I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.
Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.
I took the plunge and purchased my forum membership. Here are the first things I noticed:
- Some of the highlights...
- The forum allows access to the Helix 3 software the member applies a registration token.
- After adding the token, I was able to download not only Helix 3 Pro, but also Helix 3, and contributed tools.
- Helix 3 Pro is really nothing like the 1.8 and 1.9 versions that came before it. Although it still provides a bootable live CD as well as executables that can be run in Windows in Linux, the interfaces for all the modes of use have been made more consistent and seamless. Also, a Mac OS X set of tools have been added.
- The Helix 3 Pro CD also provides a set of cell phone forensics tools (that I will cover in a follow-on posting).
- One of e-fense's goals with the Helix 3 release was to provide a forensics tool that did not touch the host computer in any way. I have not tried to verify this yet, although I intend to do so soon.
- And the lowlights...
- On my Dell D630 laptop (and few other systems), the boot process generated a number of errors and — in some cases — would not detect a graphical interface mode correctly, leaving me with an unusable Helix environment.
- The majority of the tools that made previous versions of Helix useful are just completely gone. This is apparently done so that the Helix Pro 3 image can be trusted. I spoke to a sales representative at e-fense who told me that several customers were using Helix 3 Pro in environments where open source software of questionable origins is, well, frowned upon.
- Static binaries formerly found on the Helix 1.x CDs are now separate downloads. They are still available through the Helix forums.
This is the first in a series of blog postings I plan to publish on Helix 3 Pro. Please post comments if there are specific tools or features of the LiveCD you would like me to cover.
John Jarocki, GCFA Silver #2161, is an Information Security Analyst specializing in intrusion detection, forensics, and malware analysis. He also holds GCIA, GCIH, GCFW and GSEC certifications and is the Treasurer of NM InfraGard. John recently co-authored a controversial paper on using LiveCDs to mitigate online banking risks.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
