What is SIFT Workstation and how install it on my Linux (or Windows) system?

In my point of view, SIFT is the definitive forensic toolkit!

The SIFT Workstation is a collection of tools for forensic investigators and incident responders, put together and maintained by a team at SANS and specifically Rob Lee, also available bundled as a virtual machine.

Here some features:

File system support

  • NTFS (NTFS)
  • iso9660 (ISO9660 CD)
  • hfs (HFS+)
  • raw (Raw Data)
  • swap (Swap Space)
  • memory (RAM Data)
  • fat12 (FAT12)
  • fat16 (FAT16)
  • fat32 (FAT32)
  • ext2 (EXT2)
  • ext3 (EXT3)
  • ext4 (EXT4)
  • ufs1 (UFS1)
  • ufs2 (UFS2)
  • vmdk

Evidence Image Support

  • raw (Single raw file (dd))
  • aff (Advanced Forensic Format)
  • afd (AFF Multiple File)
  • afm (AFF with external metadata)
  • afflib (All AFFLIB image formats (including beta ones))
  • ewf (Expert Witness format (encase))
  • split raw (Split raw files) via affuse
  • affuse – mount 001 image/split images to view single raw file and metadata
  • split ewf (Split E01 files) via mount_ewf.py
  • mount_ewf.py – mount E01 image/split images to view single raw file and metadata
  • ewfmount – mount E01 images/split images to view single raw file and metadata

Incident Response Support

  • F-Response Tool Suite Compatible
  • Rapid Scripting and Analysis
  • Threat Intelligence and Indicator of Compromise Support
  • Threat Hunting and Malware Analysis Capabilities

Included Tools

Name Version
4n6time-static 1.0.1-1ubuntu1
aeskeyfind 1:1.0-1
afflib-tools 3.6.6-1.1
afterglow 1.6.4-ubuntu1
aircrack-ng 1.2-beta2-sift1
arp-scan 1.8.1-1
autopsy 2.24-1
bcrypt 1.1-6
binplist 0.1.4-0ubuntu1
bitpim 1.0.7+dfsg1-2build1
bitpim-lib 1.0.7+dfsg1-2build1
bkhive 1.1.1-1
bless 0.6.0-3
blt 2.4z-4.2ubuntu1
build-essential 11.5ubuntu2.1
bulk-extractor 1.4.0-beta5-ubuntu5
cabextract 1.4-1
ccrypt 1.9-4
clamav 0.97.8+dfsg-1ubuntu1.12.04.1
cmospwd 5
cryptcat 20031202-4
cryptsetup 2:1.4.1-2ubuntu4
curl 7.22.0-3ubuntu4.7
dc3dd 7.1.614-1
dcfldd 1.3.4.1-2
dconf-tools 0.12.0-0ubuntu1.1
dff 1.2.0+dfsg.1-1
driftnet 0.1.6-9ubuntu1
dumbpig 0.10-ubuntu1
e2fslibs-dev 1.42-1ubuntu2
ent 1.1debian-1.1
epic5 1.1.2-2build1
etherape 0.9.12-1
ettercap-graphical 1:0.7.4.2-1
ettercap-text-only 1:0.7.4.2-1
exif 0.6.20-1
extundelete 0.2.0-2 precise
f-spot 0.8.2-4
fdupes 1.50-PR2-3
flare 0.15.1-1
flasm 1.62-6
flex 2.5.35-10ubuntu3
foremost 1.5.7-1
fuse-utils 2.8.6-2ubuntu2
g++ 4:4.6.3-1ubuntu5
gcc 4:4.6.3-1ubuntu5
gdb 7.4-2012.04-0ubuntu2.1
gddrescue 1.14-1
ghex 3.4.0-0ubuntu1
gthumb 3:2.14.3-0ubuntu1
gzrt 0.5-2ubuntu1
hal 0.5.14-8
hal-info 20091130-1
hexedit 1.2.12-4
honeyd 1.5c-8ubuntu1
htop 1.0.1
hydra 7.1-1build1
hydra-gtk 7.1-1build1
ipython 0.12.1+dfsg-0ubuntu1
jdgui 0.3.5
kdiff3 0.9.96-2
knocker 0.7.1-3.1
kpartx 0.4.9-3ubuntu5
libafflib0 3.6.6-1.1
libbde 20130908-1ubuntu2
libbde-tools 20130908-1ubuntu2
libesedb 20120102-1ubuntu1
libesedb-tools 20120102-1ubuntu1
libevt 20131013-1ubuntu1
libevt-tools 20131013-1ubuntu1
libevtx 20131013-1ubuntu1
libevtx-tools 20131013-1ubuntu1
libewf 20131210-1ubuntu2
libewf-dev 20131210-1ubuntu2
libewf-python 20131210-1ubuntu2
libewf-tools 20131210-1ubuntu2
libfuse-dev 2.8.6-2ubuntu2
libfvde 20130305-1ubuntu3
libfvde-tools 20130305-1ubuntu3
liblightgrep 1.2.1-ubuntu2
libmsiecf 20131015-1ubuntu1
libnet1 1.1.4-2.1
libolecf 20131108-1ubuntu1
libparse-win32registry-perl 0.60-1
libplist1 1.8-1
libplist-dev 1.8-1
libregf 20130922-1ubuntu2
libregf-dev 20130922-1ubuntu2
libregf-python 20130922-1ubuntu2
libregf-tools 20130922-1ubuntu2
libssl-dev 1.0.1-4ubuntu5.10
libtext-csv-perl 1.21-1
libvshadow 20131209-1ubuntu2
libvshadow-dev 20131209-1ubuntu2
libvshadow-python 20131209-1ubuntu2
libvshadow-tools 20131209-1ubuntu2
libxml2-dev 2.7.8.dfsg-5.1ubuntu4.6
lft 2.2-4
mac-robber 1.02-sift1
maltegoce 3.4.0.5004-ubuntu1
md5deep 3.9.2-1
myunity 3.1.3-0ubuntu1
nbd-client 2.9.25-2ubuntu1
nbtscan 1.5.1-6
netcat 1.10-39
netpbm 2:10.0-15
netsed 1.00b-2
netwox 5.36.0-1.2
nfdump 1.6.11-sift1
ngrep 1.45.ds2-11
nikto 1:2.1.4-2
ntopng 1.1
okular 4:4.8.5-0ubuntu0.1
openjdk-6-jdk 6b27-1.12.6-1ubuntu0.12.04.4
ophcrack 3.3.0-1build1
ophcrack-cli 3.3.0-1build1
outguess 1:0.2-7
perl-log2timeline UNKNOWN
p7zip-full 9.20.1~dfsg.1-4
phonon 4:4.7.0really4.6.0-0ubuntu1
p0f 2.0.8-2
pv 1.2.0
pyew 2.0-3
python 2.7.3-0ubuntu2.2
python-analyzemft 2.0.11-ubuntu2
python-flowgrep 0.9-ubuntu2
python-nids 0.6.1-1build1
python-ntdsxtract 1.2-beta-ubuntu6
python-pefile 1.2.9.1-1
python-plaso 1.0.2-3
python-qt4 4.9.1-2ubuntu1
python-tk 2.7.3-1ubuntu1
python-yara 1.7-1ubuntu1~ppa1~p
pytsk3 4.1.2-1ubuntu2
qemu 1.0+noroms-0ubuntu14.12
qemu-utils 1.0+noroms-0ubuntu14.12
readpst 0.6.54-0ubuntu1
rsakeyfind 1:1.0-2build1
safecopy 1.6-1build1
scalpel 1.60-1build1
samdump2 1.1.1-1
socat 1.7.1.3-1.2
sleuthkit 4.1.3-1ubuntu5
ssdeep 2.7-1
ssldump 0.9b3-4.1
stegdetect 1.0-precise1
stunnel4 3:4.42-1
tcl 8.5.0-2 precise
tcpflow 0.21.ds1-6
tcpreplay 3.4.3-2ubuntu2
tcpstat 1.5-7
tcptrace 6.6.7-4
tcptrack 1.4.2-1build1
tcpxtract 1.0.1-8
testdisk 6.13-1
tofrodos 1.7.9.debian.1-1
torsocks 1.2-1
transmission 2.51-0ubuntu1.3
unrar 1:4.0.3-1
upx-ucl 3.08-2ubuntu1
vbindiff 3.0-beta3-1
virtuoso-minimal 6.1.4+dfsg1-0ubuntu1
winbind 2:3.6.3-2ubuntu2.9
wine 1.4-0ubuntu4.1
wireshark 1.6.7-1
xmount 0.4.5-1
zenity 3.4.0-0ubuntu4

