NEW! CAINE 11.0 "Wormhole" is out!

CAINE 12.4 "Sidereal" 64bit
Official CAINE GNU/Linux distro latest NOT INSTALLABLE release, it's only live.

KERNEL 5.4.0-90
Based on Ubuntu 20.04 64BIT - UEFI Ready!

CAINE 11.0 "Wormhole" 64bit
Official CAINE GNU/Linux distro latest INSTALLABLE release.

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project
Currently the project manager is Nanni Bassetti (Bari - Italy).
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user-friendly graphical interface
  • user-friendly tools
We recommend you to read the page on the CAINE policies carefully.

CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, everyone could take on the legacy of the previous developer or project manager. The distro is open source, the Windows side is freeware and, the last but not least, the distro is installable, thus giving the opportunity to rebuild it in a new brand version, so giving a long life to this project ....

Nanni Bassetti

SPECIAL THANKS TO: Raul Capriotti, Aniello Luongo, Lorenzo Faletra, Andrea Lazzarotto

CHANGELOG CAINE 11.0 "Wormhole"

Kernel 5.0.0-32
Based on Ubuntu 18.04 64BIT - UEFI Ready!

CAINE 11.0 can boot on Uefi/Uefi/Legacy Bios/Bios.

If secureboot failed, try to disable it from UEFI.

If you want to create an hybrid image, try this:
isohybrid -u caine11.0.iso

The important news is CAINE 11.0 blocks all the block devices (e.g. /dev/sda), in Read-Only mode. You can use a tool with a GUI named Unblock present on CAINE's Desktop.
This new write-blocking method assures all disks are really preserved from accidentally writing operations, because they are locked in Read-Only mode.
If you need to write a disk, you can unlock it with UnBlock or using "Mounter" changing the policy in writable mode.

CAINE is always more fast during the boot.
CAINE 11.0 can boot to RAM (toram).

INSTALLING CAINE: UnBlock (blockdev) put the device in WRITABLE mode -> use Ubiquity -> Choose System Install -> Choose user: CAINE password: CAINE host: CAINE -> Go!
Ubiquity is the installer, even if for old BIOS based computers, you need to run BootRepair after the end of Ubiquity!.
Then after the first boot, run Grub Customizer and put RW instead of RO in the boot menu.



All devices are blocked in Read-Only mode, by default.
New tools, new OSINT, Autopsy 4.13 onboard, APFS ready,BTRFS forensic tool, NVME SSD drivers ready!
SSH server disabled by default (see Manual page for enabling it).
SCRCPY - screen your android device
Autopsy 4.13 + additional plugins by McKinnon.
X11VNC Server - to control CAINE remotely.
NEW SCRIPTS (Forensics Tools - Analysis menu)

AutoMacTc - a forensics tool for Mac.
Bitlocker - volatility plugin
Autotimeliner - Automagically extract forensic timeline from volatile memory dumps.
Firmwalker - firmware analyzer.
CDQR - Cold Disk Quick Response tool

many others fixing and software updating.

many and many scripts and programs....

Windows Side:

CAINE has got a Windows IR/Live forensics tools.
New release of Arsenal Image Mounter by Arsenal Recon
If you need it you can use the IR/Live forensics framework you prefer, changing the tools in your pendrive.


NEW RBFstab and Mounter

1) "rbfstab" is a utility that is activated during boot or when a device is plugged in.  It writes read-only entries to /etc/fstab so devices are safely mounted for forensic imaging/examination.  It is self installing with 'rbfstab -i' and can be disabled with 'rbfstab -r'.  It contains many improvements over past rebuildfstab incarnations.  Rebuildfstab is a traditional mean for read-only mounting in forensics-orient distributions.
2) "mounter" is a GUI mounting tool that sits in the system tray.  Left-clicking the system tray drive icon activates a window where the user can select devices to mount or un-mount.  With rbfstab activated, all devices, except those with volume label "RBFSTAB", are mounted read-only on loop device.  Mounting block devices in Caja (file browser) is not possible for a normal user with rbfstab activated making mounter a consistent interface for users.
Mounter is a disk mounting application that runs in the system tray. General Informations:

A green disk icon means the system is SAFE and will mount devices READ-ONLY on loop device.
A red disk icon means WARNING, mounted devices will be WRITEABLE.

In CAINE 8.0 mounter can unlock and lock block devices in Read-Only mode.


Left-click the disk icon to mount a device.
Right-click the disk icon to change the system mount policy.
Middle-click will close the mounter application. Relaunch from the menu.

The mounted devices will not be affected by mount policy changes. Only subsequent mounting operations will be affected.

John Lehr

Live Preview Caja Scripts

CAINE includes scripts activated within the Caja web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering it with the appropriate tool.
The live preview Caja scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Caja window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and criticisms.
The preview scripts were born from a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can use the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
John Lehr
Root file system spoofing PATCH
The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). ---
Suhanov Maxim

Windows Side


CAINE has got a Windows IR/Live forensics tools.
If you need it you can use the IR/Live forensics framework you prefer, changing the tools in your pendrive.