CAINE v1.0 Released & Reviewed
It may be said that Linux distributions are like buses: we wait at the roadside and see many interesting things go by, yet when we are waiting for our favourite to come around the corner it seems an age and we worry we have missed it, and then, as the old adage goes, many turn up at once. Never has that been truer than now: Ubuntu has just had a new release, Fedora is currently in beta awaiting its finishing touches and, our feature presentation, CAINE has just turned the big one-point-zero.
- Summary
Italian-born “Computer Aided Investigative Environment” is an Ubuntu-based Live CD for collection, analysis and reporting, featuring many common tools to form a decent forensic toolkit. Most notably, a straightforward graphical front-end is included to guide users through the stages and - crucially, usefully - log the output of the called applications. Also noteworthy is the project’s Netbook edition, based on the USB edition. At the time of writing, however, this was unavailable, so this review concentrates on the (perhaps more widely used) Live CD version. I assume that my reader is familiar with the acquisition process and has previously used some of the applications included, such as dc3dd or AIR, as emphasis is not placed on them but on the environment in which they are run.
- Starting
The initial screen presented by CAINE is a customised GRUB boot-loader; it presents options to run the Live environment (in both full and safe graphics modes), install it using the standard Ubuntu installer, check the media for errors or continue to boot the computer as normal. I make a point of this because of one cosmetic feature: when an option has been selected, the menu appears to fade out to black. Tiny and insignificant, certainly, but it’s there in case you missed it. Other than this, the boot-loader… ummm… works. Good.

For some reason, the media check procedure is a hastily-added Crunchbang Linux feature, as the aesthetically-displeasing graphics show. I feel a simple text-based interface would have sufficed, as a defective disc is a defective disc; one could not do much to fix it.
Traditionally, Ubuntu(-based) distributions are hesitant to flood the user with messages as the system loads; they are often hidden behind a graphical splash containing a loading bar and a handful of text. CAINE rejects this and adopts the more techie-friendly method of line-by-line output. Perhaps this is a good thing, but a splash might make it seem more polished.
In fact, it is a good thing for one simple reason: it allows a user to see what is going on, and thus the boot process can be verified. To illustrate this point, one will notice a peculiar message is displayed, reading:
EXT2-fs warning (device: sda1) ext2-fill-super: mounting ext3 file-system as ext2

“Ahh! Mounting?! No!” may be your thoughts. Fear not; this simply means that the ext3 driver will be ignored when ext2 and ext3 partitions are mounted in the future and the ext2 driver used instead. This protects any ext3 partitions from a forensic point-of-view. Why? ext2 does not use journalling, so when an ext3 partition is mounted with the ext2 driver there is no danger of modifying the meta-data by updating the count inside said journal.

While we are on the subject of partitions: when they are mounted, the flags include ‘ro’ (read-only) and ‘loop’ (the loop-back device is used). The advantage of the ‘ro’ flag should be obvious but ‘loop’ perhaps not. By mounting an image file through the loop-back device, it can be treated as a physical disk. Another layer of read-only protection can be applied to the loop-back device. Furthermore, if a physical drive/partition is used, it should protect the meta-data. (I have not yet tested this, so please provide me with a more correct/accurate explanation if you have one!) While this is effective for image files, take heed with physical partitions:
Warning: When using a loop-back device, occasionally the ext2 file-system seems to get corrupted for no apparent reason. If you start getting errors in the middle of make_root_fs from sys() complaining that a directory doesn’t exist, this may be what is happening. I don’t know why this happens and I can’t reproduce it consistently; however, unmounting, deleting and re-creating the file seems to get rid of the problem. Source (from 1998, I cannot be sure how correct this is!)
I have been informed that this v1.0 release is the first CAINE to be fully forensically sound. This is due to modifications applied to the start-up procedures (the init scripts) and patches applied to file-system drivers. I have not yet tested this distro to as full a practical extent but hope to do so soon. I would imagine that the 1.0 milestone would be the perfect place to ensure such a claim is upheld!
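A practitioner reading the points above about the ‘ro’ flag and the ext2 driver will want a quick way to confirm, on a running system, that every evidence mount really is read-only and is not going through a journalling driver. The following POSIX shell script is an added example, not part of CAINE or of this review; it assumes the /proc/mounts line format and (my assumption, not a CAINE rule) that evidence partitions live under /media, and it uses a constructed sample mount table so it runs offline.

```shell
#!/bin/sh
# Added example, not part of CAINE: audit a mount table for evidence mounts that
# are not forensically sound: "ro" missing, or ext3/ext4 mounted without "noload"
# (the journal may then be replayed and meta-data modified at mount time).
# Assumes the /proc/mounts line format "<dev> <mountpoint> <fstype> <opts> 0 0"
# and (an assumption, not a CAINE rule) that evidence is mounted under /media.

# Constructed sample mount table so the script runs offline; on a live system
# call: audit_mounts "$(cat /proc/mounts)"
SAMPLE_MOUNTS='/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
/dev/sda1 /media/sda1 ext2 ro,nosuid,nodev 0 0
/dev/sdb1 /media/sdb1 ext3 rw,relatime 0 0
/dev/loop1 /media/image ext2 ro,nosuid,nodev 0 0
/dev/loop2 /media/image2 ext3 ro,noload 0 0
/dev/sdc1 /media/sdc1 ext4 ro 0 0'

# has_opt "<options>" "<opt>": succeed if opt is one of the comma-separated options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts "<mount table text>": print one line per unsound evidence mount;
# exit status 0 only if every evidence mount passed.
audit_mounts() {
    _bad=0
    while read -r dev mnt fstype opts _rest; do
        case "$mnt" in /media/*) ;; *) continue ;; esac   # evidence mounts only
        reasons=""
        has_opt "$opts" ro || reasons="$reasons not-read-only"
        case "$fstype" in
            ext3|ext4) has_opt "$opts" noload || reasons="$reasons journal-may-replay($fstype)" ;;
        esac
        if [ -n "$reasons" ]; then
            printf '%s on %s:%s\n' "$dev" "$mnt" "$reasons"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$1
EOF
    [ "$_bad" -eq 0 ]
}

audit_mounts "$SAMPLE_MOUNTS" || echo "unsound evidence mounts found"
```

Against the sample table the script reports /dev/sdb1 (mounted rw with the ext3 driver) and /dev/sdc1 (ext4 without noload), while the ext2 and ro,noload mounts pass.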
- Desktop

As in previous versions, the desktop interface is a customised GNOME, with a very Windows-like layout. The useful inclusion of the disk mounter applet, shown at the bottom-centre of the screen, is a list of partitions available on the system. Right-click one of those icons and you can mount it read-only. One bug surfaces here: upon mounting, the icon is duplicated. I suspect this is because the device holds both a ‘sda1’-type node and a loop0-type node, because of the use of the loop-back system. This does not matter on a practical level, however, because the node at ‘sda1’ is still perfectly accessible and is still applied through the loop-back system. The menu is boosted by a ‘Forensic Tools’ folder containing links to the range of applications bundled (described later). Many standard desktop applications are provided, including a word processor (AbiWord), a spreadsheet (Gnumeric) and sound & movie players. A decent inclusion lies in gtkRecordMyDesktop, which creates a video of the on-screen activity - useful for documentation and evidential proof. On the technical front, a partition editor (GParted) is included along with a network manager (wicd) and… not much else.
- Applications

The Forensic Tools folder is where the action is, quite literally. It is these applications that the distribution specialises in, and the vast majority are controlled by a leading feature: the CAINE Interface. This GTK+ application guides the user through the stages a forensic investigation may take. A tabbed interface appears after we enter the case and investigator names; each tab groups actions into image analysis, collection, system analysis and reporting. Each of these tabs simply launches various standard forensic applications and collects their output behind the scenes to present in a well-formed report. It may be a simple front-end that doesn’t do a lot of work, but it doesn’t need to; it simply needs to collate the output of each program and attach some personal notes, which it does very well. In my quick testing of image acquisition and analysis, I could not find any problems with the final RTF-formatted report. In fact, if the application is kept open and parts of the process are completed after the report is generated, this is noted by adding revision information.

The applications launched combine to create a good range of features. Acquisition can be performed using either a GTK+ or a Qt application, to local, network or removable media in a variety of formats; the analysis tools carry out interesting operations that may yield effective results. They provide a decent level of logging - some even log the command executed - to show activity, a standard practice if not a requirement.
There are a few problems with each application but these are arguably outside the concern of CAINE’s developers. For example, AIR displays only IDE disks in the menu but both IDE and SATA in the toolbar (which rests at the bottom of the window, for some UX-related reason?) when they should reflect each other. Guymager automatically appends an extension to the image file, compromising some flexibility. Documentation could be improved - arguably across the board - too.

One area of concern lies in the folder named “Bash Scripts”, which contains a handful of scripts to run inside a terminal window. At a quick glance, I cannot work out what they are for, and some of them do not work (the ddrescue and dc3dd contained in this folder are not even scripts but links, and return the error, “Too many levels of symbolic links,” on both display and execution). These are linked to both on the desktop and in the launcher menu, so one can assume they are of some usefulness or importance. One can run the commands themselves, referring to those stored in /usr/bin etc., but then I cannot see why these links exist!
As with many Live CD environments, memory usage is an issue. By running the free command inside a terminal window as soon as the desktop has loaded, we can see that nearly five hundred megabytes of RAM are used. Of course, swap is not activated either, so this cannot compensate. On my test system, this left behind six for my applications! One would imagine that this adversely affects the performance of the acquisition and hashing operations in particular, but I have not yet performed such tests. This will, however, decrease should the product be installed, an action I did not take during my testing.
- Conclusion
The first full release of CAINE fulfils nearly every requirement for an acquisition, analysis and reporting platform. It is apparently the first release to be fully forensically sound, thanks to the modifications applied to the start-up procedures. One may forgive the perhaps heavy desktop as it is a familiar one, but could argue that alternatives would serve satisfactorily. The applications included are all stable, useful and included for a purpose. One would hope that optimisation is on the developers’ minds for future releases.
- Post Updates
- 1st CAINE release to be fully forensically sound (31 Oct ‘09)
- init scripts & fs driver modifications (31 Oct ‘09)
- disambiguation (31 Oct ‘09)