Strengths: Open-source offering for easier verification of forensic code
Weaknesses: A strong Linux background is needed to use the utility properly
Verdict: At a price that can't be beaten, Helix offers many features for the advanced professional
Summary: We are fans of open-source software and Helix 1.9 falls into this category. Helix has two components, each with its own set of utilities. The first component is the Windows element, which can be started on a booted Windows system by simply inserting the CD into the drive.
This offers many programs through a menu system, but browsing the CD contents in Windows Explorer turns up far more programs than the menu shows. These include the executable version of the AccessData forensic imager, along with many other useful utilities and documents.
The second component is the bootable Linux component. By inserting and booting to the CD, a Knoppix-derivative forensic environment is loaded. This environment disables disk swapping by default to ensure the probable forensic source will not be written to. There are several utilities for creating the forensic backup from the Helix environment, but the most common is Adepto.
Adepto created the forensic backup in around six minutes, though this backup ran from one USB drive to another, whereas the other products tested imaged from USB to an integrated drive electronics (IDE) drive. Adepto used to have a bug in verifying the forensic image hash, but this appears to have been fixed in release 1.9.
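The image-then-verify step that Adepto performs, shown here as an added POSIX shell example that is not Helix's or Adepto's own code; it uses dd and sha256sum on constructed file paths rather than on block devices, and the source paths and function names are assumptions:

```shell
#!/bin/sh
# Added example (not Helix/Adepto code): image a source with dd, record the
# source hash at acquisition time, then verify the image against that record.
set -eu

# Print the SHA-256 hex digest of a file; falls back to shasum where
# sha256sum (GNU coreutils) is not installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE: bit-for-bit copy of SOURCE into IMAGE, plus a
# sidecar IMAGE.sha256 holding the hash of the source taken at acquisition.
# Deliberately no conv=sync: padding the last block would change the hash of
# a source whose size is not a multiple of bs, and verification would fail.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 2>/dev/null
    hash_file "$src" > "$img.sha256"
}

# verify_image IMAGE: recompute the image hash and compare it with the hash
# recorded at acquisition. Prints MATCH or MISMATCH; returns 1 on mismatch.
verify_image() {
    img="$1"
    recorded=$(cat "$img.sha256")
    actual=$(hash_file "$img")
    if [ "$recorded" = "$actual" ]; then
        echo MATCH
    else
        echo MISMATCH
        return 1
    fi
}
```

On a real acquisition the source would be a read-only block device rather than a file, and the sidecar hash is what the examiner records in the case notes.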
Once the image is created, the next utility that comes into play is Autopsy. This is a browser-based forensic tool and, unfortunately, it is just not feature-rich enough to compete with commercial products on the market.
Autopsy does have some real strengths, for instance it recovered most deleted files better than most products we tested, but there was no mechanism to search for access-controlled or steganographed files. While Autopsy managed to detect the presence of a deleted directory, the contents of the directory could not be recovered.
Many help files have been written on using the Helix environment and on maintaining proper forensic procedure with it, and most are included on the free CD. Internet searches should turn up even more.
As Helix is free, it obviously scores on value for money.