CAINE

CAINE (Computer Aided INvestigative Environment) is a freely distributed and open source GNU/Linux distribution, a desktop-oriented operating system based on the latest LTS (Long Term Support) release of the world’s most popular distribution of Linux, Ubuntu, and designed to be used for digital forensics operations.

Distributed as a 64-bit, hybrid Live DVD

The CAINE distribution can be downloaded for free from Softoware as a hybrid Live DVD ISO image that contains software packages optimized only for the 64-bit (x86_64/amd64) hardware platforms. Being hybrid, the ISO image can be written on a blank DVD disc or a USB flash drive of 4GB or higher capacity, allowing you to boot the OS from the BIOS of your computer.

Boot options

From the boot menu, the user will be able to start the live system with normal configuration or in safe graphics mode, perform a system memory (RAM) diagnostic test, boot an existing operating system from the local drive, as well as to directly start the installer, change the language and add extra kernel parameters.

Xfce is in charge of the graphical session

The default and only graphical desktop environment of CAINE is Xfce, which provides users with a very lightweight and low on resources interface, which uses a traditional layout comprised of a single, transparent panel located on the bottom edge of the screen. The panel includes various useful widgets, such as the main menu, an application launcher, a task manager and the system tray area.

Comes pre-loaded with a wide range of tools for digital forensic operations

Being designed from the ground up to be used for digital forensic operations, the CAINE distribution comes pre-loaded with a wide range of tools that can be used for various digital forensic operations. These include Mobius, Autopsy, PhotoRec, QuickHash, TestDisk, XDview, FMount, NBTempo, Fred, Remote Filesystem Mounter, Log2Timeline, TkDiff and XHFS.

What is new in this release:

• ADDED/CHANGED in CAINE 9.0:
• RegRipper, VolDiff, SafeCopy, PFF tools, pslistutil, mouseemu, NBTempoX,Osint: Infoga, The Harvester, Tinfoleak regfmount and libregf-utils installed.
• many and many scripts and programs....
• SSH server disabled by default (see Manual page for enabling it).
• Autopsy 2.24 fixed - srch_strings changed with "GNU strings" renamed in srch_strings.
• many others fixing and software updating.
• Windows Side:
• Windows Side with for Incident Response/Live Analysis on Windows systems.
• Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, Windows File Analyzer.

What is new in version 8.0:

• Kernel 4.4.0-45
• Based on Ubuntu 16.04 64BIT - UEFI/SECURE BOOT Ready!
• CAINE 8.0 can boot on Uefi/Uefi+secure boot/Legacy Bios/Bios.
• SystemBack is the installer.
• The important news is CAINE 8.0 blocks all the block devices (e.g. /dev/sda), in Read-Only mode. You can use a tool with a GUI named BlockON/OFF present on CAINE's Desktop.
• This new write-blocking method assures all disks are really preserved from accidentally writing operations, because they are locked in Read-Only mode.
• If you need to write a disk, you can unlock it with BlockOn/Off or using "Mounter" changing the policy in writable mode.
• Another important news is the VNC server and client, for controlling CAINE from remote and finally CAINE is always more fast during the boot.
• CAINE 8.0 can boot to RAM (toram).
• ADDED/CHANGED:
• IMG_MAP (image dd/raw and ewf mounter)
• XAll 1.5
• RecuperaBit
• SQLParse
• PEFrame
• Yara
• PDF analysis
• MemDump
• ADB and LibMobileDevice
• Gigolo (network filesystem client)
• Shrew (VPN manager)
• wxHexEditor
• Jeex
• XRCed
• PffLib
• Tilda
• imount, vhdimount and vhdiinfo
• samba
• vblade
• iscsitarget
• hashdb
• many and many scripts and programs
• NEW RBFstab and Mounter:
• "rbfstab" is a utility that is activated during boot or when a device is plugged in. It writes read-only entries to /etc/fstab so devices are safely mounted for forensic imaging/examination. It is self installing with 'rbfstab -i' and can be disabled with 'rbfstab -r'. It contains many improvements over past rebuildfstab incarnations. Rebuildfstab is a traditional mean for read-only mounting in forensics-orient distributions.
• "mounter" is a GUI mounting tool that sits in the system tray. Left-clicking the system tray drive icon activates a window where the user can select devices to mount or un-mount. With rbfstab activated, all devices, except those with volume label "RBFSTAB", are mounted read-only on loop device. Mounting block devices in Caja (file browser) is not possible for a normal user with rbfstab activated making mounter a consistent interface for users.
• Mounter is a disk mounting application that runs in the system tray.
• Live Preview Caja Scripts:
• CAINE includes scripts activated within the Caja web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering it with the appropriate tool.
• The live preview Caja scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Caja window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
• A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
• The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and criticisms.
• The preview scripts were born from a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can use the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
• Root file system spoofing PATCH:
• The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc).

