I’ve found HELIX 3 a little buggy and awkward to use, but it comes with a decent incident response system that provides a set of programs for acquiring data, analysing various things and generating a report/log of the actions taken. It runs on any target system running Microsoft Windows.
Perhaps the developers at e-fense intended users to run HELIX IR from the disc, but I’ve discovered it can easily be ported to a USB drive, thereby making it an excellent substitute for the more expensive IR solutions. This can be done by copying over the following:
* AutoPlay (directory)
* ir (directory)
* Language (directory)
The interface is quite basic and easy to understand, with the options clearly laid out. The main options listed are:
* System Information: Basic information about the target machine and all the attached storage devices.
* Acquisition: For acquiring a raw (dd-style) image of physical memory or of any attached storage volume.
* Incident Response: A collection of small programs for live analysis and acquisition. This includes the Windows Forensic Toolchest, NetCat, and server utilities.
* Manuals: Links to PDFs, if they’ve been copied over from the CD.
* Browse: Browse the filesystems of attached storage volumes.
* Scan for Pictures: This doesn’t appear to reveal deleted images, but there’s a File Recovery program available under the ‘Misc Tools’ option.
* Notes: Any notes and commentary recorded here at the scene can be exported along with the evidence files acquired.
Before exiting the HELIX IR application, a PDF report can be exported to the USB drive. Not only is this useful for investigator notes; it also gives the analysts at the lab a clearer record of what actions were taken at the scene and in what order.
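One thing the HELIX report does not do for you is prove that the images it acquired are the same ones that arrive at the lab. The script below is an added example, not part of HELIX or anything shipped by e-fense: it is meant to sit on the same USB drive, run once acquisition has finished, write only to that drive, and produce a SHA-256/MD5 manifest of every raw image plus a UTC-stamped action log alongside the PDF report. Dot-sourcing the same file at the lab gives a verification function that re-hashes the images and checks them against the manifest. The drive letter E:\, the evidence folder and the case identifier are assumptions chosen for the example.

```powershell
<#
Added example (not HELIX code): hash manifest and action log for raw images
written by HELIX IR to the USB drive, plus lab-side verification.
Assumptions (hypothetical): the IR drive is E:\, images live under E:\evidence
and the case is CASE-0001.
#>
param(
    [string]$EvidenceRoot = 'E:\evidence',
    [string]$CaseId       = 'CASE-0001'
)
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Path, [string]$Message) {
    # UTC timestamps so scene and lab clocks can be reconciled later.
    $line = '{0} {1}' -f (Get-Date).ToUniversalTime().ToString('o'), $Message
    Add-Content -LiteralPath $Path -Value $line
    Write-Host $line
}

function New-EvidenceManifest([string]$Root, [string]$Case) {
    $Root     = (Resolve-Path -LiteralPath $Root).ProviderPath
    $stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $manifest = Join-Path $Root "$Case-manifest-$stamp.csv"
    $log      = Join-Path $Root "$Case-actions-$stamp.log"

    # Same facts the PDF report carries, in a form the lab can diff against its notes.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Log $log "case=$Case host=$env:COMPUTERNAME user=$env:USERDOMAIN\$env:USERNAME"
    Write-Log $log "os='$($os.Caption)' build=$($os.BuildNumber) lastboot=$($os.LastBootUpTime.ToUniversalTime().ToString('o'))"

    # Hash every raw image. SHA-256 is the digest that matters; MD5 is kept only
    # because some lab tooling still expects it alongside. Paths are stored
    # relative to the evidence root so the drive may get a different letter later.
    $rows = foreach ($img in Get-ChildItem -LiteralPath $Root -Recurse -Filter '*.dd' -File) {
        Write-Log $log "hashing $($img.FullName) ($($img.Length) bytes)"
        [pscustomobject]@{
            Path      = $img.FullName.Substring($Root.Length).TrimStart('\')
            Bytes     = $img.Length
            SHA256    = (Get-FileHash -LiteralPath $img.FullName -Algorithm SHA256).Hash
            MD5       = (Get-FileHash -LiteralPath $img.FullName -Algorithm MD5).Hash
            HashedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    if (-not $rows) { Write-Log $log 'no *.dd images found'; return $null }
    $rows | Export-Csv -LiteralPath $manifest -NoTypeInformation
    Write-Log $log "manifest written: $manifest"
    return $manifest
}

function Test-EvidenceManifest([string]$ManifestPath, [string]$Root) {
    # Re-hash at the lab and compare. Any size or digest mismatch means the
    # image changed (or was truncated) between the scene and the bench.
    $Root = (Resolve-Path -LiteralPath $Root).ProviderPath
    $bad  = 0
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $file = Join-Path $Root $row.Path
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "missing: $file"; $bad++; continue }
        if ((Get-Item -LiteralPath $file).Length -ne [int64]$row.Bytes) { Write-Warning "size mismatch: $file"; $bad++ }
        $now = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($now -ne $row.SHA256) { Write-Warning "SHA-256 mismatch: $file"; $bad++ }
    }
    return ($bad -eq 0)
}

# Run the acquisition side when executed directly; dot-source the file at the
# lab to get Test-EvidenceManifest without re-hashing or writing anything.
if ($MyInvocation.InvocationName -ne '.') {
    New-EvidenceManifest -Root $EvidenceRoot -Case $CaseId
}
```

At the scene this is launched from the USB drive with something like `powershell -ExecutionPolicy Bypass -File E:\ir\New-EvidenceManifest.ps1` once HELIX has finished writing the images; at the lab, dot-source the script and call `Test-EvidenceManifest -ManifestPath <csv> -Root <evidence folder>`, which returns `$true` only if every image is present with the recorded size and SHA-256. Memory images in particular should be hashed as soon as acquisition completes, since nothing else ties the file on the drive to the moment it was captured.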