Open Source Forensic Tools: Bootable Helix Versus Bootable Penguin Sleuth

A comparison of the features and usability of two open source forensic tools for computers built around the iAPx86 family of central processing units is presented.

METHODOLOGY

To evaluate the open source forensic tools, a standardized series of tasks is carried out with each product and the results are compared in terms of suitability for the specific task.

(1) Browse the file system for general files. Try looking for the system.dat file, registry files, or other files you know exist on the system. This simulates looking for known evidentiary files on the target system.

(2) Browse the file system for known image files, such as those with extensions like .jpg and .gif. See if you can pick a few images to export to a diskette or USB key (which is supported in Linux). This simulates an image case such as one involving child pornography.

(3) Try to open image or movie files in Linux, using the native browser utilities installed with this distribution of Linux. Assess what the strengths and limitations are.

(4) Browse the CD for methods to search for data on the drive you are analyzing.

These four tasks plus a review of the documentation for each product comprise the content of the evaluation.

TESTING ENVIRONMENT

The environment in which Helix was run for this assignment consisted of Microsoft Windows XP (Home Edition) running within a Sun xVM VirtualBox virtual machine session with 256 MB RAM, 8 MB for video memory, and a 15 GB virtual disk allocated to the session. The virtual machine ran as an application in the Novell openSuse v10.2 operating system on a Pentium 4 (1.80 GHz) computer with 2 GB RAM, a 250 GB HDD and CD/DVD drive.

BOOTABLE HELIX

The first forensic tool to be evaluated is the bootable version of Helix.

Helix provides the capability to (1) preview system information, (2) acquire a “live” image (memory or disk) of a Microsoft Windows system, (3) run incident response tools on a Microsoft Windows system, (4) read documentation pertaining to incident response, computer forensics, computer security and computer crime, (5) browse the Helix CD-ROM and host operating system, (6) scan graphic files on a “live” system, and (7) record investigative notes.

The system information feature displays the operating system version, the computer user's name and organization, whether the user has administrative privileges, host name, currently logged-in user name, IP address, NIC identifier, domain name, and attached drives along with file system type and disk or partition size.

The acquisition feature provides the ability to capture either physical memory or a drive, with a choice of storage location (local disk, network share, or remote computer), image file name, block size, and whether to split the image file.
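The same acquisition parameters (block size, split size, and a hash to prove the copy matches the source) expressed with plain dd, split and md5sum, as an added example that is not Helix's own code and not the dcfldd command Penguin Sleuth ships. DEVICE is assumed to be the source device opened read-only; a constructed 1 MiB file of random bytes stands in for it here, and the md5sum/split options used are the GNU coreutils ones.

```shell
#!/bin/sh
# Added example: hash-verified acquisition with dd + split + md5sum.
# DEVICE is assumed to be the drive under examination (read-only);
# a constructed random file stands in for it when DEVICE is unset.

DEVICE="${DEVICE:-$(mktemp)}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
IMAGE="$WORKDIR/evidence.dd"
BLOCK_SIZE="${BLOCK_SIZE:-64k}"     # dd transfer size, as chosen in the dialog
SPLIT_SIZE="${SPLIT_SIZE:-256k}"    # size of each image piece (0 = do not split)

make_sample_device() {
    # constructed stand-in for a physical drive: 16 x 64 KiB of random data
    dd if=/dev/urandom of="$DEVICE" bs=64k count=16 2>/dev/null
}

acquire_image() {
    # noerror,sync: keep reading past bad sectors and pad them with zeros,
    # so the image stays the same size as the source
    dd if="$DEVICE" of="$IMAGE" bs="$BLOCK_SIZE" conv=noerror,sync 2>/dev/null
    md5sum "$DEVICE" | cut -d' ' -f1 > "$WORKDIR/source.md5"
    md5sum "$IMAGE"  | cut -d' ' -f1 > "$WORKDIR/image.md5"
    # optional split into fixed-size pieces that fit on removable media
    [ "$SPLIT_SIZE" = 0 ] || split -b "$SPLIT_SIZE" "$IMAGE" "$IMAGE.part."
}

verify_image() {
    # 1) the image hashes the same as the source device
    [ "$(cat "$WORKDIR/image.md5")" = "$(cat "$WORKDIR/source.md5")" ] || return 1
    # 2) the pieces, concatenated in name order, reproduce the image
    [ "$SPLIT_SIZE" = 0 ] && return 0
    [ "$(cat "$IMAGE".part.* | md5sum | cut -d' ' -f1)" = "$(cat "$WORKDIR/image.md5")" ]
}

piece_count() {
    ls "$IMAGE".part.* 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run against the constructed device; set DEVICE for a real one.
make_sample_device
acquire_image
verify_image && echo "image verified: $(cat "$WORKDIR/image.md5") in $(piece_count) pieces"
```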

The incident response utilities include Windows Forensic Toolchest, First Responder Utility, Incident Response Collection Report, Agile Risk Management Nigilant, Netcat Listener Server, an MD5 hash value generator for a selected file, command shell, VNC Server, PuTTY SSH Client, WinAudit, file recovery, rootkit detection, screen capture, and a power-up/power-down and in-use timeline for the previous three (3) weeks.

The documentation provided on the Helix CD-ROM includes PDF versions of Chain of Custody Form, Preservation of Digital Evidence, Linux Forensic Guide for Beginners, and Forensic Examination of Digital Evidence.

The file browser allows the examiner to browse the file system of any attached storage device, including those on a “live” system, as well as the option to compute MD5 hash values for the files.

The graphic file scanning on a “live” system provides a means to browse a collection of graphics-format files.

The investigative notes feature provides a means for the forensic examiner to record details about the forensic examination.

BOOTABLE PENGUIN SLEUTH

The second forensic tool to be evaluated is the bootable version of Penguin Sleuth Kit.

Penguin Sleuth Kit provides the capability to perform forensic examinations of computer systems primarily through the command-line interface. However, there are a few utilities that run in graphical interface.

foremost – command-line data carving tool that requires external storage media
glimpse – command-line data indexing and searching tool (requires external storage)
mediawipe – command-line utility to securely wipe hard drives and files
dcfldd – enhanced DD imager with built-in hashing
etherape – visual network monitor
fenris – multipurpose tracer
honeyd – command-line honeypot server
snort – command-line network intrusion tool
dsniff – command-line network auditing and penetration testing tool
John The Ripper – command-line password cracking tool
Nikto – web server scanner
nbtscan – command-line tool that scans for open NETBIOS name servers
xprobe – command-line remote operating system fingerprinting tool
ngrep – command-line network version of grep
nemesis – command-line network packet injector
fragroute – command-line network intrusion testing tool
fping – command-line multiple host ping utility
tcptraceroute – command-line traceroute using TCP packets
tcpreplay – command-line utility that replays a tcpdump capture
nessus – graphical security scanner
ethereal – graphical network analyzer
netcat – command-line tool to read and write over the network
tcpdump – command-line tool that dumps network traffic
hping2 – command-line packet assembler / analyzer
ettercap – command-line sniffer / interceptor / logger for ethernet networks
openssh – command-line secure remote connection utility
kismet – graphical wireless network sniffer
airsnort – graphical wireless network intrusion tool
GPG – command-line encryption utility
OpenSSL – command-line secure remote connection utility
lsof – command-line utility that lists all open files
hunt – command-line TCP/IP exploit scanner
stunnel – command-line SSL connection package
arpwatch – command-line ethernet monitor
dig – command-line tool for querying domain name servers
chkrootkit – command-line tool that searches for signs of a rootkit

The documentation provided on the Penguin Sleuth Kit CD-ROM includes a PDF version of Forensic Guidelines for First Responders. The utilities require the user to be familiar with man pages to learn about their features.

Penguin Sleuth Kit is primarily a command-line suite of utilities that can be used during a forensic examination. A few graphical interface tools are provided, though the examiner is expected to be comfortable working at the command prompt.

FORENSIC EXAMINATION SIMULATION

Browsing for selected files that are known to exist on the system was easiest with Helix. However, if the examiner is comfortable working at the command prompt, the command-line interface of either product might be faster than the GUI provided by Helix.

Locating graphic-format files would be much faster using the command-line interface provided by both Helix and Penguin Sleuth Kit. Once the files are identified, though, it is more intuitive to use the GUI tool within Helix to browse the collection. The web browser in Penguin Sleuth Kit could be used to view the graphic-format files.

Both Helix and Penguin Sleuth Kit offer command-line tools to quickly search a drive for files matching particular patterns or containing certain words or phrases.
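The four tasks from the methodology (known files, image files by extension, export to removable media, pattern search) carried out with the command-line tools both CDs provide, as an added example that is not code from Helix or Penguin Sleuth Kit. EVIDENCE is assumed to be a read-only mount of the drive under examination and EXPORT the mounted diskette or USB key; a constructed sample tree and a temporary directory stand in for them here.

```shell
#!/bin/sh
# Added example: the evaluation tasks with find, grep and md5sum.
# EVIDENCE = read-only mount of the suspect drive, EXPORT = removable media;
# both default to temporary directories holding constructed sample data.

EVIDENCE="${EVIDENCE:-$(mktemp -d)}"
EXPORT="${EXPORT:-$(mktemp -d)}"

make_sample_evidence() {
    # constructed stand-in for a suspect drive: two registry files, two
    # pictures (one with an upper-case extension) and a text note
    mkdir -p "$EVIDENCE/WINDOWS" "$EVIDENCE/My Documents/pics"
    printf 'REGF' > "$EVIDENCE/WINDOWS/system.dat"
    printf 'REGF' > "$EVIDENCE/WINDOWS/user.dat"
    printf 'JFIF-placeholder' > "$EVIDENCE/My Documents/pics/holiday.JPG"
    printf 'GIF89a-placeholder' > "$EVIDENCE/My Documents/pics/logo.gif"
    printf 'meeting with contact tomorrow\n' > "$EVIDENCE/My Documents/notes.txt"
}

# Task 1: known evidentiary files by name; -iname so letter case cannot hide them
find_known_files() {
    find "$EVIDENCE" -type f \( -iname system.dat -o -iname user.dat \) | sort
}

# Task 2: graphic files by extension, again case-insensitive (holiday.JPG)
find_images() {
    find "$EVIDENCE" -type f \( -iname '*.jpg' -o -iname '*.gif' \) | sort
}

# Task 3: copy the images to the export media, record the originals' MD5
# hashes against the copies' names, then check the copies against that manifest
export_images() {
    : > "$EXPORT/manifest.md5"
    find_images | while IFS= read -r f; do
        cp -p "$f" "$EXPORT/"
        printf '%s  %s\n' "$(md5sum "$f" | cut -d' ' -f1)" "$(basename "$f")" \
            >> "$EXPORT/manifest.md5"
    done
    (cd "$EXPORT" && md5sum -c manifest.md5 >/dev/null)
}

# Task 4: files containing a word or phrase, searched recursively, ignoring case
search_keyword() {
    grep -ril -- "$1" "$EVIDENCE" | sort
}

# Stand-alone run against the constructed tree
make_sample_evidence
find_known_files; find_images
export_images && echo "export verified against manifest"
search_keyword contact
```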

CONCLUSION

Helix is the better product in terms of provided documentation and ease of use for many forensic examiners. For those familiar with and comfortable working at the command line, Penguin Sleuth Kit narrowly beats Helix. Overall, I prefer Helix despite years of experience working in Unix environments primarily at the command prompt.
