CAINE 3.0 Review – Linux Forensics
CAINE is a well-known specialised Linux distribution focusing on penetration testing. With its latest 3.0 release, it updates itself to the Ubuntu 12.04 base and adds a host of new tools
CAINE (Computer Aided INvestigative Environment, but also named after CSI: Miami ’s head of crime lab Horatio Caine) is a hyperspecialised Linux distro. As its full name implies, it’s aimed at digital forensic practitioners. The latest edition is CAINE 3.0 (codename Quasar), based on Ubuntu 12.04 and Linux kernel 3.2 but with the GNOME 2 fork, MATE, instead of Unity as its desktop environment. Unfortunately, the 1.3GB live DVD image isn’t a hybrid image and it doesn’t work out of the box with UNetbootin either. Writing the ISO to a USB stick and making it bootable is possible, but needs some fiddling. The installer, though, will be familiar to Ubuntu users, as it’s Canonical’s easy-to-use Ubiquity.
An interesting difference between CAINE and many other specialised distributions is that it also ships with a lot of general-purpose tools. When you have installed CAINE 3.0, MATE’s menu contains many applications that you would find in any regular desktop distribution. This is a good move, because in many other specialised distributions we found ourselves limited if we wanted them to use for daily tasks. You would then have to install many regular applications first, or constantly switch from the specialised distribution to a general-purpose distribution. In contrast, you can use CAINE perfectly as your regular desktop distribution, and on top of that, all the specialised tools are available in the Forensic Tools menu.
However, CAINE is much more than just Ubuntu with some forensic tools added. A regular desktop distribution isn’t suitable for forensic purposes, because it automatically mounts available drives as read/write. In a forensic investigation of a computer this is obviously a recipe for disaster, as it changes last mount times and also risks wiping out (potentially hidden) data when you write to the drive. That’s why CAINE’s policy for mounting devices is unrelenting: it never automatically mounts any device. Mounting is only possible through the Mounter applet in the system tray or on the command line with the mount command. A left-click on the Mounter applet lets you mount or unmount devices and a right-click lets you toggle the system policy for all future mounts with the applet from read-only to read/write and vice versa. If the current policy is read/write, the disk icon in the system tray becomes red to warn you to be careful.
Moreover, CAINE streamlines the process of conducting a forensic investigation. Just click on the Caine Interface icon on the desktop and click on ‘Create report’, after which you are guided through a four-step phase from data collection to a report. You can collect information from connected devices; recover files using known headers, footers and data structures; find image files containing hidden (steganographic) content, and so on. More specific tools, such as for forensics of iPhone and BlackBerry devices, can be found in the Forensic Tools menu, and MATE’s file manager Caja has been extended with countless handy scripts in the context menu of your files.
This isn’t to say that the distribution is not without its faults, however. We already touched upon the issues with booting the live ISO from a USB stick, but also after installation there are some minor annoyances. For instance, even though we had set a specific keyboard layout in the Ubiquity installer, the MATE desktop didn’t honour our choice. Moreover, you really have to read the distro’s online documentation, as it has some peculiar behaviour with respect to mounting. Unfortunately, there’s no overarching documentation about what the various tools do, either, so you have to discover their function by trial and error.
If you’re searching for a set of computer forensic tools, look no more, you have found it. It takes time to discover all the scripts and get used to the Caine Interface, but with this distribution you have all the relevant tools at your fingertips. Just don’t forget to read the documentation, as CAINE has