Helix Support

Helix Updates/Release Notes

Helix 2008R1 (2.0) (September 15, 2008)

MD5 hash value of the iso is 93a285bfa8ab93d664d508e5b12446d3

Linux (Bootable) Side:

• [UPD] Helix no longer based on Knoppix
• [UPD] Guidance Software Linen v6.11.2.2
• [UPD] afflib v3.3.3 - Open and extensible file format designed to store disk images and associated metadata
• [UPD] aimage v3.1.0 - Advanced disk imager
• [UPD] autopsy v2.08-2 - GUI frontend to sleuthkit tools
• [UPD] sleuthkit v2.52-1 - Open source digital investigation forensic tools
• [UPD] chkrootkit v0.47-1 - Determine whether system is infected with a rootkit
• [UPD] chntpw v0.99.3-1 - Utility to overwrite Windows SAM passwords
• [UPD] clamav v0.92.1 - GPL antivirus scanner
• [UPD] foremost v1.5.4-1 - Data carving based on headers, footers, and internal data structure
• [UPD] lvm2 v2.02.26 - Userspace toolset to provide logical volume management
• [UPD] md5deep v3.1 - Compute MD5, SHA-1, SHA-256, Tiger, Whirlpool message digests
• [UPD] readpst v0.5.2.1 - Convert pst files to mbox format
• [UPD] sg3-utils v1.24-1 - Utility for working with generic SCSI devices
• [UPD] ssdeep v2.0 - Fuzzy hashing to compare similar but not identical files
• [UPD] tcpreplay v3.2.3-1 - Replay network traffic stored in pcap files
• [UPD] tcpxtract v1.0.1-1 - Extract files from captured pcap files
• [UPD] vinetto v0.6.0 - Examine Thumbs.db files
• [UPD] Wireshark v1.0.2-1 - Network protocol analyzer
• [UPD] dd_rescue v1.13.3 - Very good dd variant to recover crashed partitions.
• [ADD] winlockpwn v1.0 - Bypasses windows authentication via firewire
• [ADD] bioskbsnarf v1.0 - Python code to parse and print bios-real-mode-keyboard-interrupt-buffer
• [ADD] dc3dd v6.9.91 - Patched version of GNU dd with added forensic features
• [ADD] Volatility v1.3 - Open framework for the extraction of artifacts from RAM dumps
• [ADD] tableau-parm v0.1.0.2 - Command line tool to interact with Tableau forensic write blockers
• [ADD] gtkhash v0.2.0.1 - GTK+ utility for computing message digests
• [ADD] bless v0.6.0 - Hex editor with read/write support for block devices
• [ADD] clamtk v3.08-1 - Graphical front end to clamav
• [ADD] meld v1.1.5.1 - Diff and merge utility
• [ADD] ophcrack v2.4.1 - Windows password cracker based on rainbow tables (not included)
• [ADD] samdump2 v1.1.1 - Dump Windows SAM file for cracking
• [RMV] PyFlag - removed for space and performance reasons

Windows (Live) Side:

• [UPD] Windows Forensic Toolchest(TM) (WFT) v3.0.03
• [UPD] AccessData® FTK® Imager v2.5.3.14
• [UPD] Nirsoft Access Password Recovery v1.1.2.0
• [UPD] Nirsoft Lists USB Devices v1.2.0.0
• [UPD] Nirsoft Remote Desktop Password Recovery v1.0.1.0
• [UPD] Nirsoft Outlook PST Password Recovery v1.1.0.0
• [UPD] Nirsoft Protected Storage PassView v1.6.3.0
• [UPD] Nirsoft Network Password Recovery v1.1.2.0
• [UPD] Nirsoft MozillaCookiesView v1.1.2.0
• [UPD] Nirsoft Instant Messengers Password Recovery v1.2.0.139
• [UPD] Nirsoft Mail Password Recovery v1.4.3.149
• [UPD] Nirsoft LSA Secrets View v1.0.0.0
• [UPD] Nirsoft IE History View v1.3.7.0
• [UPD] Nirsoft IE Cookies View v1.7.1.102
• [UPD] Nirsoft IE Cache View v1.1.2.0
• [UPD] IRCR to fix paths
• [ADD] Nirsoft WirelessKeyView v1.1.6.0
• [ADD] Nirsoft List of all network resources v1.1.1.0
• [ADD] Nirsoft Mozilla History View v1.0.4.0
• [ADD] Nirsoft Mozilla Cache View v1.0.8.0
• [ADD] Nirsoft IPNetInfo v1.1.1.0
• [ADD] Nirsoft list DLLs that are automatically injected on every process v1.0.0.0
• [ADD] Nirsoft Internet Explorer Passwords Viewer v1.0.8.0
• [ADD] Guidance Winen RAM imager v6.11.2.2
• [ADD] Mantech MDD RAM imager v1.3
• [ADD] Mathieu Suiche Win32dd RAM imager v1.1.20080818

