Difference between pages "CAINE Live CD" and "SAFE Boot Disk"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = CAINE Live CD |
+
   name = SAFE Boot Disk |
   maintainer = [[CAINE Project]] |
+
   maintainer = [[ForensicSoft]] |
   os = {{Linux}} |
+
   os = {{Windows}} |
 
   genre = {{Live CD}} |
 
   genre = {{Live CD}} |
   license = {{GPL}}, others |
+
   license = {{Commercial}} |
   website = http://www.caine-live.net/ |
+
   website = [http://www.forensicsoft.com/safe.php www.forensicsoft.com/safe.php] |
 
}}
 
}}
  
'''CAINE Live CD''' (Computer Aided Investigative Environment) is a forensic [[Live CD]] built on top of Ubuntu.
+
The '''System Acquisition Forensic Environment (SAFE) Boot Disk''' is the first and only commercially available forensically sound Windows Boot disk by [[ForensicSoft]]. SAFE is a fully licensed version of Windows PE protected that is protected by the proven [[SAFE Block XP]] software write blocking technology.
== CAINE 2.0 ==
+
  
September 2010
+
'''SAFE Boot Disk''' now allows you to boot any x86-based computer without the need to remove the drives or worry about the need for special adapters or controller cards. Because '''SAFE Boot Disk''' is based on Windows PE it includes built in driver support as well as the ability to easily install any drivers that may be missing. This also means the '''Safe Boot Disk''' includes built in support for the NTFS file system without the need for third party tools and has the ability to write to NTFS and NTFS compressed file systems, taking advantage of larger partition sizes, larger file size limits and the advantage of native NTFS compression.
  
CHANGELOG CAINE 2.0 "NewLight"
+
In order to ensure the '''SAFE Boot Disk''' is a forensically sound Live CD it has the proven write blocking technology used by [[SAFE Block XP]] built in to ensure that upon booting every attached disk and flash device are automatically blocked without any required user interaction. Unlike some of the Linux Live CD's this is true write blocking and not just mounting read-only or not auto-mounting.  
  
Kernel 2.6.32-24
+
Finally '''SAFE Boot Disk''' provides access to Host Protected Areas (HPAs) and Device Configuration Overlay (DCOs) on IDE (PATA and SATA) disks, has built in Case Logging and built in tools for exploration, viewing, and simple forensics functions.
  
ADDED:
+
== External Links ==
Air 2.0.0
+
* [http://www.forensicsoft.com/safe.php Download site]
MountManager
+
Disk Utility
+
Storage Device Manager
+
SSdeep
+
ByteInvestigator
+
DMIdecode
+
HDSentinel
+
WVSummary
+
Read_open_Xml
+
Fiwalk
+
Bulk Extractor
+
Log2Timeline
+
Midnight Commander
+
SQLJuicer
+
CDFS 2.6.27
+
Nautilus Scripts
+
Fake Casper patch
+
Manual updated
+
 
+
 
+
'''Live Preview Nautilus Scripts'''
+
CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.
+
The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
+
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
+
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques.
+
The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can used the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
+
by John Lehr
+
------------------------------------------
+
'''CASPER PATCH (not for NBCaine 2.0)'''
+
The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). ---
+
by Suhanov Maxim
+
 
+
 
+
 
+
== CAINE 1.5 ==
+
As of December 2009, the current version of [http://www.caine-live.net/ Caine] is 1.5. According to documentation, it is based on [http://releases.ubuntu.com/8.04/ Ubuntu 8.04]. Unlike the [[Helix]] project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.
+
 
+
== Forensic Issues ==
+
 
+
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
+
* '''CAINE Live CD version 1.0 introduced new mounting policies''':
+
 
+
- The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read-only mode on a read-only loopback device.
+
 
+
- If a user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.
+
 
+
- The ext3 driver will be ignored when ext3 file systems are mounted and the ext2 driver used instead. This protects any ext3 file systems from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 file system is mounted, there is no danger of modifying the journal metadata.
+
 
+
- By applying a special patch CAINE team fixed the bug that changed the journal of the ext3 file systems when the computer was switched off by pulling the plug.
+
 
+
- Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "exotic names" like /dev/sdad1.
+
 
+
- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).
+
 
+
    # ntfs-3g /device-path /your-mount-point
+

Latest revision as of 09:26, 28 July 2012

SAFE Boot Disk
Maintainer: ForensicSoft
OS: Windows
Genre: Live CD
License: Commercial
Website: www.forensicsoft.com/safe.php

The System Acquisition Forensic Environment (SAFE) Boot Disk is the first and only commercially available forensically sound Windows Boot disk by ForensicSoft. SAFE is a fully licensed version of Windows PE protected that is protected by the proven SAFE Block XP software write blocking technology.

SAFE Boot Disk now allows you to boot any x86-based computer without the need to remove the drives or worry about the need for special adapters or controller cards. Because SAFE Boot Disk is based on Windows PE it includes built in driver support as well as the ability to easily install any drivers that may be missing. This also means the Safe Boot Disk includes built in support for the NTFS file system without the need for third party tools and has the ability to write to NTFS and NTFS compressed file systems, taking advantage of larger partition sizes, larger file size limits and the advantage of native NTFS compression.

In order to ensure the SAFE Boot Disk is a forensically sound Live CD it has the proven write blocking technology used by SAFE Block XP built in to ensure that upon booting every attached disk and flash device are automatically blocked without any required user interaction. Unlike some of the Linux Live CD's this is true write blocking and not just mounting read-only or not auto-mounting.

Finally SAFE Boot Disk provides access to Host Protected Areas (HPAs) and Device Configuration Overlay (DCOs) on IDE (PATA and SATA) disks, has built in Case Logging and built in tools for exploration, viewing, and simple forensics functions.

External Links