Caine Forensic

Florence Rocle

Jul 25, 2024, 10:25:52 PM
to elephantbird-dev

CAINE fully represents the spirit of the Open Source philosophy, because the project is completely open: everyone could take on the legacy of the previous developer or project manager. The distro is open source, the Windows side is freeware and, last but not least, the distro is installable, thus giving the opportunity to rebuild it in a brand new version and so giving a long life to this project.

Nanni Bassetti

CAINE 13.0 can boot on UEFI/UEFI/Legacy BIOS/BIOS.


If Secure Boot fails, try to disable it from UEFI.
If Secure Boot needs to be disabled, it's important to have the BitLocker recovery key in order to recover after turning off Secure Boot and trying to boot into the OS of the device. Without the recovery key, you will not be able to boot back into the laptop.

If you want to create a hybrid image, try this:
isohybrid -u caine11.0.iso


The important news is that CAINE 13.0 locks all block devices (e.g. /dev/sda) in read-only mode. You can use a GUI tool named UnBlock, present on CAINE's desktop.
This new write-blocking method assures that all disks are really preserved from accidental write operations, because they are locked in read-only mode.
If you need to write to a disk, you can unlock it with UnBlock or by using "Mounter" and changing the policy to writable mode.



CAINE is always faster during boot.
CAINE 13.0 can boot to RAM (toram).


Instructions:

Left-click the disk icon to mount a device.
Right-click the disk icon to change the system mount policy.
Middle-click will close the mounter application. Relaunch from the menu.

The mounted devices will not be affected by mount policy changes. Only subsequent mounting operations will be affected.


by John Lehr


Live Preview Caja Scripts


CAINE includes scripts activated within the Caja web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering it with the appropriate tool.
The live preview Caja scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Caja window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod device and display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., real name and email address.
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and criticisms.
The preview scripts were born from a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can use the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
John Lehr
------------------------------------------
Root file system spoofing PATCH
The patch changes the way Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD drives and some other devices while booting the system (during the stage when the system tries to find the boot media with the correct root file system image on it, because common bootloaders do not pass any data about the media used for booting to the operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug where Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc.).
---
Suhanov Maxim




CAINE Linux (Computer Aided INvestigative Environment) is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti.[1] The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with several related tools pre-installed.[2]

CAINE is a professional open source forensic platform that integrates software tools as modules along with powerful scripts in a graphical interface environment.[1] Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigation process (preservation, collection, examination and analysis).[3][4] CAINE is a live Linux distribution, so it can be booted from removable media (flash drive) or from an optical disk and run in memory.[5] It can also be installed onto a physical or virtual system. In Live mode, CAINE can operate on data storage objects without having to boot up a supporting operating system. The latest version 11.0 can boot on UEFI/UEFI+Secure and Legacy BIOS, allowing CAINE to be used on information systems that boot older operating systems (e.g. Windows NT) and newer platforms (Linux, Windows 10).

CAINE is based on Ubuntu 18.04 64-bit, using Linux kernel 5.0.0-32.[6] CAINE system requirements to run as a live disc are similar to Ubuntu 18.04. It can run on a physical system or in a virtual machine environment such as VMware Workstation.

The CAINE Linux distribution has numerous software applications, scripts and libraries that can be used in a graphical or command line environment to perform forensic tasks. CAINE can perform data analysis of data objects created on Microsoft Windows, Linux and some Unix systems. One of the key forensic features since version 9.0 is that it sets all block devices by default to read-only mode. Write-blocking is a critical methodology to ensure that disks are not subject to writing operations by the operating system or forensic tools.[7] This ensures that attached data objects are not modified, which would negatively impact digital forensic preservation.

CAINE provides software tools that support database, memory, forensic and network analysis.[8] File system image analysis of NTFS, FAT/ExFAT, Ext2, Ext3, HFS and ISO 9660 is possible via command line and through the graphic desktop.[9] Examination of Linux, Microsoft Windows and some Unix platforms is built-in. CAINE can import disk images in raw (dd) and expert witness/advanced file format. These may be obtained from using tools that are included in CAINE or from another platform such as EnCase or the Forensic Tool Kit.[10]

CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.


When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool's shortcut in the 'Forensic Tools' folder on the applications menu bar.

- Comes with a user-friendly interface that brings together many open-source forensics tools.
- Adheres to the investigation procedure laid down by Italian laws.
- Its environment is optimized for in-depth forensic analysis.
- Generates reports that are easily editable and exportable.

The theory is you use the bootable USB with CAINE to mount the "infected machine" as read-only and then write to the second USB, but someone pointed out that in order to boot the CAINE USB I have to turn off the "infected machine", which would cause some evidence to be lost.

My understanding of CAINE (dated, and so possibly wrong) is that you either boot it on a work computer, or just run those tools included live on the system you're investigating. Not both at the same time, which seems to be what you're asking about.

I was following this course -response-and-handling/ and it says you have to have a USB with a write blocker and another USB where you run all your tools. They made it sound simple using FTK, but the only option I found for the write blocker part was using CAINE, and the problem is that I still need to reboot the machine.

During different power states, it depends on whether you want to preserve those power states. That, in turn, requires detailed knowledge of what OS you're running, and whether you can retrieve that information after forced power-offs.

In general, though, you use the already established environment to do the image. In reduced-privilege environments (i.e. logged in as an unprivileged user), all you can do is access the data that the current user can access. In special circumstances, you can raise your privilege and so get additional access, but that usually requires cooperation with the user or a third party (becoming local admin/root).
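The write-blocking policy and the Mounter/UnBlock instructions above describe CAINE locking every block device read-only, but an examiner still wants to verify that state before touching evidence. The following is an added example, not CAINE's own tooling or code from this post: it reads the kernel's per-device read-only flag from /sys/block/<dev>/ro (assumed to be 1 for locked devices, as CAINE's policy sets) and refuses to proceed if any disk was left writable, e.g. after UnBlock was used.

```shell
#!/bin/sh
# Added example (not part of CAINE or the original post): confirm that every
# block device is locked read-only before starting evidence acquisition.
# The kernel exposes the per-device read-only flag in /sys/block/<dev>/ro
# (1 = read-only, 0 = writable). CAINE's write-blocking policy sets it to 1;
# UnBlock or a writable Mounter policy sets it back to 0.

# list_block_ro: print "device ro" pairs for every whole-disk device on this host.
list_block_ro() {
    for d in /sys/block/*; do
        [ -r "$d/ro" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/ro")"
    done
}

# writable_devices: read "device ro" pairs from stdin and print the devices
# that are writable (ro != 1). Loop, RAM and zram devices are skipped because
# they are not evidence media; anything else that is writable is reported.
writable_devices() {
    while read -r dev ro; do
        case "$dev" in loop*|ram*|zram*) continue ;; esac
        [ "$ro" = "1" ] || printf '%s\n' "$dev"
    done
}

# assert_all_ro: return 0 when every reported device is read-only, 1 otherwise.
# Writable devices are printed so the examiner can lock them again with
# UnBlock/Mounter before imaging.
assert_all_ro() {
    out=$(writable_devices)
    if [ -n "$out" ]; then
        printf 'WRITABLE (not write-blocked): %s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Constructed sample (hypothetical host): sdb was unlocked with UnBlock.
SAMPLE='sda 1
sdb 0
loop0 0
nvme0n1 1'

# On a live CAINE system the real check is: list_block_ro | assert_all_ro
printf '%s\n' "$SAMPLE" | assert_all_ro || echo "do not image yet"
```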
