Exploring Helix


Helix has two claims to fame: a sharp focus on Incident Response and Forensics, and that it is used by the world famous SANS (SysAdmin, Audit, Network, Security) Institute during training in "System Forensics, Investigation, and Response." Because it's used by SANS, Helix is kept up to date; as of this writing, the latest release is March 2005.

Helix has been carefully calibrated so that it does not touch the host computer in any way, leaving the machine and its contents forensically sound. In other words, Helix does not automount the host machine's swap space (which the kernel would otherwise start writing to as soon as it booted), and it does not automount devices such as hard drives and USB flash drives. It is still worth confirming this yourself right after booting, before you do anything else: run mount and look at /proc/swaps, and if you do need a host partition mounted, mount it read-only.
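As an added illustration (this is not code from the book or from Helix), here is a small Python script that checks the claim above from inside a booted session: it parses /proc/mounts and /proc/swaps and reports any host disk that is mounted read-write or active as swap. The device names treated as the live media (/dev/hdc, /dev/sr0, /dev/cdrom) and the two sample tables near the bottom are assumptions constructed for the example; on a real box audit_live_system() reads the kernel's own files.

```python
"""Forensic-soundness check for a live-CD session.

Parses /proc/mounts and /proc/swaps (text the kernel maintains) and flags
any host disk that is mounted read-write or in use as swap.  Added example;
not part of Helix or of the book.
"""
import re

# Devices that belong to the live environment itself; an assumption, edit per box.
LIVE_MEDIA = {"/dev/cdrom", "/dev/hdc", "/dev/sr0"}

# IDE/SATA/NVMe disks and partitions: /dev/hda1, /dev/sdb, /dev/nvme0n1p2 ...
HOST_DEV_RE = re.compile(r"^/dev/(hd[a-z]|sd[a-z]|nvme\d+n\d+)(p?\d+)?$")


def parse_mounts(text):
    """Return (device, mountpoint, fstype, options) tuples from /proc/mounts text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            dev, mnt, fstype, opts = parts[:4]
            rows.append((dev, mnt, fstype, set(opts.split(","))))
    return rows


def parse_swaps(text):
    """Return the device column of /proc/swaps text, skipping the header row."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.split()]


def audit(mounts_text, swaps_text):
    """Return a list of findings; an empty list means no host disk is being written."""
    findings = []
    for dev, mnt, fstype, opts in parse_mounts(mounts_text):
        if dev in LIVE_MEDIA or not HOST_DEV_RE.match(dev):
            continue                      # pseudo filesystems and the CD itself
        if "rw" in opts:
            findings.append(f"{dev} mounted read-write at {mnt} ({fstype})")
        # read-only mounts of host disks are acceptable and are not reported
    for dev in parse_swaps(swaps_text):
        if HOST_DEV_RE.match(dev):
            findings.append(f"{dev} active as swap; the kernel will write to it")
    return findings


# Constructed sample tables (not captured from a real Helix session).
SAMPLE_MOUNTS_CLEAN = (
    "rootfs / rootfs rw 0 0\n"
    "/dev/hdc /cdrom iso9660 ro 0 0\n"
    "proc /proc proc rw,nodiratime 0 0\n"
    "tmpfs /ramdisk tmpfs rw 0 0\n"
)
SAMPLE_MOUNTS_DIRTY = SAMPLE_MOUNTS_CLEAN + "/dev/hda1 /mnt/hda1 ext3 rw 0 0\n"
SAMPLE_SWAPS_EMPTY = "Filename\tType\tSize\tUsed\tPriority\n"
SAMPLE_SWAPS_DIRTY = SAMPLE_SWAPS_EMPTY + "/dev/hda2 partition 524280 0 -1\n"


def audit_live_system():
    """Run the audit against the real kernel tables (Linux only)."""
    with open("/proc/mounts") as m, open("/proc/swaps") as s:
        return audit(m.read(), s.read())


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS_DIRTY, SAMPLE_SWAPS_DIRTY):
        print("WARNING:", finding)
```

Run it once right after the desktop comes up and again before you shut down; a clean result both times is what you want in your notes next to the image hashes.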

Another cool feature of Helix is that it contains a lot of neat tools for working with Windows computers in addition to the infinitude available for *nix boxes. Getting Helix is easy: Just head over to http://www.e-fense.com/helix/downloads.php and grab the ISO image using HTTP, FTP, or BitTorrent. Burn the ISO image to a CD, boot your computer with it, and you're ready to use Helix.

Helix uses the Xfce window manager (yes, yet another window manager; remember, no one said that consistency was an overriding goal of these different distros). A taskbar along the top of your screen displays open applications and files, while the bottom contains the Xfce menu, which is a Start-like menu; a clock; various system diagnostic tools; and links to common programs.

Tip 

For some reason, the default color scheme for Konsole in Helix produces unreadable text. The solution is to select Settings → Schema and change from Transparent, Dark Background to White on Black. Ah, much better!

If you need more aid with Xfce, select Xfce Help for an HTML-based manual that covers all of the basics and then some.

Helix comes with hundreds of extremely useful security tools (the full list is at http://e-fense.com/helix/contents.php), organized into the following categories:

  • Incident response and forensics

  • Network utilities

  • Servers

  • Packet sniffers and assemblers

  • Vulnerability assessment

  • Wireless tools

Keep in mind that many tools run via the command line, so they won't show up on the Xfce menu. Check out the complete list of software, and then investigate everything that interests you. It's a feast, so dig in, and don't worry about being gluttonous. The next few sections discuss some of the available tools.

Imaging a Hard Drive with GRAB

When you're performing a forensic analysis of a compromised machine, one of the first things you usually need to do is make an image of the hard drive that you can examine. Although the command-line tool dd can be used, GRAB — a program created by e-fense, the developers of Helix — has several nice features, including the following, which are listed in the Helix manual:

  • Autodetection of IDE and SCSI drives, CDROMs, and tape drives

  • Choice of using either dd, dcfldd, or sdd

  • Image verification between source and copy via MD5 or SHA1

  • Image compression/decompression via gzip/bzip2

  • Image over a TCP/IP network via Netcat/Cryptcat, or SAMBA (NetBIOS)

  • Support for SCSI tape drives

  • Wiping (zeroing) drives or partitions

  • Splitting images into multiple segments

  • Detailed logging with date/times and complete command line

To start GRAB, just click the program's icon, located on the Xfce panel at the bottom of your screen. Once it opens (see Figure 8-4), you'll see that GRAB isn't hard to use at all.

Figure 8-4: GRAB gives you a simple way to image a hard drive.

In particular, GRAB makes it easy to copy your disk image over a network to another machine. Remember that Netcat sends the image in the clear, so use the Cryptcat option (or a trusted cable between the two boxes) if anyone else can see the wire, and compute the hash on the receiving side as well so you know the copy survived the trip. For more details about this feature, and many of the other nice things that GRAB can do for you, refer to the Helix manual, available at http://e-fense.com/helix/HELIX-Manual.pdf.
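To make the feature list above concrete, here is the dd/dcfldd workflow that GRAB wraps, written out in Python as an added example (it is not GRAB's code): read the source in fixed-size chunks, hash every byte as it passes, split the output into numbered segments, log the timestamps and command line, and then verify the segments against the source hash. The demo images a constructed 1,000,000-byte file that stands in for a device such as /dev/hda, and it also corrupts one byte afterwards to show that verification catches it; the file names and segment size are the example's own choices.

```python
"""Bit-for-bit imaging with on-the-fly hashing, segment splitting,
verification and logging: the dd/dcfldd workflow that GRAB wraps,
written out in Python as an added example (not GRAB's own code).
"""
import hashlib
import os
import sys
import tempfile
import time

CHUNK = 64 * 1024  # bytes read per iteration, the role of dd's bs=


def image_device(source, dest_prefix, segment_size, log_path):
    """Copy `source` (a block device such as /dev/hda, or any file) into
    dest_prefix.000, .001, ... of at most segment_size bytes each, hashing
    every byte as it passes.  Returns (md5, sha1, segment_paths, total_bytes)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, total, out, room = [], 0, None, 0
    started = time.strftime("%Y-%m-%d %H:%M:%S")
    with open(source, "rb") as src:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            total += len(chunk)
            while chunk:                       # a chunk may straddle a segment boundary
                if room == 0:
                    if out:
                        out.close()
                    path = f"{dest_prefix}.{len(segments):03d}"
                    out = open(path, "wb")
                    segments.append(path)
                    room = segment_size
                piece, chunk = chunk[:room], chunk[room:]
                out.write(piece)
                room -= len(piece)
    if out:
        out.close()
    # GRAB-style log: timestamps, the complete command line, and the hashes.
    with open(log_path, "a") as log:
        log.write(f"[{started}] started: {' '.join(sys.argv)}\n")
        log.write(f"[{time.strftime('%Y-%m-%d %H:%M:%S')}] finished: {source} -> "
                  f"{len(segments)} segment(s), {total} bytes\n")
        log.write(f"md5 {md5.hexdigest()}\nsha1 {sha1.hexdigest()}\n")
    return md5.hexdigest(), sha1.hexdigest(), segments, total


def verify_image(segments, expected_sha1):
    """Re-read the segments in order and compare against the source hash."""
    h = hashlib.sha1()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
    return h.hexdigest() == expected_sha1


def demo():
    """Image a constructed 1,000,000-byte 'disk' into 300,000-byte segments,
    verify, then corrupt one byte of a segment and verify again."""
    work = tempfile.mkdtemp()
    disk = os.path.join(work, "evidence.dd")        # constructed stand-in for /dev/hda
    with open(disk, "wb") as f:
        f.write(os.urandom(1_000_000))
    md5, sha1, segs, total = image_device(disk, os.path.join(work, "image"),
                                          300_000, os.path.join(work, "grab.log"))
    ok_before = verify_image(segs, sha1)
    with open(segs[-1], "r+b") as f:                 # flip one byte in the last segment
        f.seek(10)
        b = f.read(1)
        f.seek(10)
        f.write(bytes([b[0] ^ 0xFF]))
    ok_after = verify_image(segs, sha1)
    with open(disk, "rb") as f:
        source_md5 = hashlib.md5(f.read()).hexdigest()
    return {"segments": len(segs), "total": total, "verified": ok_before,
            "verified_after_tamper": ok_after, "md5_matches_source": md5 == source_md5}


if __name__ == "__main__":
    print(demo())
```

In a real acquisition you would also hash the device itself in a separate pass, before and after imaging, rather than trusting only the hash computed during the copy; that is what GRAB's "image verification between source and copy" line refers to.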

Finding All the Images on a Drive with Retriever

Helix comes with Retriever, a tool unique to this distro, which finds certain kinds of files and gathers them together so that you can look them over at your leisure. To start the program, just click the Retriever icon (which looks like a close-up of a dog's nose) on the Xfce panel. When it opens, you're immediately given more details about the program. Just click OK to close that alert. Next you choose where Retriever should put the files it finds when it scans the hard drive: on a USB flash drive, or in /images/retriever, a hard-coded path. If you choose the latter, Retriever does not actually copy the files, but simply creates soft links pointing back to the files it finds. Choosing /images/retriever makes things easy.

Caution 

No matter what you choose, make sure you have enough storage, whether on the USB drive or in RAM, to hold everything that Retriever discovers.

Now choose where you want Retriever to look. For this example, a test directory called /mnt/hda2/rsgranne/retriever_test was created and populated with files of the following types: .jpg, .doc, .xls, .pdf, and .avi. Once the partition holding retriever_test (or whatever your directory is named) is mounted, ideally read-only, you can point the program at it.

Finally, you select the kinds of files you want to find, as shown in Figure 8-5.

Figure 8-5: What kinds of files do you want Retriever to find today?

Retriever will look for images, movies, office documents, and email. Make your choice, click OK, and Retriever begins to work.

Note 

Retriever doesn't depend on file extensions, which can be completely off base (a renamed .jpg is still a JPEG), but instead looks at the file's contents (equivalent to using the file command, which checks the header bytes) to determine what kind of file it's examining. Unfortunately, Retriever doesn't yet look for files that have been deleted, but that's supposedly coming in a future release.

When a file is found, Retriever lists it in a results window, and also displays a thumbnail of any images in the file manager. Once it completes its task, you can view what it has found (see Figure 8-6).

Figure 8-6: Retriever displays its finds.

If you had Retriever copy everything to a USB flash drive, you now possess exact copies of the files that Retriever located, which you can examine at any time. As you can see, Retriever is quite useful now, and it should continue to improve as the Helix developers work on it further.
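The Note above says Retriever classifies by content rather than by extension; as an added example (not Retriever's own code), here is that idea in Python: a walker that reads the first bytes of each file, matches them against a small table of magic numbers, and gathers the hits either as soft links (the /images/retriever behaviour) or as copies with timestamps preserved (the USB-drive behaviour). The signature table, the category names and the constructed test tree in demo(), where several files carry misleading extensions, are the example's own assumptions.

```python
"""Retriever-style file finder: classify files by header bytes (magic
numbers) rather than by extension, then gather the hits as symlinks or
copies.  Added example; not Retriever's own code.
"""
import os
import shutil
import tempfile

# (category, offset, magic).  Categories follow Retriever's menu; the
# signature table is the example's own and covers a handful of formats.
SIGNATURES = [
    ("image",  0, b"\xff\xd8\xff"),                       # JPEG
    ("image",  0, b"\x89PNG\r\n\x1a\n"),                  # PNG
    ("image",  0, b"GIF87a"),
    ("image",  0, b"GIF89a"),
    ("movie",  8, b"AVI "),                               # RIFF....AVI (RIFF checked below)
    ("office", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # OLE2 container: .doc/.xls/.ppt
    ("office", 0, b"%PDF-"),
    ("email",  0, b"From "),                              # mbox mailbox
]


def identify(path):
    """Return the category of `path` judged from its first bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(16)
    for category, offset, magic in SIGNATURES:
        if head[offset:offset + len(magic)] != magic:
            continue
        if magic == b"AVI " and head[:4] != b"RIFF":
            continue
        return category
    return None


def retrieve(root, wanted, dest, link=True):
    """Walk `root` without following symlinks, keep files whose header puts
    them in a `wanted` category, and gather them under dest/<category>/ as
    symlinks or as copies (copy2 keeps modification times).  Returns
    {source_path: category}."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            src = os.path.join(dirpath, name)
            if os.path.islink(src):
                continue
            category = identify(src)
            if category in wanted:
                outdir = os.path.join(dest, category)
                os.makedirs(outdir, exist_ok=True)
                target = os.path.join(outdir, f"{len(found):04d}_{name}")
                if link:
                    os.symlink(os.path.abspath(src), target)
                else:
                    shutil.copy2(src, target)
                found[src] = category
    return found


def demo():
    """Build a constructed test tree (like the book's retriever_test) in
    which extensions lie about content, run retrieve(), and return
    {basename: category} for the hits."""
    root, dest = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {                                   # constructed, not real evidence
        "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 20,        # real JPEG header
        "hidden.dat":  b"\xff\xd8\xff\xe1" + b"\x00" * 20,        # JPEG with a bland name
        "report.txt":  b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",          # PDF hiding as .txt
        "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "clip.avi":    b"RIFF\x00\x00\x00\x00AVI LIST",
        "fake.jpg":    b"just some text, not an image\n",          # wrong extension
        "readme.txt":  b"plain text\n",
    }
    os.makedirs(os.path.join(root, "sub"))
    for name, data in samples.items():
        folder = os.path.join(root, "sub") if name == "hidden.dat" else root
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    hits = retrieve(root, {"image", "movie", "office"}, dest)
    return {os.path.basename(p): c for p, c in hits.items()}


if __name__ == "__main__":
    for name, category in sorted(demo().items()):
        print(f"{category:7s} {name}")
```

Like Retriever, this only sees files the filesystem still lists; deleted data needs a carving pass over the raw image, which is a different job.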

Working on a Live Windows Machine

Helix offers a feature that is incredibly powerful, useful, and cool: the capability to use the distro on a live Windows system, without rebooting. That's right — just stick the Helix CD in, and in a few seconds Helix is running (see Figure 8-7). Keep in mind that anything you run on a live system changes it (memory contents, registry keys, file timestamps), so note down what you ran and when, and write your output to removable media rather than to the machine's own disk wherever the tool gives you the choice.

Figure 8-7: Helix enables you to perform several tasks on a running Windows machine.

Note 

If you have CD AutoRun turned off — a wise choice — you will need to open the CD manually by going to My Computer, your CD-ROM, and then double-clicking helix.exe.

Gathering Information

There's a lot you can do with Helix on a Windows machine, but the most interesting — and fun! — things are found when you click the third icon from the top, the one that reveals Incident Response Tools. The first screen is shown in Figure 8-8.

Figure 8-8: Eight invaluable tools for recovering computers running Windows

Create a security report about your Windows machine by selecting SecReport from the list. Choose where the report's files should go. A: is the default, but you really don't want to do that unless you enjoy waiting for floppies to slooooowly write their data. Better to choose a USB flash drive, or a folder on the machine's hard drive, such as C:\secreport.

Caution 

Make sure the directory you enter actually exists, or SecReport will not write any files. (Yes, that is annoying and something that should be fixed.)

Click OK. Do you want to update information on hotfixes? If you think that's important, choose Yes; otherwise, leave the default, No, and click OK. You're asked one final time if you want to run the report, so click OK here too. A command prompt window opens, SecReport does its work, and you then press any key to close the command prompt.

In C:\secreport (or wherever you saved the report's files), you'll find two files: security report.xsl and VIRGIL_20050426.xml (the second filename is a concatenation of your machine's name and the date). Open the XML file (VIRGIL_20050426.xml in this example) in a modern Web browser such as Mozilla Firefox, Netscape 6.2+, or Internet Explorer 5.5+, and a report like the one shown in Figure 8-9 will be displayed.

Figure 8-9: Helix generates a very useful security report about your Windows machine.

Beyond the data visible in the figure, SecReport provides you with the following information about a machine:

  • Network configuration

  • Audit policy

  • Event log configuration

  • Services (including start type and status)

  • Applications (name and version numbers)

  • Hotfixes (but nothing is listed unless you chose Yes when running SecReport)

  • Ports open (including protocol, PID, program, and program's path)

  • Pagefile settings

  • Hardware (including brand and model, BIOS, RAM, processors, and drive letters)

This is a great report to print out and file away in case you ever need to review changes made on a computer. It's also a good way to take a quick gander at a machine to determine whether anything pops out at you as suspicious. In particular, take a look at running services, applications, and open ports. If something causes you to raise an eyebrow, examine it further.

Viewing IE History

Here's another cool thing you can do with Helix on a Windows box: Look at the history of all the URLs and paths that Internet Explorer has accessed. To get to the tool that enables that function, you need to click the little arrow to the right of the Incident Response Tools icon. The other tools Helix provides in this area are displayed, as shown in Figure 8-10.

Figure 8-10: Four more invaluable tools

Select the IE History Viewer icon. IE History Viewer opens, displaying all the URLs visited with Internet Explorer and all the paths accessed in Windows Explorer. Why? Well, remember how Microsoft linked the Web browser and the file manager together in Windows 98? Now that bad decision pays off for you. If you just want to see local filesystem paths, filter the data IE History Viewer shows you by choosing Edit → Select By URL, and then enter file: as your filter. The results will be similar to what's shown in Figure 8-11.

Figure 8-11: Directories and files that have been accessed on a Windows machine

Want to see even more stuff? Select View → Display Typed URLs. How about a nice report, suitable for viewing in your Web browser? Try View → HTML Report, and pick either Horizontal or Vertical. Want to see another user's history? Select File → Select User Profile.

Betcha never knew that snooping could be this easy, did you?

Viewing Passwords

One final item for Windows data recovery is actually several different tools — the other three on the second Incident Response Tools screen in addition to the IE History Viewer you just examined:

  • Messenger Password

  • Mail Password Viewer

  • Asterisk Logger

Together, these three tools enable you to find out many of the key passwords used on a Windows system, which can be helpful when someone has forgotten his password, or when you suspect that an unauthorized user has created a new account for herself and you want to track her down.

Messenger Password (MessenPass) reveals the usernames and passwords used with any Instant Messaging programs in Windows.

I've used GAIM, which enables you to communicate with other IM users no matter what IM protocol they have, and MessenPass had absolutely no trouble revealing the usernames and passwords. The same holds true for the AIM, MSN, and Yahoo! IM clients.

Note 

If you're interested in learning more about GAIM, head to http://gaim.sourceforge.net. If you IM, you really should try it out, especially if you IM with people on different IM networks.

Mail Password Viewer (Mail PassView) does the same thing as Messenger Password, but for email programs. Figure 8-12 shows an example result.

Figure 8-12: Think your email username and password are secret? Guess again.

Outlook Express on Windows is an underpowered program that's not very secure; Mail PassView doesn't have the slightest problem showing that program's username and password. When you use Windows, you could use Mozilla Thunderbird, because it's far more secure than either Outlook Express or Outlook. Interestingly, it appears that Mail PassView is unable to show Thunderbird's password, even though it's a supported program. This is a bug that will be fixed shortly; don't assume that Thunderbird is invulnerable to Mail PassView.

Finally, Asterisk Logger enables you to view the passwords hidden behind the asterisks or dots that Windows normally uses to hide things. For example, Figure 8-13 shows a mail account from Outlook Express before Asterisk Logger is opened.

Figure 8-13: What's the password?

Figure 8-14 shows the same window, after Asterisk Logger is up and running.

Figure 8-14: Not a very secure password

Meanwhile, the Asterisk Logger window remains open, logging all of the programs whose passwords have been revealed. When you've gathered all the passwords you need, select them all in Asterisk Logger and go to File → Save Selected Items, and you can create a text file containing the passwords. Very handy!

These are just a few of the Windows tools you can find in Helix. Take your time and try them all out. You'll find many that will prove useful.

Note 

Helix comes with a small help file that covers a few issues, such as getting FireWire devices to work, creating and mounting Samba shares, and the good news that Intel Centrino wireless cards should work fine and dandy with the distro. Access that information by clicking the Manual button on the panel, the one that looks like a book. A few of the forensics programs have help files available as well, under Xfce menu → Forensics → Manuals. Of course, man pages for most of the apps exist and should be consulted.

The Helix manual is 48 pages of valuable information; you can download the PDF from http://e-fense.com/helix/HELIX-Manual.pdf. If you want to look online, Helix has a short FAQ available at http://e-fense.com/helix/faq.php that can help you with a few installation issues, but the real meat and potatoes can be found on the Helix forum, at http://www.e-fense.com/helix/forum/index.php. It's not the busiest online forum in the world, but folks have posted around 700 items and that number keeps growing, so it's an excellent resource for Helix users.



Hacking Knoppix (ExtremeTech)
ISBN: 0764597841
Year: 2007
Pages: 118
