SANS Investigative Forensic Toolkit (SIFT) Version 2.0 in the wild

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

SANS SIFT Workstation 2.0 Overview

  • VMware Appliance
  • Ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Forensic tools preconfigured
  • A portable lab workstation you can now use for your investigations
  • Option to install stand-alone via (.iso) or use via VMware Player/Workstation

SIFT Workstation 2.0 Capabilities

Ability to securely examine raw disks, multiple file systems, evidence formats. Places strict guidelines on how evidence is examined (read-only) verifying that the evidence has not changed
File system support

  • Windows (MSDOS, FAT, VFAT, NTFS)
  • MAC (HFS)
  • Solaris (UFS)
  • Linux (EXT2/3)
JPEG - 84.4 kb

Evidence Image Support

  • Expert Witness (E01)
  • RAW (dd)
  • Advanced Forensic Format (AFF)

Software Includes:

  • The Sleuth Kit (File system Analysis Tools)
  • log2timeline (Timeline Generation Tool)
  • ssdeep & md5deep (Hashing Tools)
  • Foremost/Scalpel (File Carving)
  • WireShark (Network Forensics)
  • Vinetto (thumbs.db examination)
  • Pasco (IE Web History examination)
  • Rifiuti (Recycle Bin examination)
  • Volatility Framework (Memory Analysis)
  • DFLabs PTK (GUI Front-End for Sleuthkit)
  • Autopsy (GUI Front-End for Sleuthkit)
  • PyFLAG (GUI Log/Disk Examination)

Detailed tools used along with SIFT

Post scriptum

Compliance Mandates

  • Forensics :

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only

Related Articles