CAINE Provides Sturdy Support for Forensic Specialists

CAINE (Computer Aided INvestigative Environment) is a professional-grade digital forensic Linux distro. It pairs an old-school desktop environment with a hardened set of specialty tools. CAINE provides tight security and built-in digital investigation tools, but it is less inviting for non-forensic specialists to use as an everyday Linux desktop. It could still serve that purpose for users willing to put up with several interface inconveniences.

CAINE is an Italian GNU/Linux derivative built around a complete investigative environment, organized so that existing forensic software is integrated as modules behind a mostly friendly graphical interface.

CAINE 6.0 Dark Matter, the latest version, was released Oct. 7. It is based on Ubuntu 14.04.1 64-bit and boots on UEFI (including Secure Boot) as well as legacy BIOS systems.

CAINE 6.0 is built around Ubuntu 14.04 and the MATE desktop.

The included software is part of an interoperable environment that supports the four phases of the digital investigation: seizure, acquisition, analysis and reporting.

Rich Software Resources

CAINE comes bundled with more standard Linux programs than you usually find in general-purpose Linux distros. For the typical user, this means not spending time installing software packages for everyday computing tasks. When you need a program that is not preinstalled, CAINE gives access to the full Ubuntu software repositories through both the Ubuntu Software Center and the Synaptic Package Manager.

The traditional menu provides quick access to CAINE Linux’s specialized forensic tools and well-stocked array of standard Linux apps.

CAINE 6 comes with LibreOffice 4.3 and Firefox 32. It includes some of the most popular software for working with documents and other data, including the GIMP image editor, Shotwell, VLC Media Player, RecordMyDesktop and Rhythmbox.

This niche distro also bundles some impressive forensic applications. These include Guymager, a forensic imaging tool; Fred, a cross-platform Microsoft Windows registry hive editor; and iPhone Backup Analyzer, a tool for analyzing iOS backup data.

Some of these forensic tools are browser-based: their menu entries open the Mozilla Web browser in a new window. The Autopsy Forensic Browser entry, for example, opens a browser connection to Autopsy.

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used by law enforcement, military and corporate examiners to investigate what happened on a computer. It also can recover photos from a camera's memory card.

Other software included in the forensics bundle is freeware but not open source. In either case, the packages are tweaked to open with supervisor (root) privileges. This is a nice touch, since even the standard file manager tools are otherwise set by default to work in read-only mode.

The Forensics Tools category in the CAINE menu has 18 applications plus four subfolders with more specialty forensic tools: Memory Forensics, Database, Mobile Forensics and Network Forensics.

Numerous programs in these subfolders are command-line tools that open in terminal windows. Others could just as easily have been listed in the non-forensic categories, as is the case with the SQLite Database Viewer.

Key to getting the most specialty output from this distro is the interoperable environment. It tracks the data revealed in the digital analysis phase and feeds it into a semi-automated compilation of the final report.

Tricky Installation

The live DVD session runs well. It could be an ideal environment for knowledgeable users to work on computers in place at workstations or on systems brought to a central location for review.

Another option is to run CAINE in a USB-based live session. To do that, first download additional elements available from the developer’s website. Be sure to check out the tech notes for creating a pendrive installation.

CAINE 6.0 is less cooperative when installed on UEFI systems. That requires creating a small VFAT partition (the EFI system partition) and installing the whole system on a single partition with the mount point "/".

The hard drive installation also needs a workaround. CAINE uses the SystemBack installer, which is a bit quirky to use.

One issue with installing to the hard drive is that SystemBack cannot set up a swap partition. CAINE seemed to run fine without a swap partition. If you want one, you can add it after installation: boot a live DVD session, create the swap partition with GParted, and then add an entry for it to the installed system's /etc/fstab.

Look and Feel

CAINE Linux ships only the MATE desktop environment, a fork of GNOME 2. This is a good choice for a fast, reliable desktop: MATE keeps the no-frills, no-nonsense user interface of GNOME as it was before the GNOME 3 redesign.

Eye candy and fancy screen effects have little place in the strictly business routine of forensic techs and IT pros. The CAINE and MATE combination contributes to a smooth interface and straightforward desktop. The default setting for full panel bar transparency blends it right into the desktop's background, further extending the uncluttered appearance of the desktop.

The default setting for full panel transparency blends the panel bar into the desktop’s background.

The very functional GNOME 2-style panel sits across the bottom of the screen. Application icons pin easily to the panel or desktop for quick launch. Add the virtual workspace switcher applet to the panel for easy point-and-switch access.

CAINE Workarounds

The only real drawback I found with CAINE — besides the installation quirks — results from the need to address forensic issues. A bit of documentation reading will provide even inexperienced Linux users with ample workarounds.

For example, depending on your needs for a swap area on the hard drive, you will have to edit /usr/sbin/rbfstab to change the swap options. That requires a bit of reading of the tech notes.

Convenience suffers a bit from CAINE's mounting policy. CAINE does not automatically mount any device when it is inserted; you have to click the device's icon in Caja, the MATE file manager.

That mounts the device, for example an external USB hard drive, SD card or USB stick, but only in read-only mode. To gain write access, you will need to issue commands in a terminal window. Unless you are an experienced Linux/Unix user, that means another foray into technical documents.
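The two safeguards discussed above and under Tricky Installation, read-only mounting of attached devices and a disabled swap area, are the things an examiner should verify on any live system before touching evidence. The script below is an added example, not code from CAINE or from this review. It checks a mounts table (default /proc/mounts) for the "ro" option on a given mount point, checks a swaps table (default /proc/swaps) for any active swap area, and prints the mount command you would type in a terminal to mount a device by hand in a forensically conservative way. The function names and the mounts/swaps tables used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of CAINE or of this review. Two checks a forensic
# examiner wants before touching an attached device on a live system:
# (1) the device is mounted read-only, and (2) no swap is active, so the
# host's swap space is never written. Also builds the mount command to use
# when mounting a device by hand from a terminal.
# The mounts/swaps tables used in the demo are constructed, not captured.

# is_readonly_mount MOUNTPOINT [MOUNTS_FILE]
# Exit 0 if MOUNTPOINT is present in the mounts table with the "ro" option,
# 1 if it is writable or not mounted. MOUNTS_FILE defaults to /proc/mounts.
# /proc/mounts fields: device mountpoint fstype options dump pass
# (the last entry for a mountpoint wins, matching kernel overmount order;
# mountpoints containing spaces appear as \040 and are not handled here).
is_readonly_mount() {
    awk -v mp="$1" '
        $2 == mp {
            seen = 1; found = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { exit ((seen && found) ? 0 : 1) }
    ' "${2:-/proc/mounts}"
}

# swap_active [SWAPS_FILE]
# Exit 0 if at least one swap area is active, 1 if none. /proc/swaps has a
# header line followed by one line per active swap area.
swap_active() {
    awk 'NR > 1 && NF > 0 { n++ } END { exit ((n > 0) ? 0 : 1) }' "${1:-/proc/swaps}"
}

# ro_mount_cmd DEVICE MOUNTPOINT FSTYPE
# Print the mount command for a read-only, forensically conservative mount.
# noexec/nosuid/nodev keep anything on the evidence volume from running;
# noload (ext3/ext4 only) skips journal replay, which would otherwise write
# to the device even under "ro".
ro_mount_cmd() {
    opts="ro,noexec,nosuid,nodev"
    case "$3" in
        ext3|ext4) opts="$opts,noload" ;;
    esac
    echo "mount -t $3 -o $opts $1 $2"
}

# --- stand-alone demo on constructed tables (no real devices involved) ---
demo_mounts=$(mktemp)
demo_swaps=$(mktemp)
cat > "$demo_mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/evidence ext4 ro,noexec,nosuid,nodev,noload 0 0
/dev/sdc1 /media/usb vfat rw,nosuid,nodev 0 0
EOF
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$demo_swaps"

for mp in /media/evidence /media/usb; do
    if is_readonly_mount "$mp" "$demo_mounts"; then
        echo "$mp: read-only"
    else
        echo "$mp: WRITABLE, not safe for evidence"
    fi
done
if swap_active "$demo_swaps"; then
    echo "swap active: host swap may be modified"
else
    echo "no active swap"
fi
echo "to mount by hand: $(ro_mount_cmd /dev/sdb1 /mnt/evidence ext4)"
rm -f "$demo_mounts" "$demo_swaps"
```

Run it as-is to see the demo; on a real system call the functions without the second argument so they read /proc/mounts and /proc/swaps directly. The "ro" mount option alone is not enough for journaling filesystems, which is why the generated command adds noload for ext3/ext4; marking the block device itself read-only (for example with blockdev --setro) before mounting is a further precaution.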

Bottom Line

CAINE 6.0 is a near perfect OS for forensic and IT troubleshooters. It is a great choice for anyone curious about system integrity and computer security.

Users looking for a no-hassle Linux operating system no doubt will find CAINE 6.0 to be a very workable solution for most everyday computing tasks. Even without running any of the specialized forensic tools, CAINE provides a safe and secure computing environment typical of Linux in general.


Jack M. Germain has been writing about computer technology since the early days of the Apple II and the PC. He still has his original IBM PC-Jr and a few other legacy DOS and Windows boxes. He left shareware programs behind for the open source world of the Linux desktop. He runs several versions of Windows and Linux OSes and often cannot decide whether to grab his tablet, netbook or Android smartphone instead of using his desktop or laptop gear. You can connect with him on Google+.

1 Comment

  • Thank you for your review 🙂 I need only to highlight something:

    1) The swap file is deactivated for forensic purposes, because a forensic distro with the swap file activated could use the swap file of the host disk, changing it...it does not sound forensic proof....for this reason the swap file is deactivated by default.

    2) You can mount EASILY in writable mode; did you see the mounter tool? It is shown on the home page: at the bottom-left of the screen there is a green disk; if you click it with the second mouse button, you can change the mounting policy and the disk becomes red, then you can mount in writable mode....

    All the mountings are in GUI mode…you can do an entire forensic procedure with only one hand 😛

    3) It is normal that a forensic distro must not mount anything automatically...its purpose is to not touch anything...this is forensically sound 🙂

    Finally here is something else:
