In my point of view, SIFT is the definitive forensic toolkit!

The SIFT Workstation is a collection of tools for forensic investigators and incident responders, put together and maintained by a team at SANS and specifically Rob Lee, also available bundled as a virtual machine.

Here some features:

File system support

  • NTFS (NTFS)
  • iso9660 (ISO9660 CD)
  • hfs (HFS+)
  • raw (Raw Data)
  • swap (Swap Space)
  • memory (RAM Data)
  • fat12 (FAT12)
  • fat16 (FAT16)
  • fat32 (FAT32)
  • ext2 (EXT2)
  • ext3 (EXT3)
  • ext4 (EXT4)
  • ufs1 (UFS1)
  • ufs2 (UFS2)
  • vmdk

Evidence Image Support

  • raw (Single raw file (dd))
  • aff (Advanced Forensic Format)
  • afd (AFF Multiple File)
  • afm (AFF with external metadata)
  • afflib (All AFFLIB image formats (including beta ones))
  • ewf (Expert Witness format (encase))
  • split raw (Split raw files) via affuse
  • affuse - mount 001 image/split images to view single raw file and metadata
  • split ewf (Split E01 files) via mount_ewf.py
  • mount_ewf.py - mount E01 image/split images to view single raw file and metadata
  • ewfmount - mount E01 images/split images to view single raw file and metadata

Incident Response Support

  • F-Response Tool Suite Compatible
  • Rapid Scripting and Analysis
  • Threat Intelligence and Indicator of Compromise Support
  • Threat Hunting and Malware Analysis Capabilities

Included Tools

Name Version
4n6time-static 1.0.1-1ubuntu1
aeskeyfind 1:1.0-1
afflib-tools 3.6.6-1.1
afterglow 1.6.4-ubuntu1
aircrack-ng 1.2-beta2-sift1
arp-scan 1.8.1-1
autopsy 2.24-1
bcrypt 1.1-6
binplist 0.1.4-0ubuntu1
bitpim 1.0.7+dfsg1-2build1
bitpim-lib 1.0.7+dfsg1-2build1
bkhive 1.1.1-1
bless 0.6.0-3
blt 2.4z-4.2ubuntu1
build-essential 11.5ubuntu2.1
bulk-extractor 1.4.0-beta5-ubuntu5
cabextract 1.4-1
ccrypt 1.9-4
clamav 0.97.8+dfsg-1ubuntu1.12.04.1
cmospwd 5
cryptcat 20031202-4
cryptsetup 2:1.4.1-2ubuntu4
curl 7.22.0-3ubuntu4.7
dc3dd 7.1.614-1
dcfldd 1.3.4.1-2
dconf-tools 0.12.0-0ubuntu1.1
dff 1.2.0+dfsg.1-1
driftnet 0.1.6-9ubuntu1
dumbpig 0.10-ubuntu1
e2fslibs-dev 1.42-1ubuntu2
ent 1.1debian-1.1
epic5 1.1.2-2build1
etherape 0.9.12-1
ettercap-graphical 1:0.7.4.2-1
ettercap-text-only 1:0.7.4.2-1
exif 0.6.20-1
extundelete 0.2.0-2 precise
f-spot 0.8.2-4
fdupes 1.50-PR2-3
flare 0.15.1-1
flasm 1.62-6
flex 2.5.35-10ubuntu3
foremost 1.5.7-1
fuse-utils 2.8.6-2ubuntu2
g++ 4:4.6.3-1ubuntu5
gcc 4:4.6.3-1ubuntu5
gdb 7.4-2012.04-0ubuntu2.1
gddrescue 1.14-1
ghex 3.4.0-0ubuntu1
gthumb 3:2.14.3-0ubuntu1
gzrt 0.5-2ubuntu1
hal 0.5.14-8
hal-info 20091130-1
hexedit 1.2.12-4
honeyd 1.5c-8ubuntu1
htop 1.0.1
hydra 7.1-1build1
hydra-gtk 7.1-1build1
ipython 0.12.1+dfsg-0ubuntu1
jdgui 0.3.5
kdiff3 0.9.96-2
knocker 0.7.1-3.1
kpartx 0.4.9-3ubuntu5
libafflib0 3.6.6-1.1
libbde 20130908-1ubuntu2
libbde-tools 20130908-1ubuntu2
libesedb 20120102-1ubuntu1
libesedb-tools 20120102-1ubuntu1
libevt 20131013-1ubuntu1
libevt-tools 20131013-1ubuntu1
libevtx 20131013-1ubuntu1
libevtx-tools 20131013-1ubuntu1
libewf 20131210-1ubuntu2
libewf-dev 20131210-1ubuntu2
libewf-python 20131210-1ubuntu2
libewf-tools 20131210-1ubuntu2
libfuse-dev 2.8.6-2ubuntu2
libfvde 20130305-1ubuntu3
libfvde-tools 20130305-1ubuntu3
liblightgrep 1.2.1-ubuntu2
libmsiecf 20131015-1ubuntu1
libnet1 1.1.4-2.1
libolecf 20131108-1ubuntu1
libparse-win32registry-perl 0.60-1
libplist1 1.8-1
libplist-dev 1.8-1
libregf 20130922-1ubuntu2
libregf-dev 20130922-1ubuntu2
libregf-python 20130922-1ubuntu2
libregf-tools 20130922-1ubuntu2
libssl-dev 1.0.1-4ubuntu5.10
libtext-csv-perl 1.21-1
libvshadow 20131209-1ubuntu2
libvshadow-dev 20131209-1ubuntu2
libvshadow-python 20131209-1ubuntu2
libvshadow-tools 20131209-1ubuntu2
libxml2-dev 2.7.8.dfsg-5.1ubuntu4.6
lft 2.2-4
mac-robber 1.02-sift1
maltegoce 3.4.0.5004-ubuntu1
md5deep 3.9.2-1
myunity 3.1.3-0ubuntu1
nbd-client 2.9.25-2ubuntu1
nbtscan 1.5.1-6
netcat 1.10-39
netpbm 2:10.0-15
netsed 1.00b-2
netwox 5.36.0-1.2
nfdump 1.6.11-sift1
ngrep 1.45.ds2-11
nikto 1:2.1.4-2
ntopng 1.1
okular 4:4.8.5-0ubuntu0.1
openjdk-6-jdk 6b27-1.12.6-1ubuntu0.12.04.4
ophcrack 3.3.0-1build1
ophcrack-cli 3.3.0-1build1
outguess 1:0.2-7
perl-log2timeline UNKNOWN
p7zip-full 9.20.1~dfsg.1-4
phonon 4:4.7.0really4.6.0-0ubuntu1
p0f 2.0.8-2
pv 1.2.0
pyew 2.0-3
python 2.7.3-0ubuntu2.2
python-analyzemft 2.0.11-ubuntu2
python-flowgrep 0.9-ubuntu2
python-nids 0.6.1-1build1
python-ntdsxtract 1.2-beta-ubuntu6
python-pefile 1.2.9.1-1
python-plaso 1.0.2-3
python-qt4 4.9.1-2ubuntu1
python-tk 2.7.3-1ubuntu1
python-yara 1.7-1ubuntu1~ppa1~p
pytsk3 4.1.2-1ubuntu2
qemu 1.0+noroms-0ubuntu14.12
qemu-utils 1.0+noroms-0ubuntu14.12
readpst 0.6.54-0ubuntu1
rsakeyfind 1:1.0-2build1
safecopy 1.6-1build1
scalpel 1.60-1build1
samdump2 1.1.1-1
socat 1.7.1.3-1.2
sleuthkit 4.1.3-1ubuntu5
ssdeep 2.7-1
ssldump 0.9b3-4.1
stegdetect 1.0-precise1
stunnel4 3:4.42-1
tcl 8.5.0-2 precise
tcpflow 0.21.ds1-6
tcpreplay 3.4.3-2ubuntu2
tcpstat 1.5-7
tcptrace 6.6.7-4
tcptrack 1.4.2-1build1
tcpxtract 1.0.1-8
testdisk 6.13-1
tofrodos 1.7.9.debian.1-1
torsocks 1.2-1
transmission 2.51-0ubuntu1.3
unrar 1:4.0.3-1
upx-ucl 3.08-2ubuntu1
vbindiff 3.0-beta3-1
virtuoso-minimal 6.1.4+dfsg1-0ubuntu1
winbind 2:3.6.3-2ubuntu2.9
wine 1.4-0ubuntu4.1
wireshark 1.6.7-1
xmount 0.4.5-1
zenity 3.4.0-0ubuntu4

