Difference between pages "Residual Data on Used Equipment" and "CAINE Live CD"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Used Hard Drives)
 
 
Line 1: Line 1:
Used hard drives are frequently a good source of images for testing forensic tools. That's because many individuals, companies and organizations neglect to properly sanitize their hard drives before they are sold on the secondary market.
+
{{Infobox_Software |
 +
  name = CAINE LiveCD |
 +
  maintainer = [[Nanni Bassetti]] |
 +
  os = {{Linux}} |
 +
  genre = {{Live CD}} |
 +
  license = {{GPL}}, others |
 +
  website = [http://www.caine-live.net Caine Live] |
 +
}}
 +
'' ''' Caine' (an acronym for Computer Aided Investigative Environment'''') is a [[distribution Linux | distribution]] [[Live CD | live]] oriented to Computer Forensics ([[computer forensics]]) historically conceived by Giancarlo Giustini, within a project of Digital Forensics '' Interdepartmental Research Center for Security'' (CRIS) of the University of Modena and Reggio Emilia  see [http://www.caine-live.net/page4/history.html Official Site].
 +
Currently the project is maintained by Nanni Bassetti.
  
You can find used hard drives on eBay, at swap meets, yard sales, and even on the street.  
+
== Features ==
 +
The latest version of Caine is based on the [[Ubuntu Linux]] 12.04 LTS, MATE and LightDM. Compared to its original version, the current version has been modified to meet the standards forensic reliability and safety standards laid down by the [[NIST]] View [Http://www.cftt.nist.gov/Methodology_Overview.htm the methodologies of Nist].
  
 +
Caine includes:
 +
* Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
 +
* Updated and optimized environment to conduct a forensic analysis;
 +
* Report generator semi-automatic, by which the investigator has a document easily editable and exportable with a summary of the activities;
 +
* Adherence to the investigative procedure defined recently by Italian Law 48/2008, [Http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008,].
  
=Media Accounts=
+
In addition, Caine is the first distribution to include forensic Forensics inside the Caja/Nautilus Scripts and all the patches of security for not to alter the devices in analysis.
==Used Hard Drives==
+
  
There have been several incidents in which individual have purchased a large number of hard drives and written about what they have found. This web page is an attempt to catalog all of those stories in chronological order.
+
The distro uses several patches specifically constructed to make the system "forensic", ie not alter the original device to be tested and / or duplicate:
 +
* Root file system spoofing: patch that prevents tampering with the source device;
 +
* No automatic recovery corrupted Journal patch: patch that prevents tampering with the device source, through the recovery of the [[Journal]];
 +
* Mounter and RBFstab: mounting devices in a simple and via graphical interface.
  
* '''2003-01''': [[Simson Garfinkel]] and Abhi Shelat at MIT publish a study in ''IEEE Security and Privacy Magazine''  which documents large amount of personal and business-sensitive information found on 150 drives purchased on the secondary market.
+
[[RBFstab]] is set to treat [[EXT3]] as a [[EXT4]]'' noload with the option'' to avoid automatic recovery of any corrupt Journal of '[[EXT3]];
 +
* Swap file off: patch that avoids modifying the file [[swap]] in systems with limited memory [[RAM]], avoiding the alteration of the original artifact computer and overwrite data useful for the purposes of investigation.
  
* '''2006-06''': A man buys a family's hard drive at a fleamarket in Chicago after the family's hard drive is upgraded by Best Buy. Apparently somebody at Best Buy violated company policy and instead of destroying the hard drive, they sold it. [http://www.youtube.com/watch?v=pcyemfJ5H3o&NR Target 5 Investigation]
+
Caine and Open Source == ==
 +
Patches and technical solutions are and have been all made in collaboration with people (Professionals, hobbyists, experts,
 +
etc..) from all over the world. <br />
  
* '''2006-08-10''': The University of Glamorgan in Wales purchased 317 used hard drives from the UK, Australia, Germany, and the US. 25% of the 200 drives purchased from the UK market had been completely wiped. 40% of the purchased drives didn't work.  40% came from businesses, of which 23% contained enough information to identify the company. 5% had business sensitive information. 25% came from individuals, of which many had pornography, and 2 had to be referred to the police for suspected child pornography.
+
CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, anyone could
 +
take the legacy of the previous developer or project manager. <br />
  
* '''2006-08-14''': [http://news.bbc.co.uk/2/hi/business/4790293.stm BBC News] reports on bank account information recovered from used PC hard drives and being sold in Nigeria for £20 each. The PCs had apparently come from recycling points run by UK town councils that are then "recycled" by being sent to Africa.
+
The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last one but not least important, the distro is installable, so as to give the possibility to rebuild in a new version, in order to give a long life to this project.
  
