Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Operating Systems Software Windows Linux

Windows Incident Forensics with Knoppix Helix 156

Posted by michael from the whodunnit dept.
Daehenoc writes "After finding Windows Forensics and Incident Recovery while looking around for forensics tools, I found this instead: Helix Incident Response and Forensics. It's a customized version of Knoppix which you can use in an online or offline style - put it in when Windows is running and you can retrieve a stack of useful information and send it to a network share. Or boot a suspect system with the CD and get access to useful forensics tools like sleuthkit!"
This discussion has been archived. No new comments can be posted.

Windows Incident Forensics with Knoppix Helix More

Windows Incident Forensics with Knoppix Helix

Comments Filter:

  • Anti-Spyware (Score:5, Insightful)

    by lordkuri ( 514498 ) on Friday November 26, 2004 @01:47PM (#10926395)
    this is pretty cool and all, but I'd really like to see a Knoppix disc with a bunch of anti spyware stuff on it. Would make my life *much* easier.

    Anyone know if they ever got Linux to be able to actually write to NTFS?

    • Re:Anti-Spyware (Score:5, Informative)

      by codeguy007 ( 179016 ) on Friday November 26, 2004 @01:50PM (#10926415)
      Anyone know if they ever got Linux to be able to actually write to NTFS?

      Yeah you can write to NTFS now.

      • Re:Anti-Spyware (Score:4, Informative)

        by siliconjunkie ( 413706 ) on Friday November 26, 2004 @02:37PM (#10926746)
        The Gnoppix live-CD [gnoppix.org] (based on Ubuntu) writes to NTFS out of the box (but like other posters have mentioned, it's not quite "safe").

        • Re:Anti-Spyware (Score:3, Insightful)

          by LurkerXXX ( 667952 )
          Really? I tried it. It seemed to search around for some windows drivers for NTFS, then just abruptly quit running. I've had no sucess writing to NTFS with it.

          • Re:Anti-Spyware (Score:4, Insightful)

            by siliconjunkie ( 413706 ) on Friday November 26, 2004 @04:03PM (#10927206)
            I didn't extensively test it, but I'm fairly certain the latest version (I have 0.8.2.2) has write support enabled for NTFS.

            I can't remember if I mounted the internal IDE or a firewire drive, but I remember being surprised that it had writes enabled (especially odd for a live CD that is semi-noob oriented).

            I'll give it a check and post back here if I can verify.

          • Re:Anti-Spyware (Score:3, Insightful)

            by siliconjunkie ( 413706 )
            O.K. My bad.

            I just loaded up Warty 0.8.2.2 on a Win2K box, and it was a NO GO on writing to NTFS. I must have gotten my live CDs mixed up, I know I have one around here that writes to NTFS, but I can't for the life of me remember which one...

            On a side note, i was going to protest being modded flamebait in my GP post above (still not exactly sure who I was baiting flames from), but seeing as I was wrong, I suppose I deserve it.
            • My guess is some zelot modded you down because you dared say it wasn't "safe". Unfortunately, testing shows it's definitely not ready for prime-time.

      • Re:Anti-Spyware (Score:4, Interesting)

        by Mattcelt ( 454751 ) on Friday November 26, 2004 @03:58PM (#10927175)
        OTOH, disabling writing is the best thing you can do with this if you want to have your evidence admissible in court. Anything which could tamper with the state of the drive after the user/cracker/process/etc. has finished with it can very easily make the courts (in the U.S. anyway, don't know about elsewhere) consider it contaminated evidence and therefore inadmissible.

        That's why professional digital forensics kits (the worthwhile ones, that is) will actually make a bit-for-bit copy of the suspect drive without the possibility of changing a thing.

        Be careful - digital forensics (just like regular forensics) is a lot harder than they make it look on TV. Google for "chain of custody" if you want to see how hard it can be...

    • Re:Anti-Spyware (Score:2, Interesting)

      by MagiGraphX ( 767644 )
      In the latest 2.6, you can write to NTFS, but it's just not trustworthy, at least, for me.

    • Re:Anti-Spyware (Score:4, Funny)

      by DoktorTomoe ( 643004 ) on Friday November 26, 2004 @01:51PM (#10926431)
      But there is a lot of anti-spyware stuff on knoppix. Think of the posibilities of fdisk!

