url: https://www.caine-live.net/page5/page5.html
C.A.IN.E
url: https://www.caine-live.net/page8/page8.html
For Windows:
https://www.caine-live.net/page11/page11.html
CAINE 9.0 "Quantum" 64bit - Official CAINE GNU/Linux distro latest release.
CAINE fully represents the spirit of the Open Source philosophy, because the project is completely open, everyone
could take on the legacy of the previous developer or project manager. The distro is open source, the Windows side
(Win-Ufo) is freeware and, last but not least, the distro is installable, thus giving the opportunity to rebuild it in a
brand new version, so giving a long life to this project ...
Nanni Bassetti
Kernel 4.4.0-97
Based on Ubuntu 16.04 64BIT - UEFI/SECURE BOOT Ready!
The important news is that CAINE 9.0 sets all block devices (e.g. /dev/sda) to Read-Only mode. You can
control this with a GUI tool named BlockON/OFF, present on CAINE's Desktop.
This new write-blocking method ensures that all disks are protected from accidental write
operations, because they are locked in Read-Only mode.
If you need to write to a disk, you can unlock it with BlockON/OFF or by using "Mounter" to change the policy to
writable mode.
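The lock state described above can be checked from the kernel's per-device read-only flag before touching evidence. The script below is an added example, not CAINE's own code: it reads the `ro` attribute Linux exposes under /sys/block for each disk and each of its partitions and lists any that are still writable. The SYSFS_DIR argument and the sample tree are assumptions of this example, constructed so that it runs without real disks.

```shell
#!/bin/sh
# Added example (not CAINE code): report block devices and partitions whose
# kernel read-only flag is not 1, i.e. that are currently writable.

# writable_devices [SYSFS_DIR]
#   SYSFS_DIR defaults to /sys/block; the parameter is an assumption of this
#   example so the check can run against a constructed tree.
#   Prints one writable disk or partition name per line.
#   Returns 0 if everything is read-only, 1 otherwise.
writable_devices() {
    sysfs_dir="${1:-/sys/block}"
    found=0
    for disk in "$sysfs_dir"/*; do
        name=$(basename "$disk")
        # The disk's own flag first, then each partition (sda1, sda2, ...).
        for flag in "$disk/ro" "$disk/$name"*/ro; do
            [ -f "$flag" ] || continue      # unmatched glob or no ro file
            if [ "$(cat "$flag")" != "1" ]; then
                basename "$(dirname "$flag")"
                found=1
            fi
        done
    done
    return "$found"
}

# Constructed sample tree: sda fully locked; sdb unlocked at disk level
# while its partition sdb1 still reports read-only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sda/sda1" "$root/sdb/sdb1"
    echo 1 > "$root/sda/ro"
    echo 1 > "$root/sda/sda1/ro"
    echo 0 > "$root/sdb/ro"
    echo 1 > "$root/sdb/sdb1/ro"
    echo "$root"
}

sample=$(make_sample_tree)
if writable_devices "$sample" > /dev/null; then
    echo "all devices read-only"
else
    echo "writable: $(writable_devices "$sample" | tr '\n' ' ')"
fi
rm -rf "$sample"
```

On a live system, calling `writable_devices` with no argument reads the real /sys/block; a disk and its partitions are reported separately because each carries its own flag.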
Another important addition is the VNC server and client, for controlling CAINE remotely. Finally, CAINE
now boots faster than before.
CAINE 9.0 can boot to RAM (toram).
INSTALLING CAINE: use BlockON/OFF (blockdev) to put the device in WRITABLE mode -> use SYSTEMBACK ->
Choose System Install -> Choose user: CAINE password: CAINE host: CAINE -> check "transfer user
configuration files" -> Go!
HOW TO INSTALL CAINE - VIDEO
ADDED/CHANGED:
RegRipper, VolDiff, SafeCopy, PFF tools, pslistutil, mouseemu, NBTempoX, OSINT: Infoga, The Harvester,
Tinfoleak; regfmount and libregf-utils installed.
Mounter fixed.
SSH server disabled by default (see Manual page for enabling it).
Autopsy 2.24 fixed - srch_strings replaced with "GNU strings", renamed to srch_strings.
Many other fixes and software updates.
Many more scripts and programs...
Windows Side:
------------------------------------------------
A green disk icon means the system is SAFE and will mount devices READ-ONLY on loop device.
A red disk icon means WARNING, mounted devices will be WRITEABLE.
In CAINE 8.0 mounter can unlock and lock block devices in Read-Only mode.
Instructions:
The mounted devices will not be affected by mount policy changes. Only subsequent mounting operations
will be affected.
by John Lehr
CAINE includes scripts activated within the Caja web browser designed to make examination of allocated files
simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and
extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining
the file type and rendering it with the appropriate tool.
The live preview Caja scripts also provide easy access to administrative functions, such as making an attached
device writeable, dropping to the shell, or opening a Caja window with administrator privileges. The "Save as
Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about
the file containing file metadata and an investigator comment, if desired.
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted
iPod device and display metadata about the device (current username, device serial number, etc.). The investigator
has the option to search allocated media files and unallocated space for iTunes user information present in media
purchased through the Apple iTunes store, i.e., Real Name and email address.
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the
existing scripts. The CAINE developers welcome feature requests, bug reports, and criticisms.
The preview scripts were born from a desire to make evidence extraction simple for any investigator with basic
computer skills. They allow the investigator to get basic evidence to support the investigation without the need of
advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can use
the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
John Lehr
------------------------------------------
Root file system spoofing PATCH
The patch changes how Casper searches for the boot media. By default, Casper will look at hard disk
drives, CD/DVD-drives and some other devices while booting the system (during the stage when the system tries to
find the boot media with the correct root file system image on it - because common bootloaders do not pass any data
about the media used for booting to an operating system in Live CD configurations). Our patch is implemented for
CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug where Casper would
select and boot fake root file system images on evidentiary media (hard disk drives, etc).
Suhanov Maxim
Windows Side
CAINE includes a set of Windows IR/Live forensics tools. If you need to, you can use the IR/Live forensics framework you
prefer by changing the tools on your pendrive.
Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView,
Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write
Protector, VLC, Windows File Analyzer.