* '''2006-08-15''': Simson Garfinkel presents results of a study of 1000 hard drives (750 working) at the 2006 Workshop on Digital Forensics. Results of the study show that information can be correlated across hard drives using Garfinkel's [[Cross Drive Analysis]] approach.
+
== Caine Interface ==
 +
Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools. <Br/>
  
* '''2007-02-06''': [http://www.fulcruminquiry.com Fulcrum Inquiry], a Los Angeles litigation support firm, purchased 70 used hard drives from 14 firms and discovered confidential information on 2/3rds of the drives.
+
Environment updated and optimized for digital investigations. <br />
  
* '''2007-08-30''': Bill Ries-Kinght, an IT consultant, purchases a 120GB Seagate hard drive on eBay for $69. Although the drive was advertised as being new, it apparently was previously used by the campaign of Mike Beebe, who won the Arkansas state governorship in November 2006. "Among the files were documents listing the private cell phone numbers of political allies, including US Senators Blanch Lincoln and Mark Pryor and US Representatives Marion Berry, Mike Ross and Vic Snyder. It also included talking points to guide the candidate as he called influential people whose support he sought," states an article published in [http://www.theregister.co.uk/2007/08/30/governors_data_sold_on_ebay/ The Register].
+
Report Semi-automatic - the final production of a complete document and easily editable exported by the investigator.
 +
Maximum adherence to the Italian investigative procedure. <br />
  
* '''2008-01-28''': Gregory Evans, a security consultant in Marina Del Ray, Calif., bought a $500 computer at a swap meet from a former mortgage company. It contained credit reports on 300 people in a deleted file, according to an article published in [http://www.nydailynews.com/money/2008/01/28/2008-01-28_sensitive_info_lives_on_in_old_computers.html The New York Daily NEws]. The security consultant was also able to recover the usernames and passwords of the mortgage company's former employees.
+
The first distribution to include forensic inside the Caja Forensics / Nautilus/Caja Scripts and all security patches, not to alter the devices in the analysis. <br />
  
*'''2009-02-10''': Michael Kessler, CEO of Kessler International, a New York City forensics firm, bought 100 "relatively modern drives, the vast majority of them Serial ATA" from eBay over the course of 6 months. The drives ranged in size from 400GB to 300GB. 40% of the drives were found to contain sensitive data. [http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9127717&taxonomyId=19&intsrc=kc_top]
+
The basic interface of the distribution called Caine Interface, was performed using the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit.
  
*'''2009-05-07''': University of Glamorgan bought disks in its annual survey of used hard drives and found "Details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system. [http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm Missile data found on hard drives, BBC News, May 7, 2009]
+
Caine Interface allows you not only to select the various forensic software, it automatically generates the final report, due to the modules offered by Perl Template Toolkit, and DocBook.
  
*'''2009-07-30''': Reporters working for the PBS show Frontline on an article about electronic waste find hard drives in Ghana that contain "hundreds and hundreds of documents about government contracts" from a hard drive that had been previously used by a TSA subcontractor. The documents were marked "competitive sensitive" and covered contracts with the Defense Intelligence Agency. The hard drive was not encrypted.  [http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market Robert McMillan, IT World, June 24, 2009]
+
Inside contains the following software.
  
==Cell Phones==
+
, Acquisition
* [http://www.wired.com/techbiz/media/news/2003/08/60052 BlackBerry Reveals Bank's Secrets], Wired, August 8, 2005.
+
* Grissom Analyzer (mmls, img_stat, fsstat)
* [http://www.taipeitimes.com/News/feat/archives/2008/09/28/2003424400 Who has your old phone's data], Pete Warren, The Guardian, London, Sept. 28, 2008, page 13.
+
* LRRP
* [http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=8055902&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 McCain Campaign Sells Info-Loaded Blackberry to FOX 5 Reporter], by Tisha Thompson and Rick Yarborough, FOX 5 Investigative Unit, 11 December 2008.  (See also [http://www.theregister.co.uk/2008/12/12/mccain_blackberry/])
+
* AIR
 +
* Guymager
 +
* Terminal with saving the output
 +
* DC3DD
  
