Autopsy
The Autopsy Forensic Browser is a graphical interface for TheSleuthKit tools that are originally based on command lines. They allow a digital investigator to analyze Windows and UNIX disks, and related file systems such as NTFS, FAT, UFS1/2, Ext2/3. CAINE maintains the same browser-like interface of Autopsy, but it controls output production and report generation through BASH scripts.
Help page that is automatically updated.
Foremost and Scalpel
CAINE provides the investigator with Foremost and Scalpel that are data carving programs recovering files based on their headers, footers, and internal data structures.
Scalpel is a modified and better version of Foremost 0.69, and works directly on a drive or on image files, such as those generated by dd, Safeback, Encase. Both programs are provided with a tailored interface that allows multiple windows for input/output selection and direct access to the user/help manual.
SFDumper 2.1
SFDumper is a Bash script which can retrieve all the files of a chosen type (e.g. .doc or .jpg), regardless if they are active, deleted or unallocated.
It automatically runs Foremost for carving, and Sleuthkit for deleted files retrieval. It then eliminates duplicated files by comparing the SHA256 hashes of the carved files and the active and deleted files. Thanks to carving, files renamed with a different extension can be easily identified. Moreover, it is possible to expand the Foremost configuration file inside the script to add new extensions, and to carry out a keyword search on the extracted files.
The script can work on an RAW, EWF, AFF image file or can be directly applied to a device.
Stegdetect
It is an open source tool for steganography that is useful to discover hidden information in stored images. CAINE adds a graphical interface to the command in the main interface, and it provides also an alternative graphical front-end Xsteg.
Stegdetect works through a simple syntax that asks the user to provide a directory in which JPEG images are stored. The graphical interface allows the investigator to select a folder in which suspected steganographic pictures are stored. At the end of the process, the interface saves the results in a temporary file, that is ready to be included in the final investigation report.
Ophcrack
This is a famous program for password exploiting. CAINE does not provide rainbow tables to Ophcrack because of memory space problems of the live CD version, however it guarantees full compatibility between Ophcrack and the CAINE distribution. This program comes with a graphical interface that is integrated within CAINE.
Fundl 2.0
Fundl is a file bash shell for Linux (requires the use of Sleuthkit), which is used to retrieve all files deleted from a disk or a bitstream image. HTML reporting
Bash Scripts Tools They are useful tools for retrieving informations. (Raw2fs, fod, offset_brute_force, LRRP, FKLook)
