Difference between pages "Acquiring a MacOS System with Target Disk Mode" and "CAINE Live CD"

From ForensicsWiki
m (Imported with permission by John Muller)
= CAINE Live CD =

{{Infobox_Software |
  name = CAINE LiveCD |
  maintainer = [[Nanni Bassetti]] |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://www.caine-live.net Caine Live] |
}}

'''CAINE''' (an acronym for Computer Aided Investigative Environment) is a [[Linux]] [[Live CD|live distribution]] oriented to [[computer forensics]]. It was originally conceived by Giancarlo Giustini within a digital forensics project of the ''Interdepartmental Research Center for Security'' (CRIS) of the University of Modena and Reggio Emilia (see the [http://www.caine-live.net/page4/history.html project history on the official site]). The project is currently maintained by Nanni Bassetti.

== Features ==

The latest version of CAINE is based on [[Ubuntu Linux]] 12.04 LTS with the MATE desktop and LightDM. Compared with its original version, the current version has been modified to meet the forensic reliability and safety standards laid down by [[NIST]] (see the [http://www.cftt.nist.gov/Methodology_Overview.htm NIST CFTT methodology]).

CAINE includes:

* Caine Interface, a user-friendly front end that brings together a number of well-known forensic tools, many of which are open source;
* an updated and optimized environment in which to conduct a forensic analysis;
* a semi-automatic report generator, which gives the investigator an easily editable and exportable document summarising the activities carried out;
* adherence to the investigative procedure defined by Italian [http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008].

In addition, CAINE is the first distribution to include forensic scripts inside the Caja/Nautilus file manager, together with all the safety patches needed to avoid altering the devices under analysis.

The distro uses several patches specifically constructed to make the system "forensic", i.e. never to write to the original device being examined or duplicated:

* Root file system spoofing: a patch that prevents tampering with the source device;
* No automatic recovery of a corrupted journal: a patch that prevents tampering with the source device through replay of its [[Journal]];
* Mounter and RBFstab: mounting devices simply, through a graphical interface. [[RBFstab]] is set to treat [[EXT3]] as [[EXT4]] with the ''noload'' option, so that a corrupt EXT3 journal is never replayed automatically (a plain read-only mount would still replay it, writing to the device);
* Swap file off: a patch that stops the live system from using any swap partition it finds, even on systems with limited [[RAM]], so that the original disk is not altered and data useful to the investigation is not overwritten.

== Caine and Open Source ==

The patches and technical solutions have all been developed in collaboration with people (professionals, hobbyists, experts, etc.) from all over the world.

CAINE fully represents the spirit of the Open Source philosophy, because the project is completely open: anyone could take over the legacy of the previous developer or project manager.

The distro is open source, the Windows side (NirLauncher/WinTaylor) is open source and, last but not least, the distro is installable, so that it can be rebuilt into a new version, giving the project a long life.

== Caine Interface ==

Caine Interface is a user-friendly front end that brings together a number of well-known forensic tools in an environment updated and optimized for digital investigations. It produces the semi-automatic report (a complete, easily editable document exported by the investigator, with maximum adherence to the Italian investigative procedure) and sits alongside the Caja/Nautilus forensic scripts and the safety patches that keep the devices under analysis unaltered.

The basic interface of the distribution, called Caine Interface, was written with the well-known GTK2-Perl wrapper, which makes the Gtk+ toolkit available to the Perl language.

Caine Interface not only lets you select the various forensic tools, it also generates the final report automatically, using the Perl Template Toolkit and DocBook modules.

It includes the following software.

; Acquisition
* Grissom Analyzer (mmls, img_stat, fsstat)
* LRRP
* AIR
* Guymager
* Terminal with saving of the output
* DC3DD

; Analysis
* Autopsy
* [[The SleuthKit]]
* [[Selective file dumper|Sfdumper 2.2]]
* Fundl 2.0
* Scalpel
* Foremost
* Stegdetect
* Ophcrack
* Nautilus scripts
* and many others

== Semi-automatic reporting ==

Every contribution, in the form of the output and local report of each program involved in an investigation, is saved in a report file that the investigator can easily manage. The final report is generated through a temporary log file that collects the output of the programs the investigator ran. The generation process uses Perl, bash scripts, Perl Template Toolkit variables and a DocBook file that acts as the container for the final report, all set up within the Perl program.

== The Caine project ==

The project was initially included among the priorities of CRIS (Interdepartmental Research Centre for Security)<ref>Interdepartmental Research Centre for Security - University of Modena [http://cris.unimore.it/cris/node/54 site]</ref>; in this way the distribution benefited from essential technical contributions on the computing side, together with the latest legal "best practices" for digital investigation (see the [http://www.di.unisa.it/~ads/ads/Sicurezza_files/tesina%20pisano%20marzaioli.pdf University of Salerno security paper], the [http://www.forwardedge2.com/pdf/bestpractices.pdf U.S. Secret Service best-practices document] and [http://ncfs.org/craiger.forensics.methods.procedures.final.pdf Craiger's draft]).

The Caine project was also the subject of a scientific paper accepted and published at the first Workshop on Computer & Network Forensics, held in Milan on 10 September 2008 ([http://conferenze.dei.polimi.it/ossconf/schedule.php OSSCoNF]).

Subsequently, close collaboration with Denis Frati (who left the project at the end of 2009) and Nanni Bassetti, prominent figures in Italian digital forensics, allowed constant improvement of the investigative standards proposed. The work carried out together with the ConoscereLinux staff brought Caine into the Italian community of open-source programmers.

Caine very much embodies the spirit of Open Source (OSSConf 2008, Open Source Day 2012), precisely because its planning and operational input came from so many contributors scattered across the globe, communicating only over the network; many did their utmost to provide hosting, mirrors, suggestions, scripts and everything else that could serve to improve the project, which is therefore complete and free.

The project manager and a team of international contributors have looked after the Caine project from the 1.0 release to the current version 4.0 (18 March 2013), earning praise from law enforcement agencies in several countries.

On 24 November 2012 Caine 3.0 was presented at [http://www.opensourceday.org/2012/?mid=20 Open Source Day 2012] at the University of Udine.

== Notes ==

<references />

== Bibliography ==

* Andrea Ghirardini, Gabriele Faggioli, ''Computer Forensics'', Apogeo, 2009, ISBN 9788850328161
* E. Huebner, S. Zanero, ''Open Source Software for Digital Forensics'', Springer, 2010, ISBN 978-1-4419-5802-0
* Diane Barrett, Greg Kipper, ''Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments'', Syngress, 2010, ISBN 978-1-59749-557-8
* Sean Philip Oriyano and Michael Gregg, ''Hacker Techniques, Tools, and Incident Handling'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
* Michael Jang, ''Security Strategies in Linux Platforms and Applications'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6

== External links ==

* [http://www.careeracademy.com/browseproducts/CHFI-Training-CBT-Boot-Camp--EC-Council-Computer-Hacking-Forensic-Investigator.HTML Included in the EC-Council CHFI training] (international certification)
* [http://link.springer.com/chapter/10.1007/978-1-4419-5803-7_5 Open Source Live Distributions for Computer Forensics], Springer
* [http://conferenze.dei.polimi.it/ossconf/schedule.php OSSConf 2008]
* [http://books.google.it/books?id=jQVgWaF3pJwC&pg=PT304&lpg=PT304&dq=Andrea+Ghirardini;+Gabriele+Faggioli,+Computer+Forensics+caine&source=bl&ots=mf8-Def6uF&sig=88ydFgTv05M2Q45B4FSvwqhBXKk&hl=it&sa=X&ei=W2voUOD3Lcrk4QSVlIDoDQ&ved=0CEMQ6AEwAQ Google Books]
* [http://www.amazon.com/Virtualization-Forensics-Forensic-Investigators-Environments/dp/1597495573 Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments]
* [http://www.linux-magazin.de/Ausgaben/2010/12/Italienische-Aufklaerung Linux-Magazin.de]
* [http://www.linux-magazine.com/Issues/2011/122/Caine Linux-Magazine.com]
* [http://www.opensourceday.org/2012/?mid=20 Open Source Day 2012]
* [http://searchsecurity.techtarget.it/articoli/0,1254,18_ART_103282,00.html TechTarget.it]
* [http://programmazione.it/index.php?entity=eitem&idItem=41687 Programmazione.it]
* [http://www.linuxtoday.com/upload/caine-3.0-review-121009195504.html LinuxToday.com]
* [http://www.linuxtoday.com/infrastructure/2010122801535SCSW LinuxToday.com (2)]
* [http://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml Softpedia]
* [http://hackingzones.in/?p=2726 hackingzones.in]
* [http://www.gustavopimentel.com.ar/ gustavopimentel.com.ar]
* [http://www.concise-courses.com/security/top-ten-distros/# concise-courses.com]
* [http://www.e-linux.it/news_detail/caine-15 e-linux.it]
* [http://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656 ilsoftware.it]
* [http://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml dragonjar.org]
* [http://www.nannibassetti.com/dblog/articolo.asp?articolo=156 Marenostrum V.F.F. certificate]
* [http://www.linuxformat.com/archives?issue=151 Linux Format]
* [http://www.techrepublic.com/blog/10things/10-obscure-linux-distributions-and-why-you-should-know-about-them/2334 TechRepublic]
* [http://www.forensicswiki.org/wiki/CAINE_Live_CD ForensicsWiki]
* [http://www.caine-live.net Official site]
* [http://cris.unimore.it/cris/node/54 CRIS page] dedicated to Caine

{{Linux}}

= Acquiring a MacOS System with Target Disk Mode =

First, [[Disabling_Macintosh_Disk_Arbitration_Daemon|disable the disk arbitration daemon]] on the machine where you will do the acquisition. With disk arbitration running, the forensic Mac would automatically mount the suspect's volumes, read-write, the moment they appeared on the FireWire bus.

Prepare a clean FireWire drive in HFS+ using Mac Disk Utility and name the volume "Target". This process relies on being able to tell which drive is the suspect's by its size. Many new Macs are shipping with 250GB drives; a FireWire target drive whose size is unlike that of the other drives will help you identify it later, as you will see below.

Note the sizes of all drives on your forensic Mac, if you don't already know them (Apple menu > About This Mac > More Info > ATA).

== Connecting ==

1. Without turning anything on, chain the forensic Mac to the FireWire drive and the FireWire drive to the suspect's computer, using FireWire cables.

2. Hold down the Option key on the suspect's computer and turn it on.

3. If the suspect's computer does not ask for a password, turn it off. If it does ask for a password, turn it off as well: a firmware password also blocks Target Disk Mode, so you cannot do a simple TDM acquisition. You will have to either 1) remove the drive and do a direct acquisition, or 2) change the amount of installed memory by adding or removing a module and then zap the PRAM.

: To zap the PRAM, start up the computer and, as soon as you hear the startup chime, hold down these four keys: Command-Option-P-R. It will chime again, and again. Keep holding the four keys until it has chimed a total of three times (the initial startup chime plus two more).

4. Assuming that no password was needed, hold down the T key and turn the suspect's computer back on. The computer will eventually display the FireWire logo on the screen and is then in Target Disk Mode.

== Acquisition ==

1. Turn on the forensic Mac.

2. Start the Terminal.

3. At the command prompt, type <code>cd /dev</code> and then <code>ls disk?</code>. This lists every disk the system sees. At least three will appear: disk0, disk1 and disk2. One of them is the suspect's; the other two are the forensic Mac's own drive and the Target drive. You won't necessarily know which is which, so query each one for its size, which will give you a hint.

4. Type <code>sudo pdisk /dev/disk1 -dump</code>. The output will look something like this:

<pre>
/dev/disk0 map block size=512
#: type name length base ( size )
1: Apple_partition_map Apple 63 @ 1
2: Apple_Driver43*Macintosh 56 @ 64
3: Apple_Driver43*Macintosh 56 @ 120
4: Apple_Driver_ATA*Macintosh 56 @ 176
5: Apple_Driver_ATA*Macintosh 56 @ 232
6: Apple_FWDriver Macintosh 512 @ 288
7: Apple_Driver_IOKit Macintosh 512 @ 800
8: Apple_Patches Patch Partition 512 @ 1312
9: Apple_HFS OS X 72600384 @ 1824 ( 34.6G)
10: Apple_HFS OS 8.6 5537944 @ 72602208 ( 2.6G)
11: Apple_Free 0+@ 78140152
</pre>

5. In BSD device naming the partitions are called "slices" (disk1s9 is slice 9 of disk1). Here slice 9 is a 34.6G HFS volume and slice 10 a 2.6G one. Add them up and you have about 37G; pdisk reports binary gigabytes, and 37 GiB is what a drive sold as "40GB" holds, so this is the 40GB drive. If the result is the wrong size, you are looking at the wrong drive. Repeat step 4 with disk0 and disk2 to identify all the disks.

6. Let's assume that your Target volume is disk2 and is a 120GB drive. If it is formatted as HFS, the query in step 4 should return something like this:

<pre>
/dev/disk2 map block size=512
#: type name length base ( size )
1: Apple_partition_map Apple 63 @ 1
2: Apple_Free 0+@ 64
3: Apple_HFS Apple_HFS_Untitled_2 239859504 @ 262208 (114.4G)
4: Apple_Free 0+@ 240121712
</pre>

Notice that slice 3 is 114.4G in size. Slice 3 is the "working area" on this 120G drive and is the slice you will make available for receiving your evidence, using the mount command in step 8 below.
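The size check in steps 4 to 6 can be scripted rather than done by eye. The shell functions below are an added example and not part of the original page: <code>pdisk_capacity</code> reads a <code>pdisk -dump</code> listing, takes the highest "base + length" of any map entry as the disk size in blocks, and prints it in decimal gigabytes (what the drive label says) and in binary gigabytes (what pdisk's size column uses), plus the sum of the Apple_HFS slices that the page adds up by hand. The two listings embedded below are the ones shown on the page; the 5% tolerance in <code>capacity_matches</code> is an assumption.

```sh
#!/bin/sh
# Added example: identify a disk from a `pdisk -dump` listing by its capacity.
# Not part of the original page; the 5% tolerance below is an assumption.

# The two listings from the page, used here as sample input.
DISK0_DUMP='/dev/disk0 map block size=512
#: type name length base ( size )
1: Apple_partition_map Apple 63 @ 1
2: Apple_Driver43*Macintosh 56 @ 64
3: Apple_Driver43*Macintosh 56 @ 120
4: Apple_Driver_ATA*Macintosh 56 @ 176
5: Apple_Driver_ATA*Macintosh 56 @ 232
6: Apple_FWDriver Macintosh 512 @ 288
7: Apple_Driver_IOKit Macintosh 512 @ 800
8: Apple_Patches Patch Partition 512 @ 1312
9: Apple_HFS OS X 72600384 @ 1824 ( 34.6G)
10: Apple_HFS OS 8.6 5537944 @ 72602208 ( 2.6G)
11: Apple_Free 0+@ 78140152'

DISK2_DUMP='/dev/disk2 map block size=512
#: type name length base ( size )
1: Apple_partition_map Apple 63 @ 1
2: Apple_Free 0+@ 64
3: Apple_HFS Apple_HFS_Untitled_2 239859504 @ 262208 (114.4G)
4: Apple_Free 0+@ 240121712'

# Read a pdisk -dump listing on stdin and print one line:
#   <total_blocks> <GB decimal> <GiB> <GiB of Apple_HFS slices>
# Capacity is the highest "base + length" of any map entry (the trailing
# Apple_Free entry ends at the last block), so it does not depend on the
# rounded "( size )" column.
pdisk_capacity() {
  LC_ALL=C awk '
    /map block size=/ { sub(/.*map block size=/, ""); bs = $0 + 0; next }
    /^[ \t]*[0-9]+:/ {
      gsub(/@/, " @ ")                 # "0+@ 64" -> "0+ @ 64"; re-splits $0
      for (i = 2; i < NF; i++)
        if ($i == "@") { len = $(i - 1); base = $(i + 1) }
      sub(/\+$/, "", len)              # pdisk prints free space as "0+"
      end = base + len
      if (end > max_end) max_end = end
      if ($2 ~ /^Apple_HFS/) hfs += len
    }
    END {
      if (bs == 0) bs = 512
      printf "%d %.1f %.1f %.1f\n", max_end,
             max_end * bs / 1e9, max_end * bs / 1073741824, hfs * bs / 1073741824
    }'
}

# Exit 0 if the listing on stdin describes a drive sold as <nominal> GB
# (decimal), allowing 5% for partition-map and rounding slack (assumption).
capacity_matches() {
  pdisk_capacity | LC_ALL=C awk -v nominal="$1" \
    '{ ok = ($2 >= nominal * 0.95 && $2 <= nominal * 1.05) } END { exit (ok ? 0 : 1) }'
}
```

On the page's own listing, <code>printf '%s\n' "$DISK0_DUMP" | pdisk_capacity</code> gives 40.0 GB decimal but 37.3 GiB, which is why 34.6 + 2.6 "adds up" to a 40GB drive; on the forensic Mac you would feed it <code>sudo pdisk /dev/disk1 -dump | pdisk_capacity</code> for each disk in turn.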
7. Once you have confirmed which drive is which, you are ready to go. Let's assume that your forensic drive is disk0, the suspect's drive is disk1, and the Target drive is disk2.

8. Because we turned off disk arbitration, the Target drive isn't mounted and so cannot receive the image. Mount slice 3 of disk2 by typing <code>sudo mount -t hfs /dev/disk2s3 /Volumes/Target</code>. The mount point must already exist; if /Volumes/Target is missing, create it first with <code>sudo mkdir /Volumes/Target</code>. Mount only the Target slice, never anything on the suspect's disk.

If you are still unsure about which drive is which, you can verify things because Target now has a BSD name. Clear the Terminal screen with Command-K, then type <code>ioreg -l</code>. Buried in the resulting display is information about the connected drives. Use Terminal's Edit > Find to search for "disk1"; scroll through the hits and you should see the make and model number for disk1. If a search for "disk2" comes up empty, then you know it is the unmounted drive.

At this point, you have the choice of imaging the suspect's entire drive (recommended), or of imaging just the slice that you want. To image the entire drive, type:

<code>sudo dd if=/dev/disk1 bs=1024 conv=notrunc,noerror,sync of=/Volumes/Target/Evidence.dmg</code>

This writes a raw dd image to the root of Target named Evidence.dmg. Note that <code>conv=noerror,sync</code> replaces any unreadable block with zeros and pads the final block up to 1024 bytes, so record a hash of the source device alongside the hash of the image and expect the two to differ if padding occurred.

To image only particular slices, add the slice number to the input device, e.g.

<code>sudo dd if=/dev/disk1s9 bs=1024 conv=notrunc,noerror,sync of=/Volumes/Target/Evidence.dmg</code>

A separate acquisition can be done for each slice you want to examine by changing the slice number and giving each new image a different file name, e.g. EvidOS8.dmg.

The advantage of imaging the whole disk is that you can later bring it into EnCase as a single evidence file.
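As an added example (not the page's own procedure), the shell functions below wrap the dd invocation from the acquisition step and add the verification a practitioner expects: a SHA-256 of the source and of the image, printed so both can go into the acquisition notes. They also make visible the one trap in the flags used above: <code>conv=sync</code> rounds the output up to a whole number of <code>bs</code>-sized blocks with zero padding (and <code>noerror</code> zero-fills unreadable blocks the same way), so the image can be slightly longer than the device and its full hash will not match the device hash unless the padding is accounted for. Device and image paths are parameters; <code>sha256sum</code> (Linux) or <code>shasum</code> (macOS) is assumed to be installed, and the "device" used in the check is a constructed 3584-byte file standing in for /dev/disk1.

```sh
#!/bin/sh
# Added example, not from the original page: wrap the page's dd invocation and
# verify the result. Device/image paths are parameters; the sample "device"
# used when testing is a constructed file, not a real disk.

# SHA-256 of stdin, using whichever tool the platform has (assumption:
# GNU sha256sum on Linux, shasum on macOS).
hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

hash_file() { hash_stdin < "$1"; }

file_size() { wc -c < "$1" | tr -d ' '; }

# Image SRC (e.g. /dev/disk1, or /dev/disk1s9 for one slice) to DST with the
# flags used on the page. Run with sudo when SRC is a real device node.
image_device() {
  src=$1; dst=$2
  dd if="$src" of="$dst" bs=1024 conv=notrunc,noerror,sync
}

# Compare the source against the image. Because conv=sync rounds the output
# up to a whole number of bs-sized blocks, only the first size(SRC) bytes of
# the image are hashed for the comparison; every hash is printed so it can be
# recorded. Returns 0 on match.
verify_image() {
  src=$1; dst=$2
  n=$(file_size "$src")
  src_hash=$(hash_file "$src")
  img_hash=$(head -c "$n" "$dst" | hash_stdin)
  full_hash=$(hash_file "$dst")
  printf 'source  %s  %s bytes\n' "$src_hash" "$n"
  printf 'image   %s  %s bytes (first %s bytes: %s)\n' \
    "$full_hash" "$(file_size "$dst")" "$n" "$img_hash"
  [ "$src_hash" = "$img_hash" ]
}
```

On a real acquisition this is <code>sudo sh -c '. ./acquire.sh; image_device /dev/disk1 /Volumes/Target/Evidence.dmg && verify_image /dev/disk1 /Volumes/Target/Evidence.dmg'</code>; reading the raw node <code>/dev/rdisk1</code> instead of <code>/dev/disk1</code> yields the same bytes through the unbuffered path and is usually faster.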
9. You're done. Unmount the Target drive by typing

<code>cd /Volumes</code>
<code>sudo umount /Volumes/Target</code>

Shut down your forensic Mac and then shut down the suspect's Mac. Disconnect the FireWire connection to the suspect's Mac.

== Examination ==

1. Reboot your forensic Mac and restore the diskarbitrationd.plist file to the /etc/mach_init.d directory. Type

<code>cd /</code>
<code>sudo cp diskarbitrationd.plist /etc/mach_init.d</code>

Turn the forensic Mac off and back on to start disk arbitration again. Power up the Target drive. It should mount and appear on your desktop. Open it.

2. The Evidence.dmg file should appear. Click on it once and lock the file via Get Info to ensure it is write protected.

You can now double-click to mount the Evidence.dmg file and explore it within the native Mac OS environment.

If the image won't mount, go into the Terminal and type:

<code>sudo hdiutil attach /Volumes/Target/Evidence.dmg -shadow</code>

The <code>-shadow</code> option sends any writes to a separate shadow file, so the image itself stays unmodified.

If you want to move the evidence file over into EnCase, change the .dmg extension to .001 and add it as a raw image.

Jon Muller, San Jose PD (with guidance from Derrick Donnally), July 2005
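The journal point in the CAINE Live CD page above (RBFstab mounting EXT3 through the EXT4 driver with <code>noload</code>) is the part of a forensic mount that is easiest to get wrong by hand: <code>-o ro</code> alone still lets ext3/ext4 replay a dirty journal, which writes to the evidence device. The function below is an added illustration, not RBFstab's code or its fstab output format: it composes a read-only mount command that also refuses journal replay where the filesystem has such a switch, and adds loop/offset options when the source is a raw image rather than a device. <code>noload</code>, <code>norecovery</code> and the other names are standard Linux mount options; the particular set chosen here, and the example device and image paths, are assumptions.

```sh
#!/bin/sh
# Added example, not CAINE's own rbfstab code: compose a forensic (read-only,
# no-journal-replay) mount command for a device or a raw image file.
#   usage: forensic_mount_cmd <fstype> <source> <mountpoint> [offset_bytes]
# When offset_bytes is given, <source> is treated as a raw image and mounted
# through a loop device at that byte offset (the partition start, e.g.
# sector 2048 * 512 = 1048576 bytes).
forensic_mount_cmd() {
  fstype=$1; source=$2; mountpoint=$3; offset=$4
  base="ro,noexec,nodev,nosuid,noatime"
  case "$fstype" in
    ext3|ext4)
      # ro alone would still replay a dirty journal; noload skips it.
      # ext3 is driven by the ext4 driver, as CAINE's rbfstab does.
      fstype=ext4; opts="$base,noload" ;;
    xfs)
      # XFS: norecovery is the equivalent switch and requires ro.
      opts="$base,norecovery" ;;
    ntfs|ntfs-3g|vfat|hfsplus|iso9660)
      opts="$base" ;;
    *)
      echo "forensic_mount_cmd: unsupported filesystem '$fstype'" >&2
      return 2 ;;
  esac
  if [ -n "$offset" ]; then
    opts="$opts,loop,offset=$offset"
  fi
  printf 'mount -t %s -o %s %s %s\n' "$fstype" "$opts" "$source" "$mountpoint"
}
```

Example: <code>forensic_mount_cmd ext3 /dev/sdb1 /mnt/evidence</code> prints <code>mount -t ext4 -o ro,noexec,nodev,nosuid,noatime,noload /dev/sdb1 /mnt/evidence</code>; pipe the output into <code>sudo sh</code> once you have read it. A write blocker or a read-only block device (<code>blockdev --setro</code>) remains the real safeguard; the mount options only stop the filesystem driver from asking to write.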

Revision as of 06:05, 3 May 2013