==Cameras==
+
; Analysis
* [http://www.telegraph.co.uk/news/uknews/3107003/Camera-sold-on-eBay-contained-MI6-files.html Camera sold on eBay contained MI6 files], Jessica Salter, Telegraph, September 30, 2008.
+
* Autopsy
 +
* [[The SleuthKit]]
 +
* [[Selective file dumper | Sfdumper 2.2]]
 +
* Fundl 2.0
 +
* Scalpel
 +
* Foremost
 +
* Stegdetect
 +
* Ophcrack
 +
* Nautilus scripts
 +
* And many others
  
==Network Equipment==
+
Reporting semiautomatic == ==
* [http://www.pcpro.co.uk/news/227190/council-sells-security-hole-on-ebay.html Council sells security hole on Ebay], Matthew Sparkes, PC Pro, September 29, 2008 - Kirkless Council (UK) sells a Cisco [[VPN]] 3002 Concentrator on Ebay for 99 pence. The device is purchased by Andrew Mason, a security consultant, who discovers that the Cisco [[VPN]] device still has the full configuration for the Kirkless Council and the device hasn't been deactivated.
+
  
==MP3 Players==
+
Every contribution in the form of output and local report for each program involved in an investigation is saved in a report file, easily manageable by the investigator. The generation of the final report is done through the creation of temporary log file, that is to contain the output products for implementing the programs used by the investigator. <br />
* [http://news.yahoo.com/s/ap/20090127/ap_on_re_as/as_new_zealand_us_military_files NZ man's MP3 player holds US military files], Associated Press, Jan 27, 2009. A man from New Zealand bought an MP3 player at a thrift shop in Oklahoma that had 60 US military files, "including names and telephone numbers for American soldiers."
+
The generation process is achieved through the use of Perl, bash scripts, variables Perl Template Toolkit and the DocBook file that acts as a container to the final report. <br />
  
=See Also=
+
All set within the Perl program.
[[Residual Data]]
+
 
 +
The Project Caine == ==
 +
 
 +
The project was initially inserted into the priorities of the CRIS (Centre for Research Interdepartmental Security) <ref> Research Centre Interpardimentale Security - University of Modena [http://cris.unimore.it/cris/node/54 site] </ ref>, in this way the distribution has benefited from essential contributions on the technical computing, together to the latest "best practices" legal investigation digital  see [http://www.di.unisa.it/~ads/ads/Sicurezza_files/tesina%20pisano%20marzaioli.pdf Security University of Salerno] see [http://www.forwardedge2.com/pdf/bestpractices.pdf U.S. Secret Service document] see [http://ncfs.org/craiger.forensics.methods.procedures.final.pdf CraigeR's Draft].
 +
 
 +
The project Caine was also the subject of a scientific paper accepted and published inside the first Workshop on Computer & Network Forensics held in Milan September 10th 2008 - [http://conferenze.dei.polimi.it/ossconf/schedule.php OSSCoNF].
 +
 
 +
In followed all close collaboration with Denis Frati (spilled by the project at end 2009) and Nanni Bassetti, prominent figures in the panorama of Italian Digital Forensics, allowed a constant improvement of investigative standards proposed. The work carried out together with the staff ConoscereLinux allowed to enter Caine within the Italian community of programmers of open-source software.
 +
 
 +
Caine is very much the spirit of Open Source OSSConf 2008 Open Source Day 2012, precisely because the various inputs planning and operational were provided by so many employees scattered across the globe, using only the network to communicate and many have our utmost to provide hosting, mirror and suggestions, scripts and everything that can serve to improve the project, then a full and free.
 +
 
 +
Currently the project manager and a team of international figures treat the project Caine since the 1.0 release to date that has arrived at version 4.0 (18-March-2013) and achieving praise from law enforcements of several foreign nations.
 +
 
 +
24/11/2012 The Caine 3.0 was presented at '[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012] at the University of Udine.
 +
 
 +
== Notes ==
 +
<references />
 +
 
 +
== Bibliography ==
 +
* Andrea Ghirardini, Gabriele Faggioli, ''Computer Forensics'', Apogeo, 2009, ISBN 9788850328161
 +
* E. Huebner, S. Zanero, ''Open Source Software for Digital Forensics'', Springer, 2010, ISBN 978-1-4419-5802-0
 +
* Diane Barrett, Greg Kipper, ''Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment'', Syngress, 2010, ISBN 978-1-59749-557-8
 +
* Sean Philip Oriyano and Michael Gregg, ''Hacker Techniques, Tools, And Incident Handling'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
 +
* Michael Jang, ''Security Strategies in Linux Platforms and Applications'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6
 +
 