Helix 1.9a (July 31, 2007)

ADDED

Linux (Bootable) Side:

1. LFTP - http://lftp.yar.ru

Windows (Live) Side:

1. Spanish Language - Maximiliano Soler

UPDATED

Linux (Bootable) Side:

1. Fixed the Fuse Module (NTFS-3G now works)
2. Fixed the CDFS Module
3. Fixed the Truecrypt Module

Helix 1.9 (July 13, 2007)

ADDED

Linux (Bootable) Side:

1. vinetto 0.06 - http://sourceforge.net
2. Pythonraw 1.0 - http://www.storm.net.nz
3. sg3-utils 1.24-0.1 - http://packages.debian.org
4. Truecrypt 4.3a - http://www.truecrypt.org
5. lzop 1.0.1 - http://www.lzop.org

Windows (Live) Side:

1. RD PassView 1.00 - http://www.nirsoft.net
2. USBDeview 1.05 - http://www.nirsoft.net
3. InjectedDLL 1.00 - http://www.nirsoft.net
4. LSASecretsView 1.10 - http://www.nirsoft.net
5. WirelessKeyView 1.10 - http://www.nirsoft.net
6. Nigilant32 0.1 - http://www.agilerm.net
7. ZeroView 1.1 - http://www.techpathways.com
8. Pre-Search 0.08 - Paul Bright

UPDATED

Linux (Bootable) Side:

1. Scalpel 1.60 - http://www.digitalforensicssolutions
2. Foremost 1.5 - http://foremost.sourceforge.net
3. dcfldd 1.3.4-1 - http://dcfldd.sourceforge.net
4. libewf-20070512 - http://www.uitwisselplatform.nl
5. mount-ewf-20070512
6. allin1 0.4 - http://www.netmon.ch/forensic
7. Sleuthkit 2.09 - http://www.sleuthkit.org
8. RKHunter 1.2.9 - http://rkhunter.sourceforge.net
9. afflib-2.3.0 - http://www.afflib.org
10. NTFS-3g 1.710 - http://www.ntfs-3g.org
11. FUSE 2.7.0 - http://fuse.sourceforge.net
12. CDFS 2.6.19 - http://trappist.elis.ugent.be
13. Kernel 2.6.18 - http://www.kernel.org
14. Linen 6.01 - http://www.guidancesoftware.com

Windows (Live) Side:

1. WFT 3.0.01 - http://www.foolmoon.net
2. IRCR 2.3 - http://tools.phantombyte.com
3. Mail PassView 1.38 - http://www.nirsoft.net
4. MessenPass 1.14 - http://www.nirsoft.net
5. IE PassView 1.05 - http://www.nirsoft.net
6. PstPassword 1.01 - http://www.nirsoft.net
7. NetPass Recovery 1.11 - http://www.nirsoft.net
8. RegScanner 1.51 - http://www.nirsoft.net

REMOVED

Windows (Live) Side:

1. Convair File Recovery
2. Foxit PDF Viewer

Helix 1.8 (October 6, 2006)

Linux (Bootable) Side:

• Fixed Helix Mount code for journaled file systems. Helix will NO longer change the journal mount count when you mount a journaled file system.
• Updated md5deep suite to 1.12
• Updated Clamav to 0.88.2
• Updated Sleuthkit to 2.06
• Updated Autopsy to 2.08
• Updated Foremost to 1.3
• Updated Scalpel 1.54 to carve data
• Updated EnCase Linen to 5.05f
• Updated Adepto 2.0 - With AFF support now
• Added endeavour2 file manager
• Added ssdeep 1.0 for fuzzy hashing
• Added AFFlib 1.6.31 for image acquisition
• Added NTFS-3G for native NTFS write support
• Added libewf library
• Added ptfinder memory analysis code from Andreas Schuster
• Removed Solaris static binaries from CD
• Replaced evince with xpdf

