Computer Forensic Product Analysis: HELIX February 15, 2008
Posted by timsteiner in Research. Tags: computer forensics, data acquisition, e-discovery, e-evidence, electronic discovery, electronic evidence, forensic tools, helix, incident response, open source, product analysis
Tim Steiner
SEC 220
02/06/08
Computer Forensic Product Analysis: HELIX
INTRODUCTION
Computer forensics products and methods are the keys to a successful forensic investigation. If the products used have not been fully tested, they may damage or destroy electronic evidence. Selecting good forensics tools is therefore critical; the choice can make or break a case. There are many computer forensics tools, utilities, boot disks, and other software packages to choose from. Some computer forensics tools sell for thousands of dollars, while others are freely available open source packages (Purchase, 2008). The focus of this paper is on “HELIX”, an open source forensics boot CD used for “Computer Forensics, Incident response, and Electronic discovery” (Helix, 2005, p. 1).
OVERVIEW
Helix is a customized version of Knoppix that bundles many computer forensics and incident response applications. Helix is a live Linux CD, meaning that it boots directly from the CD and does not need to be installed on the hard drive (Helix, 2005). Because nothing is installed on the hard drive, Helix can avoid compromising or damaging the data on the host device, provided that the boot process itself does not mount or write to the host’s disks. It is essential that a computer forensic tool not disturb or change anything on the host computer; otherwise the evidence obtained may not be admissible in court. Helix claims to be forensically sound, meaning that it can be used to obtain reliable data for use as evidence (Computer Forensics, 2008).
ANALYSIS
Helix is released under the GNU General Public License (GPL) which makes the software freely available to everyone.
Strengths
Helix is free, so the price is right. It includes many useful computer forensics applications such as The Sleuth Kit and Autopsy. Many organizations use Helix for incident response and forensics training. When Helix boots, it automatically detects the system’s hardware (Helix, 2005). Helix has very good support for Windows, which many other forensics boot disks lack. With Helix it is possible to image a running Windows system (Bejtlich, 2006).
Weaknesses
The major issue raised with Helix is the degree to which it touches the host computer’s hard drive when it boots (Bejtlich, 2006), even though Helix claims not to make any changes to the host computer’s hard drive (Helix (Linux distribution), 2008). Any write to the evidence medium, however small, undermines the forensic soundness claimed above. Furthermore, although Helix is a popular forensics utility, no examples could be found of it being used by actual law enforcement to conduct e-discovery.
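As an added example (not part of the original paper, and not Helix’s own code), the following Python script shows the check a practitioner runs to decide whether an acquisition was forensically sound in the sense used above: the source medium is hashed before imaging, hashed again afterwards, the image is hashed, and all three digests must agree. The “disk” is a constructed in-memory byte string, and `careless_acquire` is a hypothetical tool that writes to the evidence medium before copying it, standing in for the boot-time disk writes discussed above.

```python
"""Added example: checking that an acquisition was forensically sound.

A live-CD acquisition is only evidence-grade if the source medium is left
untouched and the image is a bit-for-bit copy. The standard check is to hash
the source before imaging, hash it again afterwards, hash the image, and
require all three digests to agree. Everything below runs on constructed
in-memory "disks"; nothing touches a real device.
"""
import hashlib
import io

# Constructed evidence medium (not real disk contents): ~41 KB of filler
# ending in the 0x55AA boot-sector signature so it spans several read chunks.
SAMPLE_DISK = b"CONSTRUCTED-EVIDENCE-SECTOR " * 1500 + b"\x55\xaa"
SAMPLE_DISK_SHA256 = hashlib.sha256(SAMPLE_DISK).hexdigest()


def hash_stream(stream, chunk_size=1 << 20):
    """SHA-256 of a seekable byte stream, read from offset 0 in chunks."""
    digest = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image, chunk_size=1 << 20):
    """Bit-for-bit copy of source into image (what dd does); returns bytes copied."""
    source.seek(0)
    image.seek(0)
    image.truncate(0)
    copied = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        image.write(chunk)
        copied += len(chunk)
    image.flush()
    return copied


def careless_acquire(source, image, chunk_size=1 << 20):
    """Hypothetical unsound tool (assumption for illustration): it mounts the
    evidence medium read-write before copying, so a 'last mounted' record
    lands on the source itself. This stands in for boot-time disk writes."""
    source.seek(512)
    source.write(b"LAST-MOUNTED-BY-ACQUISITION-TOOL")
    return acquire(source, image, chunk_size)


def verified_acquisition(source, image, acquire_fn=acquire, chunk_size=1 << 20):
    """Run an acquisition and return the three digests plus verdicts.

    'sound' is True only when the source hash is identical before and after
    imaging AND the image hash equals the pre-imaging source hash.
    """
    before = hash_stream(source, chunk_size)
    copied = acquire_fn(source, image, chunk_size)
    after = hash_stream(source, chunk_size)
    image_hash = hash_stream(image, chunk_size)
    return {
        "bytes_copied": copied,
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "source_unchanged": before == after,
        "image_matches_source": image_hash == before,
        "sound": before == after == image_hash,
    }


def demo_sound():
    """Correct tool: source untouched, image matches, all three digests agree."""
    return verified_acquisition(io.BytesIO(SAMPLE_DISK), io.BytesIO(), acquire, 4096)


def demo_unsound():
    """Careless tool: the image matches the *modified* source, not the original,
    so what was imaged is no longer what was seized."""
    return verified_acquisition(io.BytesIO(SAMPLE_DISK), io.BytesIO(),
                                careless_acquire, 4096)


if __name__ == "__main__":
    for name, result in (("sound", demo_sound()), ("unsound", demo_unsound())):
        print(f"{name}: bytes={result['bytes_copied']} sound={result['sound']}")
        print(f"  source before: {result['source_before']}")
        print(f"  source after:  {result['source_after']}")
        print(f"  image:         {result['image']}")
```

On a real acquisition the same three digests come from hashing the block device before and after imaging and hashing the image file (for example with sha256sum); a mismatch between the before and after digests means the tool, or the boot process, wrote to the evidence medium, and a matching after-digest alone proves nothing, since the image then faithfully copies an already altered source.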
CLOSING REMARKS
Helix is a great computer forensics tool. It can be used to acquire a live image of a Windows system, repair damaged files, acquire data, recover a virus-damaged system, change Windows passwords, look for rootkits, securely delete files, and much more (Gleason, 2006). The Helix software package is a complete, professional-quality forensics tool. It is my opinion that Helix could be used by law enforcement to accurately obtain and document e-evidence. At this time I see no examples of Helix being used by any law enforcement agency. Thus, I have to conclude that a court might not accept e-evidence obtained via Helix because there is no precedent to follow. It would be better to spend the money on a commercial computer forensics product already used by law enforcement to ensure that the evidence obtained would be admissible. Electronic evidence is only valuable if it is admissible as evidence in support of a case.
REFERENCES
Bejtlich, R. (2006, August). Forensically Sound Evidence. Retrieved February 4, 2008, from http://taosecurity.blogspot.com/2006/08/forensically-sound-evidence.html
Computer Forensics. (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Digital_Forensic_Tools
Gleason, B. J. (2006, March). Helix 1.7 for Beginners. Retrieved February 4, 2008, from http://www.e-fense.com/helix/Docs/Helix0307.pdf
Helix. (2005). The Helix Live CD Page. Retrieved February 4, 2008, from http://www.e-fense.com/helix/index.php
Helix (Linux distribution). (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Helix_%28Linux_distribution%29
Purchase. (2008). The Farmer’s Boot CD. Retrieved February 4, 2008, from http://www.forensicbootcd.com/con/pur.html
Snort EULA Analysis: The de facto standard for intrusion detection/prevention February 11, 2008
Posted by timsteiner in Research. Tags: confidential information, eula, gnu, gpl, hids, ids, intrusion prevention, nids, open source, snort
Tim Steiner
LES 330
11/19/07
EULA Analysis: The de facto standard for intrusion detection/prevention
INTRODUCTION
As the IT manager of a small accounting firm, you are in charge of keeping the local network and confidential information secure from unauthorized parties. After examining the network logs, you notice that a computer on your network is sending private network data to a third party. Upon further investigation, you find that someone has hacked your network and gained access to all of your private client information, including names, addresses, contact information, and Social Security numbers (SSNs). Furthermore, you have no idea how long this has been going on or how much information has leaked out. This is the kind of nightmare an IT manager can face when a proper intrusion detection system is not implemented. Unfortunately, given the expense of such systems, many small businesses opt to take that chance. Snort is an open source, freely available network intrusion detection system (IDS) that can be used to detect an attack, enforce policies, and provide an audit trail. Snort is a popular IDS that is becoming the de facto standard for intrusion detection/prevention. That is why I have chosen to analyze Snort’s End User License Agreement (EULA).
ANALYSIS
Snort is released under the GNU General Public License (GPL), which makes the software freely available to everyone. In addition to the GPL, Snort’s EULA states how the software may be copied, modified, and redistributed.
Strengths
Snort includes a short and very well organized EULA. The terms on warranty and legal liability show that the Snort project basically offers no guarantees and is not responsible for any problems that may arise. This is clearly stated as “without any warranty”, including any “implied warranty of merchantability” or “fitness for a particular purpose.”
The EULA states that if the Snort source is modified and included as part of a product offering, then the source code for the resulting product must be distributed under the GPL, making it open source and freely available. In this way Snort can legally enforce its copyright over all included parts of its software and keep it from being incorporated into closed-source products, whatever name they are marketed under.
Weaknesses
While the Snort EULA is fairly straightforward, the GPL is much more complicated and lengthy. By agreeing to the Snort EULA, the user also agrees to the terms of the supplemental GPL. This important fact could easily be overlooked by a user who quickly skims the document, so the EULA could be misleading if not thoroughly examined.
ASSESSMENT
Overall, the Snort EULA is complete and well organized. It offers the company protection against copyright violations and unauthorized use of Snort’s intellectual property. Furthermore, the company is protected from legal liability: by offering “No Warranty”, it gives no guarantee that the software will work or perform its desired function. This is essential, as a Snort IDS has the responsibility of protecting valuable system resources from attack. By offering no warranty, the risk of being sued is mitigated in case the Snort product fails to perform its IDS functions.
CLOSING REMARKS
Although the EULA is fairly straightforward and easy to understand, how many people actually read it before accepting it? I know from my own experience that very few people, including myself, even attempt to read the EULA before installing software. It usually contains complex vocabulary and legal terminology that the average person has trouble reading, let alone understanding. Thus, the EULA is very effective at protecting the licensor’s own assets but offers little to no protection to the end user.