      • Re:Anti-Spyware (Score:1, Offtopic)

        by peragrin ( 659227 )
        in 1992 my Hard drive was 20 megs and it wasn't big enough.

        You increased your hard drive storage by 6,000 times and you still run out of room.

        Of course copied over my basic files from one computer to another and filed 30 gigs. Not sure which is worse. I do know that i will get at least another 10 gig's filled when I start ripping cd images for games to store locally. Laptops are great it just sucks being forced to carry the disks with you.

      • Re:Anti-Spyware (Score:2, Funny)

        by Anonymous Coward
        fdisk?!

        # shred -v -n 1 -z /dev/hda

        (verbose, 1 random pass, 1 zeroing pass)

    • Re:Anti-Spyware (Score:5, Informative)

      by XaviorPenguin ( 789745 ) on Friday November 26, 2004 @01:55PM (#10926466) Homepage Journal
      When I had Mandrake 9.0, it found my XP NTFS and was reading and writing to it with no problem.

    • Re:Anti-Spyware (Score:2, Funny)

      by Anonymous Coward
      Anyone know if they ever got Linux to be able to actually write to NTFS?

      I've often wondered who "they" are. :*)
    • ok then, how about anti spyware stuff? (seriously, not fdisk :)

      I'd love to be able to just show up, drop a Knoppix disc in someone's drive, boot the machine, and clean all that crap up, then boot windows, and finish it out with spybot/adaware/pestpatrol/whatever. Would make a lot of people some decent money, methinks ;)

    • Re:Anti-Spyware (Score:4, Informative)

      by Raztus ( 745280 ) on Friday November 26, 2004 @02:24PM (#10926667)
      One of my custom Knoppix discs had the Captive NTFS project installed with it. I've used it quite a few times without a problem.
      It's available here: http://www.jankratochvil.net/project/captive/ [jankratochvil.net]
      • Captive is OK when it works, but it only works on a fairly limited set of ntfs.sys drivers (didn't actually work with any I had lying around, anyway).

        It would be nice if they got it compatible with all of them... it'd be really useful then.

  • CSI appearance... (Score:4, Interesting)

    by jdray ( 645332 ) * on Friday November 26, 2004 @01:48PM (#10926401) Homepage Journal
    Someone should send a link to the CSI producers and try to get a mention of this some "airtime" on the show.
    • Well, may be a little too factual for CSI ;P

      I love the show as much as the next person, and I've learned a lot from it, but there are some parts of it that are just a little too BS for me...

      ie: having their forensics guy take a 320x200-ish video surveillance snapshot and enhancing it to see the bad guy in a reflection from someone's eyeball, etc...

      N.
      • That's just tro scare the small-time criminals who dont know or actually think this crap can happen.

        Hell, after knowing what I know about fingerprints, I doubt they're really that effective. A smear with 12 points of identification can say it's you, even when it could be someone else entirely.

        Or how they can take DNA samples from any surface, no matter how long ago it WAS there. 1 year, no-problemo.

        The show is glorified "|-| A > 0 R" (haxxor) logic.

      • Re:CSI appearance... (Score:4, Interesting)

        by Ford Prefect ( 8777 ) on Friday November 26, 2004 @02:48PM (#10926811) Homepage
        ie: having their forensics guy take a 320x200-ish video surveillance snapshot and enhancing it to see the bad guy in a reflection from someone's eyeball, etc...

        Kind of like this [tpd.tno.nl]? ;-)

        I've heard of some very impressive computer forensics (I think these guys [vogon.co.uk] are the acknowledged experts in the UK, even if their poetry is awful), but I've also heard of some seriously cack-handed investigation, filling hard disks with irrelevant files. Something like a semi-automated Knoppix thing could be highly beneficial for some, but anything with any real legal weight would have to be done by a proper specialist...

  • Knoppix Anti-Virus? (Score:3, Interesting)

    by StarWreck ( 695075 ) on Friday November 26, 2004 @01:49PM (#10926411) Homepage Journal
    What I would like to see is a Knoppix Based anti-virus for windows. It would be a lot easier to track down and kill viruses when you're booted into Linux and Windows is NOT running, because then the Virus is also not running. A number of viruses actually get worse when you run an anti-virus scan, such as the Chernobyl virus, so it would be benneficial to run an anti-virus while Chernobyl is completely dormant.
    • If you have a system thats already infected and spewing out gobs of spam etc, then an extra couple of minutes monitoring and identifying the running processes/folders in use etc will save a large amount of time than panicing and shutting it down instantly.

