
CAINE usb

7 Posts
3 Users
0 Likes
3,276 Views
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

Hello

So I'm planning to use CAINE USB to do a memory/disk image from an "infected machine" I want to analyze

The theory is you use the bootable usb with caine to mount the "infected machine" as read-only and then write in the second usb but someone pointed out that in order to boot the caine usb I have to turn off the "infected machine" which would cause some evidence to get lost.

How do I boot the usb without restarting/turning off the "infected machine"
This is for windows machine.

Thanks!

 
Posted : 04/09/2019 1:52 pm
(@athulin)
Posts: 1156
Noble Member
 

How do I boot the usb without restarting/turning off the "infected machine"
This is for windows machine.

Strictly speaking, you can't. Booting establishes an execution environment on a computer platform; if there already is an environment running on that platform, it is lost.

You may, however, establish sub-environments, similar to virtual machines or sandboxes, in which you will have the original environment running a sub-environment, which then, presumably, has been verified to be secure against the threats present. (If this is useful from a forensic standpoint, I have no idea … but I suspect not.)

A bit like in Windows starting a 'Linux for Windows' OS, or a VMWare system – though both of those require further installation, and, I think I remember, at least one reboot.

However, the original environment is still running. From the sub-environment you (probably) can't access it in any special way – that is, in any way different from another computer connected to the same LAN. So … no inspection of running registry or memory. At best you may be able to image the drive, but … all access to the hardware will pass through the master environment … which may be controlled by whatever malware you have running on it …

Disk image? Will be a live image, with all the problems that entails. You really want to do a snapshot-based image, but … can you do that from CAINE or other subenvironment?

Memory image? I think you can forget that. Any sub-environment will have its own memory, and will be very unlikely to be able to access that of the master environment – which is the entire idea.

My understanding of Caine (dated, and so possibly wrong) is that you either boot it on a work computer, or just run those tools included live on the system you're investigating. Not both at the same time, which seems what you're asking about.

If I have misunderstood your question, you may want to clarify.

 
Posted : 04/09/2019 2:24 pm
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

thanks for the reply

then I still don't get how people in real life get an image from a machine they want to investigate.

I was following this course https://www.cybrary.it/course/incident-response-and-handling/ and it says you have to have a USB with write blocker and another USB where you run all your tools. They made it sound simple using FTK, but the only option I found for the write blocker part was using CAINE, but the problem is that I still need to reboot the machine.

 
Posted : 05/09/2019 7:11 am
(@athulin)
Posts: 1156
Noble Member
 

then I still don't get how people in real life get an image from a machine they want to investigate.

Post mortem, i.e. in fully-off state, it's 'easy'.

During different power states, it depends on whether you want to preserve those power states. That, in turn, requires detailed knowledge of what OS you're running, and of whether you can retrieve that information after forced power-offs.

In general, though, you use the already established environment to do the image. In reduced-privilege environments (i.e. logged in as an unprivileged user), all you can do is access the data that the current user can access. In special circumstances, you can raise your privilege, and so get additional access, but that usually requires cooperation with the user or a third party (becoming local admin/root).

I was following this course https://www.cybrary.it/course/incident-response-and-handling/ and it says you have to have a USB with write blocker and another USB where you run all your tools. They made it sound simple using FTK, but the only option I found for the write blocker part was using CAINE, but the problem is that I still need to reboot the machine.

I suggest you put any questions you have to the course owners / makers / support. They may need to improve the course content.

A USB with a write blocker allows you to connect a disk with your own tools to a suspected hostile environment. (No booting.)

The tools are typically stand-alone programs that run without needing to refer to any DLLs or soft-linked libraries in the target environment, which thus may be under hostile control. For example, local libraries under hostile control may prevent you from seeing directories/folders with specific names, or Windows registry resources in particular locations, and may possibly fake logins or requests for admin credentials, and send them outside. You don't want that.

The USB tools are intended to be run as any other program in the target environment from portable medium: insert the USB stick, perhaps start a menu program, or double-click, or 'Run …', or whatever. They're not intended to run in a separately booted environment. (Check out the WinTaylor environment, for example. It's on the CAINE distro – I haven't checked in detail, but look at what CAINE calls 'Windows Side'.) FTK Imager may be a tool present on this USB stick, for example.

(Many years ago, this kind of toolbox usually came on CD, which is automatically write protected. You can fairly easily (I think) still get write-protectable USB sticks that allow you to set up your own environment, once you have become familiar with the tools.)

The second USB is obviously for image destination, as well as any temporary files or logs produced by the tools on the write-blocked USB.

 
Posted : 05/09/2019 7:58 am
(@rich2005)
Posts: 535
Honorable Member
 

thanks for the reply

then I still don't get how people in real life get an image from a machine they want to investigate.

I was following this course https://www.cybrary.it/course/incident-response-and-handling/ and it says you have to have a USB with write blocker and another USB where you run all your tools. They made it sound simple using FTK, but the only option I found for the write blocker part was using CAINE, but the problem is that I still need to reboot the machine.

Depends what you mean.
It's a live system. Plugging things in, running programs to acquire data, navigating the system, running scripts, are going to change the contents of memory and disk almost certainly. So there's no simple option to capture everything with zero impact (as far as I'm aware anyway!).
People might use tools like FTK Imager just to click a button and capture memory, might use tools/scripts to list/document processes, might take images of logical volumes before they turn off the machine. Some might capture just the memory and then image the disk itself when powered down.

Key is to understand what you're doing, and why, rather than following an arbitrary process from someone/somewhere that you don't fully understand.

 
Posted : 05/09/2019 8:00 am
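The two posts above describe the live-triage workflow: a write-blocked USB carrying standalone tools, a second writable USB for output, and an ordered capture of the volatile data (memory, processes, connections) before the machine is powered down for a disk image. Below is an added example of the scripted part of that workflow; it is not from the thread, the course, or the CAINE project. The drive letters `E:` (tools USB) and `F:` (evidence USB) and the manifest file name `manifest.sha256` are assumptions, and it needs PowerShell 4 or later for `Get-FileHash`. One caveat in the spirit of athulin's warning: the script runs under the target's own `powershell.exe` and Win32 API, which malware may have tampered with, so treat its output as a first look alongside the memory image taken with a standalone tool, not as a replacement for it.

```powershell
# Added example, not from the thread or the CAINE distro.
# Run from the write-blocked tools USB; writes ONLY to the evidence USB.
# Drive letters and the manifest name below are assumptions.
[CmdletBinding()]
param(
    [string]$ToolRoot     = 'E:\',   # write-blocked tools USB (assumed)
    [string]$EvidenceRoot = 'F:\'    # writable evidence USB (assumed)
)

$ErrorActionPreference = 'Stop'
$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir  = Join-Path $EvidenceRoot "${hostName}_$stamp"
New-Item -ItemType Directory -Path $caseDir | Out-Null

# Everything this session does is recorded on the evidence USB, not the host.
Start-Transcript -Path (Join-Path $caseDir 'triage_transcript.txt') | Out-Null

# 1. Verify the toolkit against a SHA-256 manifest built on a clean workstation.
#    Manifest format (assumed): one "<sha256>  <path relative to $ToolRoot>" per line.
#    A write blocker stops the host changing the USB; the manifest catches a
#    toolkit that was already wrong before it was plugged in.
function Test-ToolkitManifest {
    param([string]$Root, [string]$Manifest)
    $problems = @()
    foreach ($line in Get-Content -Path $Manifest) {
        if ($line -notmatch '^\s*([0-9a-fA-F]{64})\s+(.+?)\s*$') { continue }
        $expected = $Matches[1].ToLower()
        $file     = Join-Path $Root $Matches[2]
        if (-not (Test-Path -Path $file)) { $problems += "$file (missing)"; continue }
        $actual = (Get-FileHash -Algorithm SHA256 -Path $file).Hash.ToLower()
        if ($actual -ne $expected) { $problems += "$file (hash mismatch)" }
    }
    return $problems
}

$bad = Test-ToolkitManifest -Root $ToolRoot -Manifest (Join-Path $ToolRoot 'manifest.sha256')
if ($bad.Count -gt 0) {
    $bad | Out-File -FilePath (Join-Path $caseDir 'toolkit_integrity_FAILED.txt')
    Stop-Transcript | Out-Null
    throw 'Toolkit integrity check failed; see toolkit_integrity_FAILED.txt on the evidence USB'
}

# 2. Memory first. Run your standalone memory-capture tool from $ToolRoot here,
#    writing its output into $caseDir; its command line depends on the tool and
#    is deliberately not shown, because it differs per product.

# 3. Then the rest of the volatile data, most perishable first. Each query is a
#    separate file so a failure in one does not lose the others.
Get-Date -Format o | Out-File -FilePath (Join-Path $caseDir 'collection_time.txt')

Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $caseDir 'net_tcp.csv') -NoTypeInformation

Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -Path (Join-Path $caseDir 'processes.csv') -NoTypeInformation

Get-Service |
    Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -Path (Join-Path $caseDir 'services.csv') -NoTypeInformation

# Logical volumes present now, so the later dead-disk image can be matched up
# with what the live system was actually mounting.
Get-CimInstance -ClassName Win32_LogicalDisk |
    Select-Object DeviceID, DriveType, FileSystem, Size, FreeSpace, VolumeName, VolumeSerialNumber |
    Export-Csv -Path (Join-Path $caseDir 'logical_disks.csv') -NoTypeInformation

# 4. Hash every output so the evidence USB can later be shown to be unchanged.
#    The transcript is still open, so it is excluded and hashed by hand afterwards.
Get-ChildItem -Path $caseDir -File |
    Where-Object { $_.Name -notin @('evidence.sha256', 'triage_transcript.txt') } |
    ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower(), $_.Name
    } |
    Out-File -FilePath (Join-Path $caseDir 'evidence.sha256') -Encoding ascii

Stop-Transcript | Out-Null
```

The order matters: the toolkit check happens before anything is collected, memory is taken before the process and connection listings (which themselves perturb memory, as rich2005 notes), and the volume listing is kept so the disk image taken after power-off can be tied back to the live state. The script never writes to the target's own drives, which keeps the later dead-disk image as close as possible to what the host looked like when it was found.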
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

thanks again

I got the part that the tools on the USB had to be standalone executables, but because I was looking for a cheap way to create the write blocker part, I moved to CAINE.

I wanted to do the blocker part from software not hardware for money issues, do you have any recommendations here?

 
Posted : 05/09/2019 8:13 am
(@athulin)
Posts: 1156
Noble Member
 

I wanted to do the blocker part from software not hardware for money issues, do you have any recommendations here?

If you can't afford a USB write blocker, go with some other write-protected product.

Move the toolkit to a CD/DVD, and use a USB CD/DVD reader, for example.

It needs a little work in preparing the CD/DVD, but that shouldn't be a major hurdle.

(but again … ask the course makers. They may want to add that as an option and provide instruction for it …)

 
Posted : 05/09/2019 8:55 am