Using Helix Live CD For Security Forensics - PowerPoint PPT Presentation

Slides: 16. Provided by: doncm.

Transcript and Presenter's Notes

1
Using Helix Live CD For Security Forensics
  • Huba Leidenfrost
  • Information Technology Services

2
OUTLINE
  • Introduction
  • Tour of Helix
  • Practical demos
  • Answer questions
  • More info

3
DISCLAIMER
  • Forensics is an area where legal issues and
    technology overlap
  • Always seek competent legal counsel
  • Nothing presented here is intended to be
    construed as legal advice

4
GOALS
  • Take a copy of HELIX home
  • Know how to apply HELIX to a real world problem
  • How to acquire a forensic image
  • Spark interest in HELIX

5
COMPUTER FORENSICS
  • Latin forensis / forum: belonging to, used in or
    suitable to courts of judicature or to public
    discussion and debate (Webster)
  • Using accepted methods and procedures to properly
    seize, safeguard and analyze data (Kroll Ontrack)

6
TOUR OF HELIX
  • What exactly is HELIX?
  • A customized Knoppix Live Linux CD by the folks at
    http://www.e-fense.com/helix
  • Why HELIX and not some other tool?
  • Built not to touch the system you are investigating
  • Both Windows and Linux tools on one CD
  • Highly recommended; the price is affordable

7
Windows Tour
  • Boot the HELIX windows side
  • Issues you may face
  • AV products detecting hacker tools on CD
  • Won't auto-run
  • Not running as administrator
  • Navigating the menus

8
UNIX Tour
  • Boot the HELIX UNIX side
  • Issues you may face
  • Where do you write data you find?
  • Never used UNIX before?
  • Setting the date/time
  • Mounting or unmounting file systems

9
PRACTICAL DEMOS
  • Capture a logical drive image
  • Remotely gather forensic data
  • Perform a check for rootkits
  • Run a full AV scan
  • Execute a saved passwords audit
  • Look for all images on a hard drive
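The first two demos (capture a drive image, gather data remotely) come down to the same acquisition step. As an added example, not code from the presentation or from e-fense, here is that step as a POSIX shell script: dd copies the source sector by sector, source and image are both hashed, and the hashes are written to a log so the copy can be re-verified before and after analysis. It assumes dd and sha256sum (or shasum) are available, as they are on the Helix Linux side; the device paths in the comments and the 32 KiB sample "disk" it images at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Helix presentation: raw acquisition with dd plus
# hash verification. On a Helix boot you would run it as root against the
# suspect device, writing to a separate, labelled evidence volume, e.g.
#   acquire_image /dev/sda1 /mnt/evidence/sda1.dd /mnt/evidence/sda1.log
# Assumes POSIX sh, dd, and sha256sum (or shasum as a fallback).

hash_file() {
    # SHA-256 of one file; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    src=$1; dst=$2; log=$3
    # bs=512 matches the sector size: conv=noerror,sync keeps reading past bad
    # sectors and zero-fills them so offsets in the image still line up with
    # the source, and a 512-byte block never pads a device whose size is a
    # whole number of sectors (a plain file of odd length would be padded).
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")   # note: a second full read of the source
    dst_hash=$(hash_file "$dst")
    {
        echo "date:           $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:         $src"
        echo "image:          $dst"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $dst_hash"
    } >> "$log"
    # Fail if the image does not match what was read from the source.
    [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    # Recompute the image hash and compare it with the value recorded at
    # acquisition time; this is the check to run before and after analysis.
    img=$1; log=$2
    recorded=$(grep '^sha256(image):' "$log" | tail -n 1 | awk '{print $2}')
    [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]
}

# Offline demonstration on a constructed 32 KiB "disk" (64 sectors of random
# bytes) so the script runs without a real device.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/suspect.raw" bs=512 count=64 2>/dev/null
if acquire_image "$work/suspect.raw" "$work/suspect.dd" "$work/suspect.log"; then
    echo "acquired and verified: $work/suspect.dd"
fi
if verify_image "$work/suspect.dd" "$work/suspect.log"; then
    echo "image hash matches the log"
fi
```

Two practical points follow from the script. Hashing the source means the evidence device is read twice, which is slower but is what lets you show the image equals the device as it was at acquisition; and the log must live on the evidence partition (slide 13's separate partition), never on the suspect disk. For the remote-gathering demo the same dd stream is sent across the crossover cable or switch with netcat instead of written to a local file, and the hash comparison is then done on the forensic machine.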

10
Questions?
11
More information
  • HELIX Manual: Helix 1.7 for Beginners (337 pages!)
  • HELIX Homepage: http://www.e-fense.com/helix/
  • HELIX Users forum:
    http://www.e-fense.com/helix/forum/index.php
  • SANS System Forensics, Investigation and Response
    class (SANS Security 508)

12
Forensic books
  • Carrier, B. (2005). File System Forensic Analysis. Boston, Mass.; London: Addison-Wesley.
  • Carvey, H. A. (2005). Windows Forensics and Incident Recovery. Boston: Addison-Wesley.
  • Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (2nd ed.). Amsterdam; Boston: Academic Press.
  • Farmer, D., Venema, W. (2005). Forensic Discovery. Upper Saddle River, NJ: Addison-Wesley.
  • Jones, K. J. (2005). Real Digital Forensics: Computer Security and Incident Response. Indianapolis, IN: Addison-Wesley Professional.
  • Prosise, C., Mandia, K. (2003). Incident Response and Computer Forensics (2nd ed.). New York, NY: McGraw-Hill/Osborne.
  • Schweitzer, D. (2003). Incident Response: Computer Forensics Toolkit. Indianapolis, IN: Wiley.
  • Solomon, M., Barrett, D., Broom, N. (2005). Computer Forensics JumpStart. San Francisco: Sybex.
  • Vacca, J. R. (2005). Computer Forensics: Computer Crime Scene Investigation (2nd ed.). Hingham, Mass.: Charles River Media.
  • List from p. 11 of the Helix Guide for Beginners 1.7.

13
Setting up your own home lab
  • Get a copy of Counter Hack by Ed Skoudis
  • Get 2 computers running Windows 2000 or XP with
    a network connection between them, either a
    cheap Linksys/D-Link/Netgear switch or just a
    crossover cable. Label one computer Suspect
    and label the other Forensic.
  • Get VMware and build guest OSs for use with Ed's
    course and forensic work.
  • Experiment with disk imaging (use floppies or
    create small partitions), so small hard drives
    (2-4 GB or smaller), easily found from friends or
    surplus sales, are all you need.
  • On the forensic system, partition it so you have
    an OS partition and a separate partition for
    collected evidence.
  • Play. Hack yourself. Image. Analyze. Rinse,
    repeat.
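The "Analyze" step above and the "look for all images on a hard drive" demo from slide 9 both need a search that does not trust file names: a suspect can rename photo.jpg to notes.dat. As an added example, not code from the presentation or from e-fense, the script below identifies images by their leading bytes (the file signature) instead of their extension. It assumes POSIX sh, find and od; the sample files it creates at the end are constructed for the demonstration, and in practice you would point find_images at a read-only mounted copy of your evidence image.

```shell
#!/bin/sh
# Added example, not from the Helix presentation: find image files by their
# leading bytes (file signature) instead of their extension, so a photo
# renamed to .dat or .tmp is still reported. In practice point it at a
# read-only mounted copy of the evidence image. Assumes POSIX sh, find, od.

image_type() {
    # Print jpeg/png/gif/bmp for a file whose first bytes carry that
    # signature; return 1 (printing nothing) otherwise.
    sig=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case $sig in
        ffd8ff*)            echo jpeg ;;   # JPEG SOI marker ff d8 ff
        89504e470d0a1a0a)   echo png  ;;   # \x89PNG\r\n\x1a\n
        474946383[79]61*)   echo gif  ;;   # GIF87a / GIF89a
        424d*)              echo bmp  ;;   # "BM" (weak: only two bytes)
        *)                  return 1 ;;
    esac
}

find_images() {
    # Walk a tree and print "type path" for every file with an image signature.
    find "$1" -type f | while IFS= read -r f; do
        t=$(image_type "$f") && echo "$t $f"
    done
}

# Offline demonstration on constructed files: one honest .jpg, one PNG hiding
# behind a .dat extension, and a text file that must not be reported.
work=$(mktemp -d)
printf '\377\330\377\340\000\020JFIF' > "$work/photo.jpg"
printf '\211PNG\r\n\032\n' > "$work/report.dat"
printf 'just some notes\n' > "$work/notes.txt"
find_images "$work"
```

The BMP rule shows the limit of the technique: a two-byte signature will also match unrelated files that happen to start with "BM", so treat a hit as a candidate to open, not as proof. The same case statement extends to any other format whose header you know, and it finds only files the file system still lists; deleted pictures need carving of unallocated space, which is a separate step.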

14
Hubas 2006 forensic challenge
  • Analyze the next zip file or executable
    attachment you receive that is not detected by
    your AV product (example: invoice.zip), or one
    executable from a hacked PC.
  • Your forensics environment should be a laptop
    running Linux in VMware so you don't infect your
    main system. (You can run HELIX in VMware.)
  • Best one-page analysis submitted by 12/30/06 wins
    a long-sleeve CSAD shirt and fame.
  • Email submissions to security@uidaho.edu with a
    subject of Forensic Challenge.

15
My contact information
  • Huba Leidenfrost
  • huba@uidaho.edu
  • 208.885.2126