What is new in version 7.0:

• Kernel 3.13.0-66
• Based on Ubuntu 14.04.1 64BIT - UEFI/SECURE BOOT Ready!
• Caine 7.0 can boot on Uefi/Uefi+secure boot/Legacy Bios/Bios.
• SystemBack is the installer.
• The important news is CAINE 7.0 blocks all the block devices (e.g. /dev/sda), in Read-Only mode. You can use a tool with a GUI named BlockON/OFF present on Caine's Desktop.
• This new write-blocking method assures all disks are really preserved from accidentally writing operations, because they are locked in Read-Only mode.
• If you need to write a disk, you can unlock it with BlockOn/Off or using "Mounter" changing the policy in writable mode.
• Another important news is the VNC server and client, for controlling Caine from remote and finally Caine is always more fast during the boot.
• Caine 7.0 can boot to RAM (toram).
• ADDED/CHANGED:
• fixed FMOUNT
• XAll
• BTCScan (Bitcoin scanner)
• dmraid
• okteta
• x11vnc server
• gvncviewer
• ssh
• openssh
• wput
• unBlock (block in RO/RW block devices)
• mount-nfs
• scalpel 2.1
• new peframe
• damm
• find_times
• parse_VSS_RFC
• 4n6 scripts updated
• quickhash updated
• bleachbit
• usnj
• vshot
• zulucrypt
• ddrescue-gui
• ddrescueView
• dd utility
• iloot
• python_regparse
• libmobiledevice
• ifuse
• ddrescueview
• INDEXparse.py, Shellbags.py, evtxexport.py, extxinfo.py
• NFS client.

What is new in version 6.0:

• fixed password request in polkit
• fixed password request in textmode e tty
• Bash bug fixed shellshock
• mount policy always in ro and loop mode
• fstrim disabled (enable uncommenting the row in /etc/cron.weekly/fstrim)
• autopsy patched by Maxim Suhanov
• (HFS directories handling fixed,
• Sun VTOC volume system handling fixed,
• incorrect timestamps (that are equal to zero) are handled as 01/01/1970 00:00:00)
• gzrt
• img_map
• photorec gui
• undbx
• ddrescueview
• gddrescue
• disktype
• Peframe
• quickhash
• BEViewer Bulk Extractor
• ddrutility
• ataraw
• frag_find
• log2timeline plaso - supertimeline
• tinfoleak
• inception memory dumper by firewire
• volatility
• 4n6-scripts
• boot-repair
• grub-customizer
• Broadcom Corporation BCM4313 wireless card drivers

What is new in version 5.0:

• Kernel 3.8.0-35
• Based on Ubuntu 12.04.3 64BIT - UEFI/SECURE BOOT Ready!
• Caine 5.0 on pendrive can boot on Uefi/Uefi+secure boot/Legacy Bios/Bios.
• Caine 5.0 on DVD can boot on Legacy Bios/Bios.
• SystemBack is the new installer.
• Caine has a new logo, thanks to Mr. Nino Salvati.
• ADDED/CHANGED:
• gimp
• libfusedev
• fileinfo 0.6
• traceroute
• sdparm
• log2timeline 0.64
• rdiff
• mdbtool
• undbx
• readdbx
• myrescue
• libshadow vshadowmount
• zfs-fuse
• fmount
• rdd
• unhide
• ext3grep
• e2undel
• recover
• bulk_extractor
• gzrecover
• dislocker
• undbx
• aoetools
• boot-repair
• grub-customizer
• Broadcom Corporation BCM4313 wireless card drivers

What is new in version 3.0:

• Kernel 3.2.0-32
• MATE 1.4
• iphonebackupanalyzer
• exiftool phil harvey
• tcpflow
• tshark
• john
• wireshark
• firefox
• vinetto
• mdbtool
• gdisk
• LVM2
• tcpdump
• Mobius
• QuickHash
• SQLiteBrowser
• FRED
• docanalyzer
• nerohistanalyzer
• knowmetanalyzer
• PEFrame
• grokEVT
• zenmap (nmap)
• blackberry tools
• IDevice tools

What is new in version 2.5:

• New NAUTILUS SCripts
• ataraw
• bloom
• fiwalk
• xnview
• NOMODESET in starting menu
• xmount
• sshfs
• Reporting by Caine Interface fixed
• xmount-gui
• nbtempo
• fileinfo
• TSK_Gui
• Raid utils e bridge utils
• SMBFS
• BBT.py

What is new in version 2.0:

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user friendly graphical interface
• a semi-automated compilation of the final report

What is new in version 1.5:

• Kernel 2.6-24.25 updated.
• ADDED:
• lnk_parse
• lnk.sh
• mork
• steghide
• UserAssist
• dos2unix
• chntpw
• tkdiff
• xdeview
• md5deep,foremost updated
• launchers fixed
• manual updated
• README.txt in the bash scripts directory
• Photorec and Testdisk and XSteg in the Forensics menu
• Window list and Show Desktop added.

What is new in version 0.5:

• - WinTaylor, forensic frontend for Windows environment
• - Html page IE-compatible to run the forensic tools in Windows
• - Ntfs-3g updated to 2009.1.1 (resolve a ntfs-3g bug)
• - New boot option: text mode.
• - Ubuntu 8.04 packages updated
• - Firefox 3.0.6
• - Gtkhash, frontend for hashing files
• - New reporting features: investigators and case name added
• - Multi-language report: italian, english, german, french and portuguese
• - Firefox starts with the list of tools and a brief utilization manual.