
sumeshi_kun

Disk Preservation Using the Forensic Linux "C.A.IN.E."

Overview

As the name suggests, C.A.IN.E. (Computer Aided Investigative Environment) is an investigative support environment for PCs. Several Linux distributions are designed for forensics, but C.A.IN.E. stands out because it is purpose-built for that work, intuitive to use, and comes with well-organized documentation. I personally recommend it.

In this article, I will cover how to preserve disk images of devices under forensic investigation using C.A.IN.E.

https://www.caine-live.net/

I have also experimented with the Tsurugi and Paladin versions.

C.A.IN.E. is an Ubuntu-based OS.

Launch

In this article, I will focus on C.A.IN.E. 13.0 "WARP". After downloading, make sure to check the hash value:

certutil -hashfile caine13.0.iso sha256
SHA256 hash of caine13.0.iso:
6d25180757d6a8a71e98706009d7a9ba3613131727fc96c2037d78bbd4c8ce3a
CertUtil: -hashfile command completed successfully.

In practice, you'd likely boot from USB on the target device, but for explanatory purposes, I will use VMware this time.

Preservation Procedure

The official website provides instructions on how to preserve image files. Please refer to it as well:
Imaging with CAINE

In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved. It's small at 64GB (compressed to 80MB), making it convenient for testing.

Preparation

First, set the time zone to match your local region. Also, record every action taken during preservation together with its timestamp. For detailed guidelines, refer to the guidance published by trusted organizations.
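The preparation step asks for a record of actions and their timestamps. As an added example (not part of the original article, nor a CAINE tool), here is a small Python hash-chained log in which each entry commits to the hash of the previous one, so a later edit to any entry is detectable; the device paths, timestamps and image bytes in the demo are constructed.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a file object (or bytes) in chunks so a multi-GB image never has to fit in RAM."""
    if isinstance(stream, bytes):
        stream = io.BytesIO(stream)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    fields = {k: entry[k] for k in ("timestamp_utc", "action", "detail", "prev_hash")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def log_action(entries, action, detail="", now=None):
    """Append a UTC-timestamped entry that commits to the previous entry's hash."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"timestamp_utc": ts, "action": action, "detail": detail,
             "prev_hash": entries[-1]["entry_hash"] if entries else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    entries.append(entry)
    return entry


def verify_log(entries):
    """Return the index of the first entry whose chain link or hash fails, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1


def demo_log():
    """Walk through the article's steps with constructed paths, times and image data."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    fake_image = b"constructed stand-in for the acquired image bytes"
    entries = []
    log_action(entries, "mount_source_readonly", "/dev/sdb via CAINE Mounter", now=t0)
    log_action(entries, "mount_destination_writable", "/dev/sdc1", now=t0.replace(minute=2))
    log_action(entries, "acquire", "Guymager, E01, 2GB segments", now=t0.replace(minute=5))
    log_action(entries, "image_sha256", sha256_of_stream(fake_image), now=t0.replace(minute=40))
    return entries
```

Running verify_log over the saved entries after the case is closed shows whether the record is still the one written during acquisition.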

Mounting the Disk

Click the Mounter (the green HDD icon at the bottom right of the screen) to mount the preservation target. Using the Mounter ensures the disk is mounted in ReadOnly mode, so nothing on the evidence disk is altered.

Here, the target for preservation is Test_volume.

Next, set up the destination for the image. Prepare a disk larger than the preservation image (128GB), partition it, and then right-click the Mounter icon to switch to Writable mount mode.

Be cautious: any disk mounted from this point on will be in Writable mode. As before, select the disk and click OK, then confirm that it is mounted as Writable.

Preservation

Use Guymager to perform the image preservation. Right-click /dev/sdb, the target disk, and select Acquire Image.

While there are various settings available, I will proceed with mostly the defaults. The image will be saved in E01 format, split into 2GB segments.

Click Start to begin the disk preservation. The progress will be displayed.

Confirmation

Once the preservation is complete, you can verify that the .E01 segment files and a .info file have been saved to the specified disk.

The .info file records the version of Guymager used, the acquisition details, and the hash value of the preserved image.

Conclusion

By using C.A.IN.E., I was able to preserve the disk easily through a GUI. It includes essential features such as a default ReadOnly mount mode, showing that it is developed with real forensic use in mind.

Personally, I find it quite user-friendly, so having a Live boot USB ready and handy might be a good idea.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/a497f834ce1bbc
