On 19 September 2011, version 2.5 of CAINE was released. But you could ask: what is CAINE?
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a digital forensics project.
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
- an interoperable environment that supports the digital investigator during the four phases of a digital investigation
- a user-friendly graphical interface
- a semi-automated compilation of the final report
We recommend that you read the page on the CAINE policies carefully.
CAINE fully represents the spirit of the Open Source philosophy, because the project is completely open: anyone can take over the legacy of the previous developer or project manager. The distro is open source, the Windows side (WinTaylor) is open source and, last but not least, the distro is installable, giving the opportunity to rebuild it as a brand new version and so giving a long life to this project.
Nanni Bassetti
CAINE is full of useful tools for digital forensics; you can see the full list of them here. To name just a few:
Autopsy : The Autopsy Forensic Browser is a graphical interface to the command-line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file systems and volumes of a computer.
Chntpw : chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on a Windows NT or Windows 2000 system, by modifying the hashed password stored in the registry's SAM file. You do not need to know the old password to set a new one.
Dcfldd : dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:
- Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output – dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
- Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs – dcfldd can output to multiple files or disks at the same time.
- Split output – dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.
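The three features an examiner leans on most (hashing on the fly, split output, and verification) fit together in one workflow. The script below is an added example, not dcfldd's own code: it reproduces that workflow in plain Python over a constructed sample "disk", so the interaction between the steps can be seen and tested offline. The block size, the 4096-byte split size, and the file names are assumptions chosen for the demo.

```python
# Added example, not dcfldd's own code: hash the input as it streams, split
# the output into fixed-size chunks, then verify the chunks bit-for-bit
# against the source. Block and split sizes are assumptions for the demo.
import hashlib
import os
import random
import tempfile

BLOCK = 512        # read size; must divide SPLIT so chunks end on exact boundaries
SPLIT = 4096       # hypothetical chunk size, like a split= option


def image_with_hash(src_path, dest_prefix, split=SPLIT, block=BLOCK):
    """Copy src_path into dest_prefix.000, .001, ... while hashing the input.
    Returns (sha256_hex_of_input, [chunk paths in order])."""
    digest = hashlib.sha256()
    chunks, out, written = [], None, 0
    with open(src_path, "rb") as src:
        for data in iter(lambda: src.read(block), b""):
            digest.update(data)                     # hash as the data streams
            if out is None or written >= split:     # open the next chunk
                if out is not None:
                    out.close()
                path = "%s.%03d" % (dest_prefix, len(chunks))
                out = open(path, "wb")
                chunks.append(path)
                written = 0
            out.write(data)
            written += len(data)
    if out is not None:
        out.close()
    return digest.hexdigest(), chunks


def verify_image(src_path, chunks, block=BLOCK):
    """Bit-for-bit compare the concatenated chunks with the source."""
    with open(src_path, "rb") as src:
        for path in chunks:
            with open(path, "rb") as chunk:
                for data in iter(lambda: chunk.read(block), b""):
                    if src.read(len(data)) != data:
                        return False
        return src.read(1) == b""                   # source has no extra bytes


def make_sample_disk(path, size=10000, seed=7):
    """Constructed sample evidence: pseudo-random bytes with a known hash."""
    rng = random.Random(seed)
    data = bytes(rng.getrandbits(8) for _ in range(size))
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def demo():
    """Image the sample disk, verify it, then corrupt one chunk and verify again.
    Returns (hash_matches, verify_ok, chunk_count, verify_ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.raw")
        expected = make_sample_disk(src)
        digest, chunks = image_with_hash(src, os.path.join(work, "image.dd"))
        ok_before = verify_image(src, chunks)
        with open(chunks[1], "r+b") as f:            # flip one byte in chunk 1
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        ok_after = verify_image(src, chunks)
        return digest == expected, ok_before, len(chunks), ok_after


if __name__ == "__main__":
    print(demo())
```

The 10000-byte sample lands in three chunks (4096, 4096, 1808 bytes); the streamed hash equals the hash computed over the whole input, verification passes, and a single flipped byte in the second chunk makes the verification fail, which is the property an acquisition log should capture.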
Exif : The Exchangeable image file format (Exif) is a standard for storing metadata inside existing image formats, mainly JPEG; the tool reads that metadata from, or adds it to, image files.
Foremost : Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, SafeBack, EnCase, etc., or directly on a drive. The headers and footers can be specified in a configuration file, or you can use command-line switches to select built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.
Galleta : Galleta is a forensic tool that examines the content of cookie files produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated list that can be loaded into a spreadsheet.
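Header/footer carving is simple enough to show end to end. The carver below is an added example and not Foremost's own code: it scans a constructed blob of "unallocated space" for the real JPEG and PNG start and end markers, skips a header whose footer never turns up (the common false-positive case), and caps the search distance the way a per-type maximum file size does. The blob, the body bytes and the MAX_SIZE value are constructed for the demo.

```python
# Added example, not Foremost's own code: a minimal header/footer carver.
# The JPEG/PNG markers are the real ones; the blob is constructed here and
# MAX_SIZE is an assumed cap that stops an orphaned header from swallowing
# the rest of the image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 1_000_000


def carve(blob, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(type, offset, carved_bytes)] sorted by offset."""
    found = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            i = blob.find(header, start)
            if i < 0:
                break
            j = blob.find(footer, i + len(header), i + max_size)
            if j < 0:                         # header with no footer in range: skip it
                start = i + 1
                continue
            end = j + len(footer)
            found.append((ftype, i, blob[i:end]))
            start = end                       # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


def build_sample_blob():
    """Constructed 'unallocated space': filler that can never contain a marker
    (its byte values stay below 200), two complete files, one orphaned header."""
    def filler(n):
        return bytes(k % 200 for k in range(n))
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"header-without-footer"
    blob = filler(64) + jpg + filler(32) + png + filler(16) + orphan + filler(8)
    return blob, jpg, png


def demo():
    """Returns [(type, offset, recovered_intact)] for each carved file."""
    blob, jpg, png = build_sample_blob()
    hits = carve(blob)
    return [(t, off, data == ref) for (t, off, data), ref in zip(hits, (jpg, png))]


if __name__ == "__main__":
    for kind, offset, intact in demo():
        print(kind, offset, "intact" if intact else "damaged")
```

The run recovers the JPEG at offset 64 and the PNG at offset 123 byte-for-byte and reports nothing for the orphaned JPEG header. Real carvers go further by parsing internal structures (a JPEG's segment lengths, a PNG's chunk CRCs), which is what the "internal data structures" clause above refers to.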
mork.pl : This is a program that can read the Mozilla URL history file (normally $HOME/.mozilla/default/*.slt/history.dat) and print out a list of URLs and their time of last access.
Offset_Brute_Force : This shell script brute-forces the partition offset, looking for a hidden partition, and tries to mount it.
Pasco : Many important files within Microsoft Windows have structures that are undocumented. One of the principles of computer forensics is that all analysis methodologies must be well documented and repeatable, and they must have an acceptable margin of error. Currently, there is a lack of open source methods and tools that forensic analysts can rely upon to examine the data found in proprietary Microsoft files; Pasco addresses one of them by parsing Internet Explorer's index.dat activity files.
rifiuti2 : As its name indicates, rifiuti2 is a rewrite of rifiuti, a Recycle Bin analysis tool. Rifiuti (last updated 2004) is restricted to English versions of Windows (it fails to analyze any non-Latin character), hence this rewrite. rifiuti2 supports Windows file names in any language, supports the Vista and Windows 2008 "$Recycle.Bin" (it no longer relies on the INFO2 file), enables localization (that is, it is translatable) through glib, has more rigorous error checking, and supports output in XML format.
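The offset search behind Offset_Brute_Force is worth seeing on its own, because it is what you fall back on when a partition table is missing or deliberately wiped. The script below is an added example and not the CAINE script itself: where the original steps through offsets and tries to mount each one, this stand-in does the read-only part of that search in Python, walking a constructed image one sector at a time and reporting sectors that carry a volume boot record signature. The image is constructed here; the 0x55AA signature and the "NTFS    " / "FAT32   " identifier strings are the real ones those boot records carry.

```python
# Added example, not the Offset_Brute_Force script itself: a read-only
# sector-by-sector search for boot-sector signatures in a disk image whose
# partition table is absent. The image is constructed below.
SECTOR = 512


def boot_sector_type(sector):
    """Classify one 512-byte sector, or return None if it is not a boot sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":            # NTFS OEM ID
        return "ntfs"
    if sector[82:90].startswith(b"FAT32"):      # FAT32 file-system type string
        return "fat32"
    if sector[54:62].startswith(b"FAT"):        # FAT12/FAT16 type string
        return "fat12/16"
    return "unknown (valid 0x55AA signature)"   # e.g. an MBR or another VBR


def scan_for_partitions(image, step=SECTOR):
    """Walk the image in `step` increments and return [(byte_offset, type)]."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, step):
        kind = boot_sector_type(image[off:off + SECTOR])
        if kind is not None:
            hits.append((off, kind))
    return hits


def build_sample_image(sectors=12):
    """Constructed disk image: zeroed sectors with an NTFS boot sector at
    sector 5 and a FAT32 boot sector at sector 9, and no partition table,
    which is exactly the situation an offset search is for."""
    img = bytearray(sectors * SECTOR)
    ntfs = bytearray(SECTOR)
    ntfs[0:3] = b"\xeb\x52\x90"                 # jump instruction seen in NTFS VBRs
    ntfs[3:11] = b"NTFS    "
    ntfs[510:512] = b"\x55\xaa"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xeb\x58\x90"                  # jump instruction seen in FAT32 VBRs
    fat[82:90] = b"FAT32   "
    fat[510:512] = b"\x55\xaa"
    img[5 * SECTOR:6 * SECTOR] = ntfs
    img[9 * SECTOR:10 * SECTOR] = fat
    return bytes(img)


if __name__ == "__main__":
    for offset, kind in scan_for_partitions(build_sample_image()):
        print("candidate %s volume at byte offset %d" % (kind, offset))
```

On the sample image the scan reports candidates at byte offsets 2560 (NTFS) and 4608 (FAT32). Each hit is the value a loop mount's offset= option would take, which is the step the original script performs after locating the offset; keeping the search itself read-only matters when the image is evidence.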
And there are many more tools on this live distribution.
How does this compare with EnCase? Would it be a practical replacement for the commercial tools used by a cybercrimes unit? Any difference in the legal aspects?