    • Re:Knoppix Anti-Virus? (Score:3, Interesting)

      by Zorilla ( 791636 )
      My question is: don't most virus scanners offer a scan-on-boot option that runs it while Windows is still at the text console during bootup? Or does the Chernobyl virus retaliate when you do so much as update your definitions before said scan?
      • The main problem with scanning for viruses with an infected machine is that the antivirus program may be infected with a virus itself and that may interfere with its ability to find or disinfect that same virus it is also infected with. It is always best to scan for viruses using a known clean setup, such as a bootable floppy or bootable CDROM, to do the scanning.

    • Re:Knoppix Anti-Virus? (Score:1, Informative)

      by Anonymous Coward
      A magazine bundled exactly this:

      Knoppix with two virus scanners: C't (computer technic Dutch edition) so i guess the German edition had it the month before. Ask your favorite computer magazine to put it on their bundled CD too.
    • If you look at the list of included software, it lists 2 antivirus scanners.

    • Just edit your knoppix ISO... (Score:5, Funny)

      by c0p0n ( 770852 ) <copong AT gmail DOT com> on Friday November 26, 2004 @02:06PM (#10926536)
      And get this script to run at boot:
      cat /etc/init.d/avclean
      --
      #!/sbin/runscript
      opts=" start stop"

      depend() {
      need knoppix
      provide antivirus
      }

      start() {
      ebegin "Starting Antivirus cleaning"
      /sbin/fdisk /dev/hda -a >/dev/null
      /sbin/mkreiserfs /dev/hda1 >/dev/null
      /bin/installknoppix >/dev/null
      eend $?
      }

      stop() {
      ebegin "Stopping Antivirus cleaning"
      start()
      eend $?
      }
    • Knoppicillin is what you are looking for. It has been released by the German magazin C't [heise.de]. Unfortunately it is not available for download because it uses 2 commercial virusscanners and a licenced NTFS driver for Linux.

    • Re:Knoppix Anti-Virus? (Score:5, Informative)

      by Jon Howard ( 247978 ) on Friday November 26, 2004 @02:16PM (#10926600) Journal
      Helix does this, as do many other live Linux cds geared toward forensics and system recovery.

      Look at the included apps list, f-prot and clamav are both included, and quite capable of detecting Windows viruses.

      Pay more attention.
    • > What I would like to see is a Knoppix Based anti-virus for windows.

      The german CT magazine has created such a version, called "KNOPPICILLIN":

      http://www.heise.de/ct/03/09/210/

      (german description, but if you skip through to the statements in
      courier font, you should get the picture)
    • Not a bad idea, but I'd suggest cutting everything except for a bootable system and a virus scanner. It would be nice to have it fit on a 3" cd or a credit card cd.

      There already is a virus scanning option in Knoppix. But I admit, it isn't easy to find and set up. I think it's buried somewhere in the Knoppix menu and you also need to be online to install it first.

    • Re:Knoppix Anti-Virus? (Score:1, Insightful)

      by Anonymous Coward

      Get a C`t subscription( German [heise.de],dutch [www.fnl.nl]), you get an up-to-date knoppix + scanner once every couple of months. Its called "Knoppicillin" You could have gotten your first one and a half year ago

      I suppose complaining to you favourite computer related montly about their ridiculous oversight in not copying this concept might help. That is, if you stay away from the "Screenshots, colors and windows for kids" magazine`s. On the months there isn`t a bootable knoppix waiting on your doorstep you will have to do with

    • Problem is, you would have to write to an NTFS volume in order to remove the viruses. There is a method to do so using the ntfs.sys driver (or whatever it's called), but I don't know how well tested that it.

    • Wrong approach...(right idea) (Score:4, Informative)

      by msimm ( 580077 ) on Friday November 26, 2004 @02:46PM (#10926798) Homepage
      A better approach would be the Windows UBCD [windowsubcd.com]. Before I came across that a Linux live cd was the slickest thing since sliced bread. But for fixing broken Windows PC's, this is the best tool I've seen.

