Difference between pages "First Responder's Evidence Disk" and "Helix3 Pro"

From Forensics Wiki
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = FRED |
+
   name = Helix3 Pro |
   maintainer = Jesse Kornblum |
+
   maintainer = [[e-fense]]|
   os = {{Linux}} |
+
   os = {{Linux}}, {{Windows}}, {{Mac OS X}} |
   genre = {{Incident response}} |
+
   genre = {{Live CD}}, {{Incident Response}} |
   license = {{commercial}} |
+
   license = {{GPL}}, others |
   website = [http://darkparticlelabs.com/projects darkparticlelabs.com/projects] |
+
   website = [http://www.e-fense.com/helix3pro.php e-fense.com]  
 
}}
 
}}
  
The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.
+
'''Helix3 Pro''' is a [[Live CD]] built on top of [[Ubuntu]]. It focuses on [[Incident Response|incident response]] and [[computer forensics]].
  
== Usage ==
+
== Tools Included ==
  
The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
+
* Live side for [[Mac OS X]], [[Windows]] and [[Linux]]
 +
* A bootable forensically sound environment based on [[Ubuntu]]
  
== History ==
+
Open source forensic tools include:
  
FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.
+
* [[dc3dd]]
 +
* [[aimage]]
 +
* [[The Sleuth Kit]] (3.0.1, with "light" version of [[Autopsy]], with [[libewf]] support)
 +
* [[foremost]]
 +
* [[Volatility]]
 +
* Several tools for mobile phone forensics
  
A version of the FRED script was later incorporated into the [[Helix]] disk.
+
Other tools include:
 +
* [[LinEn]]
  
There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.
+
== Forensic Issues ==
  
Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]]. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure. The publicly available version has the remote functionality as well as the PKI encryption capabilities turned off.
+
* Helix3 Pro can automount some storage devices like firewire devices and MMC in read/write mode;
 
+
* Helix3 Pro relies on file system drivers to provide write protection, mounting some file system types (e.g. [[XFS]]) will result in several data writes to the original media.  
== Trivia ==
+
 
+
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].
+
  
 
== See Also ==
 
== See Also ==
* [[IRCR]]
 
* [[COFEE]]
 
  
== External Links ==
+
Free version: [[Helix3]]
* [http://darkparticlelabs.com/projects Project site]
+
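Review bot: the two Forensic Issues bullets on the Helix3 Pro side describe the write risk (automounting firewire and MMC devices read/write, XFS mounts causing writes to the original media) but do not tell the examiner how to confirm the state of an evidence device before imaging; suggest adding a sentence on checking the mount options of the device so the warning is actionable. Minor style point: the first bullet ends with a semicolon and the second with a period, and the second bullet joins two clauses with a comma ("write protection, mounting some file system types"); make the list punctuation consistent.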

Revision as of 04:39, 18 January 2014

Helix3 Pro
Maintainer: e-fense
OS: Linux, Windows, Mac OS X
Genre: Live CD, Incident Response
License: GPL, others
Website: e-fense.com

Helix3 Pro is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics.

Tools Included

  • Live side for Mac OS X, Windows and Linux
  • A bootable forensically sound environment based on Ubuntu

Open source forensic tools include:

  • dc3dd
  • aimage
  • The Sleuth Kit (3.0.1, with "light" version of Autopsy, with libewf support)
  • foremost
  • Volatility
  • Several tools for mobile phone forensics

Other tools include:

  • LinEn

Forensic Issues

  • Helix3 Pro can automount some storage devices, such as FireWire devices and MMC cards, in read/write mode.
  • Helix3 Pro relies on file system drivers to provide write protection; mounting some file system types (e.g. XFS) will result in several data writes to the original media.
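As an added example (not code from Helix3 Pro or e-fense), a POSIX shell check an examiner could run in the live environment to list evidence devices the automounter has mounted writable, and XFS mounts that the page says write to the media even when mounted read-only. The sample mount table, device names and mount points are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a mount table for the two failure modes described under
# Forensic Issues. Not part of Helix3 Pro; device names below are constructed.

# report_mounts MOUNTS_FILE DEVICE_PREFIX
# Prints one line per mount whose device name starts with DEVICE_PREFIX and
# that is either mounted without the "ro" option, or is an XFS mount (which
# the page notes writes to the media on mount even when read-only).
report_mounts() {
    mounts_file=$1
    dev_prefix=$2
    awk -v prefix="$dev_prefix" '
        index($1, prefix) == 1 {
            n = split($4, opts, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro)
                printf "WRITABLE %s on %s (%s)\n", $1, $2, $3
            else if ($3 == "xfs")
                printf "XFS-RO %s on %s (driver may still write)\n", $1, $2
        }' "$mounts_file"
}

# count_findings MOUNTS_FILE DEVICE_PREFIX: number of lines report_mounts prints.
count_findings() {
    report_mounts "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sdb1 /media/evidence1 vfat ro,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/evidence2 ntfs rw,nosuid,nodev,relatime 0 0
/dev/sdd1 /media/evidence3 xfs ro,relatime 0 0
/dev/mmcblk0p1 /media/card vfat rw,relatime 0 0
EOF

# On a real system, pass /proc/mounts and the evidence device's name; a device
# found WRITABLE should be unmounted and set read-only at the block layer
# (util-linux: blockdev --setro DEVICE) before any mount is attempted.
report_mounts "$SAMPLE_MOUNTS" /dev/sd
report_mounts "$SAMPLE_MOUNTS" /dev/mmcblk
```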

See Also

Free version: Helix3