Emmabuntus, Ubuntu, Derivate, Linux, Open Source BackTrack, Linux, distributions, Ubuntu, derivate, securuty, forensic VirtualBox, Linux, Ubuntu, Raring Ringtail synaptic, Ubuntu, Linux, software packages jwplayer, multimedia, Linux, Ubuntu, flash Meshlab, graphic, software, Ubuntu, open source, Linux Synapse, Linux, Ubuntu, raring, Quantal Gimp, Ubuntu, Linux FreeMind, Linux, open source Linux, infographic, history

Caine is a simple Ubuntu 12.04 customized for the computer forensics.

caine3.0Caine is a simple Ubuntu 12.04 customized for the computer forensics, all you need to read is here and the rest is: http://linuxleo.com/Docs/linuxintro-LEFE-3.78.pdf and all the single manuals of the tools (e.g. the Sleuthkit, Autopsy, Foremost,etc. etc.)

1. Mounting policy of CAINE .
The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read only mode on loop device.

- A user cannot mount a device through the Disk Mounter applet, but only by Terminal Window or by Mounter (GUI) Mounter and the system will always mounted with the following options: ro,noatime,noexec,nosuid,nodev,noload.

For UMOUNTING a device you can use Caja by root (eg. gksudo Caja) or by terminal window (xterm or sudo umount) or Mounter GUI

General Information:
A green disk icon means the system is SAFE and will mount devices READ-ONLY.

A red disk icon means WARNING, mounted devices will be WRITEABLE.

Left-click the disk icon to mount a device.

Right-click the disk icon to change the system mount policy.

Middle-click will close the mounter application. Relaunch from the menu.

The mounted devices will not be affected by mount policy changes. Only subsequent mounting operations will be affected.

- If the user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.

- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g -o rw /dev/sda1 /media/sda1).

    sudo ntfs-3g -o rw /device-path /your-mount-point

You can redirect the output on an RW mounted device in these ways:

    Terminal window --> sudo su --> (eg. fdisk -lu > /media/sdb1/fdisk.txt)
    Terminal window --> output redirect in, for example: /home/caine, then sudo cp

fdisk.txt /media/sdb1

    sudo bash -c "fdisk -lu > /media/sdb1/fdisk.txt"

The ext3 driver will be ignored when ext2 and ext3 partitions are mounted in the future and the ext2 driver used instead. This protects any ext3 partitions from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 partition is mounted, there is no danger of modifying the meta-data when increasing the count inside said journal.

Applying a special patch (Maxim Suhanov's patch) we fixed the bug, that changed the journal of the ext3/ext4 file system, when the computer was switch off not using the shutdown procedure. Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "esotic names" like /dev/sdad1

Bash Scripts Tools directory:
the tools MUST be launched by sudo sh script_name.sh

2. LiveUSB issue .
Cannot create LiveUSB Caine from this distro, you have to DOWNLOAD NBCaine from Caine's website to get it! (for Caine 3.0 previous releases) OR if you need CAINE on pendrive (USB), you can sobstitute the file /usr/share/initramfs-tools/scripts/casper with THIS and use your preferred tool for making it.

3. Installed version .
After installing Caine on your HD, you have to edit the /usr/sbin/rbfstab, changing swapoff -a in swapon -a and the row swap) OPTIONS=ro,noauto ;; with #swap) OPTIONS=ro,noauto ;;. Or simply write sudo rbfstab –r

If you need CAINE on pendrive (USB), you can sobstitute the file /usr/share/initramfs-tools/scripts/casper with THIS and use your preferred tool for making it.

After the installation, CHANGE your /etc/sudoers with THIS, for avoiding the password asking after the login.

4. Language Support .
The CAINE report supports the following languages: English, Italian, French, German and Portuguese. The translations of report template in French and German were kindly made by Guy Vucken, developer of Guymager, who previously cooperate with the team to integrate his forensic software inside CAINE. The Portuguese translation has been gently provided by Tony Rodrigues a portuguese Digital and Computer Forensics expert.Turkish thanks to Burkay Sucu.
We hope to increase the number of translations in the future. If you wish to participate by providing the translation of the report in your language or if you report a translation mistake, please contact the CAINE team.

CAINE Live CD uses the USA keyboard layout. We suggest to change the layout using the program “Keyboard Preferences” in System -> Preferences, in the GNOME menu or using the command “sudo setxkbmap -layout xy” (xy = “it”, “gb”, “de”...) in the command line. BTW there is a launcher on the desktop.

