A free tool is changing the way digital forensic professionals perform detailed examinations. The SANS Investigative Forensic Toolkit (SIFT) Workstation 2.0, created by Rob Lee, is the first of its kind – an online virtualized workstation environment to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools…”The SIFT Workstation incorporates the majority of the open-source and free solutions into a single package to solve complex computer crime cases,” said Lee. “A seasoned digital forensic professional or an individual just starting in the digital forensics field does not need to spend thousands of dollars in order to perform computer forensics. This work station provides capability to forensicators who need critical analysis capability today.”
SIFT, first unveiled in Lee’s Computer Forensic Investigations and Incident Response SANS course (FOR 508), has the ability to securely examine raw disks, multiple file systems and evidence formats. The tool places strict guidelines on how evidence is examined while verifying that the evidence has not changed.
SIFT is a VMware Appliance or installation DVD that is preconfigured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.
Meanwhile, the workstation is a tool of choice for many that have earned GCFA certification. GCFA is the largest vendor neutral digital forensic certification available in the world, with over 2,000 certified people. Those certified have the knowledge and skills to handle advanced incident handling scenarios, conduct formal incident investigations, and carry out forensic investigation of networks and hosts. Additionally, GCFA was a finalist for this year’s SC Magazine Awards.
For more information and to try the tool, visit http://computer-forensics.sans.org and select “Downloads” under the “Forensics Community” drop down.