
Forensic Analysis with Helix

PCQ Bureau

Computer forensics is the investigation of computer media to discover and analyze available, deleted or 'hidden' information. It seeks to establish exactly what happened on a digital system and who was responsible for it. This matters in legal proceedings because an intruder (a cracker, in this context) almost always leaves some traces behind. Once digital evidence has been found, it can be used in depositions and litigation to determine the extent and nature of the crime. Recovering evidence from a computer system or storage medium is generally described as a three-phase process.

In this article we look at the role software plays in this field using Helix, a Live CD distribution that focuses on incident response and forensic tools. It is a modified version of Knoppix, with an excellent selection of forensic tools.

Direct Hit!
Applies to: Computer forensics professionals
USP: An easy to use collection of forensic data acquisition and analysis tools
Links: www.e-fense.com/helix
Google keywords: Digital Forensics

The best part about the Helix Live CD is its additional functionality for Windows, where it runs as a standard application and collects information from a 'live' (still powered on and logged in) Windows session.

The state of a live system is constantly changing, but being able to collect information from it is valuable when the machine cannot be turned off: shutting down a compromised machine destroys everything held only in volatile memory and caches (running processes, network connections, logged-in users, unencrypted keys), and sometimes data on disk as well. Helix does not install anything on the system it examines. This is important, because installing software would alter the original state of the system and some of the intruder's tracks might be lost. Note that no live-response tool is entirely side-effect free: simply running a program on the suspect machine changes its memory contents, so record exactly which tools were run, when, and from where, so that the changes you introduced can be accounted for later.


From acquiring images to analyzing them, Helix creates an MD5 checksum file for every file created or imported, to demonstrate the integrity of the files, i.e. that they have not been modified by anyone. This is crucial: if even one bit of a file is altered, its MD5 checksum changes. Bear in mind that MD5 is no longer collision-resistant, so for evidence that may be challenged it is good practice to record a second hash (SHA-1 or SHA-256) alongside the MD5 at acquisition time, and to verify both every time the image is copied.

Helix can acquire images from live Windows as well as Linux systems, but to analyze this image, you need to boot into Helix

The Helix toolset for Windows does not install itself on the system; instead, it runs directly from the CD. The CD carries applications such as FTK Imager (a physical disk image acquisition tool), Windows Forensic Toolchest (an automated incident response tool) and Incident Response Collection Report (a system report generation tool). Helix can also be used as a portable forensic environment, since it provides access to many Windows-based utilities such as PuTTY, file recovery tools, a VNC server, a registry viewer and Asterisk Logger.


Using Helix

Using Helix in Linux mode is easy. When Helix boots, it runs entirely from the CD and mounts the hard drives read-only to prevent modification. This is very useful for an in-depth analysis of 'dead' (powered-off) systems. Helix has some very good forensic tools in Linux mode. For acquiring an image of a system it has Adepto, AIR and LinEn. For incident response it has tools such as Ethereal and anti-virus scanners like ClamAV and F-Prot. It also comes with popular tools such as Autopsy and PyFlag for analysis of acquired images and drives.

To get started, download the Helix ISO image from the URL above and burn it as a regular bootable CD. The same CD serves both purposes: inserted into a running Windows system it offers the live-response tools, and booted from directly it starts the Linux environment.


Analyzing an acquired image

To start forensic analysis of a Windows-based system, we first need to acquire its image. To do so, select the Live Acquisition button. The Live Acquisition application appears in a new window; it is a Windows graphical front end to 'dd'. Choose the source, i.e. the drive or the physical memory that is to be analyzed forensically.

Once the acquired image is imported into Autopsy, copies of the file can be moved to the locker folder with MD5 checksums

Next, specify the destination for the image file you are about to acquire. To store the image locally, tick the Attached/Share option and enter the path for saving the image in the destination field. To send the image over the network instead, tick the Netcat option and enter the destination IP address and port number; a netcat listener must already be waiting on that port on the receiving machine, writing whatever it receives to a file. Click the Acquire button to acquire the image. Whichever destination you use, note the hash reported after acquisition and keep it with the image.

After the image has been acquired, you need something like Autopsy or PyFlag to analyze it. Unfortunately, Helix has no application for analyzing the image under Windows. To do so, you need to boot a system with Helix (i.e. Linux mode).


Once the system has booted into Helix, launch Autopsy from the Forensics menu in the main menu and create a New Case. You will then be asked to add hosts. Click the Add Host button and a new page appears, asking you to add an image to investigate. Here, give the location of the image you just acquired.

Below the image-location field you will find three radio buttons to choose whether the image file is copied, moved, or symlinked into your locker directory. The locker directory holds the files that Autopsy reads and writes; it contains all the investigation details, including a file called 'Autopsy.log'.




The best option is to copy the entire image file into the locker directory, so that the original acquisition stays untouched and the copy can be verified against the hash recorded at acquisition time. Finally, click the Add Image button. Now it is time to run tests on the case you just created. From the Case Gallery, first select the case, the host and the image on which you want to run the tests. For example, to list all the deleted files in the image, click the File Analysis button and then the 'All Deleted Files' button. This shows the names and dates of all the deleted files. Autopsy by default generates MD5 values for all the files imported or created, which lets you demonstrate their integrity.
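The acquire-hash-copy-verify workflow described in the Live Acquisition and Autopsy sections above, as an added example that is not from the article or from the Helix and Autopsy projects. It runs dd directly rather than through the Helix GUI, uses a regular file of constructed random bytes as a stand-in for the source device so it runs without root or real media, and records both MD5 and SHA-256. The locker path, the sidecar hash-file names and the dd options are assumptions, not anything Helix itself does.

```shell
#!/bin/sh
# Added example (not Helix/Autopsy code): image a "device" with dd, record
# MD5 and SHA-256 sidecar files, copy the image into a locker directory and
# verify the copy before any analysis touches it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the evidence device: 1 MiB of random bytes.
# (Assumption: a real run would point at /dev/sdX or a memory dump instead.)
make_fake_device() {
    dd if=/dev/urandom of="$WORK/evidence.dev" bs=1024 count=1024 2>/dev/null
    printf '%s\n' "$WORK/evidence.dev"
}

# Hash a file with one algorithm; prints only the hex digest.
hash_of() {
    case $1 in
        md5)    md5sum "$2"    | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
    esac
}

# Acquire a raw image. noerror,sync keeps going past unreadable blocks and
# pads them so offsets in the image still line up with the source.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=64k conv=noerror,sync 2>/dev/null
    hash_of md5    "$img" > "$img.md5"
    hash_of sha256 "$img" > "$img.sha256"
}

# Verify an image against its sidecar hashes; returns non-zero on mismatch.
verify_image() {
    img=$1
    [ "$(hash_of md5 "$img")"    = "$(cat "$img.md5")" ] &&
    [ "$(hash_of sha256 "$img")" = "$(cat "$img.sha256")" ]
}

# Copy image plus sidecars into the locker, then verify the copy, not the
# original, so a corrupted copy is caught before it is analyzed.
copy_to_locker() {
    img=$1; locker=$2
    mkdir -p "$locker"
    cp "$img" "$img.md5" "$img.sha256" "$locker/"
    verify_image "$locker/$(basename "$img")"
}

# Stand-alone demonstration run.
DEV=$(make_fake_device)
acquire_image "$DEV" "$WORK/demo.dd"
copy_to_locker "$WORK/demo.dd" "$WORK/locker"
echo "image MD5:    $(cat "$WORK/demo.dd.md5")"
echo "image SHA256: $(cat "$WORK/demo.dd.sha256")"
echo "locker copy verified"
```

When the Netcat destination is used instead of a local path, the receiving Helix box needs a listener writing to a file before Acquire is clicked (with traditional netcat, something like `nc -l -p <port> > image.dd`), and the hashes should be computed on the received file, since that is what will be added to Autopsy.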



Bottom line

That was a small window on Helix's functionality. Its multiplatform functionality, live response under Windows and dead-system analysis under Linux from the same CD, makes it a handy tool for security professionals to carry along.

Swapnil Arora
