Strengths: Open source for easier verification of forensic code.
Weaknesses: A strong Linux background is needed to properly use the utility.
Verdict: At a price that can’t be beat, Helix offers many features for the advanced professional.
Summary

We are fans of open source software, and that is exactly what Helix 1.9 is. Helix has two components, each with its own set of utilities. The first is the Windows component, which can be started on a booted Windows system simply by inserting the CD into the drive. This presents many programs in a menu system, but browsing the CD contents with Windows Explorer reveals far more programs housed on the CD. The CD includes the executable version of the AccessData forensic imager, along with many other handy utilities and documents. The second piece is the bootable Linux component. By inserting the CD and booting from it, a Knoppix-derived forensic environment is loaded. This environment disables disk swapping by default to ensure that the likely forensic source is not written to. There are several utilities for creating the forensic backup from the Helix environment, but the most common is Adepto.
Adepto created the forensic backup in around six minutes, but this backup was from a USB drive to another USB drive, while the other products tested were doing USB-to-IDE backups. Adepto used to have a bug in verifying the forensic image hash, but in release 1.9 this appears to be fixed. Once the image is created, the next utility to use is Autopsy. Autopsy is a browser-based forensic tool and, unfortunately, it is just not feature-rich enough to compete with the paid products on the market. There are, however, some real strengths to Autopsy. For instance, it recovered the most deleted files among the utilities tested, but there was no mechanism for searching for access-controlled files or steganographed files. While Autopsy could detect the presence of a deleted directory, we were unable to recover the contents of the directory.
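The hash-verification step mentioned above is the part of an acquisition that a bug like Adepto's old one silently breaks: the image looks complete, but nobody has confirmed that its bytes match the source. The following is an added example, not code from Helix or Adepto, showing how a correct imager verifies: it hashes the source bytes as they are read, then independently re-hashes both the source and the finished image and requires all three values to agree. It works on a constructed file standing in for a device (the real tool would open a block device such as /dev/sdb, assumed here); the tamper check at the end flips one byte in the image to show that the verifier rejects a corrupted copy.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read and write in 1 MiB blocks, as an imager would


def _hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path, algorithm="sha256"):
    """Copy the source to the image block by block, hashing the source bytes
    as they are read (the 'acquisition hash').  Returns (hexdigest, bytes_copied)."""
    h = hashlib.new(algorithm)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return h.hexdigest(), copied


def verify_image(source_path, image_path, acquisition_hash, algorithm="sha256"):
    """Re-hash the source and the image independently and compare all three values.
    A verifier that only re-hashes the image, or only compares the image to the
    acquisition hash, can miss a source that was modified mid-acquisition."""
    source_hash = _hash_file(source_path, algorithm)
    image_hash = _hash_file(image_path, algorithm)
    return {
        "acquisition_hash": acquisition_hash,
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": acquisition_hash == source_hash == image_hash,
    }


def demo():
    """Constructed example: a small fake 'device', a good image, then a tampered image.
    Returns (bytes_copied, good_image_verified, tampered_image_verified)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.raw")   # stands in for e.g. /dev/sdb (assumed)
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            # ~1.25 MiB of patterned data so the copy spans more than one chunk
            f.write(b"MBR" + bytes(range(256)) * 5000)

        acq_hash, n = acquire_image(src, img)
        good = verify_image(src, img, acq_hash)

        # Simulate a corrupted image: flip one byte well inside the file.
        with open(img, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff")
        bad = verify_image(src, img, acq_hash)
        return n, good["verified"], bad["verified"]


if __name__ == "__main__":
    print(demo())  # (1280003, True, False)
```

The three-way comparison is the point: the acquisition hash proves what was read, the fresh source hash proves the source did not change during the copy, and the image hash proves the bytes on disk are what was read. All three belong in the acquisition log alongside the tool name and version.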
Many help files for using the Helix environment are included on the CD, along with instructions on how to maintain proper forensic procedure while using Helix. Internet searches should yield more.
The Helix bootable CD is free.