Windows (Live) Side:

• Updated the Helix executable code
• Update code for command shell paths
• Update all Cygwin tools to latest
• Updated all unxutil tools
• Updated Static Binaries (linux)
• Updated MessenPass to v1.08
• Updated Mail PassView to v1.36
• Updated Protected Storage PassView to v1.63
• Updated Network Password Recovery to v1.03
• Updated IECookiesView to v1.70
• Updated IEHistoryView to v1.32
• Updated RegScanner to v1.30
• Updated FTK Imager to 1.5.1
• Updated Forensic Server Project to 1.0
• Updated PsTools Version to 2.34 (Psexec, psinfo, pslist, etc)
• Updated Process Explorer to 10.2
• Added PstPassword v1.00
• Added Access PassView 1.12
• Added PC On/Off Time
• Added Winaudit v2.15
• Added Drive Manager v3.23
• Added ReSysInfo v2.1
• Added Icon to start a NC listener
• Added code to Windows GUI for investigative notes

Helix 1.7 (March 7, 2006)

Linux (Bootable) Side:

• Updated 2.6.14 Kernel
• Updated Firefox to 1.5.0.1
• Updated dcfldd to 1.3.4
• Updated md5deep suite to 1.10
• Updated Clamav to 0.88.1-1
• Updated PyFlag to 0.80-1
• Updated EnCase Linen to 5.04
• Updated/Fixed Boot time help code and Grub options
• Added xhfs 3.2.6 to browse HFS volumes
• Added Totem 1.2.1-3 to play videos
• Added Air 1.2.8 to replace deprecated Grab
• Added Scalpel 1.53 to carve data
• Added Graveman 0.3.12-4-2.1 graphical CD burner
• Added Gcombust 0.1.55-2 graphical CD burner
• Added Sleuthkit binaries to path
• Replaced devfs with udev 0.079-1
• Restored missing replay utility
• Removed Grab (deprecated)
• Removed /usr/share/docs to make room on CD

Windows (Live) Side:

• Updated the Helix executable code
• Cleaned up GUI interface
• Added a new menu bar for quick launch
• Added new options to acquisition screen
• Helix translated to Italian
• Helix translated to Russian
• Update all Cygwin tools to latest
• Updated all unxutil tools
• Updated Static Binaries (linux, solaris)

Helix 1.7 (December 7, 2005)

Linux (Bootable) Side:

• New 2.6.14 Kernel
• New RAID & SATA Drivers
• Switched from Cloop to Squashfs (should be faster)
• Updated Autopsy to 2.06
• Updated Sleuthkit to 2.03
• Updated Firefox to 1.5
• Updated dcfldd 1.2.4
• Updated Clamav to 0.87.1-1
• Added new desktop icons for mounting devices
• Added EnCase Linen Utility
• Added All-in-1-step-GUI 0.3 for the Sleuthkit
• Added 855resolution for Intel Widescreen Laptops
• Added e2undel 0.8-7
• Added evince PDF viewer 0.4.0-1
• Added foomatic for installing printers
• Added hfsplus to access HFS+ formatted volumes
• Added tcpxtract 1.0.1-1 from Nick Harbour
• Removed Kismet
• Removed aircrack
• Removed nessus
• Removed dsniff

Windows (Live) Side:

• Updated the Helix executable code
• Cleaned up GUI interface
• Added a new menu bar for navigation
• Helix log is now saved in PDF
• Helix translated to French
• Helix translated to Russian(Pending)
• Revamped IR directory to clean and streamline it
• Update WFT to version 2.0
• Update all Cygwin tools to latest
• Updated all unxutil tools
• Updated FRED Script
• Added new IRCR v2
• Added Forensic Server Project
• Added PuTTY SSH client
• Added FTK Imager 2.3
• Re-Added Static Binaries (gnu, linux, solaris)

Helix 1.6 (July 28, 2005)

Linux (Bootable) Side:

