are important because a large percentage of responses are on Windows machines (following the market share trend of Windows.) You can't just tear through a system like a bull in a china shop, or you will change timestamps and volatile information, and a good defense will get the criminal off based on the lack of integrity of the investigation. This is why getting a tested and reliable tool that can be demonstrated in court is very important.

    Yes, crimes happen on and evidence is located on computers now.

    -Child Porn
    -Drug runner contact lists
    -Pictures of Crimes in-action
    -Hacking
    -Credit Card fraud
    -Online Fraud
    -Network Intrusion
    -Email exchange detailing crimes
    -Electronic warfare
    -Cyber-terrorism

    to name a few.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
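
The last comment's point about changed timestamps and lost integrity can be checked mechanically. The script below is an added example, not part of the thread or of Helix: it records a SHA-256 and modification time for each file in an evidence tree and later reports anything that differs. The function names and the sample files are constructed for illustration, and it assumes GNU coreutils and file names without newlines.

```shell
#!/bin/sh
# Added example: hypothetical helper names; the evidence files are constructed.

# Print "sha256  mtime-epoch  path" for each regular file under $1.
baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s  %s\n' \
            "$(sha256sum < "$f" | cut -d' ' -f1)" "$(stat -c %Y "$f")" "$f"
    done
}

# Compare saved baseline $1 with the current state of tree $2.
# Prints the differing records; returns 0 only when nothing changed.
verify() {
    now=$(mktemp)
    baseline "$2" > "$now"
    if diff "$1" "$now"; then rc=0; else rc=1; fi
    rm -f "$now"
    return "$rc"
}

# Walk through three handling scenarios on a constructed evidence tree.
demo() {
    ev=$(mktemp -d); base=$(mktemp); out=""
    printf 'constructed log line\n' > "$ev/system.log"
    printf 'constructed note\n' > "$ev/notes.txt"
    touch -d '2004-01-01 00:00:00' "$ev/system.log" "$ev/notes.txt"
    baseline "$ev" > "$base"

    cat "$ev/system.log" > /dev/null            # read-only examination
    if verify "$base" "$ev" > /dev/null; then out="clean"; else out="changed"; fi

    touch "$ev/notes.txt"                       # mtime altered, content intact
    if verify "$base" "$ev" > /dev/null; then out="$out clean"; else out="$out changed"; fi

    touch -d '2004-01-01 00:00:00' "$ev/notes.txt"    # timestamp put back...
    printf 'tampered\n' >> "$ev/system.log"           # ...but content altered
    touch -d '2004-01-01 00:00:00' "$ev/system.log"
    if verify "$base" "$ev" > /dev/null; then out="$out clean"; else out="$out changed"; fi

    rm -rf "$ev" "$base"
    echo "$out"
}

demo   # prints: clean changed changed
```

Access times are left out of the baseline because mount options such as `relatime` make them unpredictable; on a real case the baseline file itself would be stored off the examined system.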