Helix Manual Forensics Training

 admin  

Forensics training, file systems, hands-on exercises. Warrant or other set of instructions that define the. Imaging RAM using tools such as dd and Helix. NIJ sponsors a variety of courses, both online and in a classroom, for criminal justice professionals. These courses are offered either directly by NIJ or by a grantee (e.g., RTI International, West Virginia University).

  1. Digital Forensic Training
  2. Helix Linux Forensics

I viewed 'Otzi' myself in Bolzano, Italy, and gained a new respect for forensics' ability to tell how Otzi had met his end. While digital forensics is a different skill set, it's one that every information security team should develop for investigating security events. Digital forensics reveals attack methods, highlights defense weaknesses and suggests which countermeasures to put in place to avoid a repeat attack.

Forensics toolkits probe potentially compromised systems while respecting Hippocrates' dictum, 'First, do no harm.' To forensically probe without altering key systems or data, I suggest turning to Helix. Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems.

Helix is easy to use; just put the Helix Live CD into a machine and boot from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using steganographic methods. Considering the last documented update of Helix was in October 2006, some of its tools are becoming dated.
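The bit-for-bit copy step described above, written out as an added example (this is not code from Helix or from the article): the source is hashed before imaging, copied sector by sector with dd, hashed again, and the digests are recorded in a custody log so the image can be re-verified before analysis. It assumes a POSIX sh with GNU coreutils (dd, sha256sum, cut, mktemp); the sample "evidence" file is constructed and stands in for a block device such as /dev/sdb.

```shell
#!/bin/sh
# Added example, not code from Helix or the article: a dd-based
# bit-for-bit acquisition with hash verification and a custody log.
# Assumes POSIX sh plus dd, sha256sum, cut and mktemp (GNU coreutils).
# With two arguments it images SOURCE to IMAGE; with none it runs on a
# constructed sample file that stands in for a block device.

# Constructed sample: 64 records of exactly 512 bytes, so the file is
# sector aligned like a real disk (conv=sync would otherwise pad it).
make_sample_source() {
    : > "$1"
    i=0
    while [ "$i" -lt 64 ]; do
        printf '%-512s' "sector $i: constructed sample, not real evidence" >> "$1"
        i=$((i + 1))
    done
}

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Hash the source first, copy it sector by sector, then hash the image.
# noerror keeps reading past bad sectors and sync pads the short reads,
# so offsets in the image still line up with offsets on the source.
image_and_verify() {
    src="$1"; dst="$2"; log="$3"
    src_hash=$(hash_file "$src")
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    dst_hash=$(hash_file "$dst")
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src  sha256=$src_hash"
        echo "image:    $dst  sha256=$dst_hash"
    } >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Re-check an image later (e.g. before analysis); fails if it changed.
verify_image() { [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; }

if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2" "$2.log" && echo "image verified: $2"
elif [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    make_sample_source "$d/evidence.bin"
    image_and_verify "$d/evidence.bin" "$d/evidence.dd" "$d/custody.log" \
        && cat "$d/custody.log"
fi
```

On a real acquisition the source should be attached read-only (a hardware write blocker, or at least mounted read-only) so that the pre-image hash describes the device as it was seized.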


New obstacles are arising from Windows Vista's BitLocker and its AES-encrypted drive volumes. Disk encryption creates the need for new tools that can capture memory states in order to recover executable strings unpacked into RAM and copy them for later analysis. Most important to the success of a digital forensics investigation is the ability to understand and interpret the recovered data. That means not only keeping forensics tools on hand, but also continuously training our teams to decipher and understand what is meaningful within the data. All in all, Helix is a solid tool for enabling the digital forensics process.

About the author: Scott Sidel is an Information Systems Security Officer (ISSO) with Lockheed Martin.

Author's note: The article you are about to read was originally written in March 2009. The kind people at Linux+DVD magazine have allowed us to make my articles available after the printed version of the magazine is no longer available.


At the time it was written, all the information it contained was accurate and up-to-date but due to the somewhat lengthy process of creating and distributing a magazine, things change. Since the time this article was written, the good people at e-fense have changed their policy and have re-released the original version of Helix3, free to the masses. The versions of the software I discuss in the article have also been updated. However, even though it may seem a bit dated at this point, it does serve as a reminder of thoughts, attitudes, and concerns at the time. There is a follow-up article that will be posted (after it appears in the printed magazine), updating the re-release, and giving a review of Helix3 Pro. A few issues ago, in my two-part series, An Introduction to Digital Forensics, the major tools being used were from the Helix3, ver 1.9, Live CD, a combined Windows/Linux forensic environment designed for e-discovery, computer forensic analysis and incident response.

Since that article was published, several major events have taken place. The first was that Helix3 2.0 was released. This was a major update, where the underlying Linux base was changed from Knoppix to Ubuntu, many tools were added, and most of the rest were updated. It was a significant, well-received update. However, in March of 2009, Drew Fahey, the lead developer of Helix3, and the good people at e-fense.com changed the distribution policy. Helix3 is now only available to paying subscribers. By the time this article appears, the monthly fee for access to the Helix3 forums, as well as to the latest versions of the Live CD and the updated manual, will be $14.95 per month.

(Full Disclosure: I am the co-author of the Helix manual, which grew out of the materials I developed for my forensic classes. I have never received any financial compensation for my contributions, and am a paying member of the Helix3 forums). In addition, Helix3 will be getting another major upgrade. While in the past, Helix3 was a collection of tools from various sources, the new system, Helix3 Pro is to be an all-in-one distribution, with all the tools developed and written from the ground up. This promises to be a very interesting release, and we will review it when it is available. While I am sure that this was not an easy decision to make, I believe that all developers are entitled to whatever compensation they desire for the work they do, and I wish e-fense all the best in this new venture.

However, this turn of events has generated a lot of concern in the various forensic and security blogs and forums from users who have used Helix3 for free over the past six years. With Helix3 now isolated behind a paywall, this has created a bit of a vacuum in the Forensic Live CD arena, and people have started to look for tool sets to replace it. While there are many Forensic Live CDs available, many seem to have been abandoned, or have not been updated in several years, which would mean working with out-of-date tools and possibly having problems with some of the newer hardware. It would even be possible to roll your own version; however, this can be quite complicated and time-consuming.

While there have even been some calls for volunteers to assist in the creation of a Helix Community Edition, it appears that there may be several worthy successors already available. To be considered a true replacement for Helix3, a Linux Live CD would have to include tools that can be run in a Windows environment to allow the investigators to perform live system captures. Based on the discussions in the various forums, the two primary contenders appear to be CAINE and DEFT.

CAINE - Computer Aided Investigative Environment

Of the two distros, CAINE seems to be closest in look, feel, and functionality to the Helix3 environment. It is based on Ubuntu Linux 8.04, and contains a Windows autorun GUI.

Digital Forensic Training

CAINE is available as a 643MB ISO download from and it is version 0.5 that is used in this review. CAINE started as the graduation thesis of the lead developer, Giancarlo Giustini, at the Information Engineering Department of the University of Modena e Reggio Emilia, Italy. CAINE was designed to wrap the common forensic tools in a user-friendly GUI to help streamline the investigative process. On the Windows side, CAINE provides WinTaylor, a point-and-click interface to many incident response and collection tools. The autorun utility pops up first, presenting the standard disclaimers, and gives the user the option to install the VB6 Runtime library, or the ability to register the .ocx files if running under Vista, if needed (see Figure 1).

Figure 1 - CAINE startup screen under Windows

An alternative to using the WinTaylor GUI is to run the forensic utilities from inside Windows Internet Explorer.

Helix Linux Forensics

As always, it is important to remember that everything done on a live system modifies the system being examined, and all efforts should be made to minimize any changes to the system (see Figure 2).

Figure 2 - WinTaylor, a GUI for a large number of Windows based forensic tools

Once WinTaylor is started, the Analysis 1 tab provides access to a number of NirSoft and other tools used for extracting system and personal information. It is recommended that you disable any anti-virus programs, as many of these tools are often flagged as hacking tools, trojans, or backdoors. The Analysis 2 tab contains RAM and network tools such as MDD.
