douglasbrush
Senior Member

Joined: Feb 19, 2009
Posts: 577
Location: New York, NY
|
Posted: Fri Oct 30, 2009 6:42 am Post subject: CAINE 1.0 is now available |
|
CAINE (Computer Aided INvestigative Environment) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia.
www.caine-live.net/
_________________ ------------------------
Douglas A. Brush, CFC, EnCE
The Digital Forensic Group
twitter.com/douglasbrush
www.TheDigitalForensicGroup.com
blog.TheDigitalForensicGroup.com |
|
thefuf
Newbie

Joined: Aug 01, 2008
Posts: 29
Location: Russia, Moscow
|
Posted: Fri Oct 30, 2009 7:52 am Post subject: Re: CAINE 1.0 is now available |
|
This is a first forensically sound CAINE release. Unlike many other "forensic" Live CDs it does not recover file systems during the boot.
So stay up to date.
|
|
seawolf
Newbie

Joined: May 20, 2009
Posts: 5
Location: Chester, UK
|
Posted: Sun Nov 01, 2009 2:58 pm Post subject: Re: CAINE 1.0 is now available |
|
For what it's worth, I've started a personal blog on digital forensics with open-source, and it just so happens I've spent a couple of hours with CAINE 1 too. It's hardly a comprehensive review but I'd love any feedback you may have, especially if you have used it to perform acquisitions or analyses.
There is a note about its handling of filesystems. One of the team has been in contact, too.
Thanks!
Ben @ www.seawolfsanctuary.com
_________________ Ben Arnold
Student @ Chester University
Junior Forensic Investigator & Developer @ Fiasa Ltd.
seawolf @ twitter & identi.ca
www.seawolfsanctuary.com |
|
kovar
Senior Member

Joined: Sep 08, 2007
Posts: 625
Location: San Francisco, CA * Central Illinois
|
Posted: Mon Nov 02, 2009 12:10 am Post subject: Re: CAINE 1.0 is now available |
|
Greetings,
A minor complaint. If your review, and the comments, are moved off the site it becomes more difficult to find all, or most, of the information in one place. One of the things I like about FF, and the CCE list, is that I can search them and usually find the entire discussion thread in one place.
I also understand the desire to drive traffic to your blog, particularly since I've been considering blogging myself.
I wonder if there is a happy medium?
-David
_________________ CISSP, CCE, EnCE, Licensed Private Investigator (CA) |
|
seawolf
Newbie

Joined: May 20, 2009
Posts: 5
Location: Chester, UK
|
Posted: Mon Nov 02, 2009 5:33 am Post subject: Re: CAINE 1.0 is now available |
|
| kovar wrote: |
It becomes more difficult to find all, or most, of the information in one place. One of the things I like about FF, and the CCE list, is that I can search them and usually find the entire discussion thread in one place.
I also understand the desire to drive traffic to your blog, particularly since I've been considering blogging myself.
I wonder if there is a happy medium? |
I do understand your point and I agree that everything has its place (e.g. experiences of members here) but publishing it elsewhere opens up commenting & discussion to a wider audience and perhaps inviting others into the conversation. That, and being I haven't used it in a more professional context, are the only reasons I haven't discussed it directly on this board.
I linked to it, as I'm sure you see, to make those interested aware that it is there. I'm pretty sure that comments are open to anyone as a guest so there aren't any restrictions.
I do see the point you're making and agree with it, it would be good to collect it together. For now though, links are all I have!
_________________ Ben Arnold
Student @ Chester University
Junior Forensic Investigator & Developer @ Fiasa Ltd.
seawolf @ twitter & identi.ca
www.seawolfsanctuary.com |
|
farmerdude
Senior Member

Joined: Jan 13, 2006
Posts: 231
Location: USA
|
Posted: Mon Nov 02, 2009 4:47 pm Post subject: Re: CAINE 1.0 is now available |
|
| Quote: |
| This is a first forensically sound CAINE release. Unlike many other "forensic" Live CDs it does not recover file systems during the boot |
Where is your documentation to support this statement (IE, which "many other "forensic" Live CDs" recover file systems during the boot process)?
Cheers!
farmerdude
www.onlineforensictraining.com
www.forensicbootcd.com
|
|
thefuf
Newbie

Joined: Aug 01, 2008
Posts: 29
Location: Russia, Moscow
|
Posted: Mon Nov 02, 2009 4:54 pm Post subject: Re: CAINE 1.0 is now available |
|
| Quote: |
| Where is your documentation to support this statement (IE, which "many other "forensic" Live CDs" recover file systems during the boot process)? |
Here (on FF) and here: www.computer-forensics...gators.pdf
|
|
farmerdude
Senior Member

Joined: Jan 13, 2006
Posts: 231
Location: USA
|
Posted: Mon Nov 02, 2009 5:24 pm Post subject: Re: CAINE 1.0 is now available |
|
A few random points ...
1) The topic of mounting or recovering a file system seems to be much like steganography ... in that there's seemingly a bit of hype about it but in the end not much activity. Perhaps with mounting this is because the acquisition of a target does not depend upon its mount status? You aren't required to mount a file system to authenticate it nor acquire it. Additionally, many forensic applications (such as SMART by ASR Data) also do not require the target file system to be mounted in order to process the data within it.
I wouldn't get too hyped on mounting/recovering read-only vs. true read-only. Understanding the file system, the recovery process, and what may be updated and why is important. Being able to articulate that knowledge is key. Killing yourself to live ...
2) An interesting thought about "all these Linux forensic CDs" ... depending upon how they handle mounting and recovery of file systems ... the marketers behind many of them seem to focus on the target, but what of the destination? Careful consideration of what massaging has gone on for the mounting and recovery _should_ be undertaken by the user before use in the field. Anyone want to mount a corrupt ext3 destination file system to write an image file to using a CD that has disabled file system recovery, only to learn later in the lab their image file is junk? Hmm ...
As for the referenced paper I have some feedback and questions, but I've got Halloween candy to dine on and will update later.
Cheers!
farmerdude
www.onlineforensictraining.com
www.forensicbootcd.com
|
|
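The post above stresses knowing what a mount may update on the target and checking the state of the destination file system as well. As an added example (not code from any poster or from CAINE; the function names and sample bytes are constructed here), the ext2/3/4 superblock can be read straight from raw bytes without mounting, including the needs_recovery flag that prompts journal replay at mount time:

```python
import struct

SUPERBLOCK_OFFSET = 1024      # primary superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53            # s_magic, offset 56 in the superblock
COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat bit: a journal exists (ext3/ext4)
INCOMPAT_RECOVER = 0x0004     # s_feature_incompat bit: journal needs replay
STATE_VALID = 0x0001          # s_state bit: cleanly unmounted
STATE_ERROR = 0x0002          # s_state bit: errors were detected


def ext_mount_risk(raw):
    """Inspect raw volume bytes (no mount) and report ext2/3/4 state flags."""
    sb = raw[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 104:                      # too short to hold the fields we read
        return {"ext": False}
    magic, state = struct.unpack_from("<HH", sb, 56)
    if magic != EXT_MAGIC:
        return {"ext": False}
    compat, incompat = struct.unpack_from("<II", sb, 92)
    return {
        "ext": True,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        # True means a mount that is allowed to write will replay the journal.
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        "state_clean": bool(state & STATE_VALID) and not (state & STATE_ERROR),
    }


def build_sample(state, compat, incompat):
    """Constructed sample: 2 KiB of zeros with only the inspected fields set."""
    buf = bytearray(2048)
    struct.pack_into("<HH", buf, SUPERBLOCK_OFFSET + 56, EXT_MAGIC, state)
    struct.pack_into("<II", buf, SUPERBLOCK_OFFSET + 92, compat, incompat)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "ext3, journal pending": build_sample(STATE_VALID, COMPAT_HAS_JOURNAL, INCOMPAT_RECOVER),
        "ext3, clean": build_sample(STATE_VALID, COMPAT_HAS_JOURNAL, 0),
        "ext2, errors flagged": build_sample(STATE_ERROR, 0, 0),
        "not ext": bytes(2048),
    }
    for name, raw in samples.items():
        print(f"{name}: {ext_mount_risk(raw)}")
```

On a real case the same function takes the first 2048 bytes read from the device or image file, for the target before acquisition or for the destination before writing an image to it.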
jamie
Site Admin

Joined: Aug 18, 2004
Posts: 968
|
Posted: Mon Nov 02, 2009 5:40 pm Post subject: Re: CAINE 1.0 is now available |
|
@David (and others) there are also some thoughts on CAINE from BJ here: www.forensicfocus.com/...-to-helix3
|
|
nannib
Newbie

Joined: Mar 01, 2008
Posts: 4
Location: Italy
|
Posted: Tue Nov 03, 2009 2:15 am Post subject: Re: CAINE 1.0 is now available |
|
You can find all the mount policies and the How-To here:
www.caine-live.net/page8/page8.html
Nanni Bassetti
|
|