Forensic Analysis with Helix

Helix is an incident response and forensic bootable Live CD that can also run on Windows. It includes Adepto, AIR and Linen for acquiring a system image, and the Autopsy and PyFlag forensic tools for analyzing it.

Friday, May 05, 2006


Computer forensics is the investigation of computer media to discover and analyze available, deleted or 'hidden' information. It seeks to establish exactly what happened on a digital system and who was responsible. This matters in legal proceedings because an intruder (a cracker, strictly speaking, rather than a hacker) almost always leaves some traces behind. Once digital evidence has been recovered, it can be used in depositions and litigation to determine the extent and nature of the crime. There are essentially three phases to recovering evidence from a computer system or storage medium. In this article we look at the role software plays in this field through Helix, a Live CD distribution focused on incident response and forensic tools. It is a modified version of Knoppix with an excellent collection of forensics tools.

Direct Hit!
Applies to: Computer forensics professionals
USP: An easy to use collection of forensic data acquisition and analysis tools
Links: www.e-fense.com/helix 
Google keywords: Digital Forensics

The best part about the Helix Live CD is its additional Windows functionality: it runs as a standard application and collects information from a 'live' (still powered on and logged in) Windows session.

The state of a live system changes constantly, but collecting information from it is essential when the machine cannot be turned off. Shutting down a compromised machine destroys the evidence held in volatile memory and caches, and sometimes on disk as well. Helix does not install itself on the system, which matters because installing anything would alter the original state and could destroy traces of the intruder. Note, though, that no tool runs on a live system without changing it at all: launching the Helix Windows tools loads them into memory and touches file access times, so collect the most volatile data first (memory, network connections, running processes) and document exactly what was run and when.

From acquisition through analysis, Helix creates an MD5 checksum file for every file it creates or imports, so that the integrity of the files can be verified, that is, so any later modification can be detected: if even one bit of a file changes, its MD5 checksum changes. MD5 is adequate for catching accidental or careless alteration, but practical collision attacks against it have been public since 2004, so current practice is to record a SHA-256 hash alongside it, and to hash the source medium before acquisition and the image afterwards and compare the two.

Helix can acquire images from live Windows as well as Linux systems, but to analyze the image you need to boot into Helix.

The Helix toolset for Windows does not install itself on the system; it runs directly from the CD. It includes FTK Imager (a physical-disk imaging tool), Windows Forensic Toolchest (an automated incident response tool) and Incident Response Collection Report (a system report generator). Helix can also serve as a portable forensic environment, since it provides many Windows-based utilities such as PuTTY, file recovery tools, a VNC server, a registry viewer and Asterisk Logger.

Using Helix 
Using Helix in Linux is easy. When Helix boots, it runs entirely from the CD and mounts the hard drives read-only to prevent modification. This is very useful for in-depth analysis of 'dead' (powered-off) systems. A software read-only mount is not a hardware write blocker, however: on a journaled file system the kernel may still replay the journal, so where admissibility matters, image the drive through a hardware write blocker. Helix has some very good forensic tools in Linux mode, among them Adepto, AIR and Linen, GUI tools for acquiring an image of a system.

For incident response it has tools such as Ethereal (now Wireshark) and anti-virus scanners such as ClamAV and F-Prot.

It also comes with popular tools such as Autopsy and PyFlag for analyzing acquired images and drives. To get started, download the Helix ISO image from the URL above and burn it as a regular bootable CD; the same CD either boots a system into Linux mode or, inserted into a running Windows system, offers the Windows tools.

Analyzing an acquired image
To start forensic analysis of a Windows-based system, we first need to acquire its image. To do so, select the Live Acquisition button. The Live Acquisition application opens in a new window; it is a Windows graphical front end to 'dd'. Now choose the source, that is, the drive or physical memory to be imaged.

Once the acquired image is imported into Autopsy, copies of the file can be moved to the locker folder with MD5 checksums.

Next, give the destination for the image you are about to acquire. To store the image locally, check the Attached/Share option and enter the path in the destination field. To send it over the network, check the Netcat option and enter the destination IP address and port; on the receiving machine a netcat listener writes whatever arrives to a file. Netcat provides neither authentication nor encryption, so use it only on an isolated acquisition network (or tunnel it over SSH) and compare the hash of the received file with the one recorded at acquisition before relying on it. Click the Acquire button to acquire the image. After the image has been acquired you need something like Autopsy or PyFlag to analyze it. Unfortunately, Helix has no Windows application for this; you need to boot a system into Helix (Linux mode).
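The acquisition and integrity steps described above (a dd image, an MD5 checksum file, and a hash comparison between what was read and what was written) as an added shell example; this is not code from Helix or from the original article. It assumes a POSIX shell with dd, mktemp and either GNU (md5sum, sha256sum) or BSD (md5, shasum) hash utilities, and uses a constructed 1 KiB file as a stand-in for the evidence device. The netcat command lines in the header comment illustrate the network option and are not executed by the script.

```shell
#!/bin/sh
# Added example, not part of Helix: the acquire, hash and verify sequence
# that the Live Acquisition front end drives through dd, scripted so the
# integrity check can be repeated at any later point in the investigation.
#
# Assumptions: POSIX sh, dd, mktemp, and either md5sum/sha256sum (GNU
# coreutils) or md5/shasum (BSD, macOS). The "evidence device" below is a
# constructed 1 KiB file standing in for /dev/sda or \\.\PhysicalDrive0.
#
# Network variant (illustration only, not run here):
#   analysis box:  nc -l -p 9999 > evidence.dd
#   suspect box:   dd if=/dev/sda bs=4096 conv=noerror,sync | nc 10.0.0.5 9999
# netcat neither authenticates nor encrypts, so keep it on an isolated
# acquisition network and still compare the hashes at both ends.
set -u

# Print the MD5 of a file with whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the SHA-256 of a file. MD5 collisions are practical, so a second,
# stronger hash is recorded next to the MD5 that Helix itself produces.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SRC DST: hash the source first, image it with dd (conv=noerror,sync
# continues past unreadable sectors and zero-fills them so offsets stay
# aligned), write DST.md5 and DST.sha256, and fail if source and image differ.
acquire() {
    src=$1; dst=$2
    src_sha=$(sha256_of "$src")
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    md5_of "$dst" > "$dst.md5"
    sha256_of "$dst" > "$dst.sha256"
    [ "$src_sha" = "$(cat "$dst.sha256")" ]
}

# verify IMG: recompute both hashes of IMG and compare with the recorded
# values. Exit status 0 means the image is bit-for-bit as acquired.
verify() {
    img=$1
    [ "$(md5_of "$img")" = "$(cat "$img.md5")" ] &&
    [ "$(sha256_of "$img")" = "$(cat "$img.sha256")" ]
}

# End-to-end run on a constructed device: acquire, verify, tamper, re-verify.
# Returns 0 only if verification passes before tampering and fails after it.
demo() {
    work=$(mktemp -d) || return 1
    dev="$work/evidence.dev"
    dd if=/dev/zero of="$dev" bs=512 count=2 2>/dev/null      # 1 KiB "disk"
    printf 'MBR..deleted-file-residue..' | dd of="$dev" conv=notrunc 2>/dev/null
    acquire "$dev" "$work/evidence.dd" || return 1
    verify "$work/evidence.dd" || return 1                    # untouched image passes
    printf 'x' | dd of="$work/evidence.dd" conv=notrunc 2>/dev/null   # alter one byte
    if verify "$work/evidence.dd"; then return 1; fi          # tampered image must fail
    rm -rf "$work"
}

demo && echo "acquisition verified; tampering detected"
```

Run it as `sh acquire_verify.sh`; to use it on real media, call `acquire /dev/sdb /mnt/evidence/case01.dd` from the booted Helix environment and keep the two hash files with the image, since `verify` is what you rerun before every analysis session and before producing the image in court.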

Once the system has booted into Helix, launch Autopsy from the forensics entry in the main menu and create a New Case. You will then be asked to add hosts. Click the Add Host button and a new page appears asking you to add an image to investigate. Here, give the location of the image you just acquired.

Below the image-location field you will find three radio buttons for copying, moving or symlinking the actual image file into your locker directory.

This is the directory in which Autopsy reads and writes. It holds all the investigation details, including a file called 'Autopsy.log'.

Copying the entire image file into the locker directory is the safest choice, since the original stays untouched. Finally, click the Add Image button. Now it is time to run tests on the case you just created. From the Case Gallery, first select the case, host and image you want to examine. For example, to list all deleted files in the image, click the File Analysis button and then 'All Deleted Files'. This shows the names and dates of all deleted files. Autopsy generates MD5 values by default for all imported or created files, which lets you check their integrity later.

Bottom line
That was a small window on Helix's functionality. Its multiplatform support makes it a handy tool for security professionals to carry along.

Swapnil Arora