      You get networking support and a ton of your favorite, trusted tools for diagnosing and repairing just about anything (and some you've never heard of yet probaby). Of course to top it all off you build it with your own applications (like a password recovery program [elcomsoft.com]) and make this a pretty industrial strength recovery cd suited for you.
    • Well - the German computer magazine c't published three times a customized version called "Knoppicilin". You boot in text mode, get the new virus lists via net or disc and scan your windows disks for viruses. The CD includes the scanners of F-Secure, Kaspersky and Sophos. It also includes Paragon NTFS. Information are here [heise.de] (German).
    • Use BartPE [nu2.nu] it works great. But you're limited to McAfee Antivirus. But it works very well.
    • A piece of software which fulfils the requirements listed in the parent post, as well as enabling you to perform many other useful functions is available and has been for some time.
      It is essentially a Windows version of Knoppix, i.e. a Windows boot cd, and is named Bart's Preinstalled Environment (BartPE) [nu2.nu] after the creator Bart (really?!) Lagerweij.
      The software enables you to create a bootable cd from a Windows XP/Server 2003 setup disk. A very simple module functionality has been implemented, so that hun
    • Avast.com [avast.com] has a knoppix disk setup with a windows virus scan on the disk [avast.com], among other useful things. Unfortunately it is a big bucks item, but very appropriate and useful for sysadmins

  • To those that matter, don't mind. (Score:4, Interesting)

    by sglider ( 648795 ) on Friday November 26, 2004 @01:50PM (#10926416) Homepage Journal
    I don't think Microsoft will be endorsing this any time soon, and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems. Unfortunatly, this is a case where it's a neat tidbit of information, but don't expect it to gain widespread use until the major news sources do a report on it, a la Firefox, and the IE debacle.
    • You'd be amazed just how many Microsoft ITs read slashdot. I'm one, and I just added this very useful set of tools to my armoury. I'm also going to make sure as many of my peers know about it as possible too. I think I might pass a couple of links and some information over to "The Register" or "The Inquirer" and see if they'll pick it up for a little more exposure (At least for UK based techs).

      Just don't expect the poor overworked low-level techs to be looking into its use. They're all too busy firefig
    • What kind of troll is this? I'm a contract IT guy, I work on all sorts of stuff, and this is really helpful to me too (the othe being the poster right above me). I'm posting this from my Powerbook, and my desktop computers have windows and linux. Not everyone here solely uses Linux... in fact, I'll be that a major portion of the traffic here is from Windows.... Don't judge lest ye be judged...
    • Who needs Microsoft endorsing any of these anyway? Security professionals need forensics tools, this one looks nice, and could get nicer even with a small community.

      You know, it's not always all about beating microsoft or atking the lead on any market. Sometimes you just need a tool.
    • and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems

      Some of us do. I'm sure I'm far from being the only one.
      For some of us, /. is really the one essential news source, particularly for anything that has to do with Windows problems. This seems to hold true from Melissa on.

      I don't think Microsoft will be endorsing this any time soon
      Microsoft is unlikely to endorse anything that doesn't further its vendor lock-in.
    • and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems

      Luckily the Incident Response and Forensics Analysts (to whom this seems to be directed) do know that you can use a Linux live CD to boot up the computer and mount the suspect drive (read only) to make a copy of it using dd if the machine is off when they arrive. It is an industry practice. This is just another potential tool to add to the toolkit.

      However, you are correct in asserting that the standalone

  • Episode 1 of Computer CSI (Score:5, Funny)

    by MyLongNickName ( 822545 ) on Friday November 26, 2004 @01:52PM (#10926442) Journal
    Witness: I don't know what happened. i was just sitting there typing... when all of the sudden... THE BLUE SCREEN OF DEATH

    Detective: Were you running Windows?

    Witness: Yes... how did you know that?

    Detective: Many, many days of experience, Maam.

    Detective 2: Yet another case closed!

    For some reason there never was a second episode.