And here a long video by Rob Lee with a big overview of the toolkit:


Download and Install SIFT Workstation

VM appliance

The most simple way is download the VM Appliance, from this link:

Download SIFT Workstation Virtual Appliance (.ova format)

Note: a valid SANS account is required. You can register here.

After, you should import the OVA file into your virtualization environment:

One started the VM, you can login using this credentials:

  • Login: sansforensics
  • Password: forensics

Manual installation on a Linux System

You can also install the toolkit on an Ubuntu 16.04 installation:

  1. Download and install SIFT-CLI 
    1. Go to  Latest Releases page on GitHub repository.
    2. Download all the release files
      • sift-cli-linux
      • sift-cli-linux.sha256.asc
    3. Import the PGP Key
      gpg --keyserver pgp.mit.edu --recv-keys 22598A94
    4. Validate the signature
      gpg --verify sift-cli-linux.sha256.asc
    5. Validate SHA256 signature
      shasum -a 256 -c sift-cli-linux.sha256.asc

      OR

      sha256sum -c sift-cli-linux.sha256.asc

      Note: You’ll see an error about improperly formatted lines, it can be ignored so long as you see sift-cli-linux: OKbefore it

    6. Move the file to
      sudo mv sift-cli-linux /usr/local/bin/sift
    7. Run
      chmod 755 /usr/local/bin/sift
  2. Run
    $ sudo sift install

Manual installation under Windows Subsystem for Linux

  1. Install Linux subsystem
    • Open PowerShell as Administrator and run:
      Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  2. Launch Ubuntu Bash Shell from a windows.
  3. Download and install SIFT-CLI Tool by following the instruction on Step 1 of previous list.
  4. Run
    $ sudo sift install
Some limitations on Windows Subsystem
  • Image mounting: due to fuse driver issues, using ewfmount, mountwin or imageMounter.py will result in the following error:
    fuse: device not found, try ‘modprobe fuse’ first
    Unable to create fuse channel.
  • No GUI Support: the lack of an X Server prevents you from running graphical applications.
    This isn’t a huge issue with SIFT as the overwhelming majority of the tools you will have installed SIFT for are command line.

References

 

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.