Tools and packages included in CAINE Live DVD


CAINE 11.0 "Wormhole" 64bit - Official CAINE GNU/Linux distro latest release.
IMPORTANT CHANGES:

All devices are blocked in Read-Only mode, by default.
New tools, new OSINT, Autopsy 4.13 onboard, APFS ready, BTRFS forensic tool, NVMe SSD drivers ready!
SSH server disabled by default (see Manual page for enabling it).
SCRCPY - mirror the screen of your Android device.
Autopsy 4.13 + additional plugins by McKinnon.
X11VNC Server - to control CAINE remotely.
hashcat
NEW SCRIPTS (Forensics Tools - Analysis menu)

AutoMacTc - a forensics tool for Mac.
Bitlocker - volatility plugin
Autotimeliner - Automagically extract forensic timeline from volatile memory dumps.
Firmwalker - firmware analyzer.
CDQR - Cold Disk Quick Response tool

Many other fixes and software updates.

------------------------------------------------

ADDED/CHANGED:

CAINE 10.0 INFINITY released 09/11/2018 (Updated 18/Dec/2018)

CHANGELOG CAINE 10.0 "INFINITY"

New tools, new OSINT, Autopsy 4.9.1 onboard, APFS ready, BTRFS forensic tool, NVMe SSD drivers ready!

SSH server disabled by default (see Manual page for enabling it).

OSINT: Carbon14, OsintSpy added.
Mobile: gMTP and ADB added.
Added: Recoll, Afro, Stegosuite, etc.
Many other fixes and software updates.

win-side

CAINE ships with a set of Windows IR/Live forensics tools.
If you need a different one, you can use the IR/Live forensics framework you prefer by changing the tools on your pendrive.
Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, Windows File Analyzer.
HibernationRecon by Arsenal Recon
------------------------------------------------

CAINE 9.0 QUANTUM released 25/10/2017

CHANGELOG CAINE 9.0 "QUANTUM"

ADDED/CHANGED:

RegRipper, VolDiff, SafeCopy, PFF tools, pslistutil, mouseemu, NBTempoX, OSINT: Infoga, The Harvester, Tinfoleak; regfmount and libregf-utils installed.
Many more scripts and programs.

Windows Side:


Windows side for Incident Response/Live Analysis on Windows systems.
Tools: Nirsoft suite + launcher, WinAudit, MWSnap, Arsenal Image Mounter, FTK Imager, Hex Editor, JpegView, Network tools, NTFS Journal viewer, Photorec & TestDisk, QuickHash, NBTempoW, USB Write Protector, VLC, Windows File Analyzer.

------------------------------------------------

CAINE 8.0 BLAZAR released 30/10/2016

CHANGELOG CAINE 8.0 "BLAZAR"

ADDED/CHANGED:

IMG_MAP (image dd/raw and ewf mounter)
XAll 1.5
RecuperaBit
SQLParse
PEFrame
Yara
PDF analysis
MemDump
ADB and LibMobileDevice
Gigolo (network filesystem client)
Shrew (VPN manager)
wxHexEditor
Jeex
XRCed
PffLib
imount, vhdimount and vhdiinfo
samba
vblade
iscsitarget
hashdb
Tilda
trim disabled
Many more scripts and programs.

Windows Side:


Win-UFO for Incident Response/Live Analysis on Windows systems.
Based on Win-UFO 6.0, but the tools have been renewed, some tools have been removed, and extra tools have been added.
------------------------------------------------

ADDED/CHANGED in CAINE 7.0:

The important news is that CAINE 7.0 locks all block devices (e.g. /dev/sda) in Read-Only mode. You can manage this with a GUI tool named BlockON/OFF on CAINE's Desktop.
This new write-blocking method ensures that all disks are protected from accidental write operations, because they are locked in Read-Only mode at the block-device level.
If you need to write to a disk, you can unlock it with BlockOn/Off, or use "Mounter" and change the policy to writable mode.


fixed FMOUNT
XAll
BTCScan (Bitcoin scanner)
dmraid
okteta
x11vnc server
gvncviewer
ssh
openssh
wput
unBlock (block in RO/RW block devices)
mount-nfs
scalpel 2.1
new peframe
damm
find_times
parse_VSS_RFC
4n6 scripts updated
quickhash updated
bleachbit
usnj
vshot
zulucrypt
ddrescue-gui
ddrescueView
dd utility
iloot
python_regparse
libmobiledevice
ifuse
ddrescueview
INDEXparse.py, Shellbags.py, evtxexport.py, extxinfo.py
NFS client
PDF Tools (pdf malware analysis)

