Difference between pages "CAINE Live CD" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
{{Infobox_Software |
+
{{expand}}
  name = CAINE LiveCD/DVD |
+
  maintainer = [[Nanni Bassetti]] |
+
  os = {{Linux}} |
+
  genre = {{Live CD}} |
+
  license = {{GPL}}, others |
+
  website = [http://www.caine-live.net Caine Live] |
+
}}
+
'' ''' Caine (an acronym for Computer Aided Investigative Environment'''') is a [[distribution Linux | distribution]] [[Live CD | live]] oriented to Computer Forensics ([[computer forensics]]) historically conceived by Giancarlo Giustini, within a project of Digital Forensics '' Interdepartmental Research Center for Security'' (CRIS) of the University of Modena and Reggio Emilia  see [http://www.caine-live.net/page4/history.html Official Site].
+
Since the end of the '''2009''' and currently the project is maintained by Nanni Bassetti.
+
  
== Features ==
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
The latest version of Caine is based on the [[Ubuntu Linux]] 12.04 LTS, MATE and LightDM. Compared to its original version, the current version has been modified to meet the standards forensic reliability and safety standards laid down by the [[NIST]] View [Http://www.cftt.nist.gov/Methodology_Overview.htm the methodologies of Nist].
+
  
Caine includes:
+
There are multiple families of executable files:
* Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
+
* Scripts; e.g. shell scripts, batch scripts (.bat)
* Updated and optimized environment to conduct a forensic analysis;
+
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
* Report generator semi-automatic, by which the investigator has a document easily editable and exportable with a summary of the activities;
+
* ELF
* Adherence to the investigative procedure defined recently by Italian Law 48/2008, [Http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008,].
+
* Mach-O
  
In addition, Caine is the first distribution to include forensic Forensics inside the Caja/Nautilus Scripts and all the patches of security for not to alter the devices in analysis.
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
The distro uses several patches specifically constructed to make the system "forensic", ie not alter the original device to be tested and / or duplicate:
+
=== ELF ===
* Root file system spoofing: patch that prevents tampering with the source device;
+
* [http://robinhoksbergen.com/papers/howto_elf.html Manually Creating an ELF Executable], by Robin Hoksbergen
* No automatic recovery corrupted Journal patch: patch that prevents tampering with the device source, through the recovery of the [[Journal]];
+
* Mounter and RBFstab: mounting devices in a simple and via graphical interface.
+
  
[[RBFstab]] is set to treat [[EXT3]] as a [[EXT4]]'' noload with the option'' to avoid automatic recovery of any corrupt Journal of '[[EXT3]];
+
=== MZ, PE/COFF ===
* Swap file off: patch that avoids modifying the file [[swap]] in systems with limited memory [[RAM]], avoiding the alteration of the original artifact computer and overwrite data useful for the purposes of investigation.
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
 +
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 +
* [http://msdn.microsoft.com/en-us/magazine/ms809762.aspx Peering Inside the PE: A Tour of the Win32 Portable Executable File Format], by Matt Pietrek, March 1994
 +
* [http://www.microsoft.com/msj/0797/hood0797.aspx Under the Hood], by Matt Pietrek, July 1997
 +
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
 +
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
  
Caine and Open Source == ==
+
=== DBG, PDB ===
Patches and technical solutions are and have been all made in collaboration with people (Professionals, hobbyists, experts,
+
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
etc..) from all over the world. <br />
+
* [http://www.debuginfo.com/articles/debuginfomatch.html Matching Debug Information], by debuginfo.com
 +
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [http://web.archive.org/web/20070915060650/http://www.x86.org/ftp/manuals/tools/sym.pdf Internet Archive: Microsoft Symbol and Type Information], by [[Microsoft]]
 +
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
 +
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
 +
* [http://moyix.blogspot.com/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
 +
* [http://moyix.blogspot.com/2008/05/parsing-windows-minidumps.html Parsing Windows Minidumps], by [[Brendan Dolan-Gavitt]], May 7, 2008
 +
* [http://web.archive.org/web/20110814041817/http://www.stackhash.com/blog/post/Format-of-a-minidump-(mdmp)-file.aspx Format of a minidump (mdmp) file], Internet Archive: StackHash blog, May 16, 2011
  
CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, anyone could
+
=== Mach-O ===
take the legacy of the previous developer or project manager. <br />
+
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
  
The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last one but not least important, the distro is installable, so as to give the possibility to rebuild in a new version, in order to give a long life to this project.
+
=== Packers ===
 +
* [http://www.woodmann.com/crackz/Packers.htm Packers & Unpackers]
  
== Caine Interface ==
+
== Tools ==
Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools. <Br/>
+
  
Environment updated and optimized for digital investigations. <br />
+
=== MZ, PE/COFF ===
 +
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
  
Report Semi-automatic - the final production of a complete document and easily editable exported by the investigator.
+
=== PDB ===
Maximum adherence to the Italian investigative procedure. <br />
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
  
The first distribution to include forensic inside the Caja Forensics / Nautilus/Caja Scripts and all security patches, not to alter the devices in the analysis. <br />
+
=== Minidump ===
 
+
* [http://amnesia.gtisc.gatech.edu/~moyix/minidump.py minidump.py], by [[Brendan Dolan-Gavitt]]
The basic interface of the distribution called Caine Interface, was performed using the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit.
+
 
+
Caine Interface allows you not only to select the various forensic software, it automatically generates the final report, due to the modules offered by Perl Template Toolkit, and DocBook.
+
 
+
Inside contains the following software.
+
 
+
, Acquisition
+
* Grissom Analyzer (mmls, img_stat, fsstat)
+
* LRRP
+
* AIR
+
* Guymager
+
* Terminal with saving the output
+
* DC3DD
+
 
+
; Analysis
+
* Autopsy
+
* [[The SleuthKit]]
+
* [[Selective file dumper | Sfdumper 2.2]]
+
* Fundl 2.0
+
* Scalpel
+
* Foremost
+
* Stegdetect
+
* Ophcrack
+
* Nautilus scripts
+
* And many others
+
 
+
Reporting semiautomatic == ==
+
 
+
Every contribution in the form of output and local report for each program involved in an investigation is saved in a report file, easily manageable by the investigator. The generation of the final report is done through the creation of temporary log file, that is to contain the output products for implementing the programs used by the investigator. <br />
+
The generation process is achieved through the use of Perl, bash scripts, variables Perl Template Toolkit and the DocBook file that acts as a container to the final report. <br />
+
 
+
All set within the Perl program.
+
 
+
The Project Caine == ==
+
 
+
The project was initially inserted into the priorities of the CRIS (Centre for Research Interdepartmental Security) Research Centre Interpardimentale Security - University of Modena [http://cris.unimore.it/cris/node/54 site], in this way the distribution has benefited from essential contributions on the technical computing, together to the latest "best practices" legal investigation digital  see [http://www.dia.unisa.it/~ads/ads/Sicurezza_files/Tesina%20Live%20Forensics.pdf Security University of Salerno] see [http://www.forwardedge2.com/pdf/bestpractices.pdf U.S. Secret Service document] see [http://ncfs.org/craiger.forensics.methods.procedures.final.pdf CraigeR's Draft].
+
 
+
The project Caine was also the subject of a scientific paper accepted and published inside the first Workshop on Computer & Network Forensics held in Milan September 10th 2008 - [http://conferenze.dei.polimi.it/ossconf/schedule.php OSSCoNF].
+
 
+
In followed all close collaboration with Denis Frati (spilled by the project at end 2009) and Nanni Bassetti, prominent figures in the panorama of Italian Digital Forensics, allowed a constant improvement of investigative standards proposed. The work carried out together with the staff ConoscereLinux allowed to enter Caine within the Italian community of programmers of open-source software.
+
 
+
Caine is very much the spirit of Open Source OSSConf 2008 Open Source Day 2012, precisely because the various inputs planning and operational were provided by so many employees scattered across the globe, using only the network to communicate and many have our utmost to provide hosting, mirror and suggestions, scripts and everything that can serve to improve the project, then a full and free.
+
 
+
Currently the project manager and a team of international figures treat the project Caine since the 1.0 release to date that has arrived at version 4.0 (18-March-2013) and achieving praise from law enforcements of several foreign nations.
+
 
