Cado Live

Documentation

Cado Live is a free tool, booted from a USB disk, for securely copying (imaging) systems into cloud storage for forensic analysis.

Why Image Systems to the Cloud?

When done right, cloud storage is cheap, secure, and can be local to your region. It also enables you to spin up systems to quickly analyse data in cloud storage.

Cado Live enables a number of scenarios such as:

An examiner can go to a target machine with just a USB and securely create an image that can be examined later in their remote office

An examiner can instruct a customer on the other side of the world on how to create a USB and quickly deliver a forensic image of a machine back to them

Which Cloud Storage Providers are supported?

Cado Live can upload data to:

  • Amazon Web Services (AWS) S3
  • Azure Storage Blobs
  • Google Cloud Storage
  • Local Storage (such as a plugged-in USB Drive)

What Target Systems are supported?

Any system that can boot Ubuntu Linux 20.04 should be supported.

We have tested Cado Live on a range of new and old hardware, including various Linux, Windows and Apple-based products, and it should work on most devices. See the FAQ below for details of issues you may encounter on some devices, and possible solutions.

Creating a Bootable USB Disk

First you will need to create a bootable USB disk from our image:

We recommend creating the Cado Live USB using a tool such as Rufus (Windows) or UNetbootin (OSX and Linux). The default selections in Rufus should produce a USB that you can boot from.

  • Under Device, select your USB disk.
  • Click Select and select the ISO file for Cado Live.
  • Click Start to create the bootable USB Disk.

You now have a USB disk that is ready to image with. You can use it yourself, or deliver it to someone else so that they can image systems for you to access.

Note: Rufus will wipe anything that is on your USB drive. Make sure you have the right drive selected.

Creating Secure Credentials

It is important to use credentials whose access is limited to writing objects to your cloud storage (upload only: no read, list or delete permissions).

Otherwise, if an attacker finds your credentials, they could read or delete the evidence you have already uploaded.

Before using Cado Live, you will need to create secure credentials to upload with:

Tip: to save typing the credentials into Cado Live by hand, store them somewhere secure that you can reach from within Cado Live (for example via its browser, or on an encrypted USB drive) and copy and paste them in.
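As an added example (not part of Cado Live, and not an official policy from the project), the following builds an upload-only AWS S3 policy of the kind this section asks for, and audits an arbitrary policy document for anything beyond upload access. The bucket name and key prefix are hypothetical placeholders; the set of actions an uploader needs is an assumption about a standard multipart S3 upload, not a statement from the Cado Live documentation.

```python
"""Upload-only S3 policy for a Cado Live credential, plus an audit check.

Added example, not part of Cado Live. The bucket name and key prefix are
hypothetical placeholders; substitute your own before creating the policy.
"""
import json

# The only actions an upload-only identity needs for a standard (multipart)
# S3 upload. This is an assumption about the uploader, not a statement from
# the Cado Live documentation: s3:PutObject covers CreateMultipartUpload,
# UploadPart and CompleteMultipartUpload; AbortMultipartUpload lets a failed
# upload be cleaned up without granting delete on finished objects.
ALLOWED_ACTIONS = {"s3:PutObject", "s3:AbortMultipartUpload"}


def write_only_s3_policy(bucket: str, prefix: str = "cado-live/") -> dict:
    """Return an IAM policy document that can only add objects under prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CadoLiveUploadOnly",
                "Effect": "Allow",
                "Action": sorted(ALLOWED_ACTIONS),
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            }
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialise for pasting into the IAM console or `aws iam create-policy`."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy: dict) -> list:
    """Return findings for any Allow statement that exceeds upload-only access.

    An empty list means a leaked key could add images but not read, list or
    delete what is already in the bucket, which is the property the
    'Creating Secure Credentials' section asks for.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            # Anything outside the allow-list, including wildcards such as
            # s3:* or s3:Put*, is more than an uploader needs.
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} exceeds upload-only")
        for resource in _as_list(stmt.get("Resource")):
            # A bare "*" or an unscoped bucket ARN lets the key write anywhere.
            if (resource == "*" or not resource.startswith("arn:aws:s3:::")
                    or resource.endswith(":::*")):
                findings.append(f"{sid}: resource {resource} is not scoped to one bucket")
    return findings


# For contrast: the kind of policy people reach for first. The audit flags it.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    good = write_only_s3_policy("example-forensics-bucket")
    print(policy_json(good))
    print("audit (upload-only):", audit_policy(good) or "clean")
    print("audit (broad):", audit_policy(OVERLY_BROAD_POLICY))
```

Note that s3:PutObject on an existing key overwrites it, so an upload-only key can still replace an earlier image; enable bucket versioning (or Object Lock) so that an overwrite cannot destroy evidence already uploaded.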

Booting from the USB

Now insert the USB into the target machine, and reboot into the USB.

If the machine doesn’t load Cado Live from the USB, you may need to change your boot order or disable secure boot. Note: don’t forget to change your settings back once you’re done.

Getting Started

You can start the GUI by clicking the “Cado Live Icon” on the desktop side panel.

You can start the command line interface by running “cado_cli” in a terminal window.

Should you require it, the administrator (“sudo”) account is called cado and the password is odac.

Creating an Image – GUI

When you first open the UI, you will be presented with a screen like this:

  • Click Enter Settings to open the settings page.
  • Select the Disk you would like to image:
  • Enter the credentials for the Cloud Storage (or local storage) you would like to use:
  • Now enter the Acquisition Settings you would like to use.
  • The Compress option will gzip compress your disk image (supported on Azure, AWS, and local, not GCP).
  • Enabling Detailed Logging will produce more verbose logs, viewable on the tasks page.
  • The Generate Hash option lets you compute either a SHA256 or an MD5 hash of the target drive prior to acquisition, so the uploaded image can be verified against it later. Prefer SHA256: MD5 is no longer collision-resistant.
  • If you do not set the Output Filename, an autogenerated filename (cado_$RandomLetter_$Timestamp) will be used.

Optionally, you can choose to enter Case Notes for the acquisition. This will be stored in logs sent to cloud storage:
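The Generate Hash and Compress options above are what make a downloaded image verifiable later. As an added example (not Cado Live code), the following hashes an image exactly as a reviewer would need to: it streams the file in fixed-size chunks so multi-terabyte images do not have to fit in memory, and it transparently decompresses a gzip-compressed acquisition first, since the recorded hash is of the raw target drive and not of the compressed upload. That the recorded value is a digest of the raw device bytes, and that Compress produces plain gzip, are assumptions drawn from the option descriptions above.

```python
"""Verify a downloaded Cado Live image against the hash recorded at acquisition.

Added example, not Cado Live code. Assumes the Generate Hash value in the
acquisition logs is the digest of the raw target drive, and that a Compress
acquisition is plain gzip, so the download must be decompressed before hashing.
"""
import gzip
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB: streaming keeps memory flat on multi-terabyte images
GZIP_MAGIC = b"\x1f\x8b"


def hash_image(stream, algorithm: str = "sha256", compressed=None) -> str:
    """Return the hex digest of the raw disk bytes behind a seekable stream.

    compressed=None sniffs the gzip magic; pass True/False explicitly when the
    filename is known, since a raw disk could in principle start with 1f 8b.
    """
    if algorithm not in ("sha256", "md5"):
        raise ValueError("Cado Live records SHA256 or MD5")
    if compressed is None:
        compressed = stream.read(2) == GZIP_MAGIC
        stream.seek(0)
    source = gzip.GzipFile(fileobj=stream, mode="rb") if compressed else stream
    digest = hashlib.new(algorithm)
    # read() returns b"" at EOF for both plain files and GzipFile.
    for chunk in iter(lambda: source.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_image(stream, recorded_hex: str, algorithm="sha256", compressed=None) -> bool:
    """True if the stream's raw-disk digest matches the value from the logs."""
    return hash_image(stream, algorithm, compressed) == recorded_hex.strip().lower()


def hash_bytes(data: bytes, algorithm="sha256", compressed=None) -> str:
    """Convenience wrapper for in-memory data (tests and small samples)."""
    return hash_image(io.BytesIO(data), algorithm, compressed)


def verify_bytes(data: bytes, recorded_hex: str, algorithm="sha256") -> bool:
    return verify_image(io.BytesIO(data), recorded_hex, algorithm)


def gzip_bytes(data: bytes) -> bytes:
    """Stand-in for the Compress option: gzip the raw image."""
    return gzip.compress(data)


# Constructed sample "disk": an MBR-like boot sector followed by zeroed sectors.
SAMPLE_DISK = bytes(510) + b"\x55\xaa" + bytes(4096 * 3)

if __name__ == "__main__":
    recorded = hash_bytes(SAMPLE_DISK)          # value Cado Live would log
    upload = gzip_bytes(SAMPLE_DISK)            # what lands in cloud storage
    print("raw sha256:      ", recorded)
    print("gz verifies:     ", verify_bytes(upload, recorded))
    print("truncated copy:  ", verify_bytes(SAMPLE_DISK[:-1], recorded))
```

To check a real download, open it with `open(path, "rb")` and pass the file object to verify_image together with the hash from the acquisition logs; the logs, not the image, are the authoritative record, so keep the copy uploaded alongside the image rather than re-deriving the hash from the download itself.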

Cado Live – Acknowledgements

We call a number of compiled applications during execution:

Cado Live also uses a portion of code for listing disks attached to Linux systems from Google’s GiftStick tool, which was released under an Apache License.

We also use the Airframe Bootstrap theme, released under an MIT license.

We would like to thank some of our initial testers, Al and @bethlogic.