TechRadar Verdict
This distro is positively packed with forensics tools and dozens of nifty custom scripts to help analyse files, but you’ll have to know what you’re doing.
Pros
+ Loads of useful forensics tools
+ Powerful scripts
Cons
- Obviously a very niche distro
- Lack of help and documentation
This article was provided to TechRadar by Linux Format, the number one magazine to boost your knowledge on Linux, open source developments, distro releases and much more. It appeared in issue 220, published February 2017.
CAINE, which stands for Computer Aided INvestigative Environment, is a live distro that’s designed to aid the specialised field of computer forensics. The distro is full of tools and utilities to aid every stage of a digital investigation.
You can use the distro to create an exact sector-level duplicate of the suspect media with tools such as Guymager, a graphical app for creating disk images. Besides raw dd images, Guymager can also image disks in the E01 and AFF formats, which are commonly used in the digital forensics community and can embed metadata about the original media in the image file itself. Once the media has been imaged, you can use CAINE to analyse its contents for evidence to support the investigation.
A key change in this release is that all devices are placed in read-only mode by default. This new write-blocking method ensures that all disks are protected from accidental write operations. If you need to write to a disk, you unlock it with the Block On/Off utility.
Buffet of tools
All the specialised tools are housed within a Forensic Tools menu. The menu catalogues the majority of the tools within purpose-based sub-menus, such as Analysis, Mobile forensics, Memory forensics and Network forensics. The menu also holds about two dozen more tools that aren’t filed under any category. While the submenus give the distro some structure and organisation, computer forensics is a specialised field and the tools won’t make much sense to inexperienced users.
What would have helped is documentation and this is one of CAINE’s weakest areas. The distro assumes familiarity with the tools and only includes the basic details to help you get started.
Among the distinguishing features of CAINE are the very helpful scripts that are mated to the Caja file manager. These scripts simplify the examination of any acquired files. The scripts can display browser history, analyse Windows registries, find deleted files and even extract EXIF data to text files for easy examination. There’s also a Save as Evidence script that will write the selected files to an Evidence folder on the desktop and create a text report about the file that contains metadata, along with an optional comment from the investigator for reference.
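An added illustration of the kind of evidence-collection helper the review describes, written for this page rather than taken from CAINE's own Save as Evidence script; the Evidence directory, report layout and the hash verification step are assumptions:

```shell
#!/usr/bin/env bash
# Hypothetical "save as evidence" helper (not CAINE's code): copies a file into
# an Evidence folder, verifies the copy by hash and writes a text report with
# metadata plus an optional investigator comment.
# Usage: save_as_evidence.sh <file> [comment]
set -eu

# Assumed location, mirroring the desktop Evidence folder the review mentions.
EVIDENCE_DIR="${EVIDENCE_DIR:-${HOME:-/tmp}/Desktop/Evidence}"

save_as_evidence() {
    local src="$1" comment="${2:-}"
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    mkdir -p "$EVIDENCE_DIR"
    local base dest report
    base=$(basename -- "$src")
    dest="$EVIDENCE_DIR/$base"
    report="$EVIDENCE_DIR/$base.report.txt"
    # Never overwrite an item already collected under the same name.
    [ ! -e "$dest" ] || { echo "already collected: $dest" >&2; return 3; }
    # -p keeps the original's timestamps and mode on the copy.
    cp -p -- "$src" "$dest"
    # Hash source and copy; a mismatch means the copy is not a faithful duplicate.
    local src_hash dst_hash
    src_hash=$(sha256sum -- "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum -- "$dest" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || { echo "hash mismatch for $src" >&2; return 2; }
    {
        echo "Evidence report"
        echo "Source path:   $src"
        echo "Stored as:     $dest"
        echo "Size (bytes):  $(stat -c %s -- "$src")"
        echo "Modified:      $(stat -c %y -- "$src")"
        echo "SHA-256:       $src_hash"
        echo "Collected at:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "Investigator comment: ${comment:-(none)}"
    } > "$report"
    # Print the report path so callers (or a file-manager action) can open it.
    echo "$report"
}

# Run directly from a shell or file-manager action with the file as argument.
if [ -n "${1:-}" ]; then
    save_as_evidence "$@"
fi
```

The `stat -c` and `sha256sum` calls assume GNU coreutils, which is what an Ubuntu-based live environment provides.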
Another group of scripts is accessed using the Mixed scripts shortcut on the desktop – this folder includes a readme text file describing the purpose of some of the scripts. One noteworthy script from this collection is the Identify iPod Owner script which displays metadata about an attached iPod, and can even search for iTunes user information present in media purchased through the Apple store.
Besides the tools available in the live environment, you can also use the live medium to run a forensics investigation on a running Windows installation. Just connect the CAINE live USB or optical media to a Windows machine and fire up the Win-UFO tool. The app has a user-friendly interface and can sniff out browser history, passwords, Wi-Fi passwords, and analyse browser cache, cookies and the search history without much effort.
The release also includes the x11vnc server to allow CAINE to be operated from a remote computer on the network. CAINE has been built atop Ubuntu 16.04 using the SystemBack tool. It’s designed to be used as a live environment, but it can be installed using SystemBack. Just ensure you refer to the installation documentation before heading down this path.
Final verdict
It lacks documentation, but CAINE is a fully equipped forensics-focused distro with plenty of tweaks to help dig up hidden PC secrets.
Shashank Sharma is a trial lawyer in Delhi, India. Long before his foray into the world of litigation, he started his career by writing about Linux and open source software. Over the years, Shashank has also written various articles and reviews for TechRadar Pro, covering web hosting providers and website builder tools.