• Updated Grub to 0.96-1 which fixed error 21
• Updated Autopsy/Sleuthkit to 2.05 and 2.02
• Updated dcfldd to 1.2.4
• Updated pyflag to 0.76
• Updated Retriever to 2.0
• Rewrote grab now Adepto 1.0
• Added OpenOffice
• Update clamav to 0.85-1
• Update firefox to 1.06

Windows (Live) Side:

• Updated the Helix executable code
• Fixed FRED script
• Fixed missing split.exe
• Added 3 new tools from Nirsoft

Helix 1.6 (March 12, 2005)

Linux (Bootable) Side:

• Removed SMART per request. For SMART please go to ASR DATA
• Fixed missing helix.htm file
• Fixed Grub error 21 by releasing 2nd ISO that does not use Grub

Windows (Live) Side:

• Updated the Helix executable code
• Fixed error in scan for Images/Pictures
• Added new section for System Info
• Added 4 new tools from Nirsoft
• Updated GUI

Helix 1.6 (March 7, 2005)

Linux (Bootable) Side:

• Removed many many packages (including kde/fluxbox)
• Uses XFce 4.02 Window Manager exclusively
• Wrote a new tool "Retriever" for finding Picture/Movies/Documents/Mail
• Updated PyFLAG to 0.74 and fixed DB errors
• Replaced GKrellm with Torsmo
• Boot now uses GRUB
• Added stego tools:
  • Outguess 0.2-5
  • Stegdetect 0.5-6
• Added Intel IPW2200 drivers
• Tremendously updated Hardware detection scripts:
  • hwdate package
  • pci.ids file
  • pcitable file
• Updated the antivirus signatures and engines for ClamAV and F-Prot
• Added a GUI interface to ClamAV (clamscan) and F-Prot
• Adjusted the automount.sh script
• Added a filesystem overlay (Unionfs) so you can seemingly make writes to the CD.
• Added a custom 2.6.10 non preemptive kernel
• Added Regviewer
• Added chntpw
• Added grepmail 5.3030
• Updated rkhunter to 1.2.0
• Updated chkrootkit to 0.44-2
• Added logfinder 0.1 from EFF
• Added LVM / LVM2 support
• Rewrote the Helix users manual

Windows (Live) Side:

• Updated the Helix executable code
• Change the acquisition page to be easier
• Added Windows ME/98 shells
• Added new section to scan for Images/Pictures
• Added new tool RootKitRevealer from Sysinternals
• Updated Cygwin binaries

Helix 1.5 (December 12, 2004)

Linux (Bootable) Side:

• Removed Mozilla and all Mozilla components
• Replaced ROX file manager with Xfe 0.72
• Updated FireFox to 1.0 and added many extensions
• Updated PyFLAG to 0.72 and fixed DB errors
• Updated Sleuthkit to 1.73
• Updated Grab to 1.2.2
• Copied memdump to Linux Static Tools
• Added TSClient 0.132
• Added Tcltls 1.5.0-2 (Used for Sguil)
• Added Argus 2.0.6
• Added Chkrootkit 0.44
• Adjusted themes
• Fixed German menus in KDE (will display english now)

Windows (Live) Side:

• Updated the Helix executable code
• Updated the IR.sh scripts to account for variable paths
• Added HoverSnap (screenshot utility) from Hoverdesk
• Added PC Smart media recovery from Convar
• Added PC File recovery from Convar

Helix 1.5 (October 7, 2004)

Linux (Bootable) Side:

• Fixed GRAB code (had a dumb programming error) v 1.2.1
• Added glimpse 4.18.0

Windows (Live) Side:

• Updated Windows code for German users

Helix 1.5 (September 30, 2004)

Linux (Bootable) Side:

• Turned off java and javascript in firefox as it caused crashes on certain web pages
• Set up shells to automatically use logging
• Updated Autopsy/Sleuthkit to 2.03/1.72
• Fixed the Bash Shell to show a color difference between root and helix user
• Fixed the missing images in the Helix index.html page
• Fixed the fstab rebuild script
• Added the directory AddOn to /cdrom/ for user remaster files
• Added 2hash v 0.2 by Thomas Akin
• Added F-Prot Virus Scanner
• Added Sguil-0.5.2 Client

Windows (Live) Side:

• Updated dd Acquisition page to be Interactive
• Helix now logs all activity by default
• Added 2hash v 0.2 by Thomas Akin

