CAINE Linux

CAINE Linux (Computer Aided INvestigative Environment) is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with several related tools pre-installed.

Purpose
CAINE is a professional open source forensic platform that integrates software tools as modules along with powerful scripts in a graphical interface environment. Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigate process (preservation, collection, examination and analysis). CAINE is a live Linux distribution so it can be booted from removable media (flash drive) or from an optical disk and run in memory. It can also be installed onto a physical or virtual system. In Live mode, CAINE can operate on data storage objects without having to boot up a supporting operating system. The latest version 11.0 can boot on UEFI/UEFI+Secure and Legacy BIOS allowing CAINE to be used on information systems that boot older operating systems (e.g. Windows NT) and newer platforms (Linux, Windows 10).

Requirements
CAINE is based on Ubuntu 18.04 64-bit, using Linux kernel 5.0.0-32. CAINE system requirements to run as a live disc are similar to Ubuntu 18.04. It can run on a physical system or in a virtual machine environment such as VMware Workstation.

Supported platforms
The CAINE Linux distribution has numerous software applications, scripts and libraries that can be used in a graphical or command line environment to perform forensic tasks. CAINE can perform data analysis of data objects created on Microsoft Windows, Linux and some Unix systems. One of the key forensic features since version 9.0 is that it sets all block devices by default to read-only mode. Write-blocking is a critical methodology to ensure that disks are not subject to writing operations by the operating system or forensic tools. This ensures that attached data objects are not modified, which would negatively impact digital forensic preservation.

Tools
CAINE provides software tools that support database, memory, forensic and network analysis. File system image analysis of NTFS, FAT/ExFAT, Ext2, Ext3, HFS and ISO 9660 is possible via command line and through the graphic desktop. Examination of Linux, Microsoft Windows and some Unix platforms is built-in. CAINE can import disk images in raw (dd) and expert witness/advanced file format. These may be obtained from using tools that are included in CAINE or from another platform such as EnCase or the Forensic Tool Kit.

Some of the tools included with the CAINE Linux distribution include:


 * The Sleuth Kit – open source command line tools that support forensic inspection of disk volume and file system analysis.
 * Autopsy – open source digital forensics platform that supports forensic analysis of files, hash filtering, keyword search, email and web artifacts. Autopsy is the graphical interface to The Sleuth Kit.
 * RegRipper – open source tool, written in Perl, extracts/parses information (keys, values, data) from the Registry database for data analysis.
 * Tinfoleak – open source tool for collecting detailed Twitter intelligence analysis.
 * Wireshark – supports interactive collection of network traffic and non real-time analysis of data packet captures (*.pcap).
 * PhotoRec – supports recovery of lost files from hard disk, digital camera and optical media.
 * Fsstat – displays file system statistical information about an image or storage object.