This article was provided to TechRadar by Linux Format, the number one magazine to boost your knowledge on Linux, open source developments, distro releases and much more. It appeared in issue 220, published February 2017. Subscribe to the print or digital version of Linux Format here.
CAINE, which stands for Computer Aided INvestigative Environment, is a live distro that’s designed to aid the specialised field of computer forensics. The distro is full of tools and utilities to aid every stage of a digital investigation.
You can use the distro to create an exact sector-level duplicate of the suspect media with tools such as Guymager, which is a graphical app for creating disk images. Besides dd, Guymager can also image disks in the EO1 and AFF formats which are commonly used in the digital forensics community and can incorporate metadata about the original media into the disk image itself. Once the media has been imaged, you can use CAINE to analyse its contents for evidence to support the investigation.
A key change in this release is that all devices are placed in read-only mode by default. This new write-blocking method assures all disks are preserved from accidental write operations. If you need to write a disk, you unlock it with the Block On/Off utility.
Buffet of tools
All the specialised tools are housed within a Forensic Tools menu. The menu catalogues the majority of the tools within purpose-based sub-menus, such as Analysis, Mobile forensics, Memory forensics and Network forensics. The menu also holds about two dozen more tools that aren’t filed under any category. While the submenus give the distro some structure and organisation, computer forensics is a specialised field and the tools won’t make much sense to inexperienced users.
What would have helped is documentation and this is one of CAINE’s weakest areas. The distro assumes familiarity with the tools and only includes the basic details to help you get started.
Among the distinguishing features of CAINE are the very helpful scripts that are mated to the Caja file manager. These scripts simplify the examination of any acquired files. The scripts can display browser history, analyse Windows registries, find deleted files and even extract EXIF data to text files for easy examination. There’s also a Save as Evidence script that will write the selected files to an Evidence folder on the desktop and create a text report about the file that contains metadata, along with an optional comment from the investigator for reference.
Another group of scripts is accessed using the Mixed scripts shortcut on the desktop – this folder includes a readme text file describing the purpose of some of the scripts. One noteworthy script from this collection is the Identify iPod Owner script which displays metadata about an attached iPod, and can even search for iTunes user information present in media purchased through the Apple store.
Besides the tools available in the live environment, you can also use the live medium to run forensics investigation on a running Windows installation. Just connect the CAINE live USB or optical media to a Windows machine and fire up the Win-UFO tool. The app has a user-friendly interface and can sniff out browser history, passwords, Wi-Fi passwords, and analyse browser cache, cookies and the search history without much effort.
The release also includes the x11vnc server to allow CAINE to be operated from a remote computer on the network. CAINE has been built atop Ubuntu 16.04 using the SystemBack tool. It’s designed to be used as a live environment, but it can be installed using SystemBack. Just ensure you refer to the installation documentation before heading down this path.
It lacks documentation, but CAINE is a fully equipped forensics-focused distro with plenty of tweaks to help dig up hidden PC secrets.