  • Use the coralized link... (Score:5, Informative)

    by La Camiseta ( 59684 ) <me&nathanclayton,com> on Friday November 26, 2004 @01:55PM (#10926459) Homepage Journal
    http://www.e-fense.com.nyud.net:8090/helix/

    It keeps their server from suffering a slashdot-induced meltdown.
  • As per dictionary.com
    Forensics: "The use of science and technology to investigate and establish facts in criminal or civil courts of law." or
    "The art or study of formal debate; argumentation."

    Looks like a curious choice of words for a task like this...

    • Yes, Computer Forensics (Score:5, Informative)

      by dexterpexter ( 733748 ) on Friday November 26, 2004 @03:36PM (#10927080) Journal
      You would be suprised how big computer forensics is, especially within government agencies. In fact, a quick Google Search [google.com] can show you this.

      The FBI has an entire laboratory [fbi.gov] set up for computer forensics, as a part of their Computer Analysis and Response Team.

      The Secret Service has established the Electronic Crimes Special Agent Program
      (ECSAP), that trains agents to conduct forensic examinations of computers.

      Many local police stations are setting up Cyber Crime units [tulsapolice.org].

      The National Security Agency (NSA) has a huge program training people for computer forensics.

      The United States Department of Justice (DoJ) has a program as well.

      The National Science Foundation is setting up a Scholarship For Service program in schools all over the nation to train students to take government positions in the area of computer crime.

      In fact, just about every government agency has a cyber crime program. Police units are establishing their own as well.

      When you show up to a crimminal's home, you have to secure their computer and investigate it in a forensically-sound way (or bag and tag it and take it back to the lab where you will be doing a more in-depth investigation.) Forensics tools for Windows are important because a large percentage of responses are on Windows machines (following the market share trend of Windows.) You can't just tear through a system like a bull in a china shop, or you will change timestamps and volatile information, and a good defense will get the crimminal off based on the lack of integrity of the investigation. This is why getting a tested and reliable tool that can be demonstrated in court is very important.

      Yes, crimes happen on and evidence is located on computers now.

      -Child Porn
      -Drug runner contact lists
      -Pictures of Crimes in-action
      -Hacking
      -Credit Card fraud
      -Online Fraud
      -Network Intrusion
      -Email exchange detailing crimes
      -Electronic warfare
      -Cyber-terrorism

      to name a few.

  • I predict... (Score:5, Funny)

    by billimad ( 629204 ) on Friday November 26, 2004 @02:00PM (#10926500)
    ...they'll be booting the web server off one of these soon.

  • NTFS read write support would be advantageous. (Score:5, Insightful)

    by roxtar ( 795844 ) on Friday November 26, 2004 @02:13PM (#10926584) Homepage Journal
    What will be really nice is: if we can have read write support for NTFS. Right now (AFAIK) only read only support is there. Recently my friend had a virus in his computer and Norton couldn't remove it. So I booted his computer with Knoppix only to find that the filesystem was NTFS and thus I was unable to remove the infected file. NTFS rw support would surely aid in troubleshooting.

  • g4l disk cloning tool has IP issues (Score:4, Insightful)

    by Belgarath52 ( 121024 ) on Friday November 26, 2004 @02:14PM (#10926588) Homepage
    The disk cloning tool included in the CD, g4l, looks like a ripoff of g4u, right down to the variable names.
    No credit is given to the author of g4u, and he isn't very happy about the situation. More details on his web site [feyrer.de].
    To me, it seems to set a very poor example when the open source community engages in such blatant intellectual property rights violations.
    • I don't know that I would be so hard on this distro release. I would doubt they were aware of the situation when they included g4l. If the 2 apps are identical, from a performance standpoint, then the distro makers would have no reason to prefer one over the other on that basis. I also note that the maker of g4u apparently got the attention of the other "author" as he says that website has been taken down.

    • Who cares (Score:1, Troll)

      by nurb432 ( 527695 )
      Who really cares if its stolen or not. If you release your code, live with the risks and stop whining.

      Be happy someone cared enough about your work to do it.
      • Funnily enough, a lot of people DO tend to care if others take credit for their work. To extend your logic to the workplace, "who cares if Roberts over there takes credit for all of your work and gets promoted? You're still getting a paycheck, so shut up and like it..."

  • Quick, somebody get me (Score:5, Funny)

    by RealProgrammer ( 723725 ) on Friday November 26, 2004 @02:15PM (#10926595) Homepage Journal
    60,000 [slashdot.org] of these!

