SANS Digital Forensics and Incident Response Blog

Helix 3 Pro: First Impressions

I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and purchased my forum membership. Here are the first things I noticed:

  • Some of the highlights...
    • The forum allows access to the Helix 3 software the member applies a registration token.
    • After adding the token, I was able to download not only Helix 3 Pro, but also Helix 3, and contributed tools.
    • Helix 3 Pro is really nothing like the 1.8 and 1.9 versions that came before it. Although it still provides a bootable live CD as well as executables that can be run in Windows in Linux, the interfaces for all the modes of use have been made more consistent and seamless. Also, a Mac OS X set of tools have been added.
    • The Helix 3 Pro CD also provides a set of cell phone forensics tools (that I will cover in a follow-on posting).
    • One of e-fense's goals with the Helix 3 release was to provide a forensics tool that did not touch the host computer in any way. I have not tried to verify this yet, although I intend to do so soon.
  • And the lowlights...
    • On my Dell D630 laptop (and few other systems), the boot process generated a number of errors and — in some cases — would not detect a graphical interface mode correctly, leaving me with an unusable Helix environment.
    • The majority of the tools that made previous versions of Helix useful are just completely gone. This is apparently done so that the Helix Pro 3 image can be trusted. I spoke to a sales representative at e-fense who told me that several customers were using Helix 3 Pro in environments where open source software of questionable origins is, well, frowned upon.
    • Static binaries formerly found on the Helix 1.x CDs are now separate downloads. They are still available through the Helix forums.

This is the first in a series of blog postings I plan to publish on Helix 3 Pro. Please post comments if there are specific tools or features of the LiveCD you would like me to cover.

John Jarocki, GCFA Silver #2161, is an Information Security Analyst specializing in intrusion detection, forensics, and malware analysis. He also holds GCIA, GCIH, GCFW and GSEC certifications and is the Treasurer of NM InfraGard. John recently co-authored a controversial paper on using LiveCDs to mitigate online banking risks.

4 Comments

Posted November 20, 2009 at 2:46 PM | Permalink | Reply

Bugbear

I also had some issues with my D630 when trying to use the bootable CD ROM. Enabling Safe Mode Video (F4) and acpi=off "advanced Configuration and Power Interface" (F6) on the boot menu seemed to help.
Although I noted issues with closing Helix and attempting to restart it once booted too.
Hope this helps

Posted November 20, 2009 at 3:58 PM | Permalink | Reply

FUF

> "One of e-fense's goals with the Helix 3 release was to provide a forensics tool that did not touch the host computer in any way. I have not tried to verify this yet, although I intend to do so soon."
Like many other Ubuntu-based forensic Live CDs it recovers Ext3/4 file systems during the boot (thanks to Casper scripts). And historically all Helix3 versions use not forensically sound mount policy that may alter the data on original media in some cases.
These "features" were already discussed on e-fense forums.

Posted November 23, 2009 at 3:22 PM | Permalink | Reply

Karl

I also took the plung, figured it was worth the money for a year to see how it goes. I do like the new format but miss some of the older tools so what I have done is now I carry copies of both the older free version as well as the new Pro version. Depending on the situation I will have to make the call of which version to use but it would be nice to be able to have both on one CD. A little worried now that Drew has left, seems that they is no clear direction and the updated keep being pushed back. Will have to keep on eye on the situation to see what happens.

Posted December 1, 2009 at 12:19 AM | Permalink | Reply

Linda

Very nice article. I thought to let you know that you website wasn'tt getting displayed properly on opera imni browser on my pda.
Have a nice time''sorry for typos