ADDED/CHANGED in Caine 6.0:

fixed password request in polkit
fixed password request in text mode and tty
Bash "shellshock" bug fixed
mount policy always in ro and loop mode
fstrim disabled (enable uncommenting the row in /etc/cron.weekly/fstrim)
autopsy patched by Maxim Suhanov:
(HFS directories handling fixed;
Sun VTOC volume system handling fixed;
incorrect timestamps (equal to zero) are handled as 01/01/1970 00:00:00)
gzrt
dislocker
img_map
photorec gui
undbx
ddrescueview
gddrescue
disktype
Peframe
quickhash
BEViewer Bulk Extractor
ddrutility
ataraw
frag_find
log2timeline plaso - supertimeline
tinfoleak
inception memory dumper by firewire
volatility
4n6-scripts

ADDED/CHANGED in CAINE 5.0:

gimp
libfusedev
fileinfo 0.6
traceroute
sdparm
log2timeline 0.64
rdiff
mdbtool
undbx
readdbx
myrescue
libshadow vshadowmount
zfs-fuse
fmount
rdd
unhide
ext3grep
e2undel
recover
bulk_extractor
gzrecover
dislocker
undbx
aoetools
boot-repair
grub-customizer
Broadcom Corporation BCM4313 wireless card drivers



ADDED (Caine 4.0):
LibreOffice 4.0.1
Sqliteman
Sdparm
Remote Filesystem Mounter
netdiscover

ADDED (Caine 3.0)

iphonebackupanalyzer
exiftool (by Phil Harvey)
tcpflow
tshark
john
wireshark
firefox
vinetto
mdbtool
gdisk
LVM2
tcpdump
Mobius
QuickHash
SQLiteBrowser
FRED
docanalyzer
nerohistanalyzer
knowmetanalyzer
PEFrame
grokEVT
zenmap (nmap)
blackberry tools
IDevice tools

The first CAINE's tools list:
(Special thanks to Joetekno for this list)
-----------------------------------------------------------

AIR 2.0.0
Stands for Automated Image and Restore.
AIR is a GUI front-end to dd and dc3dd designed for easily creating forensic bit-for-bit images, with double hashing of the output.

-----------------------------------------------------------

Abiword
AbiWord is a free word processing program similar to Microsoft® Word. It is suitable for a wide variety of word processing tasks.

-----------------------------------------------------------

Autopsy
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Capabilities: file listing, viewing file content, comparing files against user-created or downloaded hash databases, file type sorting by internal signatures, creating a timeline of file activity, keyword searches, file system metadata analysis, data unit (file content) analysis in multiple formats, file system image details, case management of one or more host computers, an event sequencer for adding time-based events from other systems (e.g. firewall/IDS logs), case notes, image integrity verification, report creation, and audit logging of the investigation.

-----------------------------------------------------------

Afflib
The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.

-----------------------------------------------------------

Ataraw
Linux user-level ATA raw command utility
-----------------------------------------------------------

AtomicParsley
AtomicParsley is a lightweight command line program for reading, parsing and setting metadata in MPEG-4 files.

-----------------------------------------------------------

BBT.py
BBthumbs.dat parser (for BlackBerry)
-----------------------------------------------------------

Bkhive
bkhive is a tool to extract the Windows System key (syskey) that is used to encrypt the hashes of the user passwords stored in the SAM hive.

-----------------------------------------------------------

Bloom
NPS Bloom filter package (includes frag_find)
-----------------------------------------------------------
ByteInvestigator
A suite of bash scripts by Tony Rodriguez

----------------------------------------------------------
Bulk Extractor
Bulk Email and URL extraction tool

-----------------------------------------------------------
Cryptcat
Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
-----------------------------------------------------------

Chntpw
This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc. system. It also includes a registry editor and other registry utilities that work under Linux/Unix and can be used for other things than password editing.

-----------------------------------------------------------
Epiphany
Web Browser

-----------------------------------------------------------

Disk Utility
Disk manager

-------------------------------------------------------------
DMIDecode
Reports information about your system's hardware as described in the system BIOS according to the SMBIOS/DMI standard.

-----------------------------------------------------------
dos2unix
dos2unix - DOS/Mac to UNIX text file format converter

-----------------------------------------------------------

Ddrescue
ddrescue is a data recovery tool. It copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying hard to rescue data in case of read errors.

-----------------------------------------------------------

Dcfldd
dcfldd is an enhanced version of GNU dd with features useful for forensics and security. dcfldd can hash the input data as it is being transferred, helping to ensure data integrity; verify that a target drive is a bit-for-bit match of the specified input file or pattern; output to multiple files or disks at the same time; split output to multiple files with more configurability than the split command; and send all its log data and output to commands as well as files natively.

-----------------------------------------------------------

dc3dd
dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
dc3dd can write a single hexadecimal value or a text string to the output device for wiping purposes. It offers piecewise and overall hashing with multiple algorithms and variable size windows (MD5, SHA-1, SHA-256, and SHA-512), and hashes can be computed before or after conversions are made. Other features: a progress meter with automatic input/output file size probing; a combined log for hashes and errors; error grouping, producing one error message for identical sequential errors; a verify mode, able to repeat any transformations done to the input file and compare it to an output; and the ability to split the output into chunks with numerical or alphabetic extensions.