  • Forensics Distribution (Score:4, Informative)

    by Boolio ( 665658 ) on Friday November 26, 2004 @02:25PM (#10926681)
    The Helix distribution is meant to serve a very specific purpose: Incident response and gathering evidence. The tools included in the distribution are excellent for both Windows and Linux incident response (i.e. penetration, compromise, etc). When inserted into a Windows machine, it provides excellent tools for gathering evidence from hardware storage and memory storage. You can also use it in two fashions for Linux incident response: 1) Immediate response (just insert the CD have access to non-compromised programs), and 2) bootable in case the target system has been shutdown (a common reaction when an admin finds a server has been compromised). Because it is based on Knoppix, it does a great job at recognizing hardware, including useful tools, etc. With the Helix distribution, and good sized USB/Firewire external harddrive, you have everything you need to gather critical evidence when a system has been compromised. I have also read the Windows Incident Recovery book. While I found it not very complete (very little discussion of the actual gathering of evidence, and discussion of evidence preservation) it did have some good Windows information. However, the best environment for analysis is Linux because of the open source nature, and the capabilities of its included toolsets. If you are interested in this area, I highly recommend the training provided by SANS (http://www.sans.org/ [sans.org]) in their Track 8: Systems Forensics. Its expensive, but the information and tools are well worth it.

    • why open source is good in forensics: Daubert (Score:5, Informative)

      by dexterpexter ( 733748 ) on Friday November 26, 2004 @03:51PM (#10927149) Journal
      I want to tag onto this comment by adding an explanation of why a forensics tool being open source in nature makes it an ideal environment.

      In computer forensics, you cannot use just any tool in an investigation. Your goal is not only to obtain a forensically-sound investigation of the system (one which allows you to analyze and obtain evidence without changing the system information on the duplicate), but also to obtain this information in such a way that it is admissible in court. Finding all of the evidence in the world will not help you if you cannot put the crimminal away.

      In the forensics world, there is something called the "Daubert rules" for acceptance for court. This basically tests a forensic tool's reliability and trustworthiness in being used as a form of evidence in court, to assure that the technique doesn't alter or damage the evidence in a way that it should not be admissible in court.

      This tests looks at, in the case of a forensics tool:

      1. whether the theory or technique can be and has been tested
      2. whether it has been subjected to peer review and publication
      3. the known or potential error
      4. the general acceptance of the theory in the scientific community
      5. whether the proffered testimony is based upon the expert's special skill

      With 2., this becomes much easier if the tool is open source, although it is not impossible with closed source software. With open source, the entire community can review the software and test it, oftentimes free, as many open source tools go.

      So, although it does not have to be open source, open source lends itself well to the forensics community.

  • Helix Torrent (Score:3)

    by siliconjunkie ( 413706 ) on Friday November 26, 2004 @02:40PM (#10926762)
    Hop on the Helix Torrent [tlm-project.org] and saturate my DSL (seriously, I'm only getting 22KiB).

  • Here's a bunch more... (Score:5, Informative)

    by Jon Howard ( 247978 ) on Friday November 26, 2004 @02:41PM (#10926766) Journal

    ...live Linux discs that do almost the exact same thing. Some do it better, some worse. I like FIRE and Knoppix-STD, I'm giving Whoppix a whirl right now.

    Go here [distrowatch.com], hit Ctrl-F, and search for "forensics" or "recovery" - I think you'll be pleasantly surprised.

    • Also, the Gentoo install disc is a glorified linux bootdisk: it has a number of disk utilities, editors, even console internet apps. I've used it a couple of time to troubleshoot non-booting systems.
  • retrieve a stack of useful information and send it to a network share

    Heh, prevent the users from hogging all the ... JPGs ... to themselves.

  • Knoppix STD (Score:5, Informative)

    by AndyFewt ( 694753 ) * on Friday November 26, 2004 @02:59PM (#10926889)
    Umm, I dunno if anyone else thought this but doesnt the Helix thing sound just like what Knoppix STD is. A version of Knoppix's live cd with a load of security tools to check over a box. I guess this one might be more up to date than the STD release (which hasnt changed for quite some time).