 +
== Collegamenti esterni ==
 +
*[http://www.careeracademy.com/browseproducts/CHFI-Training-CBT-Boot-Camp--EC-Council-Computer-Hacking-Forensic-Investigator.HTML Presente nel training CHFI Ec-Council] International certificatione
 +
*[http://link.springer.com/chapter/10.1007/978-1-4419-5803-7_5 Open Source Live Distributions for Computer Forensics- by Springer]<br />
 +
*[http://conferenze.dei.polimi.it/ossconf/schedule.php OSSConf 2008]<br />
 +
*[http://books.google.it/books?id=jQVgWaF3pJwC&pg=PT304&lpg=PT304&dq=Andrea+Ghirardini;+Gabriele+Faggioli,+Computer+Forensics+caine&source=bl&ots=mf8-Def6uF&sig=88ydFgTv05M2Q45B4FSvwqhBXKk&hl=it&sa=X&ei=W2voUOD3Lcrk4QSVlIDoDQ&ved=0CEMQ6AEwAQ Google books]<br />
 +
*[http://www.amazon.com/Virtualization-Forensics-Forensic-Investigators-Environments/dp/1597495573Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment]<br />
 +
*[http://www.linux-magazin.de/Ausgaben/2010/12/Italienische-Aufklaerung Linux-Mazin.de]<br />
 +
*[http://www.linux-magazine.com/Issues/2011/122/Caine Linux-Magazine.com]<br />
 +
*[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]<br />
 +
*[http://searchsecurity.techtarget.it/articoli/0,1254,18_ART_103282,00.html TechTarget.it]<br />
 +
*[http://programmazione.it/index.php?entity=eitem&idItem=41687 Programmazione.it]<br />
 +
*[http://www.linuxtoday.com/upload/caine-3.0-review-121009195504.html Linuxtoday.com]<br />
 +
*[http://www.linuxtoday.com/infrastructure/2010122801535SCSW Linuxtoday.com 2]<br />
 +
*[http://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml Softpedia]<br />
 +
*[http://hackingzones.in/?p=2726 hackingzone.in]<br />
 +
*[http://www.gustavopimentel.com.ar/ gustavopimental.com.ar]<br />
 +
*[http://www.concise-courses.com/security/top-ten-distros/# concise-courses.com]<br />
 +
*[http://www.e-linux.it/news_detail/caine-15 e-linux.it]<br />
 +
*[http://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656 ilsoftware.it]<br />
 +
*[http://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml dragonjar.org]<br />
 +
*[http://www.nannibassetti.com/dblog/articolo.asp?articolo=156 Attestato Marenostrum V.F.F.]<br />
 +
*[http://www.linuxformat.com/archives?issue=151 LinuxFormat] <br />
 +
*[http://www.techrepublic.com/blog/10things/10-obscure-linux-distributions-and-why-you-should-know-about-them/2334 TechRepublic]<br />
 +
*[http://www.forensicswiki.org/wiki/CAINE_Live_CD ForensicsWiki]<br />
 +
* [http://www.caine-live.net Sito ufficiale]
 +
* [http://cris.unimore.it/cris/node/54 Sito del CRIS] dedicato a Caine
 +
 
 +
{{Linux}}

Revision as of 06:05, 3 May 2013

CAINE LiveCD
Maintainer: Nanni Bassetti
OS: Linux
Genre: Live CD
License: GPL, others
Website: Caine Live

Caine' (an acronym for Computer Aided Investigative Environment') is a distribution live oriented to Computer Forensics (computer forensics) historically conceived by Giancarlo Giustini, within a project of Digital Forensics Interdepartmental Research Center for Security (CRIS) of the University of Modena and Reggio Emilia see Official Site. Currently the project is maintained by Nanni Bassetti.

Features

The latest version of Caine is based on the Ubuntu Linux 12.04 LTS, MATE and LightDM. Compared to its original version, the current version has been modified to meet the standards forensic reliability and safety standards laid down by the NIST View the methodologies of Nist.

Caine includes:

  • Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
  • Updated and optimized environment to conduct a forensic analysis;
  • Report generator semi-automatic, by which the investigator has a document easily editable and exportable with a summary of the activities;
  • Adherence to the investigative procedure defined recently by Italian Law 48/2008, Law 48/2008,.

