CAINE 2.5.1 - SUPERNOVA
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user friendly graphical interface
- a semi-automated compilation of the final report
Nanni Bassetti
CHANGELOG CAINE 2.5.1 "SuperNova"
Kernel 2.6-32.35ADDED:
ZFS Fuse
exFat support
Epiphany browser
new mounter
new TSK (Sleuthkit)
some fixings
New NAUTILUS SCripts
ataraw
bloom
fiwalk
xnview
NOMODESET in starting menu
xmount
sshfs
Reporting by Caine Interface fixed
xmount-gui
nbtempo
fileinfo
TSK_Gui
Raid utils e bridge utils
SMBFS
BBT.py
------------------------------------------------
Widows Side:
Wintaylor updated & upgraded
RBFstab and Mounter
1) "rbfstab" is a utility that is activated during boot or when a device is plugged. It writes read-only entries to /etc/fstab so devices are safely mounted for forensic imaging/examination. It is self installing with 'rbfstab -i' and can be disabled with 'rbfstab -r'. It contains many improvements over past rebuildfstab incarnations. Rebuildfstab is a traditional means for read-only mounting in forensics-orient distributions.
2) "mounter" is a GUI mounting tool that sits in the system tray. Left clicking the system tray drive icon activates a window where the user can select devices to mount or un-mount. With rbfstab activated, all devices, except those with volume label "RBFSTAB", are mounted read-only. Mounting of block devices in Nautilus (file browser) is not possible for a normal user with rbfstab activated making mounter a consistent interface for users.
by John Lehr
Live Preview Nautilus Scripts
CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.
The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques.
The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can used the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
John Lehr
------------------------------------------
CASPER PATCH
The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). ---
Suhanov Maxim
Current downloads:
| Caine2.5.1.iso (MD5) | GARR/MIRROR | ||
NBCAINE 2.5.1 (MD5 ZIP file) - (MD5 dd file) - GARR/MIRROR
is the raw dd image of a live USB version of CAINE for NetBooks, new Wintaylor 2.5.1 is included!
VERY IMPROVED!
To install it you must have a USB stick of 1 GB or more and write the command:
$ dd if=nbcaine.dd of=/dev/sdX bs=32K
Where /dev/sdX is the path of your USB stick (e.g.: /dev/sda, /dev/sdb, ...)
NBCaine does not have the Casper patch
For running SYSTEM INFO button of Wintaylor 2.5.1 you have to rename /programs/tools/msix.exe in msi.exe.
is the raw dd image of a live USB version of CAINE for NetBooks, new Wintaylor 2.5.1 is included!
VERY IMPROVED!
To install it you must have a USB stick of 1 GB or more and write the command:
$ dd if=nbcaine.dd of=/dev/sdX bs=32K
Where /dev/sdX is the path of your USB stick (e.g.: /dev/sda, /dev/sdb, ...)
NBCaine does not have the Casper patch
For running SYSTEM INFO button of Wintaylor 2.5.1 you have to rename /programs/tools/msix.exe in msi.exe.
WinTaylor 2.5.1 - GARR/MIRROR
(MD5: 20DD7CC67931895072DEC5D464FE60A4)
Do not put Wintaylor 2.5.1 in a directory named with spaces included!
WARNING!!!: Many Firewalls and AntiViruses could give a fake alert message!
For running SYSTEM INFO button of Wintaylor 2.5.1 you have to rename /programs/tools/msix.exe in msi.exe.
(MD5: 20DD7CC67931895072DEC5D464FE60A4)
Do not put Wintaylor 2.5.1 in a directory named with spaces included!
WARNING!!!: Many Firewalls and AntiViruses could give a fake alert message!
For running SYSTEM INFO button of Wintaylor 2.5.1 you have to rename /programs/tools/msix.exe in msi.exe.
Source -
http://www.caine-live.net/
For More information on list of tools
http://www.caine-live.net/page11/page11.html
