Updated: February 24, 2009
Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery, and security auditing. It is geared toward experienced users and system administrators working in small-to-medium, mixed environments where threats of data loss and security breaches are high.
The most recent version is based on Ubuntu, promising stability and ease of use. Helix has two modes, including pure Linux bootable live CD and the Windows mode, where it can be used in-vivo on top of a running Windows desktop. Helix is available for download by email registration. We tested version 3 here. Now, let's see what Helix can offer us.
As said, Helix comes as a live CD, allowing you to use it on a "suspect" machine with its native operating system dormant. It also makes Helix quite useful for auditing your network neighborhood, by being able to run from just about any machine on the segment.
The latest version of Helix is based on Ubuntu (used to be Knoppix, in the past), so the minimalistic yet fully functional Gnome desktop comes as no surprise.
By default, Helix will display monitors for mounted disks and CPU, memory and network activity. It comes with a range of useful tools. Bear in mind that the Linux live CD part is only a fragment of the entire arsenal. We will talk about dedicated Windows utilities later.
The basic kit includes the omnipotent Wireshark network analyzer / packet sniffer, several anti-virus tools, retrieve passwords, backup and restore partitions, browse MAC partitions, examine binary files, and more.
The users can choose between XFPROT and ClamTk anti-virus scanners to examine files and folders on suspect machines, including local and remote disks.
You can also scan Windows registries.
Adepto allows you to create sector-by-sector images of local devices and take them offline for further analysis. It also allows you to restore disks / partitions, which makes it handy for recovery, too.
You can also try to retrieve Windows passwords.
In this mode, Helix is used just as any other CD inside Windows. Double-click to launch the application. You'll be warned about your actions.
The Windows mode differs from the Linux side in being a floating application rather than a complete operating system. Therefore, the navigation is a little different.
First, you have the Quick Launch.
Then, there is the Page menu, which allows you to browse different categories of tools.
The Windows side contains a broad range of highly useful utilities.
The Incident Response page is particularly rich, with lots of excellent programs. Did I say you should be knowledgeable and extremely careful when running these tools, as you can very easily obliterate your system and even cause significant damage to the LAN? There, I said it.
An entire section is dedicated to viewing (and retrieving) passwords, cookies and logs.
You also have tools for auditing of the system, remote connection (including VNC, SSH), file recovery, and rootkit scanning.
Like in Linux, it is possible to acquire entire disk drives (and even the physical memory).
You can also browse contents of files and folders, calculate hashes, check time stamps, and more. This allows you to look for suspicious, clandestine activities in your data archives.
As mentioned earlier, you can run full audits of your system.
Helix is a highly useful toolbox. The dual mode is especially valuable, since quite a few system administrators are not that proficient in Linux. Furthermore, it allows Helix users to approach Windows-related problems with several methods, first trying to cope with problems while still logged in Windows and then escalating to the Linux live CD mode.
Helix is a stable, complete package, with a broad range of great utilities that will significantly increase your ability to respond to problems, threats and incidents in your environment. That's it. For more details about forensics in general, please see the Introduction.