CAINE Linux

From HandWiki
Graphic Desktop Environment of CAINE Linux.

CAINE Linux (Computer Aided INvestigative Environment) is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti.[1] The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with several related tools pre-installed.[2]

Purpose

CAINE is a professional open source forensic platform that integrates software tools as modules along with powerful scripts in a graphical interface environment.[1] Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigate process (preservation, collection, examination and analysis).[3][4] CAINE is a live Linux distribution so it can be booted from removable media (flash drive) or from an optical disk and run in memory.[5] It can also be installed onto a physical or virtual system. In Live mode, CAINE can operate on data storage objects without having to boot up a supporting operating system. The latest version 11.0 can boot on UEFI/UEFI+Secure and Legacy BIOS allowing CAINE to be used on information systems that boot older operating systems (e.g. Windows NT) and newer platforms (Linux, Windows 10).

Requirements

CAINE is based on Ubuntu 18.04 64-bit, using Linux kernel 5.0.0-32.[6] CAINE system requirements to run as a live disc are similar to Ubuntu 18.04. It can run on a physical system or in a virtual machine environment such as VMware Workstation.

Supported platforms

The CAINE Linux distribution has numerous software applications, scripts and libraries that can be used in a graphical or command line environment to perform forensic tasks. CAINE can perform data analysis of data objects created on Microsoft Windows, Linux and some Unix systems. One of the key forensic features since version 9.0 is that it sets all block devices by default to read-only mode. Write-blocking is a critical methodology to ensure that disks are not subject to writing operations by the operating system or forensic tools.[7] This ensures that attached data objects are not modified, which would negatively impact digital forensic preservation.

Tools

CAINE provides software tools that support database, memory, forensic and network analysis.[8] File system image analysis of NTFS, FAT/ExFAT, Ext2, Ext3, HFS and ISO 9660 is possible via command line and through the graphic desktop.[9] Examination of Linux, Microsoft Windows and some Unix platforms is built-in. CAINE can import disk images in raw (dd) and expert witness/advanced file format. These may be obtained from using tools that are included in CAINE or from another platform such as EnCase or the Forensic Tool Kit.[10]

Some of the tools included with the CAINE Linux distribution include:

  • The Sleuth Kit – open source command line tools that support forensic inspection of disk volume and file system analysis.
  • Autopsy – open source digital forensics platform that supports forensic analysis of files, hash filtering, keyword search, email and web artifacts. Autopsy is the graphical interface to The Sleuth Kit.
  • RegRipper – open source tool, written in Perl, extracts/parses information (keys, values, data) from the Registry database for data analysis.
  • Tinfoleak – open source tool for collecting detailed Twitter intelligence analysis.
  • Wireshark – supports interactive collection of network traffic and non real-time analysis of data packet captures (*.pcap).
  • PhotoRec – supports recovery of lost files from hard disk, digital camera and optical media.
  • Fsstat – displays file system statistical information about an image or storage object.

References

  1. 1.0 1.1 "CAINE Live USB/DVD - computer forensics digital forensics". https://www.caine-live.net/. 
  2. "History of the Project". https://www.caine-live.net/page4/history.html. 
  3. James, Joshua I.; Gladyshev, Pavel (2013-09-01). "A survey of digital forensic investigator decision processes and measurement of decisions based on enhanced preview" (in en). Digital Investigation 10 (2): 148–157. doi:10.1016/j.diin.2013.04.005. ISSN 1742-2876. 
  4. Sean-Philip., Oriyano (2011). Hacker techniques, tools, and incident handling. Gregg, Michael.. Sudbury, Mass.: Jones & Bartlett Learning. ISBN 978-0763791834. OCLC 702369433. 
  5. "CAINE 8.0" (in EN-GB). TechRadar. https://www.techradar.com/reviews/caine-80. 
  6. "CAINE Live USB/DVD". https://www.caine-live.net/. 
  7. Decusatis, Casimer; Carranza, Aparicio; Ngaide, Alassane; Zafar, Sundas; Landaez, Nestor (October 2015). Methodology for an Open Digital Forensics Model Based on CAINE. IEEE. doi:10.1109/cit/iucc/dasc/picom.2015.61. ISBN 9781509001545. 
  8. "CAINE Provides Sturdy Support for Forensic Specialists" (in en). https://www.linuxinsider.com/story/81353.html. 
  9. Kerner, Sean Michael (7 November 2017). "CAINE 9.0 Linux Expands Computer Forensic Investigation Capabilities". http://www.eweek.com/security/caine-9.0-linux-helps-investigators-with-computer-security-forensics. 
  10. "Tactical Objectives and Challenges in Investigative Computer Forensics", Investigative Computer Forensics, John Wiley & Sons, Inc., 2013-04-11, pp. 157–166, doi:10.1002/9781118572115.ch6, ISBN 9781118572115 

External links