SANS SIFT Workstation 2.0 Released  

robtlee
(@robtlee)
New Member

SIFT Workstation 2.0 Download Location

* http://computer-forensics.sans.org
o Look under the Community Tab -> Select Downloads

Background

Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation featured in the Computer Forensic Investigations and Incident Response course (FOR 508) in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools.

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite. Optionally, you can download the SIFT Workstation DVD ISO which will allow you to install this on a stand-alone system.

SIFT Workstation 2.0 Capabilities

Ability to securely examine raw disks, multiple file systems, and evidence formats. Places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

File system support

* Windows (MSDOS, FAT, VFAT, NTFS)
* MAC (HFS)
* Solaris (UFS)
* Linux (EXT2/3)

Evidence Image Support

* Expert Witness (E01)
* RAW (dd)
* Advanced Forensic Format (AFF)

Software Includes

* The Sleuth Kit (File system Analysis Tools)
* log2timeline (Timeline Generation Tool)
* Regripper (registry mining)
* ssdeep & md5deep (Hashing Tools)
* Foremost/Scalpel (File Carving)
* Wireshark (Network Forensics)
* Vinetto (thumbs.db examination)
* Pasco (IE Web History examination)
* Rifiuti (Recycle Bin examination)
* Volatility Framework (Memory Analysis)
* DFLabs PTK (GUI Front-End for Sleuthkit)
* Autopsy (GUI Front-End for Sleuthkit)
* PyFLAG (GUI Log/Disk Examination)
* And over 150 more tools/capabilities

Posted : 26/03/2010 9:53 am
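The read-only, hash-verified examination workflow the post describes (hash the evidence before analysis, attach it read-only, re-hash afterwards to show nothing changed), as an added example that is not part of SIFT or of the original post. It uses only GNU coreutils on the SIFT host's shell (sha256sum, find, sort, xargs, readlink, mktemp), standing in for what md5deep -r does on SIFT; the directory names, the 1 MiB zero-filled "image" and the sample log file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SIFT's own tooling): record hashes of evidence before analysis,
# then re-verify afterwards to show the evidence did not change.
# Assumes GNU coreutils (sha256sum, find, sort, xargs, readlink, mktemp).

# Print the SHA-256 of a single evidence image (e.g. a raw dd image).
image_hash() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Write a sorted manifest of SHA-256 hashes for every regular file under $1 to $2
# (the role md5deep -r plays on SIFT). Keep the manifest outside the evidence tree,
# otherwise it would be counted as part of the evidence on verification.
baseline_hashes() {
    dir=$1
    manifest=$(readlink -f "$2")
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# Verify the tree under $1 against manifest $2.
# Returns 0 when every file hashes as recorded and no file was added or removed,
# 1 otherwise. sha256sum -c catches modified and missing files; the file count
# catches files that were added after the baseline.
verify_hashes() {
    dir=$1
    manifest=$(readlink -f "$2")
    ( cd "$dir" && sha256sum --check --status "$manifest" ) || return 1
    expected=$(wc -l < "$manifest")
    actual=$(find "$dir" -type f | wc -l)
    [ "$expected" -eq "$actual" ]
}

# Demonstration on constructed data (a throwaway directory, not real evidence):
# baseline, "analyse", re-verify. Returns 0 when the evidence is proven unchanged.
demo() {
    work=$(mktemp -d)
    mkdir "$work/evidence"
    head -c 1048576 /dev/zero > "$work/evidence/disk.dd"   # constructed 1 MiB "raw image"
    printf 'constructed log line\n' > "$work/evidence/system.log"

    before=$(image_hash "$work/evidence/disk.dd")
    baseline_hashes "$work/evidence" "$work/manifest.sha256"

    # Analysis would happen here with the image attached read-only, e.g.
    #   mount -o ro,loop "$work/evidence/disk.dd" /mnt/evidence
    # (omitted: needs root and a file system inside the image).

    after=$(image_hash "$work/evidence/disk.dd")
    if [ "$before" = "$after" ] && verify_hashes "$work/evidence" "$work/manifest.sha256"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}
```

Run `demo` to see the round trip succeed; to see it fail, append a byte to any file under the evidence directory between `baseline_hashes` and `verify_hashes`. The manifest is the artefact to keep with the case notes: it is what lets a second examiner show, later, that the image they received is the one that was hashed.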
DFICSI
(@dficsi)
Active Member

Rob,

Downloading this now, if you need mirrors for the VM let me know and I'll put it on Forensic 4cast.

Posted : 26/03/2010 1:26 pm
robtlee
(@robtlee)
New Member

First day will be the roughest. If it were me, I would download it tomorrow on the weekend. It will spike today. We usually do not have a great issue, and like E-Fense, if something changes or I find a bug, it is much easier to switch the version out quickly with an updated one.

–Rob

Posted : 26/03/2010 4:27 pm
jhup
(@jhup)
Community Legend

Agreed. Plus I am not going to register. Also waiting for .1 version D

Posted : 26/03/2010 7:48 pm
BitHead
(@bithead)
Community Legend

Rob,
Is there a change log? I have Version 2.0 (7-24-2009) from class.

Posted : 26/03/2010 8:44 pm
felixdz
(@felixdz)
New Member

Is there a way to download this with wget or aria2? I am in Cambodia on unreliable internet so I need a way to deal with interrupted downloads.

Or could it be put on a torrent like Linuxtracker?

I am hoping to make it to SANS Singapore but I would like to practice a bit before I arrive.

Posted : 27/03/2010 1:46 pm
johnt
(@johnt)
New Member

Are there any mirrors or other sources to download SIFT from? I've been repeatedly trying for the past three days, but the download site is frequently down and the downloads cut off after a few hundred MBs. I've tried from home, a friend's home, and work–all with the same results.

Thanks!

-John

Posted : 08/04/2010 11:17 pm
elorenz
(@elorenz)
New Member

Anyone found an alternate download location for this? The canonical download site appears well and truly hosed. Thanks in advance!

-Eric

Posted : 09/04/2010 12:21 am
reedsie
(@reedsie)
Junior Member

I have been looking as well no luck.

Posted : 09/04/2010 12:52 am
elorenz
(@elorenz)
New Member

The site just magically started responding and I'm getting good throughput.

-Eric

Posted : 09/04/2010 2:16 am
reedsie
(@reedsie)
Junior Member

Wish I could say the same

Posted : 09/04/2010 4:58 am