-----------------------------------------------------------

Dvdisaster
dvdisaster stores data on CD/DVD/BD (supported media) in a way that it is fully recoverable even after some read errors have developed. This enables you to rescue the complete data to a new medium.

-----------------------------------------------------------

Exif
The Exchangeable image file format (Exif) is a metadata format embedded in existing image formats, mainly JPEG; this tool reads and writes that metadata.

-----------------------------------------------------------

Foremost
Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, SafeBack, EnCase, etc., or directly on a drive.

-----------------------------------------------------------
FileInfo
Jpeg and P32 analyzer

-----------------------------------------------------------
FiWalk
File and Inode Walk Program

-----------------------------------------------------------
Fundl 2.0
This is a selective deleted-file retriever with HTML reporting. It is TSK based.

-----------------------------------------------------------

FKLook
This script searches for a keyword in many files and copies only the files that match the keyword to a separate directory of your choosing.

-----------------------------------------------------------

Fod
FOD stands for Foremost Output Divide. This is a script for splitting the contents of Foremost output directories into subdirectories with a defined number of files for each file type.

-----------------------------------------------------------

Fatback
A program for recovering files from FAT file systems.

-----------------------------------------------------------

GCalcTool
'gcalctool' is the desktop calculator.

-----------------------------------------------------------

Geany
Geany is a text editor.

-----------------------------------------------------------

Gparted
The GParted application is a partition editor for creating, reorganizing, and deleting disk partitions.

-----------------------------------------------------------

gtk-recordmydesktop
recordMyDesktop is a desktop session recorder that attempts to be easy to use, yet also effective at its primary task.

-----------------------------------------------------------

Galleta
Galleta is an Internet Explorer cookie forensic analysis tool. Galleta was developed to examine the contents of cookie files: it parses the information in a cookie file and outputs the results in a field-delimited format so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Gtkhash
A GTK+ utility for computing message digests or checksums using the mhash library. Currently supported hash functions include MD5, SHA1, SHA256, SHA512, RIPEMD, HAVAL, TIGER and WHIRLPOOL.

-----------------------------------------------------------

Guymager
guymager is a forensic imager for media acquisition.

-----------------------------------------------------------
HDSentinel
Monitoring hard disk health and temperature. Test and repair HDD problems and predict failures. Prevent data loss by automatic and scheduled backup
-----------------------------------------------------------
Hex Editor (Ghex)
GHex - a hex editor for GNOME
GHex allows the user to load data from any file and view and edit it in either hex or ASCII.

-----------------------------------------------------------
HFSutils
HFS is the "Hierarchical File System," the native volume format used on modern Macintosh computers. hfsutils is the name of a comprehensive software package being developed to permit manipulation of HFS volumes from UNIX and other systems.

-----------------------------------------------------------

LRRP
LRRP is a bash script for gathering information on the devices you need to acquire before making a forensic image file.

-----------------------------------------------------------

Libewf
Libewf is a library for support of the Expert Witness Compression Format (EWF); it supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read and write media information within EWF files.

-----------------------------------------------------------

Lnk-parse
This is a Perl script for parsing Windows *.lnk (shortcut) files.

-----------------------------------------------------------

lnk.sh
Analysis of Windows LNK files

-----------------------------------------------------------

Log2Timeline
log2timeline is a framework for automatic creation of a super timeline. Its main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts.
-----------------------------------------------------------

liveusb

-----------------------------------------------------------

mork.pl
This is a Perl script for reading Firefox history data stored in the Mork format.

-----------------------------------------------------------

MC
The Midnight Commander file manager, useful for text-only boot.

-----------------------------------------------------------

MD5deep
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is able to recursively examine an entire directory tree, can accept a list of known hashes and compare them to a set of input files, and more.

-----------------------------------------------------------

md5sum
md5sum - compute and check MD5 message digest

-----------------------------------------------------------
Nautilus Scripts
Live Preview Nautilus scripts; they perform many tasks from the file manager's context menu.

-----------------------------------------------------------
NBTempo
Timeline maker GUI

-----------------------------------------------------------

ntfs-3g
NTFS-3G is a stable read/write NTFS driver for Linux, Mac OS X, FreeBSD, NetBSD, OpenSolaris, QNX, Haiku, and other operating systems. It provides safe and fast handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 file systems. (Note that CAINE's default mount policy is read-only; see the CAINE 7.0 notes above.)

-----------------------------------------------------------

Offset_Brute_Force
This shell script brute-forces the partition offset, looking for a hidden partition, and tries to mount it.

