Hands on with Caine Linux: Pentesting and UEFI compatible

Here's my take on Computer Aided INvestigative Environment - a Linux-based, UEFI-compatible LIVE USB/DVD digital forensic system.

Wow, do I have mixed feelings about Caine Linux. First and foremost, it is a Linux-based forensic analysis system which is UEFI-compatible. However, while it is reasonably easy to boot as a Live DVD or USB system, I found it to be rather difficult to install, and quite complicated to use. 

There are a variety of special-purpose Linux distributions which I can easily imagine being used for everyday work - Kali Linux, Knoppix, AV Linux and others. But I have a difficult time imagining even an experienced Linux user using Caine for everyday tasks.

Maybe this is a good thing. Honestly, a pentest/forensic system should be used for that, and nothing else. When you use it for other purposes, and in other situations, or you connect regularly to the internet and mount other removable storage devices, you are taking the risk that it could become compromised, corrupted or otherwise damaged and made unsuitable for its primary use.

So that is the reason I have such mixed feelings. Maybe it would be best to use it only as it is distributed, as a standalone Live system. I would be interested in hearing other opinions about this.

But of course the really big question is, does it work on UEFI-firmware systems? This is not a trivial question - for example, Kali Linux (formerly BackTrack), which is my preferred distribution of this type, added UEFI compatibility not long ago, and to say that they had mixed results would be very generous. So having a system that works with UEFI out of the box would be very nice.

The short answer is yes, it does work as a stand-alone UEFI-boot Live system. The long answer is that if you want to go beyond that and create an installed system, well, that works too but you have to be very careful, and there are some potentially serious pitfalls along the way.

Let's start with the basics of the distribution. Caine 6.0 is derived from Ubuntu 14.04.1 (64 bit). That is a Long Term Support release, so that is a good thing. It uses the MATE desktop, rather than Unity, which is another really good thing. The ISO image can be obtained from their Downloads page (duh), and is relatively large (2.68GB).

You can either burn the ISO to a DVD, or copy it to a USB stick. The downloads page specifically says that you can use rufus (on Windows) or unetbootin (on Linux, MacOS or Windows). I am curious/stubborn/lazy/set in my ways (choose one or more which you think applies), so I decided to try a couple of other possibilities. The first and most obvious option, copying the image directly to a USB stick with dd, doesn't work. Bummer. The other obvious choice, because this is an Ubuntu derivative, was to try the Ubuntu Startup Disk Creator. I recently installed Ubuntu 14.10, so I fired that up, and it worked just fine. Yay.

The Live USB stick can then be booted on either "Legacy" (MBR) or UEFI-boot systems, and on UEFI systems it can be booted with Secure Boot enabled (or not). That's very good news.

[Screenshot: Caine 6.0 Live MATE Desktop]

That looks like a pretty nice MATE desktop, with a number of useful desktop icons for commonly used utilities and programs, and panel launchers for some others. It gets more interesting when you open the MATE menus, and you see the list of software included in the 'Forensic Tools' menu. Without going into a lot of depth that would just bore experienced security analysts and confuse most average users, I will just say that the list is long and impressive - and unlikely to be exactly right for anyone who works in this field. We all have our own preferred tool selection, based on a combination of personal experience and preference, and the specific types of investigation and testing we need to do. The important thing is that the packages included with Caine are a very good base.

But look a little further in the MATE menus, and you find that there is a lot of other general-purpose software included as well. For example:

  • Firefox
  • Thunderbird
  • LibreOffice
  • Shotwell
  • GIMP
  • Rhythmbox
  • VLC media player

Without voicing my own opinion too strongly here, I think there is a lot of room for discussion about whether these kinds of packages "belong" on a forensic system. I would say no, but I can see where others might disagree. I suppose the important thing here is that Caine includes both the Ubuntu Software Center and Synaptic Package Manager, so you can easily add and remove packages to fit your own preferences.

If you aren't planning to use Caine only as a DVD/USB Live system, the next step is to install it to the disk. This is where things get a lot more quirky. As you can see in the screenshot above, Caine uses the Systemback installer. There's the first quirk, because Systemback is much more of a backup/restore utility than an installer, and the difference in functionality and flexibility is important.

For one thing, you are only going to be able to install the entire system to a single partition - no separate root, boot, user, var or whatever. Of course (I will say this for the last time) if you are an experienced Linux user you can adjust any or all of this after the installation is complete, but that is not the point right now. Just prepare a partition of 8GB or more (the installed system will be about 5.5GB), and move on. Things get worse...

Warning! UEFI system - pay attention: if you are installing Caine on a UEFI system, you have to give it an EFI Boot partition. It must have its own EFI partition, because it is going to format that partition during installation. If you give it the existing partition, and you already have other Linux distributions installed (and perhaps Windows), it is going to wipe the EFI boot files for everything else. You will not be a happy camper after this happens. I promise. Not happy at all.

Beyond that, even if you are clever enough to figure out how to merge the Caine EFI boot setup with other installations, Caine has what I call the "Linux Mint UEFI Curse" - it still uses 'ubuntu' as the name of its EFI boot directory, so if you already have either Ubuntu or Linux Mint (the Ubuntu-derived variety) installed, you're going to have a conflict and something is going to be overwritten.

The simple solution is to just create a small FAT32 partition, and give that to Caine to use for /boot/efi. The partition can be very small (100MB is more than enough). Trying to do anything else is just a lot more trouble and a lot more dangerous than it is worth.
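To make the warning above something you can act on before the installer runs, here is an added example: a small POSIX shell script of my own, not part of the article or of the Caine project, that inventories the vendor directories already present on an EFI System Partition and reports what a reformat would destroy, plus whether the directory name the new install will use (for Caine, 'ubuntu') already exists. It assumes the ESP is mounted at the path you pass in (on an installed system usually /boot/efi); the `demo_esp` function, the function names and the constructed layout of an ESP shared by Windows and Ubuntu are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the Caine project: inventory the
# boot-loader directories on an EFI System Partition before letting an
# installer reformat it, so nothing is wiped by surprise.
# Assumes the ESP is mounted at the directory passed as the first argument.
# demo_esp builds a constructed layout in a temp directory so the checks can
# be exercised without touching real firmware.

# esp_loaders ESP: print each vendor directory under ESP/EFI, one per line,
# followed by the number of .efi files it contains.
esp_loaders() {
    esp=$1
    [ -d "$esp/EFI" ] || return 1
    for dir in "$esp"/EFI/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        n=$(find "$dir" -type f \( -name '*.efi' -o -name '*.EFI' \) | grep -c . || true)
        printf '%s %s\n' "$name" "$n"
    done
}

# esp_conflicts ESP NEWNAME: print the vendor directories that formatting the
# ESP would destroy, excluding NEWNAME (the directory the new install creates).
esp_conflicts() {
    esp_loaders "$1" | awk -v skip="$2" '$1 != skip { print $1 }'
}

# esp_safe_to_format ESP NEWNAME: succeed only if no other OS has loaders here.
esp_safe_to_format() {
    [ -z "$(esp_conflicts "$1" "$2")" ]
}

# esp_name_clash ESP NEWNAME: succeed if ESP/EFI/NEWNAME already exists, i.e.
# the new install would overwrite another distribution's loader files.
esp_name_clash() {
    [ -d "$1/EFI/$2" ]
}

# report ESP NEWNAME: human-readable summary; exit status 0 means safe.
report() {
    esp=$1; newname=$2
    echo "Boot loader directories on $esp:"
    esp_loaders "$esp" | sed 's/^/  /'
    if esp_name_clash "$esp" "$newname"; then
        echo "WARNING: $esp/EFI/$newname already exists and would be overwritten"
    fi
    if esp_safe_to_format "$esp" "$newname"; then
        echo "OK: formatting $esp destroys nothing belonging to another OS"
        return 0
    fi
    echo "DANGER: formatting $esp would destroy:"
    esp_conflicts "$esp" "$newname" | sed 's/^/  EFI\//'
    return 1
}

# demo_esp: constructed ESP shared by Windows and Ubuntu (plus the fallback
# loader). Prints the temp directory path; remove it when done.
demo_esp() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/EFI/ubuntu" "$tmp/EFI/Microsoft/Boot" "$tmp/EFI/BOOT"
    : > "$tmp/EFI/ubuntu/grubx64.efi"
    : > "$tmp/EFI/ubuntu/shimx64.efi"
    : > "$tmp/EFI/Microsoft/Boot/bootmgfw.efi"
    : > "$tmp/EFI/BOOT/BOOTX64.EFI"
    printf '%s\n' "$tmp"
}

# Usage: sh esp_check.sh /boot/efi ubuntu   (second argument defaults to ubuntu)
if [ -n "${1:-}" ]; then
    report "$1" "${2:-ubuntu}"
fi
```

Run it against the mounted ESP before starting Systemback; a non-zero exit from `report` means the partition is shared and you want the separate 100MB FAT32 partition described above instead.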

The rest of the installation is routine, and completes pretty quickly. When you reboot to the installed system, the desktop looks essentially the same as the Live system did. Oh, during installation it asked for a user account and password, and a root password. After installation the user account is created, but without password, and the root password is set to whatever you gave.

At this point I got one of the few really pleasant surprises from this system. I installed it on the Acer Aspire E11, and with other Linux installations (including Ubuntu 14.10) I had a bit of a struggle getting the wi-fi adapter working, but Caine got it right from the start, all on its own. I actually noticed this because after booting I went straight into the 'Additional Drivers' utility, expecting to have to select and activate the wireless driver, and I found that it was already recognized and working.

But after that pleasant discovery, I was confronted with the reality of using and managing Caine Linux. This is a system that is intended for experienced Linux users, not for beginners or even average casual users. It expects that you understand quite a bit about Linux administration, and that you will be able to understand and either adjust or learn to live with a number of things which are quite different from "typical" Linux systems. Here are just a few examples:

Removable storage is handled by 'RBfstab' and 'Mounter'. The important thing to remember here is that by default, removable filesystems do not mount automatically, and when they are mounted they are read-only by default. To change this, right-click on the Mounter icon in the task bar (it looks like a disk if you use a little imagination).

Network Management uses either 'RutilT WLAN Manager' or simply 'Network Connections'. Those who are accustomed to Network Manager might be surprised and/or disappointed. Once you establish a connection there is a nice status/monitor icon in the MATE panel (MATE Netspeed).

Swap space is not configured by default. If you want/need it, set it up manually or via RBfstab.
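The read-only mounting and the absence of swap are not quirks for their own sake: a mounted-read-write partition and an active swap area are the two ordinary ways a workstation silently writes to a drive under examination. As an added example (my own script, not part of the article or of Caine), here is a pre-acquisition check that reads tables in /proc/mounts and /proc/swaps format and refuses a device if any of its partitions is mounted without `ro` or is in use as swap, together with a helper that prints (rather than runs) a read-only mount command, adding `noload` on ext3/ext4 so the journal is not replayed. The function names and the sample tables written by `demo_state` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the Caine project: check that an
# evidence device is neither mounted read-write nor used as swap before any
# acquisition starts. Reads files in /proc/mounts and /proc/swaps format;
# demo_state writes constructed samples so the check runs without real disks.

# mount_opts DEV: print the option string of DEV's first mount from a
# /proc/mounts style table on stdin (empty output if DEV is not mounted).
mount_opts() {
    awk -v dev="$1" '$1 == dev { print $4; exit }'
}

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS
# (",ro," is matched exactly, so "errors=remount-ro" does not count as ro).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# device_nodes DEV FILE: print each first column of FILE that is DEV or a
# partition of it (/dev/sdb matches /dev/sdb1, /dev/sdb2, ...).
device_nodes() {
    awk -v dev="$1" 'index($1, dev) == 1 { print $1 }' "$2"
}

# evidence_ready DEV MOUNTS SWAPS: report every way DEV (or one of its
# partitions) could be written to; succeed only if there is none.
evidence_ready() {
    dev=$1; mounts=$2; swaps=$3
    status=0
    for node in $(device_nodes "$dev" "$mounts"); do
        opts=$(mount_opts "$node" < "$mounts")
        if has_opt "$opts" ro; then
            echo "ok:   $node mounted read-only ($opts)"
        else
            echo "FAIL: $node mounted read-write ($opts)"
            status=1
        fi
    done
    for node in $(device_nodes "$dev" "$swaps"); do
        echo "FAIL: $node is active swap"
        status=1
    done
    return $status
}

# ro_mount_command DEV MOUNTPOINT FSTYPE: print (do not run) a mount command
# that refuses writes, including journal replay on ext3/ext4 ("noload").
ro_mount_command() {
    case $3 in
        ext3|ext4) opts=ro,noexec,nosuid,nodev,noatime,noload ;;
        *)         opts=ro,noexec,nosuid,nodev,noatime ;;
    esac
    printf 'mount -t %s -o %s %s %s\n' "$3" "$opts" "$1" "$2"
}

# demo_state: write constructed /proc/mounts and /proc/swaps samples into a
# temp directory and print its path. /dev/sdb1 is mounted read-only (the
# Mounter default); /dev/sdc is the bad case: rw mount plus a swap partition.
demo_state() {
    dir=$(mktemp -d)
    cat > "$dir/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/sdb1 ntfs ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/sdc1 vfat rw,nosuid,nodev,relatime 0 0
EOF
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$dir/swaps"
    printf '/dev/sdc2\t\t\t\t\tpartition\t2097148\t0\t-2\n' >> "$dir/swaps"
    printf '%s\n' "$dir"
}

# Usage on a live system: sh evidence_check.sh /dev/sdX
if [ -n "${1:-}" ]; then
    evidence_ready "$1" /proc/mounts /proc/swaps
fi
```

On a real Caine box the call is `evidence_ready /dev/sdX /proc/mounts /proc/swaps`; a hardware write blocker is still the right answer for acquisition, and this check only catches the software-side mistakes the Mounter and swap defaults are there to prevent.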

Those are the obvious things I have come across so far. Some are explained in more detail in the release notes on the Caine web site. Some are not. The important thing is that I keep finding more and more of these quirks as I continue working with the system. So again, don't go into this thinking that it is going to be a simple install-and-use kind of Linux system. Be prepared to get your hands dirty.

I will finish this with the same statement that I started with. Wow, do I have mixed feelings about Caine Linux. If your number one priority is a Linux-based, UEFI-compatible penetration testing / forensic analysis system, then Caine is likely to make you happy.

It includes an awesome set of forensic tools, and it works very well. But it is moderately difficult to install, and it can give you some unpleasant surprises during installation on UEFI systems. In my opinion it includes a lot of packages which are not relevant to pentest/forensic systems, but it is too complex and too difficult to administer to be used as a general-purpose Linux system.