Linux Malware Incident Response
I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750. The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drive on boot. You don't want a live CD to mount the host hard drives, since you don't need to mount drives to image them. Helix has two modes: a pure Linux bootable live CD and a Windows mode, where it can be used in vivo on top of a running Windows desktop. Helix is available for download by email registration. We tested version 3 here. Now, let's see what Helix can offer us.
Cameron Malin, ... James Aquilina, in Linux Malware Incident Response, 2013
GUI-Based Memory Dumping Tools
Using Helix3 Pro to Acquire Physical Memory
Helix3 Pro is a digital forensic tool suite CD that offers both a live response and bootable forensic environment.
The live response utility provides the digital investigator with an intuitive graphical interface and simplistic means of imaging a subject system’s physical memory.
Helix3 Pro acquires physical memory from a subject system by imaging the /dev/mem character device file.
Upon loading the Helix3 Pro CD, navigate to the Linux directory and invoke the helix3pro binary to launch the program.
As shown in Fig. 1.6, first select physical memory as the device to acquire (1). Use the “Acquire Device” function (2), depicted as a hard drive and green arrow button.
Select “Image to Attached Device” (3) as the destination for the acquired data and select the desired receiving device (4). Once the device is selected, push the “Start Acquisition” button (5).
As the memory is being imaged from the subject system, a progress bar will appear (Fig. 1.7), displaying the status of the imaging process.
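The two passages above make two practical points: a live-response tool must not mount the host's drives before imaging them, and a memory image is produced by copying a raw device (here /dev/mem) to an attached evidence device. The script below is an added example, not Helix code and not from the book; it shows the same workflow at the command line: refuse to image a source that /proc/mounts reports as mounted, copy it with dd, record the image's SHA-256 and a timestamped log entry, and, for non-volatile sources only, compare the source and image hashes. The function names (`is_unmounted`, `acquire_image`, `verify_static_copy`) and the log format are this example's own. One caveat the 2013 text predates: distribution kernels built with CONFIG_STRICT_DEVMEM restrict userspace reads of /dev/mem to non-RAM ranges, so a plain copy of /dev/mem yields a usable RAM image only on kernels without that restriction; on current systems a kernel-module-based acquisition tool is used instead, and the hashing and logging steps below still apply to its output.

```shell
#!/bin/sh
# Added example (not Helix or the book's code): raw-device acquisition with
# mount check, dd copy, SHA-256 record and acquisition log.
# Assumes GNU coreutils (dd, sha256sum), awk, and a Linux /proc/mounts.

# is_unmounted DEV: succeed (0) only if DEV is not listed as a mounted source
# in /proc/mounts. A regular file is never listed, so it passes. If
# /proc/mounts is unreadable we cannot check and conservatively allow it.
is_unmounted() {
    src="$1"
    [ -r /proc/mounts ] || return 0
    if awk -v d="$src" '$1 == d { found=1 } END { exit !found }' /proc/mounts; then
        return 1    # listed as a mounted device: refuse to image it
    fi
    return 0
}

# sha256_of PATH: print only the hex digest.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# acquire_image SRC DEST LOG: copy SRC to DEST block by block, continuing past
# read errors and zero-padding failed or short blocks so offsets stay aligned
# (conv=noerror,sync), then append the image hash to LOG and print it.
# Returns 2 if SRC is mounted, 3 if dd fails.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    is_unmounted "$src" || { echo "refusing: $src is mounted" >&2; return 2; }
    echo "start $(date -u +%Y-%m-%dT%H:%M:%SZ) src=$src dest=$dest" >> "$log"
    dd if="$src" of="$dest" bs=1M conv=noerror,sync 2>> "$log" || return 3
    img_hash=$(sha256_of "$dest")
    echo "end   $(date -u +%Y-%m-%dT%H:%M:%SZ) bytes=$(wc -c < "$dest") sha256=$img_hash" >> "$log"
    echo "$img_hash"
}

# verify_static_copy SRC DEST: for a non-volatile source (a file or an
# unmounted disk) the image must hash identically to the source. Do not use
# this for physical memory: re-reading a live system never matches.
verify_static_copy() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Stand-alone usage: ./acquire.sh SOURCE_DEVICE EVIDENCE_PATH LOGFILE
if [ $# -eq 3 ]; then
    acquire_image "$1" "$2" "$3"
fi
```

Because conv=sync pads every block to the full block size, the image of a source that is not a multiple of 1 MiB is rounded up; for a real device that is never an issue, and the log records the exact byte count either way. Hash the image immediately after acquisition, as done here, so the value can be recorded before the evidence device leaves your custody.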