Difference between pages "CAINE Live CD" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(DBG, PDB)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{expand}}
  name = CAINE Live CD |
+
  maintainer = [[CAINE Project]] |
+
  os = {{Linux}} |
+
  genre = {{Live CD}} |
+
  license = {{GPL}}, others |
+
  website = [http://www.caine-live.net/] |
+
}}
+
  
'''CAINE Live CD''' (Computer Aided Investigative Environment) is a forensic [[Live CD]] built on top of Ubuntu.
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
== CAINE 1.5 ==
+
As of December 2009, the current version of [http://www.caine-live.net/ Caine] is 1.5. According to documentation, it is based on [http://releases.ubuntu.com/8.04/ Ubuntu 8.04]. Unlike the [[Helix]] project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.
+
  
== Forensic Issues ==
+
There are multiple families of executable files:
 +
* Scripts; e.g. shell scripts, batch scripts (.bat)
 +
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
* ELF
 +
* Mach-O
  
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
+
== External Links ==
* '''Caine Live CD Version 1.0 introduced new mounting policies''':
+
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
- The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read-only mode on a read-only loopback device.
+
=== MZ, PE/COFF ===
 +
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
 +
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
  
- If a user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.
+
=== DBG, PDB ===
 +
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
 +
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
  
- The ext3 driver will be ignored when ext3 file systems are mounted and the ext2 driver used instead. This protects any ext3 file systems from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 partition is mounted, there is no danger of modifying the journal metadata.
+
=== Mach-O ===
 +
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
  
- Applying a special patch CAINE team fixed the bug that changed the journal of the ext3 file systems when the computer was switched off without by pulling the plug.
+
== Tools ==
  
- Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "exotic names" like /dev/sdad1.
+
=== MZ, PE/COFF ===
 +
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
  
- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).
+
=== PDB ===
 
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
    # ntfs-3g /device-path /your-mount-point
+

Revision as of 05:18, 2 November 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
  • ELF
  • Mach-O

External Links

MZ, PE/COFF

DBG, PDB

Mach-O

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)