And here a long video by Rob Lee with a big overview of the toolkit:

https://www.youtube.com/watch?v=ai_7Fkv6igw


Download and Install SIFT Workstation

VM appliance

The most simple way is download the VM Appliance, from this link:

Download SIFT Workstation Virtual Appliance (.ova format)

Note: a valid SANS account is required. You can register here.

After, you should import the OVA file into your virtualization environment:

One started the VM, you can login using this credentials:

  • Login: sansforensics
  • Password: forensics

Manual installation on a Linux System

You can also install the toolkit on an Ubuntu 16.04 installation:

  1. Download and install SIFT-CLI 
    1. Go to  Latest Releases page on GitHub repository.
    2. Download all the release files
      • sift-cli-linux
      • sift-cli-linux.sha256.asc
    3. Import the PGP Key
      gpg --keyserver pgp.mit.edu --recv-keys 22598A94
    4. Validate the signature
      gpg --verify sift-cli-linux.sha256.asc
    5. Validate SHA256 signature
      shasum -a 256 -c sift-cli-linux.sha256.asc

      OR

      sha256sum -c sift-cli-linux.sha256.asc

      Note: You'll see an error about improperly formatted lines, it can be ignored so long as you see sift-cli-linux: OKbefore it

    6. Move the file to
      sudo mv sift-cli-linux /usr/local/bin/sift
    7. Run
      chmod 755 /usr/local/bin/sift
  2. Run
    $ sudo sift install

Manual installation under Windows Subsystem for Linux

  1. Install Linux subsystem
    • Open PowerShell as Administrator and run:
      Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  2. Launch Ubuntu Bash Shell from a windows.
  3. Download and install SIFT-CLI Tool by following the instruction on Step 1 of previous list.
  4. Run
    $ sudo sift install
Some limitations on Windows Subsystem
  • Image mounting: due to fuse driver issues, using ewfmount, mountwin or imageMounter.py will result in the following error:
    fuse: device not found, try 'modprobe fuse' first
    Unable to create fuse channel.
  • No GUI Support: the lack of an X Server prevents you from running graphical applications.
    This isn't a huge issue with SIFT as the overwhelming majority of the tools you will have installed SIFT for are command line.

References