SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3

Download SIFT Workstation VMware Appliance Now – 1.5 GB

Having trouble downloading?
If you are having trouble downloading the SIFT Kit please contact sift-support@sans.org and include the URL you were given, your IP address, browser type, and if you are using a proxy of any kind.

Having trouble with SIFT 3?
If you are experiencing errors in SIFT 3 itself, please submit errors, bugs, and recommended updates here: https://github.com/sans-dfir/sift/issues

How To:

1. Download Ubuntu 14.04 ISO file and install Ubuntu 14.04 on any system. -> http://www.ubuntu.com/download/desktop
2. Once installed, open a terminal and run “wget –quiet -O – https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s — -i -s -y”
3. Congrats — you now have a SIFT workstation!!

Page Links

• SIFT Workstation 3 Overview
• Download SIFT Workstation 3 Locations
• Manual SIFT 3 Installation
• SIFT Workstation 3 Capabilities
• SIFT Workstation 3 How-Tos
• Report Bugs
• SIFT Recommendations

---

SIFT Workstation 3 Overview

An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern forensic tool suite, is also featured in SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Offered free of charge, the SIFT 3 Workstation will debut during SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR508) at DFIRCON. SIFT 3 demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

“Even if SIFT were to cost tens of thousands of dollars, it would still be a very competitive product,” says, Alan Paller, director of research at SANS. “At no cost, there is no reason it should not be part of the portfolio in every organization that has skilled forensics analysts.”

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

“The SIFT Workstation has quickly become my “go to” tool when conducting an exam. The powerful open source forensic tools in the kit on top of the versatile and stable Linux operating system make for quick access to most everything I need to conduct a thorough analysis of a computer system,” said Ken Pryor, GCFA Robinson, IL Police Department

Key new features of SIFT 3 include:

• Ubuntu LTS 14.04 Base
• 64 bit base system
• Better memory utilization
• Auto-DFIR package update and customizations
• Latest forensic tools and techniques
• VMware Appliance ready to tackle forensics
• Cross compatibility between Linux and Windows
• Option to install stand-alone via (.iso) or use via VMware Player/Workstation
• Online Documentation Project at http://sift.readthedocs.org/
• Expanded Filesystem Support

Download SIFT Workstation 3 Locations

Download SIFT Workstation VMware Appliance – 1.5 GB

Note: The file is zipped using 7zip in the 7z format. We recommend 7zip to unzip it. Download 7zip.

Manual SIFT 3 Installation

Installation

We tried to make the installation (and upgrade) of the SIFT workstation as simple as possible, so we create the SIFT Bootstrap project, which is a shell script that can be downloaded and executed to convert your Ubuntu installation into a SIFT workstation.

Check the project out at https://github.com/sans-dfir/sift-bootstrap

Quickstart

Using wget to install the latest, configure SIFT, and SIFT theme

wget –quiet -O – https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s — -i -s -y

Using wget to install the latest (tools only)

wget –quiet -O – https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s — -i

SIFT Login/Password:

After downloading the toolkit, use the credentials below to gain access.

• Login “sansforensics”
• Password “forensics”
• $ sudo su –
  • Use to elevate privileges to root while mounting disk images.

SIFT Workstation 3 Capabilities

Ability to securely examine raw disks, multiple file systems, evidence formats. Places strict guidelines on how evidence is examined (read-only) verifying that the evidence has not changed

File system support

• ntfs (NTFS)
• iso9660 (ISO9660 CD)
• hfs (HFS+)
• raw (Raw Data)
• swap (Swap Space)
• memory (RAM Data)
• fat12 (FAT12)
• fat16 (FAT16)
• fat32 (FAT32)
• ext2 (EXT2)
• ext3 (EXT3)
• ext4 (EXT4)
• ufs1 (UFS1)
• ufs2 (UFS2)
• vmdk

Evidence Image Support

• raw (Single raw file (dd))
• aff (Advanced Forensic Format)
• afd (AFF Multiple File)
• afm (AFF with external metadata)
• afflib (All AFFLIB image formats (including beta ones))
• ewf (Expert Witness format (encase))
• split raw (Split raw files) via affuse
• affuse x2010 mount 001 image/split images to view single raw file and metadata
• split ewf (Split E01 files) via mount_ewf.py
• mount_ewf.py x2010 mount E01 image/split images to view single raw file and metadata
• ewfmount – mount E01 images/split images to view single rawfile and metadata

Partition Table Support

• dos (DOS Partition Table)
• mac (MAC Partition Map)
• bsd (BSD Disk Label)
• sun (Sun Volume Table of Contents (Solaris))
• gpt (GUID Partition Table (EFI))

Software Includes:

• log2timeline (Timeline Generation Tool)
• Rekall Framework (Memory Analysis)
• Volatility Framework (Memory Analysis)
• Autopsy (GUI Front-End for Sleuthkit)
• PyFLAG (GUI Log/Disk Examination)afflib
  • afflib-tools
• libbde
• libesedb
• libevt
• libevtx
• libewf
  • libewf-tools
  • libewf-python
• libfvde
• libvshadow
• log2timeline
• Plaso
• qemu
• SleuthKit
• 100s more tools -> See Detailed Package Listing

SIFT Workstation 3 How-Tos

• SANS DFIR Posters and Cheat Sheets
• SIFT Documentation Project
• How To Mount a Disk Image In Read-Only Mode
• How To Create a Filesystem and Registry Timeline
• How To Create a Super Timeline
• How to use the SIFT Workstation for Basic Memory Image Analysis

Report Bugs

As with any release, there will be bugs and requests, please report all issues and bugs to the following website and location.

https://github.com/sans-dfir/sift/issues

SIFT Recommendations

SIFT workstation is playing an important role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its forensic capabilities are bundled on a way that allows an investigation to be conducted much faster than it would take if not having the right programs grouped on such great Linux distribution. The new version, which will be bootable, will be even more helpful. I’d highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, from the pricey forensics software available on the market.

• Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE

What I like the best about SIFT is that my forensic analysis is not limited because of only being ableto run a forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, stream-lining the forensic examination process.