Argus

From ForensicsWiki

Overview

argus is a network flow monitor used to establish network activity audits. These audits are the basis of network forensics for many universities and corporations, providing data mining over historical network activity. Many sites use contemporary IDS technology such as snort and/or Bro to generate events and alarms, then use the Argus network audit data to provide context for those alarms and decide whether they represent real problems. In many DIY deployments, snort, Bro and argus run on the same high-performance device. The audit data that Argus generates is well suited to network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting zero-day events. The network transaction audit data that Argus generates has also been used for a wide range of other tasks, including network billing and accounting, operations management and performance analysis.

Argus uses libpcap and has been ported to virtually every Unix platform, to OpenWRT, and to Win32 using Cygwin.

External Links

  • Argus website: http://qosient.com/argus

See Also

  • tcpdump

Category: Network Forensics

Revision as of 03:43, 15 December 2009

CAINE Live CD
Maintainer: CAINE Project
OS: Linux
Genre: Live CD
License: GPL, others
Website: http://www.caine-live.net/

CAINE Live CD (Computer Aided Investigative Environment) is a forensic Live CD built on top of Ubuntu.

CAINE 1.5

As of December 2009, the current version of Caine is 1.5. According to documentation, it is based on Ubuntu 8.04. Unlike the Helix project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.

Forensic Issues

  • CAINE Live CD versions before 1.0 will automount Ext3 file systems during the boot process and recover them if required (bug in initrd scripts);
  • CAINE Live CD version 1.0 introduced new mounting policies:

- CAINE's mounting policy for any internal or external device: never mount any device automatically; when the user clicks the device icon, the system mounts it read-only on a read-only loopback device.

- If a user decides to mount a device from a terminal, the "mount" command can be used, but all mount options must be specified explicitly.

- The ext3 driver is ignored when ext3 file systems are mounted and the ext2 driver is used instead. This protects ext3 file systems from a forensic point of view: ext2 does not use journaling, so when an ext3 file system is mounted this way there is no danger of modifying the journal metadata.

- By applying a special patch, the CAINE team fixed the bug that changed the journal of ext3 file systems when the computer was switched off by pulling the plug.

- Fixed in fstab: auto-mounting of MMCs is forbidden, and a check was added for "exotic" device names such as /dev/sdad1.

- A user who wants to mount and write to NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).

   # ntfs-3g /device-path /your-mount-point
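The mounting policy above, expressed as a small POSIX shell helper. This is an added example, not part of CAINE's own scripts: it composes a mount command with every option spelled out, routes ext3 volumes through the ext2 driver, attaches image files through a read-only loop device, and checks a /proc/mounts line for read-only state. Function names and the sample /proc/mounts lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not CAINE's own code): apply CAINE's read-only mount policy.

# Driver to pass to -t. ext3 volumes go through the ext2 driver so the journal
# is neither replayed nor written. Side effect worth knowing: an unclean ext3
# volume carrying the needs_recovery flag is refused by ext2 instead of being
# recovered, which is the forensically safe outcome.
caine_driver() {
    case "$1" in
        ext3) printf 'ext2' ;;
        *)    printf '%s' "$1" ;;
    esac
}

# Every option spelled out; nothing is left to distribution defaults.
caine_opts() {
    printf 'ro,noexec,nosuid,nodev,noatime'
}

# $1 = block device or image file, $2 = detected fs type, $3 = mount point.
# Image files are attached with "loop"; combined with "ro", mount(8) sets the
# loop device itself read-only, matching the read-only loopback rule above.
caine_mount_cmd() {
    drv=$(caine_driver "$2")
    opts=$(caine_opts)
    if [ -f "$1" ]; then
        opts="loop,$opts"
    fi
    printf 'mount -t %s -o %s %s %s' "$drv" "$opts" "$1" "$3"
}

# Check from a /proc/mounts line (device mountpoint fstype options dump pass)
# that the mount really is read-only; returns 0 when the options contain "ro".
is_ro_mount() {
    set -- $1
    case ",$4," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample /proc/mounts lines (not captured from a real system).
SAMPLE_RO='/dev/sdb1 /media/sdb1 ext2 ro,noexec,nosuid,nodev,noatime 0 0'
SAMPLE_RW='/dev/sdb1 /media/sdb1 ext3 rw,relatime,data=ordered 0 0'

echo "$(caine_mount_cmd /dev/sdb1 ext3 /media/sdb1)"
is_ro_mount "$SAMPLE_RO" && echo "sample RO line: read-only confirmed"
is_ro_mount "$SAMPLE_RW" || echo "sample RW line: NOT read-only, refuse to proceed"
```

Run the verification step against the real /proc/mounts after mounting evidence, before any tool touches the mount point.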