-----------------------------------------------------------

Pasco
Pasco is an Internet Explorer activity forensic analysis tool. Pasco was developed to examine the contents of Internet Explorer's cache files: it parses the information in an index.dat file and outputs the results in a field-delimited format so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Photorec
PhotoRec recovers files from the unallocated space using file type-specific header and footer values.

-----------------------------------------------------------
Read_open_xml
Read MS Office metadata

-----------------------------------------------------------
Reglookup
RegLookup is a small command line utility for reading and querying Windows NT-based registries. Currently the program allows one to read an entire registry and output it in a (mostly) standardized, quoted format. It also provides features for filtering results based on registry path and data type.

-----------------------------------------------------------

Rifiuti
Rifiuti is a Recycle Bin forensic analysis tool. Rifiuti was developed to examine the contents of the INFO2 file in the Recycle Bin: it parses the information in an INFO2 file and outputs the results in a field-delimited format so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Rifiuti2
As its name indicates, rifiuti2 is a rewrite of Rifiuti. Rifiuti (last updated 2004) is restricted to English versions of Windows (it fails to analyze any non-Latin character), hence this rewrite. rifiuti2 supports Windows file names in any language; supports the Vista and Windows 2008 "$Recycle.Bin" layout (which no longer uses an INFO2 file); enables localization (that is, it is translatable) by using glib; performs more rigorous error checking; and supports output in XML format.

-----------------------------------------------------------

Readpst
readpst converts PST (MS Outlook Personal Folders) files to mbox and other formats.

-----------------------------------------------------------

Scalpel
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

-----------------------------------------------------------

SQLJuicer
Perl script that lists database CRUD transactions by parsing SQL Server transaction log entries.
-----------------------------------------------------------

SFDumper 2.2
SFDumper is a selective file retriever; it works on active, deleted and carved files. It can do a keyword search among the files retrieved. It is TSK based.

-----------------------------------------------------------
SSDeep
ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.

-----------------------------------------------------------

SSHFS and SMBFS

-----------------------------------------------------------
Stegbreak
Tool for extracting steganographic content in images.

------------------------------------------------------------

Storage Device Manager
Another GUI mount manager.

------------------------------------------------------------


Smartmontools
The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advance warning of disk degradation and failure.
The bundled GUI automatically reports and highlights any anomalies; allows enabling/disabling SMART; allows enabling/disabling Automatic Offline Data Collection (a short self-check that the drive will perform automatically every four hours with no impact on performance); supports configuration of global and per-drive options for smartctl; performs SMART self-tests; displays drive identity information, capabilities, attributes, and self-test/error logs; can read in smartctl output from a saved file, interpreting it as a read-only virtual device; works on most smartctl-supported operating systems; and has extensive help information.

-----------------------------------------------------------

sha256sum
sha256sum - compute and check SHA256 message digest

-----------------------------------------------------------

Steghide
Steghide is a steganography program that is able to embed or extract data in various kinds of image and audio files.

-----------------------------------------------------------

Shred
shred - delete a file securely, first overwriting it to hide its contents

-----------------------------------------------------------

sha512sum
sha512sum - compute and check SHA512 message digest

-----------------------------------------------------------

Testdisk
TestDisk was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).

-----------------------------------------------------------

TheSleuthKit
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.


-----------------------------------------------------------

TSK_Gui
Another Sleuthkit GUI
-----------------------------------------------------------

Tigerdeep
tigerdeep - compute Tiger message digests

-----------------------------------------------------------

Tableau-Parm
tableau-parm is a small command-line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under select UNIX platforms.

-----------------------------------------------------------

Tkdiff
tkdiff is a graphical front end to the diff program. It provides a side-by-side view of the differences between two files, along with several innovative features such as diff bookmarks and a graphical map of differences for quick navigation.

-----------------------------------------------------------

Userassist
This is a Perl script for offline parsing of the "UserAssist" registry key.

-----------------------------------------------------------

VLC
VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

-----------------------------------------------------------

Whirlpooldeep
whirlpooldeep - compute Whirlpool message digests

-----------------------------------------------------------

Wipe
Wipe is a secure file wiping utility.

-----------------------------------------------------------

Xhfs
xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes.

-----------------------------------------------------------

Xdeview
XDeview is a smart decoder for attachments that you have received in encoded form via electronic mail or from Usenet.
-----------------------------------------------------------
XNView
Image viewer
-----------------------------------------------------------
XMount and XMount-Gui
Virtual file systems creator

-----------------------------------------------------------

XSteg
GUI stegdetect interface
-----------------------------------------------------------


Tools and packages included in WinTaylor

  • Many NIRSOFT tools and NirsoftMegaReport by Nanni Bassetti.
  • SysInternals tools
  • FTK Imager
  • RAM dump tools
  • Net tools
  • and many others...