From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Graphic Desktop Environment of CAINE Linux.

CAINE Linux stands for computer aided investigative environment and is an Italian Linux live distribution. It started as a digital forensics project.[when?]


CAINE is a professional open source forensic platform that integrates software tools as modules along with powerful scripts in a graphical interface environment.[1] Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigate process (preservation, collection, examination and analysis).[2][3] CAINE is a live Linux distribution so it can be booted from removable media (flash drive) or from an optical disk and run in memory.[4] It can also be installed onto a physical or virtual system. In Live mode, CAINE can operate on data storage objects without having to boot up a supporting operating system. The latest version 9.0 can boot on UEFI/UEFI+Secure and Legacy BIOS allowing CAINE to be used on information systems that boot older operating systems (e.g. Windows NT) and newer platforms (Linux, Windows 10).


CAINE is based on Ubuntu 16.04 64-bit, using Linux kernel 4.4.0-97. CAINE system requirements to run as a live disc are similar to Ubuntu 16.04 (2 GHz dual core processor or better; 2 GB system memory). It can run on a physical system or in a virtual machine environment such as VMware Workstation.

Supported platforms[edit]

The CAINE Linux distribution has numerous software applications, scripts and libraries that can be used in a graphical or command line environment to perform forensic tasks. CAINE can perform data analysis of data objects created on Microsoft Windows, Linux and some Unix systems.[5] One of the key forensic features in version 9.0 is that it sets all block devices by default to read-only mode. Write-blocking is a critical methodology to ensure that disks are not subject to writing operations by the operating system or forensic tools.[6] This ensures that attached data objects are not modified, which would negatively impact digital forensic preservation.


CAINE provides software tools that support database, memory, forensic and network analysis.[7] File system image analysis of NTFS, FAT/ExFAT, Ext2, Ext3, HFS and ISO 9660 is possible via command line and through the graphic desktop.[8] Examination of Linux, Microsoft Windows and some Unix platforms is built-in. CAINE can import disk images in raw (dd) and expert witness/advanced file format. These may be obtained from using tools that are included in CAINE or from another platform such as EnCase or the Forensic Tool Kit.[9]

Some of the tools included with the CAINE Linux distribution include:

  • The Sleuth Kit – open source command line tools that support forensic inspection of disk volume and file system analysis.
  • Autopsy – open source digital forensics platform that supports forensic analysis of files, hash filtering, keyword search, email and web artifacts. Autopsy is the graphical interface to The Sleuth Kit.
  • RegRipper – open source tool, written in Perl, extracts/parses information (keys, values, data) from the Registry database for data analysis.
  • Tinfoleak – open source tool for collecting detailed Twitter intelligence analysis.
  • Wireshark – supports interactive collection of network traffic and non real-time analysis of data packet captures (*.pcap).
  • PhotoRec – supports recovery of lost files from hard disk, digital camera and optical media.
  • Fsstat – displays file system statistical information about an image or storage object.


  1. ^ "CAINE Live USB/DVD - computer forensics digital forensics". Retrieved 2018-07-02.
  2. ^ James, Joshua I.; Gladyshev, Pavel (2013-09-01). "A survey of digital forensic investigator decision processes and measurement of decisions based on enhanced preview". Digital Investigation. 10 (2): 148–157. doi:10.1016/j.diin.2013.04.005. ISSN 1742-2876.
  3. ^ Sean-Philip., Oriyano (2011). Hacker techniques, tools, and incident handling. Gregg, Michael. Sudbury, Mass.: Jones & Bartlett Learning. ISBN 978-0763791834. OCLC 702369433.
  4. ^ "CAINE 8.0". TechRadar. Retrieved 2018-07-02.
  5. ^ Chaudhary, Charulata; Kang, Ishupal Singh (2011), "Pirates of the Copyright and Cyberspace", Cyber Security, Cyber Crime and Cyber Forensics, Advances in Digital Crime, Forensics, and Cyber Terrorism, IGI Global, pp. 59–68, doi:10.4018/978-1-60960-123-2.ch005, ISBN 9781609601232
  6. ^ Decusatis, Casimer; Carranza, Aparicio; Ngaide, Alassane; Zafar, Sundas; Landaez, Nestor (October 2015). Methodology for an Open Digital Forensics Model Based on CAINE. 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing. IEEE. doi:10.1109/cit/iucc/dasc/picom.2015.61. ISBN 9781509001545.
  7. ^ "CAINE Provides Sturdy Support for Forensic Specialists". Retrieved 2018-07-02.
  8. ^ Kerner, Sean Michael (7 November 2017). "CAINE 9.0 Linux Expands Computer Forensic Investigation Capabilities". eWeek.
  9. ^ "Tactical Objectives and Challenges in Investigative Computer Forensics", Investigative Computer Forensics, John Wiley & Sons, Inc., 2013-04-11, pp. 157–166, doi:10.1002/9781118572115.ch6, ISBN 9781118572115