Friday, March 25, 2011

CAINE Live CD - NewLight computer forensics digital forensics

NEW! CAINE 2.0 - NewLight is out!

LINUX MAGAZINE awesome article on CAINE 2.0!


I downloaded the ISO Image and booted it up in VirtualBox. I didn't realize until then that Caine is based on Ubuntu. It took about 3 minutes to finish Booting with 512mb of ram and 32mb video in my VM. All the while using 50% of my System Resources. My Real Machine is a Core 2 Duo 1.8ghz, with 2 and a half Gig of Ram and a 515mb Video. Not a Hot Rod PC, but usually does fine with other Distros. Debian 6 Boots and runs great in it and Fedora 14 does fine too. I wonder why they used Ubuntu, such a Resource Hog, instead of the Real Deal... Debian? But, after the initial long Boot time, Caine ran very well and is a good Distro, even without the Forensics Apps. I saw some Apps in there that are new to me. I'm pretty much a novice when it comes to real Forensics. But I have used TestDisk for over 4 years and it has saved me a lot of headaches with Restoring Lost Data and Partitions. So, I was glad to see TestDisk and PhotoRec, familiar Apps. I tried out Autopsy, but got stuck when trying to import a Disk Image. Of course I didn't have any Disk Images in my VM. So I tried getting one from my FTP Server, but I guess this doesn't work in Autopsy. I kept getting an error on the import page. Still it looks really interesting and easy and intuitive to use. I looked around the live system and I like it a lot. I will definitely Burn a CD for Live use, since that is how they recommend using Forensics Software to keep from changing or corrupting the data on the Target System...

Make sure you read this page before Booting up your new ISO or CD that you make, or you will be stuck right off the bat and won't be able to do anything as root.
* If you see this kind of error, "gvfsd-metadata closed unexpectedly", don't worry, it's not important. READ HERE.
* The SUDO password is: caine
Go here to Read more... http://www.caine-live.net/page8/page8.html

Try Caine out, if you are interested in Forensics or even if you just need to Restore Some Lost Files or a Lost Partition....

Don

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics.
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user friendly graphical interface
  • a semi-automated compilation of the final report
We recommend you to read the page on the CAINE policies carefully.

CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, everyone could take the legacy of the previous developer or project manager. The distro is open source, the Windows side (Wintaylor) is open source and, the last but not the least, the distro is installable, so giving the opportunity to rebuild it in a new brand version, so giving a long life to this project ....

Nanni Bassetti

CHANGELOG CAINE 2.0 "NewLight"

Kernel 2.6.32-24

ADDED:
Air 2.0.0
MountManager
Disk Utility
Storage Device Manager
SSdeep
ByteInvestigator
DMIdecode
HDSentinel
WVSummary
Read_open_Xml
Fiwalk
Bulk Extractor
Log2Timeline
Midnight Commander
SQLJuicer
CDFS 2.6.27
Nautilus Scripts
Fake Casper patch
Manual updated
------------------------------------------------
Windows Side:
Wintaylor updated & upgraded

------------------------------------------
Live Preview Nautilus Scripts

CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.
The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques.
The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can use the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
John Lehr
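As an added illustration of what the "Save as Evidence" script described above does (this is example code written for this page, not CAINE's own Nautilus script), the routine below copies a selected file into an Evidence folder without touching the source, and writes a text report with the file's metadata and an investigator comment. The SHA-256 digest and the re-hash of the copy are additions here, assumed useful so the copy can be verified later; the evidence folder is passed in as a parameter rather than hard-coded to the desktop.

```python
# Added example, not CAINE's own script: mimics the "Save as Evidence" flow.
import hashlib
import shutil
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def save_as_evidence(source: str, evidence_dir: str, comment: str = "") -> dict:
    """Copy `source` into `evidence_dir` and write `<name>.report.txt` beside it.

    Metadata is taken from stat() (read-only) before the file is opened, so
    the recorded access time is the original one. The copy is re-hashed
    before the report is written. Returns paths and digest for checking.
    """
    src = Path(source)
    out = Path(evidence_dir)
    out.mkdir(parents=True, exist_ok=True)
    st = src.stat()                       # read-only metadata access
    digest = sha256_of(src)
    copy = out / src.name
    shutil.copy2(src, copy)               # copy2 keeps timestamps and mode
    if sha256_of(copy) != digest:         # refuse to report a bad copy
        raise RuntimeError("evidence copy does not match source hash")
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [
        f"Source path  : {src.resolve()}",
        f"Evidence copy: {copy.resolve()}",
        f"Size (bytes) : {st.st_size}",
        f"Mode         : {oct(st.st_mode)}",
        f"Owner uid/gid: {st.st_uid}/{st.st_gid}",
        f"Modified     : {time.strftime(fmt, time.localtime(st.st_mtime))}",
        f"Accessed     : {time.strftime(fmt, time.localtime(st.st_atime))}",
        f"SHA-256      : {digest}",
        f"Collected    : {time.strftime(fmt)}",
        f"Comment      : {comment or '(none)'}",
    ]
    report = out / (src.name + ".report.txt")
    report.write_text("\n".join(lines) + "\n")
    return {"copy": str(copy), "report": str(report), "sha256": digest}
```

Run it against a file on media mounted read-only, as CAINE's live environment intends, and the only writes land in the evidence folder.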
------------------------------------------
CASPER PATCH (not for NBCaine 2.0)
The patch changes the way Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD drives and some other devices while booting the system (during the stage when the system tries to find the boot media with the correct root file system image on it, because common bootloaders do not pass any data about the media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug where Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc).
Suhanov Maxim
