The important news is that CAINE 12.4 blocks all block devices (e.g. /dev/sda) in Read-Only mode. You can use a GUI tool named Unblock, present on CAINE's Desktop.
IMPORTANT CHANGES:
All devices are blocked in Read-Only mode by default.
New tools, new OSINT, Autopsy 4.13 onboard, APFS ready, BTRFS forensic tool, NVME SSD drivers ready!
SSH server disabled by default (see Manual page for enabling it).
SCRCPY - screen your Android device
Autopsy 4.13 + additional plugins by McKinnon
X11VNC Server - to control CAINE remotely
hashcat
NEW SCRIPTS (Forensics Tools - Analysis menu):
AutoMacTc - a forensics tool for Mac
Bitlocker - volatility plugin
Autotimeliner - automagically extract a forensic timeline from volatile memory dumps
Firmwalker - firmware analyzer
CDQR - Cold Disk Quick Response tool
many other fixes and software updates.
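As an added example (not CAINE's own code and not part of the original page), the check below verifies before an acquisition that every block device actually carries the kernel's read-only flag, which is the state a write-block-by-default policy like the one described above should leave behind. It assumes a POSIX shell with awk and, on a live system, `lsblk -d -n -o NAME,RO` from util-linux; the device listings embedded in it are constructed samples, not output from any real CAINE session.

```shell
#!/bin/sh
# Added example: confirm that all block devices are read-only before imaging.
# Assumption: the write-block policy is visible as the per-device read-only
# flag that the kernel reports (the RO column of lsblk, or blockdev --getro).

# Reads "NAME RO" lines on stdin (RO is 1 for read-only, 0 for writable)
# and prints the names of the devices that are NOT read-only.
writable_devices() {
    awk 'NF >= 2 && $2 != "1" { print $1 }'
}

# Takes a listing as its first argument. Prints any writable device names
# and returns 1 if there are any; returns 0 when every device is read-only.
check_all_readonly() {
    found=$(printf '%s\n' "$1" | writable_devices)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# The same check against the running system (needs lsblk from util-linux;
# -d lists whole devices only, -n drops the header line).
check_live_system() {
    check_all_readonly "$(lsblk -d -n -o NAME,RO)"
}

# Constructed sample listings in the format that lsblk -d -n -o NAME,RO prints.
SAMPLE_ALL_RO='sda 1
sdb 1
nvme0n1 1'

SAMPLE_ONE_RW='sda 1
sdb 0
nvme0n1 1'

check_all_readonly "$SAMPLE_ALL_RO" && echo "sample 1: all devices read-only"
check_all_readonly "$SAMPLE_ONE_RW" || echo "sample 2: STOP, writable device(s) listed above"
```

On a live CAINE session, run `check_live_system` before starting an image; a device it reports as writable is a reason to stop and re-block it (with Unblock/BlockON/OFF, or by restoring the read-only policy in Mounter) rather than proceed. `blockdev --getro /dev/sdX` shows the same flag for a single device.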
------------------------------------------------
CAINE 10.0 INFINITY released 09/11/2018 (Updated 18/Dec/2018)
CHANGELOG CAINE 10.0 "INFINITY"
ADDED/CHANGED:
New tools, new OSINT, Autopsy 4.9.1 onboard, APFS ready, BTRFS forensic tool, NVME SSD drivers ready!
SSH server disabled by default (see Manual page for enabling it).
OSINT: Carbon14, OsintSpy added.
Mobile: gMTP and ADB added.
Added: Recoll, Afro, Stegosuite, etc. etc.
many other fixes and software updates.
Windows Side:
CAINE has got Windows IR/Live forensics tools. If you need it, you can use the IR/Live forensics framework you prefer by changing the tools on your pendrive.
Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, Windows File Analyzer, HibernationRecon by Arsenal Recon.
------------------------------------------------
CAINE 9.0 QUANTUM released 25/10/2017
CHANGELOG CAINE 9.0 "QUANTUM"
ADDED/CHANGED:
RegRipper, VolDiff, SafeCopy, PFF tools, pslistutil, mouseemu, NBTempoX
OSINT: Infoga, The Harvester, Tinfoleak
regfmount and libregf-utils installed
many more scripts and programs....
Windows Side:
Windows Side for Incident Response/Live Analysis on Windows systems.
Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, Windows File Analyzer.
------------------------------------------------
CAINE 8.0 BLAZAR released 30/10/2016
CHANGELOG CAINE 8.0 "BLAZAR"
ADDED/CHANGED:
IMG_MAP (image dd/raw and ewf mounter)
XAll 1.5
RecuperaBit
SQLParse
PEFrame
Yara
PDF analysis
MemDump
ADB and LibMobileDevice
Gigolo (network filesystem client)
Shrew (VPN manager)
wxHexEditor
Jeex
XRCed
PffLib
imount, vhdimount and vhdiinfo
samba
vblade
iscsitarget
hashdb
Tilda
trim disabled
many more scripts and programs....
Windows Side:
Win-UFO for Incident Response/Live Analysis on Windows systems. Win-UFO 6.0, but the tools are renewed and some tools have been removed; there are extra tools.

ADDED/CHANGED in CAINE 7.0:
The important news is that CAINE 7.0 blocks all block devices (e.g. /dev/sda) in Read-Only mode. You can use a GUI tool named BlockON/OFF present on CAINE's Desktop. This new write-blocking method assures that all disks are really preserved from accidental write operations, because they are locked in Read-Only mode. If you need to write to a disk, you can unlock it with BlockOn/Off or by using "Mounter" and changing the policy to writable mode.
fixed FMOUNT, XAll, BTCScan (Bitcoin scanner), Dmraid, okteta, x11vnc server, gvncviewer, ssh, openssh, wput, unBlock (block in RO/RW block devices), mount-nfs, scalpel 2.1, new peframe, damm, find_times, parse_VSS_RFC
4n6 scripts updated
quickhash updated
bleachbit, usnj, vshot, zulucrypt, ddrescue-gui, ddrescueView, dd utility, iloot, python_regparse, libmobiledevice, ifuse, ddrescueview, INDEXparse.py, Shellbags.py, evtxexport.py, extxinfo.py
NFS client
PDF Tools (pdf malware analysis)

ADDED/CHANGED in CAINE 6.0:
fixed password request in polkit
fixed password request in text mode and tty
Bash bug fixed (shellshock)
mount policy always in ro and loop mode
fstrim disabled (enable it by uncommenting the row in /etc/cron.weekly/fstrim)
autopsy patched by Maxim Suhanov: HFS directories handling fixed, Sun VTOC volume system handling fixed, incorrect timestamps (that are equal to zero) are handled as 01/01/1970 00:00:00
gzrt, dislocker, img_map, photorec gui, undbx, ddrescueview, gddrescue, disktype,
Peframe, Quickhash, BEViewer Bulk Extractor, Ddrutility, ataraw, frag_find
log2timeline plaso - supertimeline
tinfoleak, inception (memory dumper by firewire), volatility, 4n6-scripts

ADDED/CHANGED in CAINE 5.0:
Gimp, libfusedev, fileinfo 0.6, traceroute, sdpar, log2timeline 0.64, rdiff, mdbtool, undbx, readdbx, myrescue, libshadow, vshadowmount, zfs-fuse, fmount, rdd, unhide, ext3grep, e2undel recover, bulk_extractor, gzrecover, dislocker, undbx, aoetools, boot-repair, grub-customizer, Broadcom Corporation BCM4313 wireless card drivers

ADDED (Caine 4.0):
LibreOffice 4.0.1, Sqliteman, Sdparm, Remote Filesystem Mounter, netdiscover

ADDED (Caine 3.0):
Iphonebackupanalyzer, exiftool (Phil Harvey), tcpflow, tshark, john, wireshark, firefox, vinetto, mdbtool, gdisk, LVM2, Tcpdump, Mobius, QuickHash, SQLiteBrowser, FRED, Docanalyzer, nerohistanalyzer, knowmetanalyzer, EFrame, grokEVT, zenmap (nmap), blackberry tools, IDevice tools

The first CAINE tools list:
AIR 2.0.0 - Stands for Automated Image and Restore. AIR is a GUI front-end to dd and dc3dd designed for easily creating forensic bit images. Double hash.
Abiword - AbiWord is a free word processing program similar to Microsoft® Word. It is suitable for a wide variety of word processing tasks.
Autopsy - The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Autopsy features: Conduct File Listing, View File Content, Compare files in user-created or downloaded Hash Databases, File Type Sorting by internal signatures, Create a Timeline of File Activity, conduct Keyword Searches, File System Meta Data Analysis, Data Unit (File Content) Analysis in multiple formats, File System Image Details, Case Management of one or more host computers, Event Sequencer (allows you to add time-based events from other systems, i.e. firewall/IDS logs), Notes about the case, Image Integrity verification, Report Creation, Audit Logging of the investigation.
Afflib - The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. AFF is an open and extensible file format to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.
Ataraw - Linux user-level ATA raw command utility
AtomicParsley - AtomicParsley is a lightweight command line program for reading, parsing and setting metadata in MPEG-4 files
BBT.py - BBthumbs.dat parser (for BlackBerry)
Bkhive - bkhive is a tool to extract the Windows System key that is used to encrypt the hashes of the user passwords.
Bloom - NPS Bloom filter package (includes frag_find)
ByteInvestigator - A suite of bash scripts by Tony Rodriguez
Bulk Extractor - Bulk Email and URL extraction tool
Cryptcat - Cryptcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
Chntpw - This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc. system.
There is also a registry editor and other registry utilities that work under Linux/Unix and can be used for other things than password editing.
Epiphany - Web Browser
Disk Utility - Disk manager
DMIDecode - reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard
dos2unix - DOS/MAC to UNIX text file format converter
Ddrescue - ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to
Dcfldd - dcfldd is an enhanced version of GNU dd with features useful for forensics and security. dcfldd can hash the input data as it is being transferred, helping to ensure data integrity; verify that a target drive is a bit-for-bit match of the specified input file or pattern; output to multiple files or disks at the same time; split output to multiple files with more configurability than the split command; and send all its log data and output to commands as well as files natively.
dc3dd - dc3dd is a patched version of GNU dd that includes a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd. dc3dd can write a single hexadecimal value or a text string to the output device for wiping purposes. Piecewise and overall hashing with multiple algorithms and variable size windows; supports MD5, SHA-1, SHA-256, and SHA-512; hashes can be computed before or after conversions are made. Progress meter with automatic input/output file size probing. Combined log for hashes and errors. Error grouping: produces one error message for identical sequential errors. Verify mode: able to repeat any transformations done to the input file and compare it to an output. Ability to split the output into chunks with numerical or alphabetic extensions.
Dvdisaster - dvdisaster stores data on CD/DVD/BD (supported media) in a way that it is fully recoverable even after some read errors have developed.
This enables you to rescue the complete data to a new medium.
Exif - The Exchangeable image file format (Exif) is an image file format which adds or reveals lots of metadata to or from existing image formats, mainly JPEG.
Foremost - Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive.
FileInfo - Jpeg and P32 analyzer
FiWalk - File and Inode Walk Program
Fundl 2.0 - This is a selective deleted file retriever with HTML reporting. It is TSK based.
FKLook - This script can be used to search for a keyword in many files; it copies only the files that have a matching keyword to a separate directory of your choosing.
Fod - FOD stands for Foremost Output Divide. This is a script for splitting the contents of foremost output directories into subdirectories with a defined number of files for each file format.
Fatback - A program for recovering files from FAT file systems.
GCalcTool - 'gcalctool' is the desktop calculator.
Geany - Geany is a text editor.
Gparted - The GParted application is a partition editor for creating, reorganizing, and deleting disk partitions.
gtk-recordmydesktop - recordMyDesktop is a desktop session recorder that attempts to be easy to use, yet also effective at its primary task.
Galleta - Galleta is an Internet Explorer Cookie Forensic Analysis Tool. Galleta was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
Gtkhash - A GTK+ utility for computing message digests or checksums using the mhash library. Currently supported hash functions include MD5, SHA1, SHA256, SHA512, RIPEMD, HAVAL, TIGER and WHIRLPOOL.
Guymager - guymager is a forensic imager for media acquisition.
HDSentinel - Monitoring hard disk health and temperature.
Test and repair HDD problems and predict failures. Prevent data loss by automatic and scheduled backup.
Hex Editor (Ghex) - GHex is a hex editor for GNOME. GHex allows the user to load data from any file and view and edit it in either hex or ASCII.
HFSutils - HFS is the “Hierarchical File System,” the native volume format used on modern Macintosh computers. hfsutils is the name of a comprehensive software package being developed to permit manipulation of HFS volumes from UNIX and other systems.
LRRP - LRRP is a bash script for gathering information on the devices you need to acquire for making a forensic image file.
Libewf - Libewf is a library for support of the Expert Witness Compression Format (EWF); it supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read and write media information within the EWF files.
Lnk-parse - This is a perl script for parsing *.lnk files
lnk.sh - Analysis of Windows LNK files
Log2Timeline - log2timeline, a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators/analysts.
liveusb
mork.pl - This is a perl script for reading Firefox history data
MC - The Midnight Commander, useful for text-only boot
MD5deep - md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is able to recursively examine an entire directory tree. md5deep can accept a list of known hashes and compare them to a set of input files, and more.
md5sum - compute and check MD5 message digest
Nautilus Scripts - Live Preview Nautilus scripts... they do many things.
NBTempo - Timeline maker GUI
ntfs-3g - NTFS-3G is a stable read/write NTFS driver for Linux, Mac OS X, FreeBSD, NetBSD, OpenSolaris, QNX, Haiku, and other operating systems. It provides safe and fast handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 file systems.
Offset_Brute_Force - This shell script will brute force the partition offset looking for a hidden partition and try to mount it.
Pasco - Pasco is an Internet Explorer activity forensic analysis tool. Pasco was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
Photorec - PhotoRec recovers files from the unallocated space using file type-specific header and footer values.
Read_open_xml - Read MS Office metadata
Reglookup - RegLookup is a small command line utility for reading and querying Windows NT-based registries. Currently the program allows one to read an entire registry and output it in a (mostly) standardized, quoted format. It also provides features for filtering of results based on registry path and data type.
Rifiuti - Rifiuti is a Recycle Bin Forensic Analysis Tool. Rifiuti was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.
Rifiuti2 - As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to the English version of Windows (it fails to analyze any non-Latin character), hence this rewrite. It also supports Windows file names in any language, supports the Vista and Windows 2008 “$Recycle.Bin” (no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.
Readpst - readpst converts PST (MS Outlook Personal Folders) files to mbox and other formats.
Scalpel - Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
SQLJuicer - Perl script that lists database CRUD transactions, parsing SQL Server transaction log entities
SFDumper 2.2 - SFDumper is a selective file retriever; it works on active, deleted and carved files. It can do a keyword search among the files retrieved. It is TSK based.
SSDeep - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
SSHFS and SMBFS
Stegbreak - Tool for extracting steganographic content in images.
Storage Device Manager - Another GUI mount manager.
Smartmontools - The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advanced warning of disk degradation and failure. Smartmontools automatically reports and highlights any anomalies; allows enabling/disabling SMART; allows enabling/disabling Automatic Offline Data Collection (a short self-check that the drive will perform automatically every four hours with no impact on performance); supports configuration of global and per-drive options for smartctl; performs SMART self-tests; displays drive identity information, capabilities, attributes, and self-test/error logs; can read in smartctl output from a saved file, interpreting it as a read-only virtual device; works on most smartctl-supported operating systems; has extensive help information.
sha256sum - compute and check SHA256 message digest
Steghide - Steghide is a steganography program that is able to embed or extract data in various kinds of image and audio files.
Shred - delete a file securely, first overwriting it to hide its contents
sha512sum - compute and check SHA512 message digest
Testdisk - TestDisk was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).
TheSleuthKit - The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.
TSK_Gui - Another Sleuthkit GUI
Tigerdeep - tigerdeep computes Tiger message digests
Tableau-Parm - tableau-parm is a small command line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under select UNIX platforms.
Tkdiff - tkdiff is a graphical front end to the diff program. It provides a side-by-side view of the differences between two files, along with several innovative features such as diff bookmarks and a graphical map of differences for quick navigation.
Userassist - This is a perl script offline parser for the “UserAssist” registry key.
VLC - VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs, VCDs, and various streaming protocols.
Whirlpooldeep - Compute Whirlpool message digests
Wipe - Wipe is a secure file wiping utility.
Xhfs - xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes.
Xdeview - XDeview is a smart decoder for attachments that you have received in encoded form via electronic mail or from the usenet.
XNView - Image viewer
XMount and XMount-Gui - Virtual file systems creator
XSteg - GUI stegdetect interface
Tools and packages included in WinTaylor: many NIRSOFT tools and NirsoftMegaReport by Nanni Bassetti, SysInternals tools, FTK Imager, RAM dump tools, Net tools and many others.