In addition, Caine is the first distribution to include forensic Forensics inside the Caja/Nautilus Scripts and all the patches of security for not to alter the devices in analysis.

The distro uses several patches specifically constructed to make the system "forensic", ie not alter the original device to be tested and / or duplicate:

  • Root file system spoofing: patch that prevents tampering with the source device;
  • No automatic recovery corrupted Journal patch: patch that prevents tampering with the device source, through the recovery of the Journal;
  • Mounter and RBFstab: mounting devices in a simple and via graphical interface.

RBFstab is set to treat EXT3 as a EXT4 noload with the option to avoid automatic recovery of any corrupt Journal of 'EXT3;

  • Swap file off: patch that avoids modifying the file swap in systems with limited memory RAM, avoiding the alteration of the original artifact computer and overwrite data useful for the purposes of investigation.

Caine and Open Source == == Patches and technical solutions are and have been all made in collaboration with people (Professionals, hobbyists, experts, etc..) from all over the world.

CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, anyone could take the legacy of the previous developer or project manager.

The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last one but not least important, the distro is installable, so as to give the possibility to rebuild in a new version, in order to give a long life to this project.

Caine Interface

Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools.

Environment updated and optimized for digital investigations.

Report Semi-automatic - the final production of a complete document and easily editable exported by the investigator. Maximum adherence to the Italian investigative procedure.

The first distribution to include forensic inside the Caja Forensics / Nautilus/Caja Scripts and all security patches, not to alter the devices in the analysis.

The basic interface of the distribution called Caine Interface, was performed using the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit.

Caine Interface allows you not only to select the various forensic software, it automatically generates the final report, due to the modules offered by Perl Template Toolkit, and DocBook.

Inside contains the following software.

, Acquisition

  • Grissom Analyzer (mmls, img_stat, fsstat)
  • LRRP
  • AIR
  • Guymager
  • Terminal with saving the output
  • DC3DD
Analysis

Reporting semiautomatic == ==

Every contribution in the form of output and local report for each program involved in an investigation is saved in a report file, easily manageable by the investigator. The generation of the final report is done through the creation of temporary log file, that is to contain the output products for implementing the programs used by the investigator.
The generation process is achieved through the use of Perl, bash scripts, variables Perl Template Toolkit and the DocBook file that acts as a container to the final report.

All set within the Perl program.

The Project Caine == ==

The project was initially inserted into the priorities of the CRIS (Centre for Research Interdepartmental Security) <ref> Research Centre Interpardimentale Security - University of Modena site </ ref>, in this way the distribution has benefited from essential contributions on the technical computing, together to the latest "best practices" legal investigation digital see Security University of Salerno see U.S. Secret Service document see CraigeR's Draft.

The project Caine was also the subject of a scientific paper accepted and published inside the first Workshop on Computer & Network Forensics held in Milan September 10th 2008 - OSSCoNF.

In followed all close collaboration with Denis Frati (spilled by the project at end 2009) and Nanni Bassetti, prominent figures in the panorama of Italian Digital Forensics, allowed a constant improvement of investigative standards proposed. The work carried out together with the staff ConoscereLinux allowed to enter Caine within the Italian community of programmers of open-source software.

Caine is very much the spirit of Open Source OSSConf 2008 Open Source Day 2012, precisely because the various inputs planning and operational were provided by so many employees scattered across the globe, using only the network to communicate and many have our utmost to provide hosting, mirror and suggestions, scripts and everything that can serve to improve the project, then a full and free.

Currently the project manager and a team of international figures treat the project Caine since the 1.0 release to date that has arrived at version 4.0 (18-March-2013) and achieving praise from law enforcements of several foreign nations.

24/11/2012 The Caine 3.0 was presented at 'Opens Source Day 2012 at the University of Udine.

Notes

<references />

Bibliography

  • Andrea Ghirardini, Gabriele Faggioli, Computer Forensics, Apogeo, 2009, ISBN 9788850328161
  • E. Huebner, S. Zanero, Open Source Software for Digital Forensics, Springer, 2010, ISBN 978-1-4419-5802-0
  • Diane Barrett, Greg Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment, Syngress, 2010, ISBN 978-1-59749-557-8
  • Sean Philip Oriyano and Michael Gregg, Hacker Techniques, Tools, And Incident Handling, Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
  • Michael Jang, Security Strategies in Linux Platforms and Applications, Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6

Collegamenti esterni