Monday, 23 August 2004

Helix Linux Forensic Live CD

You may already know of the FIRE live forensic CD and the Knoppix-STD security tools CD. Last week I attended a free talk by Ed Skoudis, who spoke about his favorite forensic live CD -- Helix, by Drew Fahey of e-fense. I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750.

The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drives on boot. You don't want a live CD to mount the host hard drives (or activate their swap partitions), since you don't need to mount a drive to image it, and mounting a filesystem, even read-only, can replay a journal or update metadata and so alter the evidence you are trying to preserve. Helix is safe in this regard; it doesn't touch the drive unless you tell it to. Helix also sports the sorts of tools you'd expect on a forensic CD, including a nice graphical interface to dd and its variants sdd and dcfldd.
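The imaging step that Helix wraps in a graphical front end can also be done by hand from any live CD's shell. The script below is an added example, not code from the original post or from Helix or e-fense: it images an unmounted raw device with plain dd, refuses a source the live system has mounted, and verifies the copy by comparing a SHA-1 of the device with a SHA-1 of the image, which is roughly what dcfldd's hashing options automate. The function names, the `/proc/mounts` check and the `.sha1`/`.log` sidecar files are this example's own choices, not Helix conventions, and the source is assumed to be a raw block device such as `/dev/sdb` that nothing has mounted.

```shell
#!/bin/sh
# Added example, not code from the original post or from Helix: image a
# raw, unmounted device with plain dd and verify the copy by hashing.
# SRC is assumed to be a block device such as /dev/sdb; the function
# names and the .sha1/.log sidecar files are this example's own.

# hash_of PATH: print the SHA-1 of the contents of a file or device.
# Fails (non-zero) when PATH cannot be read, so callers notice.
hash_of() {
    [ -r "$1" ] || return 1
    sha1sum "$1" | cut -d' ' -f1
}

# image_device SRC DST [BLOCKSIZE]
# Copies SRC to DST with dd. conv=noerror,sync keeps going past unreadable
# blocks and pads them with zeros so later data stays at its real offset.
# The source is hashed before the copy and the image after it; 0 is
# returned only when the two hashes agree. BLOCKSIZE defaults to 512,
# which divides any disk size, so conv=sync never pads a short final block
# (padding would change the image's hash).
image_device() {
    src=$1
    dst=$2
    bs=${3:-512}

    # Refuse to image something the live system has mounted: a mounted
    # filesystem changes underneath the copy and the hashes will not match.
    if grep -qs "^$src " /proc/mounts; then
        echo "refusing: $src is mounted" >&2
        return 2
    fi

    src_hash=$(hash_of "$src") || return 1
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.log" || return 1
    dst_hash=$(hash_of "$dst") || return 1

    # Record the source hash beside the image so the copy can be re-verified
    # later; dd's own records-in/records-out report is kept in $dst.log.
    echo "$src_hash  $dst" > "$dst.sha1"
    [ "$src_hash" = "$dst_hash" ]
}

# Usage: sh image.sh /dev/sdb /mnt/evidence/sdb.dd [blocksize]
if [ "$#" -ge 2 ]; then
    image_device "$1" "$2" "${3:-512}" && echo "image verified: $2"
fi
```

A larger block size (4096 or more) speeds the copy up considerably, but with `conv=sync` it must divide the device size exactly or the image gets zero padding at the end and the verification fails; 512 is the safe default because every disk is a whole number of 512-byte sectors. Write the image to a destination the CD mounted on purpose (a USB disk or a network share), never to the drive being imaged.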

Probably the most amazing aspect of Helix is its support for Windows. The Helix CD provides distributable Windows binaries, including a Windows shell, that run within Windows. I recommend browsing the Helix screen shots to see how useful this can be. Essentially you could image a running Windows system using Helix. (I don't think this is the best idea, but it's nice to have options.) I recommend the Helix developers also look at the sort of "live response" processes documented in books like Incident Response & Computer Forensics (2nd ed.) and incorporate those features into their great free CD.

It pays to keep an eye on Open Source Digital Forensics for developments in the forensics realm.
