A new version of Helix (an Incident Response & Computer Forensics Live CD based on Knoppix) has been released. Version 1.8 now includes Andreas Schuster’s PTFinder and will no longer change JFS information. You can download Helix here.
All new features at a glance:
Linux Side:
– Fixed Helix Mount code for journaled file systems. Helix will NO longer change the journal mount count when you mount a journaled file system.
– Updated md5deep suite to 1.12
– Updated ClamAV to 0.88.2
– Updated Sleuthkit to 2.06
– Updated Autopsy to 2.08
– Updated Foremost to 1.3
– Updated Scalpel 1.54 to carve data
– Updated EnCase Linen to 5.05f
– Updated Adepto 2.0 – With AFF support now
– Added endeavour2 file manager
– Added ssdeep 1.0 for fuzzy hashing
– Added AFFlib 1.6.31 for image acquisition
– Added NTFS-3G for native NTFS write support
– Added libewf library
– Added ptfinder memory analysis code from Andreas Schuster
– Removed Solaris static binaries from CD
– Replaced evince with xpdf
Windows Side:
– Updated the Helix executable code
– Updated code for command shell paths
– Updated all Cygwin tools to latest
– Updated all unxutil tools
– Updated Static Binaries (Linux)
– Updated MessenPass to v1.08
– Updated Mail PassView to v1.36
– Updated Protected Storage PassView to v1.63
– Updated Network Password Recovery to v1.03
– Updated IECookiesView to v1.70
– Updated IEHistoryView to v1.32
– Updated RegScanner to v1.30
– Updated FTK Imager to 1.5.1
– Updated Forensic Server Project to 1.0
– Updated PsTools Version to 2.34 (Psexec, psinfo, pslist, etc)
– Updated Process Explorer to 10.2
– Added PstPassword v1.00
– Added Access PassView 1.12
– Added PC On/Off Time
– Added Winaudit v2.15
– Added Drive Manager v3.23
– Added ReSysInfo v2.1
– Added Icon to start a NC listener
– Added code to Windows GUI for investigative notes
We just discovered that the pcat binary is gone from the non-bootable side of Helix 1.8. I’ll check that with the e-fense guys.