Monday, December 19, 2005

Helix 1.7 is out!

Did you get the message? Neither did I. Helix is an awesome Linux bootable CD for incident response and forensics. On top of being a great bootable CD, it has an excellent Windows incident response side to it. Sort of a Dr. Jekyll and Mr. Hyde type of thing. It is bizarre to me that such a nice update didn't get any fanfare. The Helix site doesn't even state that 1.7 is available. The forum mentions it and the changelog is updated, but the download page doesn't state the version or publish an updated file hash, so there is nothing to verify the ISO against.

The update has highlights on both the Linux and the Windows side. On Linux, it brings a 2.6.14 kernel, updated tools like Autopsy, Sleuthkit, Firefox and dcfldd, and new tools like the EnCase Linen Utility, tcpxtract and hfsplus support for Mac drives. On Windows, there is a new GUI, log files saved as PDF, updated tools like WFT and FRED, and new tools such as IRCR, Forensic Server Project and FTK Imager.

Definitely check out Helix when you have time. It is worth your time if you do any sort of incident response or forensics. One beef I have with Helix is the GUI under Windows. I posted a message in the forum to see if Drew would modify Helix's behavior to open a CMD prompt first and then let the user choose to run the GUI if they want. Why? The GUI loads into RAM, and every page it allocates can overwrite volatile evidence you have not captured yet. I recommend going straight to a CMD prompt, providing some scripts for imaging memory and local drives, and only then letting users go into a GUI for more in-depth analysis...but that is just my 2 cents. Take it for a spin and decide for yourself.

2 comments:

Jordan said...

Maybe a better option would be to have a separate auto-run entry for imaging of memory. It's easy enough to hold SHIFT when you insert the CD, and right-click on the icon and choose 'image memory'. That way you're not even running the command prompt either, but have an automated process to dump memory and save it somewhere.

That way they can leave the 'normal' auto-run option but still have an easy method for those that want it to be a more effective forensics tool.

John H. Sawyer said...

Great idea. The newest version has some funky "licensing agreement" that the Helix creator wants you to agree to if you are using the CD. I posted your idea on the Helix forum to see if maybe he would consider changing the default or if his license would be violated if I were to make the change myself for use in our organization without distributing it to the world. Maybe I will get a response.