The second component is the bootable Linux component. Booting from the CD loads a Knoppix-derivative forensic environment. This environment disables disk swapping by default to ensure the probable forensic source is not written to. There are several utilities for creating the forensic backup from the Helix environment, but the most common is Adepto.
Adepto created the forensic backup in around six minutes, but this backup was from one USB drive to another, while the others were USB-to-IDE (integrated drive electronics) backups. Adepto used to have a bug in verifying the forensic image hash, but this appears to have been fixed in release 1.9.
Once the image is created, the next utility that comes into play is Autopsy. This is a browser-based forensic tool and, unfortunately, it is just not feature-rich enough to compete with commercial products on the market.
Autopsy does have some real strengths: for instance, it recovered most deleted files better than most products we tested. However, there was no mechanism to search for access-controlled or steganographically hidden files. While Autopsy managed to detect the presence of a deleted directory, the contents of the directory could not be recovered.
Many help files have been written on using the Helix environment and on maintaining proper forensic procedure with Helix, and most are included on the free CD. Internet searches should yield even more.
As Helix is free, it obviously scores on value for money.
For: Open-source offering for easier verification of forensic code
Against: A strong Linux background is needed to use the utility properly
Verdict: At a price that can't be beaten, Helix offers many features for the advanced professional