What is SIFT Workstation and how do I install it on my Linux (or Windows) system?
In my opinion, SIFT is the definitive forensic toolkit!
The SIFT Workstation is a collection of tools for forensic investigators and incident responders, put together and maintained by a SANS team led by Rob Lee, and also available bundled as a virtual machine.
Here are some of its features:
File system support
- NTFS (NTFS)
- iso9660 (ISO9660 CD)
- hfs (HFS+)
- raw (Raw Data)
- swap (Swap Space)
- memory (RAM Data)
- fat12 (FAT12)
- fat16 (FAT16)
- fat32 (FAT32)
- ext2 (EXT2)
- ext3 (EXT3)
- ext4 (EXT4)
- ufs1 (UFS1)
- ufs2 (UFS2)
- vmdk
Evidence Image Support
- raw (Single raw file (dd))
- aff (Advanced Forensic Format)
- afd (AFF Multiple File)
- afm (AFF with external metadata)
- afflib (All AFFLIB image formats (including beta ones))
- ewf (Expert Witness format (encase))
- split raw (Split raw files) via affuse
- affuse - mount 001 image/split images to view single raw file and metadata
- split ewf (Split E01 files) via mount_ewf.py
- mount_ewf.py - mount E01 image/split images to view single raw file and metadata
- ewfmount - mount E01 images/split images to view single raw file and metadata
Incident Response Support
- F-Response Tool Suite Compatible
- Rapid Scripting and Analysis
- Threat Intelligence and Indicator of Compromise Support
- Threat Hunting and Malware Analysis Capabilities
Included Tools
Name | Version |
4n6time-static | 1.0.1-1ubuntu1 |
aeskeyfind | 1:1.0-1 |
afflib-tools | 3.6.6-1.1 |
afterglow | 1.6.4-ubuntu1 |
aircrack-ng | 1.2-beta2-sift1 |
arp-scan | 1.8.1-1 |
autopsy | 2.24-1 |
bcrypt | 1.1-6 |
binplist | 0.1.4-0ubuntu1 |
bitpim | 1.0.7+dfsg1-2build1 |
bitpim-lib | 1.0.7+dfsg1-2build1 |
bkhive | 1.1.1-1 |
bless | 0.6.0-3 |
blt | 2.4z-4.2ubuntu1 |
build-essential | 11.5ubuntu2.1 |
bulk-extractor | 1.4.0-beta5-ubuntu5 |
cabextract | 1.4-1 |
ccrypt | 1.9-4 |
clamav | 0.97.8+dfsg-1ubuntu1.12.04.1 |
cmospwd | 5 |
cryptcat | 20031202-4 |
cryptsetup | 2:1.4.1-2ubuntu4 |
curl | 7.22.0-3ubuntu4.7 |
dc3dd | 7.1.614-1 |
dcfldd | 1.3.4.1-2 |
dconf-tools | 0.12.0-0ubuntu1.1 |
dff | 1.2.0+dfsg.1-1 |
driftnet | 0.1.6-9ubuntu1 |
dumbpig | 0.10-ubuntu1 |
e2fslibs-dev | 1.42-1ubuntu2 |
ent | 1.1debian-1.1 |
epic5 | 1.1.2-2build1 |
etherape | 0.9.12-1 |
ettercap-graphical | 1:0.7.4.2-1 |
ettercap-text-only | 1:0.7.4.2-1 |
exif | 0.6.20-1 |