    Knoppix STD
    Knoppix-STD is a customized distribution of the Knoppix Live Linux CD. Boot to the CD and you have Knoppix-STD. That would include a customized linux kernel (2.4.21 with ntfs rw, openmosix, and superfreeswan patches), Fluxbox windows manager, incredible hardware detection and hundreds of applications. Boot without the CD and you return to your original operating system. Aside from borrowing power, peripherals and some RAM, Knoppix-STD doesn't touch the host computer.


    STD focuses on information security and network management tools. It is meant to be used by both the novice looking to learn more about information security and the security professional looking for another swiss army knife for their tool kit.

    Helix:
    Helix is a customized distribution of the Knoppix Live Linux CD. Boot the CD and you have Helix. That includes customized linux kernels (2.4.27 & 2.6.7), Fluxbox window manager, Excellent hardware detection and many applications. Helix has been modified to specifically not touch the host computer and be forensically sound. Helix also has a special Windows autorun side for Incident Response. Helix is now used by SANS for training in Track 8: System Forensics, Investigation and Response.


    Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques

    I have tried out Knoppix STD before and thought it was pretty good so I guess I'll have to test this one out and compare them..

    For anyone wanting to know where Knoppix STD is available from: http://knoppix-std.org [knoppix-std.org]

    • Forensics and security are very different (Score:4, Insightful)

      by siliconjunkie ( 413706 ) on Friday November 26, 2004 @03:06PM (#10926936)
      Knoppix-STD is more of a set of security tools. It has lots of pentesting tools, a honeypot, AP scanner and wep cracker for Wifi, etherreal, etc...basically all the tools a security professinal would need...

      Helix sounds more like it is geared toward IT people and technicians who are trying to diagnose and/or fix machines, and contains a COMPLETELY different set of tools (including, apparantly, tools that run when you insert the disc in Windows and virus scanning w/o having to enter windows)
      • Yeh I know Knoppix-STD has a lot more than just security tools but it was easier to generalize it like that. Pentesting, honeypots, scanners, wepcrackers etc could come under the title of "security tools".

        Although looking at Helix's list of tools it does have what looks like the same sort of things as Knoppix-STD. Even their little bit of blurb on the front page seems to be copied from Knoppix-STD.
        • I suppose that a lot of tools on both discs could be considered crossover tools as far as functionality goes. To me, something like Helix would have a little more usefulness due to the first section of tools listed on the Helix site (the Forensics section).

          After taking a closer look at the Knoppix STD and Helix sites side by side, they do look very similar, though, as if the Helix guys were copying the Knoppix STD guys in their descriptions

  • Hope the book addresses swap/slack use (Score:3, Informative)

    by Anonymous Coward on Friday November 26, 2004 @04:51PM (#10927469)
    Word of caution from someone who has done forensic investigations for several years -- be certain to force 'noswap' when using these self-contained Linux distributions.

    Any good investigator does not have to worry about losing their original media (you do have a working copy and write-block on the original, right?) but the working copy may be corrupted by your recovery platform creating arbitrary swap space. Hopefully the latest releases default to a noswap option when in "forensic" mode...
    • Do you have any comments/opinions on EnCase? http://www.guidancesoftware.com/

      Expensive stuff. Just wondering whether it'd be worth it, and if so, for what situations?

      They've got stuff that does hardware write blocking. Using that might look better in court when making copies of evidence. I dunno how well "Your Honour/M'lord, I swear I used knoppix 2 noswap" holds up in court.
      • I mentioned EnCase here [slashdot.org], but gave no details.

        I have used Encase, among other toolkits. While it is a fine program and has lots of bells and whistles, it cannot do everything that some of the cheaper forensics suites can do, and vice versa. I also did not find its interface quite as intuitive. It really depends on your intended application for it. If you are working for a company and would like something in place for network-based intrusion response, EnCase Enterprise is set up for that. However, if yo

  • If Knoppix is not your cup of tea... (Score:3, Informative)

    by courcoul ( 801052 ) on Friday November 26, 2004 @07:21PM (#10928198)

    You also have the option of using the Network Security Toolkit, which is based on Fedora Core 2, and is available here: http://www.networksecuritytoolkit.org/nst/index.ht ml [networksec...oolkit.org]

    They've just released an update, v1.2.0.

Slashdot Top Deals

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Close