Open Source Forensic Tools: Bootable Helix Versus Bootable Penguin Sleuth

A comparison of the features and usability of two open source forensic tools available for computers with the iAPx86 processor family of central processing unit is presented.


To evaluate the open source forensic tools a standardized series of tasks will be carried out and the results will be compared in terms of suitability for the specific task.

Browse the file system for general files. Try looking for the system.dat file, registry files, or other files you know exist on the system. This will simulate looking for known evidentiary files on the target system. Browse the file system for known image files such as those with extension like .jpg and .gif. See if you can pick a few images to export to a diskette or usb key (which is supported in Linux). This will simulate an image case like one involving child pornography. Try to open image or movie files in Linux, using the native browser utilities installed with this distribution of Linux. Assess what the strengths and limitations are. Browse the CD for methods to search for data on the drive you are analyzing.

These four tasks plus a review of the documentation for each product comprise the content of the evaluation.


The environment in which Helix was run for this assignment consisted of Microsoft Windows XP (Home Edition) running within a Sun xVM VirtualBox virtual machine session with 256 MB RAM, 8 MB for video memory, and a 15 GB virtual disk allocated to the session. The virtual machine ran as an application in the Novell openSuse v10.2 operating system on a Pentium 4 (1.80 GHz) computer with 2 GB RAM, a 250 GB HDD and CD/DVD drive.


The first forensic tool to be evaluated is the bootable version of Helix.

Helix provides the capability to (1) preview system information, (2) acquire a “live” image (memory or disk) of a Microsoft Windows system, (3) incident response tools for s Microsoft Windows system, (4) documentation pertaining to incident response, computer forensics, computer security and computer crime, (5) browse the Helix CD-ROM and host operating system, (6) graphic file scanning on a “live” system, and (7) the ability to record investigative notes.

The system information feature displays the operating system version, the computer users name and organization, the administrative status of the user and whether the user has administrative privileges, host name, currently logged in user name, IP address, NIC identifier, domain name, and attached drives along with file system type and disk or partition size.

The acquisition feature provides the ability to capture either physical memory or drive, choice of storage location (local disk, network share, or remote computer) and image file name, block size and whether to split the image file.

The incident response utilities include Windows Forensic Toolchest, First Responder Utility, Incident Response Collection Report, Agile Risk Management Nigilant, Netcat Listener Server, MD5 hash value generator for selected file, command shell, VNC Server, PuTTY SSH Client, WinAudit, file recovery, rootkit detection, screen capture, and power-up/power-down and in-use time-line for previous three (3) weeks.

The documentation provided on the Helix CD-ROM includes PDF versions of Chain of Custody Form, Preservation of Digital Evidence, Linux Forensic Guide for Beginners, and Forensic Examination of Digital Evidence.

The file browser allows the examiner to browse the file system of any attached storage device, including those on a “live” system, as well as the option to compute MD5 hash values for the files.

The graphic file scanning on a “live” system provides a means to browse a collection of graphics-format files.

The investigative notes feature provides a means for the forensic examiner to record details about the forensic examination.


The second forensic tool to be evaluated is the bootable version of Penguin Sleuth Kit.

Penguin Sleuth Kit provides the capability to perform forensic examinations of computer systems primarily through the command-line interface. However, there are a few utilities that run in graphical interface.

foremost – command-line data carving tool that requires external storage media
– command-line data indexing and searching tool (requires external storage)
– command-line utility to securely wipe hard drives and files
– enhanced DD imager with built in hashing
– visual network monitor
– multipurpose tracer
– command-line honeypot server
– command-line network intrusion tool
– command-line network auditing and penetration testing tool
John The Ripper
– command-line password cracking tool
– web server scanner
– command-line tool that scans for open NETBIOS name servers
– command-line remote operating system fingerprinting tool
– command-line network version of grep
– command-line network packet injector
– command-line network intrusion testing tool
– command-line multiple host ping utility
– command-line traceroute TCP packages
– command-line utility that replays a tcp dump
s – graphical security scanner
– graphical network analyzer
– command-line tool to read and write over network
– command-line tool that dumps network traffic
– command line packet assembler / analyzer
– command-line sniffer /  interceptor / logger for ethernet networks
– command-line secure remote connection utility
– graphical wireless network sniffer
– graphical wireless network intrusion tool
– comnand-line encryption utility
– command-line secure remote connection utility
– command-line utility that lists all open files
– command-line TCP/IP exploit scanner
– command-line SSL connection package
– command-line ethernet monitor
– command-line tool for querying domain name servers
– command-line tool that searches for signs of root kit

The documentation provided on the Penguin Sleuth Kit CD-ROM includes PDF versions of Forensic Guidelines for First Responders. The utilities require the user to be familiar with man pages to learn about the features.

Penguin Sleuth Kit is primary a command-line mode suite of utilities that can be utilized during a forensic examination. A few graphical interface tools are provided though the examiner is expected to be comfortable working at the command prompt.


Browsing for selected files that are known to exist on the system was easiest with Helix. However, if the examiner is comfortable working at the command prompt  either product might be faster than the GUI interface provided by Helix.

Locating graphic-format files would be much faster using the command-line interface provided by both Helix and Penguin Sleuth Kit. Once identified though it would be more intuitive to use the GUI tool within Helix to browse the collection. The web browser in Penguin Sleuth Kit could be used to view the graphic-format files.

Both Helix and Penguin Sleuth Kit offer command-line tools to quickly search a drive for files matching particular patterns or containing certain words or phrases.


Helix is the better product in terms of provided documentation and easy of use for many forensic examiners. For those familiar with and comfortable working at the command-line Penguin Sleuth Kit narrowly beats Helix. Overall, I prefer Helix despite years of experience working in Unix environments primarily at command prompt.

About this entry