+
24/11/2012 The Caine 3.0 was presented at '[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]' at the University of Udine.
+
 
+
== Notes ==
+
<references />
+
 
+
== Bibliography ==
+
* Andrea Ghirardini, Gabriele Faggioli, ''Computer Forensics'', Apogeo, 2009, ISBN 9788850328161
+
* E. Huebner, S. Zanero, ''Open Source Software for Digital Forensics'', Springer, 2010, ISBN 978-1-4419-5802-0
+
* Diane Barrett, Greg Kipper, ''Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment'', Syngress, 2010, ISBN 978-1-59749-557-8
+
* Sean Philip Oriyano and Michael Gregg, ''Hacker Techniques, Tools, And Incident Handling'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
+
* Michael Jang, ''Security Strategies in Linux Platforms and Applications'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6
+
 
+
== External links ==
+
*[http://www.careeracademy.com/browseproducts/CHFI-Training-CBT-Boot-Camp--EC-Council-Computer-Hacking-Forensic-Investigator.HTML Presente nel training CHFI Ec-Council] International certificatione
+
*[http://link.springer.com/chapter/10.1007/978-1-4419-5803-7_5 Open Source Live Distributions for Computer Forensics- by Springer]<br />
+
*[http://conferenze.dei.polimi.it/ossconf/schedule.php OSSConf 2008]<br />
+
*[http://books.google.it/books?id=jQVgWaF3pJwC&pg=PT304&lpg=PT304&dq=Andrea+Ghirardini;+Gabriele+Faggioli,+Computer+Forensics+caine&source=bl&ots=mf8-Def6uF&sig=88ydFgTv05M2Q45B4FSvwqhBXKk&hl=it&sa=X&ei=W2voUOD3Lcrk4QSVlIDoDQ&ved=0CEMQ6AEwAQ Google books]<br />
+
*[http://www.amazon.com/Virtualization-Forensics-Forensic-Investigators-Environments/dp/1597495573Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment]<br />
+
*[http://www.linux-magazin.de/Ausgaben/2010/12/Italienische-Aufklaerung Linux-Mazin.de]<br />
+
*[http://www.linux-magazine.com/Issues/2011/122/Caine Linux-Magazine.com]<br />
+
*[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]<br />
+
*[http://searchsecurity.techtarget.it/articoli/0,1254,18_ART_103282,00.html TechTarget.it]<br />
+
*[http://programmazione.it/index.php?entity=eitem&idItem=41687 Programmazione.it]<br />
+
*[http://www.linuxtoday.com/upload/caine-3.0-review-121009195504.html Linuxtoday.com]<br />
+
*[http://www.linuxtoday.com/infrastructure/2010122801535SCSW Linuxtoday.com 2]<br />
+
*[http://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml Softpedia]<br />
+
*[http://hackingzones.in/?p=2726 hackingzone.in]<br />
+
*[http://www.gustavopimentel.com.ar/ gustavopimental.com.ar]<br />
+
*[http://www.concise-courses.com/security/top-ten-distros/# concise-courses.com]<br />
+
*[http://www.e-linux.it/news_detail/caine-15 e-linux.it]<br />
+
*[http://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656 ilsoftware.it]<br />
+
*[http://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml dragonjar.org]<br />
+
*[http://www.nannibassetti.com/dblog/articolo.asp?articolo=156 Attestato Marenostrum V.F.F.]<br />
+
*[http://www.linuxformat.com/archives?issue=151 LinuxFormat] <br />
+
*[http://www.techrepublic.com/blog/10things/10-obscure-linux-distributions-and-why-you-should-know-about-them/2334 TechRepublic]<br />
+
*[http://www.forensicswiki.org/wiki/CAINE_Live_CD ForensicsWiki]<br />
+
* [http://www.caine-live.net Sito ufficiale]
+
* [http://cris.unimore.it/cris/node/54 Sito del CRIS] dedicato a Caine
+
 
+
{{Linux}}
+

Revision as of 12:08, 31 March 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
  • ELF
  • Mach-O

External Links

ELF

MZ, PE/COFF

DBG, PDB

Mach-O

Packers

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)

Minidump