Difference between revisions of "CAINE Live CD"

From Forensics Wiki
Line 18: Line 18:
 
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
 
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
 
* '''Caine Live CD Version 1.0 uses brand new mounting policies''':
 
* '''Caine Live CD Version 1.0 uses brand new mounting policies''':
1. Mounting policy of CAINE
+
 
 
The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read only mode on a LOOP device.
 
The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read only mode on a LOOP device.
 
- When a user decide to mount a device through the Disk Mounter applet, it will always mounted with the following options: ro,loop,noatime,noexec,nosuid,nodev.
 
- When a user decide to mount a device through the Disk Mounter applet, it will always mounted with the following options: ro,loop,noatime,noexec,nosuid,nodev.
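Review bot: the line "1. Mounting policy of CAINE" marked in this hunk is the only thing that sets the policy text apart from the bullet list, and the context lines after it begin with a bare "-" rather than the "*" list markup used by the two bullets above, so the policy paragraph and the Disk Mounter item will render as running text under "brand new mounting policies". Suggest making them sub-items of the Version 1.0 bullet, and correcting "decide" and "will always mounted" in the Disk Mounter line while these lines are being touched.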

Revision as of 09:20, 11 November 2009

CAINE Live CD
Maintainer: CAINE Project
OS: Linux
Genre: Live CD
License: GPL, others
Website: [1]

CAINE Live CD is a forensic Live CD built on top of Ubuntu.

Bootable Side

Live Side

Forensic Issues

  • CAINE Live CD versions before 1.0 will automount Ext3 file systems during the boot process and recover them if required (bug in initrd scripts);
  • CAINE Live CD version 1.0 uses brand new mounting policies:

The mounting policy adopted by CAINE for any internal or external device: never mount any device automatically; when the user clicks on the device icon, the system mounts it in read-only mode on a LOOP device.

- When a user decides to mount a device through the Disk Mounter applet, it will always be mounted with the following options: ro,loop,noatime,noexec,nosuid,nodev.

- If the user decides to mount a device via terminal, he can use the “mount” command, but all the mount options must be specified. The ext3 driver will be ignored when ext2 and ext3 partitions are mounted in the future and the ext2 driver used instead. This protects any ext3 partitions from a forensic point of view. Ext2 does not use journaling, so when an ext3 partition is mounted, there is no danger of modifying the metadata when increasing the count inside said journal.

By applying a special patch (Maxim Suhanov's patch), we fixed the bug that changed the journal of the ext3/ext4 file system when the computer was switched off without using the shutdown procedure. Fixed in the fstab: auto-mounting of MMCs is forbidden, and a check was added for the "exotic names" like /dev/sdad1.

- If the user wants to mount and write to NTFS media, they should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).

   * $ sudo ntfs-3g /device-path /your-mount-point
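
A way to check mounted evidence against the policy above, as an added example that is not CAINE's own code: it reads mount-table lines in /proc/mounts format and reports every mount that departs from ro,loop,noatime,noexec,nosuid,nodev or uses a journaling ext driver. The function names, the /media prefix and the sample lines are assumptions made for the example.

```bash
#!/bin/sh
# Audit mount-table lines (/proc/mounts format) against the policy on this page:
# ro,loop,noatime,noexec,nosuid,nodev, and ext2 rather than ext3/ext4.
# Assumption: evidence is mounted under one prefix (here /media).

REQUIRED_OPTS="ro noatime noexec nosuid nodev"

# audit_mounts PREFIX: reads mount lines on stdin, prints one finding per line.
audit_mounts() {
    local prefix=$1 dev mnt fstype opts rest opt
    while read -r dev mnt fstype opts rest; do
        # Skip everything that is not below the evidence prefix.
        case $mnt in "$prefix"/*) ;; *) continue ;; esac
        # In /proc/mounts the "loop" option appears as a /dev/loopN source.
        case $dev in
            /dev/loop*) ;;
            *) echo "$mnt: not on a loop device ($dev)" ;;
        esac
        # Match whole options only, so "relatime" does not satisfy "noatime".
        for opt in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "$mnt: missing option $opt" ;;
            esac
        done
        # A journaling driver may replay or update the journal on mount.
        case $fstype in
            ext3|ext4) echo "$mnt: journaling driver $fstype in use" ;;
        esac
    done
    return 0
}

# Constructed sample input, not captured from a real system.
sample_mounts() {
    cat <<'EOF'
/dev/loop0 /media/sda1 ext2 ro,nosuid,nodev,noexec,noatime 0 0
/dev/sdb1 /media/sdb1 ext3 rw,relatime 0 0
/dev/loop1 /media/sdc1 vfat ro,nosuid,nodev,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample; on a live system use: audit_mounts /media < /proc/mounts
sample_mounts | audit_mounts /media
```
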