
So I went out looking for the Helix Forensics Live CD today…

It seems things have changed.

Sniff.

So what’s a guy to do?

Well, I whined about it for a while. I raged about it for a while. I bargained with myself to see if it was worth the $179 for the once or twice a year I needed it. I got depressed because yet another company has taken off with “monetizing its community” and finally, I decided to go looking for the ISO of the last version before they went sideways.

I learned about what happened…

and some (partial) alternatives…

  1. Raptor by Forward Discovery, Inc.
  2. Windows FE
  3. and more Windows FE
  4. and even more Windows FE
  5. The nebulous promise of HelixCE (community edition)
  6. C.A.IN.E. (Computer Aided Investigative Environment) Live CD

I’d just about given up when I came across this posting from one of my #sectwits friends – Rob Fuller (@mubix): Ask and you shall receive – SumoLinux

It seems that another one of the #sectwits – Marcus J. Carey has put together a fantastic DVD-based or USB-based distro called SUMO Linux which just happens to contain:

a compilation of the best Information Security distributions:

  • Backtrack 3
  • Helix 2.0
  • Samurai Linux
  • DBAN
  • DVL

It’s available through the always impressive Pirate Bay torrent tracker here.

And just like that – the answer to my problem could have been found not through endless Google searches, but through a quick query to some of the fantastic folks on Twitter who have come together in an intensely supportive community with Zach Lanier (@quine) as its leader and (often) lead jokester.

(I’m so gonna pay for that last link…)

(CC licensed image from Todd Binger’s Flickr Stream)

Comments

  1. Hi James – great post.

    I had been keeping an eye out for the next Helix release and was shocked when I landed on the new pages. Puzzled it out myself like you did as well. I see their side about wanting to make a buck or two, but it still seems like a loss. Quite a large community had grown up around it. I’m going to have to guard my ISO files of it like gold and keep some masters squirreled away for safe keeping…

    Fortunately, as you have shared others are hard at work keeping the forensics LiveCD field rich with new life and projects.

    One more active forensic LiveCD project you might want to take a look at (you may already know of it) is DEFT Linux – http://www.deftlinux.net

    They seem to be actively working on updating and tweaking it.

    I like the “dual-nature” of CAINE (Linux boot / Windows auto-run menu). I do wonder if they might get into some “redistribution issues” by including some of the Windows-side utilities along with the CD ISO. Some developers frown on that practice. So I hope it survives that test.

    I’ve not independently confirmed it myself, but I’ve read that WinFE might in fact somehow change disk media anyway. There are reports that it may not be forensically sound. Some comments are that if you take a hash of a drive before using it (using another forensics tool) then boot a system with Win FE and then take a 2nd hash when done using the original tool, the hash is different. Don’t know more than those details and they might not bear out to be factual… I hesitated to even mention it, but it might be worth validating before using in a “live-fire” response with it. Could be limited to specific storage devices. I’ve got some homework to do on this one. I’ve been doing a lot of Win PE building so I am curious in particular with Windows FE behaviour as it is based on Windows PE, but with two registry tweaks: Windows FE – Details Teased out of the Web – http://grandstreamdreams.blogspot.com/2009/02/windows-fe-details-teased-out-of-web.html

    John Sawyer posted a followup article to the Windows FE one you linked to posing that very question:

    Tool Validation: Trust, But Verify – http://darkreading.com/blog/archives/2009/02/tool_validation.html

    Anyway, great blog and I am enjoying your perspective on things.

    Cheers.

    –Claus V.

  2. Hi James,

    I finally found the time to do some testing on Windows FE builds to see if the claims against Windows FE not being “forensically sound” were true.

    Posted the results here:

    Windows FE: Forensically Sound? – http://grandstreamdreams.blogspot.com/2009/03/windows-fe-forensically-sound.html

    Long post short: It seemed to check out just fine in my MD5 hashing tests of both a Windows system and a non-Windows system and matched the same MD5s generated by DEFT Linux forensics LiveCD results.

    Felt duty-bound to do the work and share here after my previous comment.

    Cheers.

    –Claus V.
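The before/after hash check described in the first comment, and reported on in the second, as a small added example script (not from the post, its author, or the commenters). It assumes a Linux or BSD shell with `md5sum`/`sha256sum` or `md5`/`shasum`, a device or image path passed by the caller, and a baseline file location chosen by the caller; it records both MD5 and SHA-256 so a match is not resting on MD5 alone.

```shell
#!/bin/sh
# Added example: baseline a drive (or image file) before booting a live
# environment, then re-hash afterwards and compare. Paths are assumptions.
set -u

# Portable wrappers: coreutils names first, BSD/macOS names as fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1"; else md5 -q "$1"; fi | cut -d' ' -f1
}
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# hash_device PATH -> prints "<md5> <sha256>" for the device or image.
hash_device() {
    printf '%s %s\n' "$(md5_of "$1")" "$(sha256_of "$1")"
}

# record_baseline PATH BASELINE_FILE -> writes "path md5 sha256 utc-timestamp".
# Run this from a trusted environment BEFORE booting the tool under test.
record_baseline() {
    dev="$1"; base="$2"
    printf '%s %s %s\n' "$dev" "$(hash_device "$dev")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$base"
}

# verify_against PATH BASELINE_FILE -> 0 if both hashes still match, 1 if not.
# Run this from the same trusted environment AFTER the tool has been booted.
verify_against() {
    dev="$1"; base="$2"
    read -r _ old_md5 old_sha _ < "$base"
    set -- $(hash_device "$dev")
    new_md5="$1"; new_sha="$2"
    if [ "$old_md5" = "$new_md5" ] && [ "$old_sha" = "$new_sha" ]; then
        echo "MATCH: $dev unchanged since baseline"
        return 0
    fi
    echo "MISMATCH: $dev changed (md5 $old_md5 -> $new_md5)" >&2
    return 1
}
```

A mismatch proves the media changed between the two runs but does not say which write did it; a match across several device types is the evidence the second comment reports.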
