Computer Aided Investigative Environment (CAINE)

The Linux distribution Computer Aided Investigative Environment (CAINE) [5], currently maintained by Nanni Bassetti, provides a collection of software tools for postmortem analysis and live forensics. Many of the tools have a graphical user interface. Version 3.0, which we looked at, has now been superseded by the current 4.0 version. Forensic duplication was implemented here as a virtual read-only disk, and we used the CAINE tools Forensic Registry Editor (FRED), Galleta, Pasco, NBTempo, Autopsy Forensic Browser, and TSK.

FRED is used to open and then search a registry. When we opened the NTUSER.DAT registry file, FRED showed the last three URLs entered in the IE address field in the Software\Microsoft\Internet_Explorer\TypedURLs key, which led to eBay and Amazon, as shown in Figure 5.

Figure 5: Registry entries (FRED).

The Galleta [7] console tool by McAfee is used for processing IE's cookies. When you run Galleta against a cookie file, the tool creates a spreadsheet, as shown in Figure 6. The data is converted into a table, thus improving clarity and usability for the investigator. However, you first need to identify the relevant cookies, which you can often do based on the file name, which contains the domain name of the visited website.

Figure 6: Spreadsheets with cookie content (Galleta).

McAfee is also the company behind the Pasco tool [8]; its focus is on processing IE's Internet activity based on the index.dat file. To do this, Pasco produces a spreadsheet with the contents of the file. Figure 7 shows the URL history from the scenario. The Type column distinguishes between URLs and redirects that are marked with REDR. Pasco makes it easier for investigators to reconstruct the browser or cookie history. Furthermore, it lets you sort, filter, and process content as needed.

Figure 7: Generating spreadsheets from the contents of index.dat (Pasco).

NBTempo is a Bash script with a GUI by Nanni Bassetti that generates timelines. The investigator selects a forensic duplicate as an image file or disk. Then, after specifying the target directory, the time zone, the time delay of the data on the victim's system, and the time period under investigation, NBTempo provides rapid results.

Three files are created. The file named data.txt provides an overview of the image directory, the selected time period, the time zone, and the delay. The times.txt file saves the results in a raw format that is readable for many downstream processing tools, and the report.csv spreadsheet represents the timeline in a table with column names that reflect the investigator's needs (Figure 8). The timeline can then be sorted, filtered, and processed by the investigator. NBTempo helps the forensic investigator reconstruct the computer's history. This helps determine which files were created or executed parallel to the browser session, which may provide clues to other data sources.

Figure 8: Excerpt from the report table (NBTempo).

The Autopsy Forensic Browser is a graphical add-on for TSK (as was its successor, Autopsy), but it uses a different graphical interface. Analysis is performed in a browser, and investigators can save the forensic duplicates on a server. This means that analysis can be performed by several investigators using separate computers. When the case is created, a host is defined along with the details of the case name, name of the system under investigation, time zone, and time vector.

The duplicate we examined was created as a linked partition and was protected with an MD5 hash value. The Autopsy Forensic Browser primarily works with filesystem structures. For example, it can access the details of the NTFS Master File Table (MFT), including its clusters.

Data storage device analysis is carried out in five consecutive steps:

• In the first step, File Analysis accesses the folder structure and searches for file names and deleted files. The search results can be reviewed in ASCII, hex, and ASCII string views. The tool also offers an export function and an annotation function for relevant files. If you add a note, the Autopsy Forensic Browser creates a report with generic information (file name, hash value, creation time stamp, investigator) with metadata (position in the MFT, attributes) and the appropriate content.
• The next step is the Keyword Search . In this step, the investigator can search for individual and compound keywords, as well as regular expressions with the grep tool. Some restrictions apply, and the search is thus not totally reliable, as stated in Brian Carrier's overview of "grep Search Limitations" [6]. The search is very time consuming because the image is not indexed. Results are listed by clusters with reference to the source directory. A cluster can be exported as a file and annotated.
• Next, the investigator is taken to File Type sortings, where the files are output and sorted into the following categories: archives, audio, compression, crypto, data, disk, documents, executable files, images, system, text, unknown, video, and extension mismatches. The results can be saved as a .html file without links.
• In Meta Data mode, investigators can search for a specific MFT record or display the allocation list. Each MFT entry specifies which file is associated with it. You can also display the content here, export the file as a cluster, and add notes and reports.
• Finally, you can search for clusters in Data Unit mode. This step provides the same information and functionality as the previous step. After analysis, the results can be processed to create File Activity Time Lines , which involves generating a timeline structured in months. Previously created notes can be viewed here. This timeline is stored in tabular form on the workstation.

The Event Sequencer lists all events along with the associated annotations. An event can be individually time stamped and the source added.

Autopsy Forensic Browser is primarily used for data analysis. The bulk of the information is only available in plain text without any links or evaluation. It thus offers insufficient support in this scenario. Only validation through hashes, case management, and categorization of file types facilitate the investigator's task.

Comparison

As a CAINE tool, TSK [9] restricts itself to command-line tools for the analysis of filesystems, partitions, images, and disks. The partition tools do not support the analysis of Windows systems. Thus, only the filesystem and image tools were considered.

Using the tsk_gettimes and fls-m tools, we created a timeline of the files in raw format as a body file that is equivalent to NBTempo's times.txt. We then ran the mactime tool to convert this to a clear-cut table with column names, which in turn matched the report.csv from NBTempo.

The fsstat module provided information about the filesystem, in terms of the layout, sizes, and labels. We noticed here that the Windows 7 operating system on the victim's system was identified as Windows XP. Details of file extensions and image sizes were provided by the imgstat tool. Depending on the image, this tool provides additional information. The sorter tool assigned files to file types as per the File Type sortings in Autopsy Forensic Browser. The default installation of TSK provides little support for analyzing a browser session. Functions such as reporting, keyword search, and registry analysis require a retroactive installation of the TSK Framework.

Although CAINE offers no central case management (meaning that the investigator must enter the case name and investigators after every reboot), you can manually generate a final report via the interface as a .rtf or .html file or a personal report. CAINE differs in this respect from the other extensive tool collections, SIFT and BackTrack, in that the distribution of the individual tools within the interface is structured on forensic process models and therefore requires comparatively less training time.

Other Toolkits

Besides OSForensics, Autopsy, and CAINE, the following toolkits were analyzed in our test:

• Digital Forensics Framework (DFF) by ArxSys offers a Windows and Linux distribution for the analysis of drives, filesystems, and user and application data. It also provides a search function for metadata, hidden, and deleted data. The analyzed version was the Windows release 1.2.0 with dependencies. The current version is Windows release 1.3.0 with dependencies.
• The TSK command-line tool collection is developed by Brian Carrier for both Windows and Linux. We investigated Windows version 4.0.1, which has been replaced by the current version, 4.1.0.
• The Paladin toolkit for Linux by Sumuri is primarily used for creating images. We were unable to create an image with the 3.0 version that we looked at. The current version is 4.0.

We also looked at the two major Linux toolkits, SANS Investigate Forensics Toolkit (SIFT) in the latest version 2.14 and BackTrack in the current version 5.0 R3. BackTrack has now been replaced by Kali Linux and primarily serves to review the overall security of a network. BackTrack and Kali also provide attack, audit, and penetration tools.