
Computer Forensic Product Analysis: HELIX February 15, 2008

Posted by timsteiner in Research.

Tim Steiner

SEC 220

02/06/08

Computer Forensic Product Analysis: HELIX

INTRODUCTION

Computer forensics products and methods are the keys to a successful forensic investigation. If the products used have not been fully tested, they may damage or destroy electronic evidence. Furthermore, it is very important to select good forensics tools; doing so can make or break a case. There are many choices of computer forensics tools, utilities, boot disks, and other software. Some computer forensics tools sell for thousands of dollars, while others are freely available open source software packages (Purchase, 2008). The focus of this paper is on “HELIX”, an open source forensics boot CD used for “Computer Forensics, Incident response, and Electronic discovery” (Helix, 2005, p.1).

OVERVIEW

Helix is a customized version of Knoppix, designed with many computer forensics and incident response applications. Helix is a Live Linux CD, meaning that it is booted directly from the CD and does not need to be installed on the hard drive (Helix, 2005). By never being written to the hard drive, Helix can ensure that the data on the host device is not compromised or damaged in any way. It is essential that a computer forensic tool not disturb or change anything on the host computer in order for the evidence obtained to be admissible in court. Helix claims to be forensically sound, meaning that it can be used to obtain reliable data as evidence (Computer Forensics, 2008).

ANALYSIS

Helix is released under the GNU General Public License (GPL), which makes the software freely available to everyone.

Strengths

Helix is free, so the price is right. It includes many useful computer forensics applications such as Sleuthkit and Autopsy. Many organizations use Helix for incident response and forensics training. When Helix is loaded, it automatically detects the system’s hardware (Helix, 2005). Helix has very good support for Windows, which many of the other forensics boot disks lack. With Helix it is possible to image a running Windows system (Bejtlich, 2006).

Weaknesses

The major issue with Helix is the degree to which it touches the host computer’s hard drive when it boots (Bejtlich, 2006), even though Helix claims not to make any changes to the host computer’s hard drive (Helix (Linux Distribution), 2008). Although Helix is a popular forensics utility, there are no examples to be found of it being used by actual law enforcement to conduct e-discovery.

CLOSING REMARKS

Helix is a great computer forensics tool. It can be used to acquire a live image of a Windows system, repair damaged files, acquire data, recover a virus-damaged system, change Windows passwords, look for rootkits, securely delete files, and much more (Gleason, 2006). The Helix software package is a complete, professional-quality forensics tool. It is my opinion that Helix could be used by law enforcement to accurately obtain and document e-evidence. At this time I see no examples of Helix being used by any law enforcement agency. Thus, I have to conclude that a court might not accept e-evidence obtained via Helix because there is no precedent to follow. It would be better to spend the money on a commercial computer forensics product already used by law enforcement to ensure that the evidence obtained would be admissible. Electronic evidence is only valuable if it is admissible as evidence in support of a case.

REFERENCES

Bejtlich, R. (2006, August). Forensically Sound Evidence. Retrieved February 4, 2008, from http://taosecurity.blogspot.com/2006/08/forensically-sound-evidence.html

Computer Forensics. (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Digital_Forensic_Tools

Gleason, B.J. (2006, March). Helix 1.7 for Beginners. Retrieved February 4, 2008, from http://www.e-fense.com/helix/Docs/Helix0307.pdf

Helix. (2005). The Helix Live CD Page. Retrieved February 4, 2008, from http://www.e-fense.com/helix/index.php

Helix (Linux Distribution). (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Helix_%28Linux_distribution%29

Purchase. (2008). The Farmer’s Boot CD. Retrieved February 4, 2008, from http://www.forensicbootcd.com/con/pur.html