In the CAINE TEXT MODE only, change the keyboard layout by "sudo loadkeys xy" (xy = “it”, “gb”, “de”...)

Current downloads:


Tools and packages included in CAINE Live CD.
ADDED (Caine 4.0):
LibreOffice 4.0.1
Remote Filesystem Mounter
ADDED (Caine 3.0)
exiftool phil harvey
zenmap (nmap)
blackberry tools
IDevice tools
AIR 2.0.0
Stands for Automated Image and Restore
AIR is a GUI front-end to dd and dc3dd designed for easily creating forensic bit images. Double hash.
AbiWord is a free word processing program similar to Microsoft® Word. It is suitable for a wide variety of word processing tasks.
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Conduct File Listing, View File Content, Compare files in user created or downloaded Hash Databases, File Type Sorting by internal signatures, Create a Timeline of File Activity, conduct Keyword Searches, File System Meta Data Analysis, Data Unit (File Content) Analysis in multiple formats, File System Image Details: Case Management of one or more host computers, Event Sequencer allows you to add time-based events from other systems (ie firewall/ids logs), Notes about case, Image Integrity verification, Report Creation, Audit Logging of investigation,
The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. AFF is an open and extensible file format to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.
Linux user-level ATA raw command utility
AtomicParsley is a lightweight command line program for reading, parsing and setting metadata into MPEG-4 files
BBthumbs.dat parser (for BlackBerry)
bkhive is a tool to extract the Windows System-key that is used to encrypt the hashes of the userpasswords.
NPS Bloom filter package (includes frag_find)
A suite of bash scripts by Tony Rodriguez

Bulk Extractor
Bulk Email and URL extraction tool
Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc system. There is also a registry editor and other registry utilities that works under linux/unix, and can be used for other things than password editing.
Web Browser
Disk Utility
Disk manager
reports information about your system's hardware as described in your system
BIOS according to the SMBIOS/DMI standard
dos2unix - DOS/MAC to UNIX text file format converter
ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
dcfldd is an enhanced version of GNU dd with features useful for forensics and security. dcfldd can hash the input data as it is being transferred, helping to ensure data integrity, verify that a target drive is a bit-for-bit match of the specified input file or pattern, output to multiple files or disks at the same time, split output to multiple files with more configurability than the split command, send all its log data and output to commands as well as files natively.
dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
dc3dd can write a single hexadecimal value or a text string to the output device for wiping purposes. Piecewise and overall hashing with multiple algorithms and variable size windows. Supports MD5, SHA-1, SHA-256, and SHA-512. Hashes can be computed before or after conversions are made. Progress meter with automatic input/output file size probing. Combined log for hashes and errors. Error grouping. Produces one error message for identical sequential errors. Verify mode. Able to repeat any transformations done to the input file and compare it to an output. Ability to split the output into chunks with numerical or alphabetic extensions.
dvdisaster stores data on CD/DVD/BD (supported media) in a way that it is fully recoverable even after some read errors have developed. This enables you to rescue the complete data to a new medium.
The Exchangeable image file format (Exif) is an image file format which adds or reveals lots of metadata to or from existing image formats, mainly JPEG.
Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.
Jpeg and P32 analyzer
File and Inode Walk Program
Fundl 2.0
This is a selective deleted file retriever with HTML reporting. It is TSK based.
This script can be used to search for a keyword in many files and it copies only the files that have a matching keyword to a separate directory of your choosing.

