SIFT Workstation - Digital Forensics and Incident Response Distribution
SIFT is a computer forensics distribution that installs all necessary tools on Ubuntu to perform a detailed digital forensic and incident response examination. It is compatible with expert witness format (E01), advanced forensic format (AFF), raw (dd), and memory analysis evidence formats.
| | |
|---|---|
| Developer(s) | Rob Lee, Harbingers LLC |
| Initial release | December 13, 2008 |
| Repository | github.com/sans-dfir/sift |
| Operating system | Ubuntu |
| Available in | English |
| Type | Computer forensics |
| Website | digital-forensics.sans.org |
Use
The toolkit can examine raw disks, multiple file systems, and several evidence image formats. It enforces strict guidelines on how evidence is handled: images are examined read-only, and their integrity is verified to confirm that the evidence has not changed.
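The integrity check described above, as an added example that is not part of SIFT or any of the tools it ships: an evidence image is hashed at acquisition time into a manifest in the "HEXDIGEST  FILENAME" line layout that md5sum and md5deep produce, the image is only ever opened read-only during examination, and a later verification pass reports whether each file still matches. The sample image bytes, file names and helper names below are constructed for the example.

```python
"""Verify that an evidence image is unchanged by comparing it against an
acquisition-time hash manifest (md5sum/md5deep "HEXDIGEST  NAME" lines).

Added example, not code from the SIFT project. The image contents, the file
names and the helper names are assumptions made for this illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images need not fit in RAM


def hash_file(path, algo="md5"):
    """Return the hex digest of the file at `path`, opened strictly read-only."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:  # "rb": the evidence is never opened for writing
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algo="md5"):
    """Write one "hexdigest  basename" line per file, the layout md5sum/md5deep emit."""
    with open(manifest_path, "w") as out:
        for p in paths:
            out.write(f"{hash_file(p, algo)}  {os.path.basename(p)}\n")


def parse_manifest_lines(lines):
    """Parse "hexdigest  name" lines into {name: hexdigest}.

    Blank lines and '#' comments are skipped; any other malformed line is an error,
    because a manifest that silently drops entries gives false assurance.
    """
    expected = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not name or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def parse_manifest(manifest_path):
    """Read a manifest file and return {name: hexdigest}."""
    with open(manifest_path) as fh:
        return parse_manifest_lines(fh)


def verify_manifest(manifest_path, base_dir, algo="md5"):
    """Return {name: status}, status being "OK", "MISMATCH" or "MISSING"."""
    results = {}
    for name, want in parse_manifest(manifest_path).items():
        path = os.path.join(base_dir, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if hash_file(path, algo) == want else "MISMATCH"
    return results


def demo():
    """Build a stand-in image, record its hash, verify it, then show a detected write."""
    work = tempfile.mkdtemp(prefix="sift-example-")
    image = os.path.join(work, "evidence.dd")  # constructed stand-in, not a real disk image
    with open(image, "wb") as fh:
        fh.write(b"constructed sample bytes standing in for a raw image\n" * 1000)
    manifest = os.path.join(work, "evidence.md5")
    write_manifest([image], manifest)
    before = verify_manifest(manifest, work)
    with open(image, "ab") as fh:  # simulate an accidental write during examination
        fh.write(b"\x00")
    after = verify_manifest(manifest, work)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)  # {'evidence.dd': 'OK'}
    print("after: ", after)   # {'evidence.dd': 'MISMATCH'}
```

The `algo` parameter accepts any name `hashlib` knows, so the same manifest code serves a SHA-256 workflow; MD5 is used here only because it matches the md5deep manifest layout shown.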
File system support
- Windows (MS-DOS, FAT, VFAT, NTFS)
- Mac (HFS)
- Solaris (UFS)
- Linux (ext2/3)
Evidence image support
- Expert Witness (E01/L01)
- RAW (dd)
- Advanced Forensic Format (AFF)
- Memory forensics images
Software[1]
- The Sleuth Kit (file system analysis tools)
- Plaso and log2timeline (timeline generation tools)
- ssdeep & md5deep (hashing tools)
- Foremost/Scalpel (file carving)
- Wireshark (network forensics)
- Volatility Framework (memory analysis)
- Autopsy (GUI front-end for The Sleuth Kit)
Features
1) Ubuntu LTS 16.04 Base
2) 64-bit base system
3) Auto-DFIR package update and customization.
4) VMware appliance ready to tackle forensics.
5) Cross-compatibility between Windows and Linux.
6) Choice to install stand-alone via (.iso) or use VMware player/Workstation.
References
- "Investigate and fight cyberattacks with SIFT Workstation".