From ForensicsWiki
Revision as of 10:15, 28 July 2012 by Joachim Metz (Talk | contribs)

Jump to: navigation, search
Maintainer: CAINE Project
OS: Linux
Genre: Live CD
License: GPL, others

CAINE Live CD (Computer Aided Investigative Environment) is a forensic Linux Live CD based on Ubuntu.


September 2010


Kernel 2.6.32-24 

Air 2.0.0 
Disk Utility
Storage Device Manager
Bulk Extractor
Midnight Commander 
CDFS 2.6.27
Nautilus Scripts
Fake Casper patch 
Manual updated

Live Preview Nautilus Scripts CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool. The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired. A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address. The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques. The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can used the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination! by John Lehr

CASPER PATCH (not for NBCaine 2.0) The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). --- by Suhanov Maxim


As of December 2009, the current version of Caine is 1.5. According to documentation, it is based on Ubuntu 8.04. Unlike the Helix project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.

Forensic Issues

  • CAINE Live CD versions before 1.0 will automount Ext3 file systems during the boot process and recover them if required (bug in initrd scripts);
  • CAINE Live CD version 1.0 introduced new mounting policies:

- The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read-only mode on a read-only loopback device.

- If a user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.

- The ext3 driver will be ignored when ext3 file systems are mounted and the ext2 driver used instead. This protects any ext3 file systems from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 file system is mounted, there is no danger of modifying the journal metadata.

- By applying a special patch CAINE team fixed the bug that changed the journal of the ext3 file systems when the computer was switched off by pulling the plug.

- Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "exotic names" like /dev/sdad1.

- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).

   # ntfs-3g /device-path /your-mount-point

External Links