FOD stands for Foremost output divide. This is a script for splitting foremost output directories contents into subdirectories with a defined number of files for each type of format file.
A program for recovering files from FAT file systems.
'gcalctool' is the desktop calculator.
Geany is a text editor.
The GParted application is a partition editor for creating, reorganizing, and deleting disk partitions.
recordMyDesktop is a desktop session recorder that attempts to be easy to use, yet also effective at it's primary task.
Galleta is an Internet Explorer Cookie Forensic Analysis Tool. Galleta was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
A GTK+ utility for computing message digests or checksums using the mhash library. Currently supported hash functions include MD5, SHA1, SHA256, SHA512, RIPEMD, HAVAL, TIGER and WHIRLPOOL.
guymager is a forensic imager for media acquisition.
Monitoring hard disk health and temperature. Test and repair HDD problems and predict failures. Prevent data loss by automatic and scheduled backup
Hex Editor (Ghex)
GHex - a hex editor for GNOME
GHex allows the user to load data from any file, view and edit it in either hex or ascii.
HFS is the “Hierarchical File System,” the native volume format used on modern Macintosh computers. hfsutils is the name of a comprehensive software package being developed to permit manipulation of HFS volumes from UNIX and other systems.
LRRP is a bash script for gathering information on the devices you need to acquire for making a forensic image file.
Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read and write media information within the EWF files.
This is a perl script for parsing the *.lnk files
Analysis of Windows LNK files
log2timeline, a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts.
This is a perl script for reading firefox history data
The Midnight Commander useful for text only boot.
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is able to recursive examine an entire directory tree. md5deep can accept a list of known hashes and compare them to a set of input files and more.
md5sum - compute and check MD5 message digest
Nautilus Scripts
Live Preview Nautilus scripts...they do many things.
Timeline maker GUI
NTFS-3G is a stable read/write NTFS driver for Linux, Mac OS X, FreeBSD, NetBSD, OpenSolaris, QNX, Haiku, and other operating systems. It provides safe and fast handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 file systems.
This shell script will brute force the partition offset looking for a hidden partition and try to mount it.
Pasco is an Internet Explorer activity forensic analysis tool. Pasco was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
PhotoRec recovers files from the unallocated space using file type-specific header and footer values.
Read MS Office metadata
RegLookup is an small command line utility for reading and querying Windows NT-based registries. Currently the program allows one to read an entire registry and output it in a (mostly) standardized, quoted format. It also provides features for filtering of results based on registry path and data type.
Rifiuti is a Recycle Bin Forensic Analysis Tool. Rifiuti was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
As its name indicates, rifiuti2 is a rewrite of rifiuti, Rifiuti (last updated 2004) is restricted to English version of Windows (fail to analyze any non-latin character), thus this rewrite. It also Supports Windows file names in any languages, Supports Vista and Windows 2008 “$Recycle.Bin” (no more uses INFO2 file), Enables localization (that is, translatable) by using glib, More rigorous error checking, Supports output in XML format.
readpst converts PST (MS Outlook Personal Folders) files to mbox and other formats.
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
Perl script - tool that list database CRUD transactions, parsing SQL Server Transactions log entities
SFDumper 2.2
SFDumper is a selective file retriever, it works on active, deleted and carved files. It can do a keyword search among the files retrieved. It is TSK based.
ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes.
Tool for extracting steganographic content in images.
Storage Device Manager
Another GUI mount manager.
The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI harddisks. In many cases, these utilities will provide advanced warning of disk degradation and failure.
Smartmontools… automatically reports and highlights any anomalies; allows enabling/disabling SMART; allows enabling/disabling Automatic Offline Data Collection - a short self-check that the drive will perform automatically every four hours with no impact on performance; supports configuration of global and per-drive options for smartctl; performs SMART self-tests; displays drive identity information, capabilities, attributes, and self-test/error logs; can read in smartctl output from a saved file, interpreting it as a read-only virtual device; works on most smartctl-supported operating systems; has extensive help information.
sha256sum - compute and check SHA256 message digest
Steghide is a steganography program that is able to embed or extract data in various kinds of image- and audio-files.
shred - delete a file securely, first overwriting it to hide its contents
sha512sum - compute and check SHA512 message digest
TestDisk was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.
Another Sleuthkit GUI
tigerdeep - Computer Tiger message digests
tableau-parm is an small commandline utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under select UNIX platforms.
tkdiff is a graphical front end to the diff program. It provides a side-by-side view of the differences between two files, along with several innovative features such as diff bookmarks and a graphical map of differences for quick navigation.
This is a perl script offline parser for the “UserAssist” registry key.
VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs VCDs, and various streaming protocols.
Compute Whirlpool message digests
Wipe is a secure file wiping utility.
xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes.
XDeview is a smart decoder for attachments that you have received in encoded form via electronic mail or from the usenet.
Image viewer
XMount and XMount-Gui
Virtual file systems creator
GUI stegdetect interface

Custom Search

If you liked this article, subscribe to the feed by clicking the image below to keep informed about new contents of the blog:
Share on Google Plus

About Hugo Repetto

Ubuntu is a Linux distribution that offers an operating system predominantly focused on desktop computers but also provides support for servers. Based on Debian GNU / Linux, Ubuntu focuses on ease of use, freedom in usage restriction, regular releases (every 6 months) and ease of installation.
    Blogger Comment
    Facebook Comment


Post a Comment