Helix 1.5 (September 7, 2004)

Linux (Bootable) Side:

• Update Base Helix Structure - updated all programs to latest version as of Sept 1, 2004
• Many major upgrades to hardware detection (default USB2 support, etc)
• Fixed IPW2100 Intel Centrino drivers (updated to ver 0.54)
• Updated Kernels to 2.4.27 and 2.6.7
• Updated Captive-NTFS
• Added ClamAV Antivirus
• Added Aircrack 1.41
• Added Ghost for Linux
• Added lshw (Hardware Lister) under Forensic Tools
• Re-added German Language module and keyboard layouts for many other languages
• Updated firefox to 0.9.3
• Updated Autopsy/Sleuthkit to 2.02/1.71 with indexing patch. Also added to PATH
• Updated PyFLAG to 0.64
• Fixed execute bit on Static binaries

Windows (Live) Side:

• Major Update Improvement to User Interface
• Interface is now interactive, meaning tools are no longer static: a user can assign input for tools such as WFT, etc.
• Multi-language support now built in. German and English are the only two active currently
• Updated all of the Windows utilities to latest versions as of 1 Sept 2004
• Updated FRED Scripts
• Updated Secreport from Alexander Kotkov http://kotkov.tripod.com/getinfo.zip
• Updated Documents
• Updated FAU from George M. Garner Jr to build Build 1034
• Update script files such as ir.bat, ir2.bat, cmdenv.bat, etc
• Added reg queries for Run keys for the Local User
• Added %~d0 to each item in the path so that the drive letter the script is run from is prepended to the item. This allows more flexible navigation within the CMD env.
• Updated the PATH to include all directories on the CD
• Added the following Foundstone tools to \IR\Foundstone:
  • galleta.exe -- examines IE cookie files
  • pasco.exe -- examines IE URL History
  • rifiuti.exe -- examines the contents of the INFO2 recycle bin file
  • NetSchedScan -- Remote Task Scheduler scanner

Helix 1.4 (July 4, 2004)

• Windows Side Autorun updated with new features
• Kismet Log Viewer 0.9.7
• Airtraf 1.1
• rkhunter 1.1.1
• idesk 0.5.6-2
• TcpTrack
• ipgrab 0.9.8-2
• logsh - console logging script
• Tweaked the mounting code to ensure forensic integrity
• Updated captive-ntfs
• Added helix2hd install script
• Updated Fluxbox to use idesk instead of rox (rox is still the file Manager)
• Uses FireFox 0.9 instead of Mozilla

Helix 1.4 (June 3, 2004)

• Windows Side Autorun updated with new features
• Many fixes to source code
• Many updates in Incident Response & Forensic tools
• Updated IR scripts

Helix 1.4 (May 18, 2004)

• Kernel 2.4.26 (default) and Kernel 2.6.5 with ACPI enabled (use helix acpi=off in case of problems, helix26 to try Kernel 2.6)
• New wireless drivers for: ipw2100 ("Centrino"(TM)), madwifi
• New captive-ntfs installer
• Fluxbox 0.9.9
• /dev/modem setup tool supporting serial, USB, bluetooth and irda devices
• gprs connection tool
• Many improvements in hardware detection and new boot options, see helix-cheatcodes.txt
• Many updates in Incident Response & Forensic tools
• Updated to Autopsy 2.0 and Sleuthkit 1.69
• Updated IR scripts
• Updated FLAG to pyflag 0.62.
• Updated GRAB to ver 1.2

Helix 1.3.3b (February 3, 2004)

• Fixed some buggy issues and cleaned up code. (Thanks Rob Lee, Mike Poor)

Helix 1.3.3 (February 1, 2004)

• Switched from syslinux to isolinux (no emulation) boot method
• Eliminated all windows managers except KDE & fluxbox. Fluxbox is default
• Update nessus plugins
• If you have 640MB of RAM or more you can enter "helix toram" at the boot: prompt to free up the CD drive
• patched orinoco driver is the default
• Kismet updated to 3.0.1 and is pre-configured for orinoco on eth0
• All init scripts now check the helix home dir before copying from the CD. This means that if you're using a persistent home dir the init scripts act as restore scripts
• Added many new tools and updated all existing tools

Helix 1.3.2 (November 23, 2003)

Initial Public Beta Release.