CAINE 1.5 Installed to capture image file from CAINE 1.5 Live CD
I highly recommend using a hardware write blocker when imaging a suspect hard drive.
NOTE: These instructions are for using a CAINE 1.5 Live CD to image a computer with a single SATA hard disk (suspect workstation) to a computer with CAINE 1.5 installed to the hard drive (forensic workstation). You need to have enough free space on the computer with CAINE 1.5 installed to save an image file the size of the suspect workstation's hard drive.
CAINE 1.5 Installed
1. Boot the CAINE Forensic Drive and log in.
2. Open a terminal window
3. Type "sudo su" and then the password
4. Type "ifconfig" and document your IP address
5. Type "cd /"
6. Type "mkdir evidence"
7. Type "cd evidence"
8. Type "cryptcat -k 123456 -l -p 8888 > sda-img.dd"
a. NOTE: the 123456 above is the key for encrypting the connection; you probably want to use something more secure!
CAINE 1.5 Live CD
1. Boot off the CD on the suspect workstation
2. Select "Menu"... Forensics Tools... AIR
3. Click the "OK" button if prompted
4. Click the "SDA" (hard drive icon) button
5. Click the "Set as Source" button
6. Click the "Cryptcat" button
7. Type the key 123456
8. Click the "Net" button
9. Click the "Destination" button
10. Type the IP address found using the ifconfig command found above in number 4
11. Type the port 8888
12. Click the "OK" button
13. Click the "OK" button
14. Click the "Start" button
15. Click the "Yes" button
16. Click the "MD5" button
17. Click the "Show Status Window" button
18. When it completes, document the MD5 hash value
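Once the transfer finishes, the received sda-img.dd on the forensic workstation can be hashed and compared with the value documented in step 18. The following is an added example, not part of the original post or of CAINE/AIR; it assumes the documented value is the MD5 of the data AIR sent, and the function name verify_image, the log file name and the extra SHA-256 field are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a received image with the MD5 documented on the
# suspect workstation and append the outcome to a verification log.
# Usage: verify_image IMAGE EXPECTED_MD5 [LOGFILE]
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_image() {
    image=$1
    # Normalise the hand-copied hash: lower case, no stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    log=${3:-verification.log}

    [ -f "$image" ] || { echo "no such image: $image" >&2; return 2; }
    # Reject a mistyped hash before spending time hashing a large image.
    case $expected in
        *[!0-9a-f]*) echo "expected MD5 has non-hex characters" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 32 ] || { echo "expected MD5 must be 32 hex digits" >&2; return 2; }

    actual=$(md5sum "$image" | cut -d' ' -f1)
    # A second, stronger digest recorded for later re-verification.
    sha256=$(sha256sum "$image" | cut -d' ' -f1)
    size=$(wc -c < "$image" | tr -d ' ')
    when=$(date -u '+%Y-%m-%dT%H:%M:%SZ')

    if [ "$actual" = "$expected" ]; then
        result=MATCH
    else
        result=MISMATCH
    fi
    printf '%s image=%s bytes=%s md5=%s expected=%s sha256=%s result=%s\n' \
        "$when" "$image" "$size" "$actual" "$expected" "$sha256" "$result" >> "$log"

    if [ "$result" = MATCH ]; then
        chmod a-w "$image"   # guard the verified copy against accidental writes
        return 0
    fi
    return 1
}
```

Run from /evidence as `verify_image sda-img.dd <MD5 from step 18>`; a MISMATCH line in the log means the image should be re-acquired rather than analysed.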
Re: CAINE 1.5 Installed to capture image file from CAINE 1.5 Live CD
Did you try the new AIR 2.0.0? I modded it and Steve Gibson published it :-)
Read here:
http://www.nannibassetti.com/dblog/articolo.asp?articolo=99