Linux forensics - Part 1: Helix
In this article, we will introduce and review Helix, a vastly powerful Linux forensics distribution. Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery, and security auditing. It is geared toward experienced users and system administrators working in small-to-medium, mixed environments where threats of data loss and security breaches are high.
The most recent version is based on Ubuntu, promising stability and ease of use. Helix has two modes, including pure Linux bootable live CD and the Windows mode, where it can be used in-vivo on top of a running Windows desktop.
Helix is available for download by email registration. We tested version 3 here.
Now, let's see what Helix can offer us.
As said, Helix comes as a live CD, allowing you to use it on a "suspect" machine with its native operating system dormant. It also makes Helix quite useful for network neighborhood auditing, by being able to run from just about any machine on the segment.