Helix Version 3


Helix version 3

A cyber autopsy and forensic tool


What is the Helix tool?
• A collection of forensic tools used to provide incident response and to perform electronic discovery on a device.
• It has three variants: Helix 3, Helix 3 Enterprise and Helix 3 Pro, the latter two developed later by e-fense.
Need for Helix 3
• Our every action leaves behind a digital footprint, encrypted or hidden, which we often ignore but which a hacker can use to exploit us; it is therefore a vulnerability.
• For example, deleted files can be recovered because they are not truly deleted but merely waiting for their space to be reassigned; likewise, our photos often contain our GPS location, which can be used against our privacy.
Installation
• Go to http://www.e-fense.com/products.php
• Download the original free version of Helix 3
• In case of an ISO file, mount it virtually to access the Helix 3 application.
• Otherwise you can access it directly.
List of options
• Preview system information
• Acquire live image using dd
• Incident response tools
• Browse contents of CD-ROM
• Scan for pictures from live system
• Take investigative notes
Preview system information
• Here you can view two pages
• The first shows owner and network information along with the types of drives we have and their storage capacities
• The second lists all the processes running in the background.
Live acquisition
• It has the ability to capture an image directly from the physical memory of this system. Here we can choose a location, setting up a destination to write out our dd raw image either locally (say to an external hard drive, if we have one plugged in) or across the network.
• Now save the acquired image as a dd file: because we are using FTK Imager, dd raw images are always the best to use.
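The acquisition step above, written out as an added shell example (this is not code from the Helix 3 slides or from e-fense): dd makes a raw, bit-for-bit copy, and the copy is only trustworthy if a hash of the image matches a hash of the source taken at the same time. A constructed 8 KiB file stands in for the source disk so the script runs anywhere; it assumes GNU coreutils (dd, md5sum) and the POSIX shell. The function names and file names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the Helix 3 slides: raw (dd) acquisition with
# hash verification, the procedure the "Live acquisition" slide describes.
# A constructed 8 KiB file stands in for the source disk so this runs anywhere;
# on a real case the source would be a device node behind a write-blocker and
# the destination an external drive or a network share.

# hash_file FILE: print the MD5 digest of FILE (MD5 is what Helix's hashing
# menu offers; on a real case record sha256sum alongside it).
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DST: bit-for-bit copy with dd. conv=noerror keeps going past
# read errors and conv=sync zero-fills the failed block so every later byte stays
# at its original offset. bs is a multiple of the 512-byte sector size; the
# padding from conv=sync only matters when the source length is not a multiple
# of bs, which never happens for a real block device.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG: hash source and image, record the image hash beside it
# (so 'md5sum -c IMG.md5' can re-check it later), and return 0 only on a match.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf '%s  %s\n' "$img_hash" "$(basename "$2")" > "$2.md5"
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# demo_acquisition: image a constructed sample and verify it. Returns 0 on success.
demo_acquisition() {
    work=$(mktemp -d)
    src="$work/evidence.bin"
    img="$work/evidence.dd"
    yes 'constructed sample disk content' | head -c 8192 > "$src"
    acquire_image "$src" "$img"
    verify_image "$src" "$img"
    rc=$?
    rm -rf "$work"
    return $rc
}

# demo_tampered_image: same acquisition, but one byte is appended to the image
# before verification, so verify_image must fail. Returns 0 only if the
# alteration was detected.
demo_tampered_image() {
    work=$(mktemp -d)
    src="$work/evidence.bin"
    img="$work/evidence.dd"
    yes 'constructed sample disk content' | head -c 8192 > "$src"
    acquire_image "$src" "$img"
    printf 'x' >> "$img"
    if verify_image "$src" "$img" >/dev/null; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}

# Run stand-alone: both checks should report success.
demo_acquisition && echo "image verified: source and image hashes match"
demo_tampered_image && echo "altered image correctly rejected"
```

The .md5 file written next to the image is what you hand over with the evidence: anyone can later run md5sum -c on it to prove the image has not changed since acquisition.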
Incident response
• This option provides various operations spread over three pages
1. Primary operations (page 1)
2. File hashing operations (page 2)
3. Other system operations (page 3)
Primary operations
1. Windows Forensic Tool Chest (WFTC)
It is used to help look for signs of an incident or intrusion, or to confirm computer misuse or check its configuration, producing HTML-based reports in a forensically sound manner.
2. First Responder Utility (FRU)
3. Incident Response Collection Report (IRCR2)
It is a script-based incident response tool
4. Agile Risk Management's Nigilant32
It is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact.
File hashing operations
• Here you can get your files MD5-hashed
• Some other operations:
1. PuTTY SSH – used to start a PuTTY SSH client
2. PC on/off time – used to find the PC's on and off times
3. File recovery – a data recovery tool
4. VNC server – used to start a VNC listener
5. WinAudit – used to run the WinAudit utility
6. RootkitRevealer – finds system discrepancies that may indicate a rootkit
Other system operations
• Here we get the PST password viewer, mail password viewer, network password viewer, messenger and other password viewers. We can also go through and browse the Internet Explorer history and look at the Mozilla Firefox cookie viewer and the registry viewer.
• Together these let us build an in-depth profile of where the user has visited, what passwords they were using and what devices were connected.
Browse contents
• This is just a basic file browser; it lets us go through and see which files are in which directory on the laptop, and we can look into the subdirectories.
• At the bottom you can tick a checkbox to calculate the MD5 hash of files; it then generates the hash automatically each time.
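The per-file MD5 hashing mentioned on the File hashing operations slide and on the Browse contents slide, as an added shell example (not code from the Helix 3 slides or from e-fense): instead of hashing files one at a time in a browser, record a manifest of every file under a directory and re-check it later so any altered or missing file shows up. It assumes GNU coreutils (find, md5sum with -c and --quiet); the directory layout and file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the Helix 3 slides: per-file MD5 hashing done as a
# manifest that can be re-checked later. A constructed directory of two small
# files stands in for the evidence tree.

# build_manifest DIR OUT: write one "md5  ./relative/path" line per regular file
# under DIR to OUT, sorted by path so two manifests can be diffed directly.
build_manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 ) > "$2"
}

# check_manifest DIR MANIFEST: re-hash every listed file from inside DIR and
# compare with the recorded digests. With --quiet, md5sum -c prints only the
# mismatching or missing files and returns non-zero if any entry fails.
# MANIFEST must be an absolute path because of the cd.
check_manifest() {
    ( cd "$1" && md5sum -c --quiet "$2" )
}

# manifest_entries MANIFEST: number of files recorded.
manifest_entries() {
    wc -l < "$1" | tr -d ' '
}

# demo_manifest: hash a constructed tree, confirm the baseline verifies, then
# alter one file and confirm the check now fails. Returns 0 only if both hold.
demo_manifest() {
    work=$(mktemp -d)
    ev="$work/evidence"
    manifest="$work/evidence.md5"
    mkdir -p "$ev/docs"
    printf 'constructed quarterly report\n' > "$ev/docs/report.txt"
    printf 'constructed investigator notes\n' > "$ev/notes.txt"

    build_manifest "$ev" "$manifest"
    [ "$(manifest_entries "$manifest")" = "2" ] || { rm -rf "$work"; return 1; }
    # Baseline: an untouched tree must verify cleanly.
    if ! check_manifest "$ev" "$manifest"; then rm -rf "$work"; return 1; fi
    # Simulate a change after hashing; the manifest check must now report it.
    printf 'appended after hashing\n' >> "$ev/notes.txt"
    if check_manifest "$ev" "$manifest"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

demo_manifest && echo "manifest built, verified, and the altered file was detected"
```

Keep the manifest outside the tree it describes (as the example does) and hash it too; otherwise a change to the manifest itself goes unnoticed.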
Image scanner
• This feature scans for all the images that can be fetched from the loaded location. The images are brought in from the live system, and this process may take some time.
Thank you