extundelete | 0.2.0-2 precise |
f-spot | 0.8.2-4 |
fdupes | 1.50-PR2-3 |
flare | 0.15.1-1 |
flasm | 1.62-6 |
flex | 2.5.35-10ubuntu3 |
foremost | 1.5.7-1 |
fuse-utils | 2.8.6-2ubuntu2 |
g++ | 4:4.6.3-1ubuntu5 |
gcc | 4:4.6.3-1ubuntu5 |
gdb | 7.4-2012.04-0ubuntu2.1 |
gddrescue | 1.14-1 |
ghex | 3.4.0-0ubuntu1 |
gthumb | 3:2.14.3-0ubuntu1 |
gzrt | 0.5-2ubuntu1 |
hal | 0.5.14-8 |
hal-info | 20091130-1 |
hexedit | 1.2.12-4 |
honeyd | 1.5c-8ubuntu1 |
htop | 1.0.1 |
hydra | 7.1-1build1 |
hydra-gtk | 7.1-1build1 |
ipython | 0.12.1+dfsg-0ubuntu1 |
jdgui | 0.3.5 |
kdiff3 | 0.9.96-2 |
knocker | 0.7.1-3.1 |
kpartx | 0.4.9-3ubuntu5 |
libafflib0 | 3.6.6-1.1 |
libbde | 20130908-1ubuntu2 |
libbde-tools | 20130908-1ubuntu2 |
libesedb | 20120102-1ubuntu1 |
libesedb-tools | 20120102-1ubuntu1 |
libevt | 20131013-1ubuntu1 |
libevt-tools | 20131013-1ubuntu1 |
libevtx | 20131013-1ubuntu1 |
libevtx-tools | 20131013-1ubuntu1 |
libewf | 20131210-1ubuntu2 |
libewf-dev | 20131210-1ubuntu2 |
libewf-python | 20131210-1ubuntu2 |
libewf-tools | 20131210-1ubuntu2 |
libfuse-dev | 2.8.6-2ubuntu2 |
libfvde | 20130305-1ubuntu3 |
libfvde-tools | 20130305-1ubuntu3 |
liblightgrep | 1.2.1-ubuntu2 |
libmsiecf | 20131015-1ubuntu1 |
libnet1 | 1.1.4-2.1 |
libolecf | 20131108-1ubuntu1 |
libparse-win32registry-perl | 0.60-1 |
libplist1 | 1.8-1 |
libplist-dev | 1.8-1 |
libregf | 20130922-1ubuntu2 |
libregf-dev | 20130922-1ubuntu2 |
libregf-python | 20130922-1ubuntu2 |
libregf-tools | 20130922-1ubuntu2 |
libssl-dev | 1.0.1-4ubuntu5.10 |
libtext-csv-perl | 1.21-1 |
libvshadow | 20131209-1ubuntu2 |
libvshadow-dev | 20131209-1ubuntu2 |
libvshadow-python | 20131209-1ubuntu2 |
libvshadow-tools | 20131209-1ubuntu2 |
libxml2-dev | 2.7.8.dfsg-5.1ubuntu4.6 |
lft | 2.2-4 |
mac-robber | 1.02-sift1 |
maltegoce | 3.4.0.5004-ubuntu1 |
md5deep | 3.9.2-1 |
myunity | 3.1.3-0ubuntu1 |
nbd-client | 2.9.25-2ubuntu1 |
nbtscan | 1.5.1-6 |
netcat | 1.10-39 |
netpbm | 2:10.0-15 |
netsed | 1.00b-2 |
netwox | 5.36.0-1.2 |
nfdump | 1.6.11-sift1 |
ngrep | 1.45.ds2-11 |
nikto | 1:2.1.4-2 |
ntopng | 1.1 |
okular | 4:4.8.5-0ubuntu0.1 |
openjdk-6-jdk | 6b27-1.12.6-1ubuntu0.12.04.4 |
ophcrack | 3.3.0-1build1 |
ophcrack-cli | 3.3.0-1build1 |
outguess | 1:0.2-7 |
perl-log2timeline | UNKNOWN |
p7zip-full | 9.20.1~dfsg.1-4 |
phonon | 4:4.7.0really4.6.0-0ubuntu1 |
p0f | 2.0.8-2 |
pv | 1.2.0 |
pyew | 2.0-3 |
python | 2.7.3-0ubuntu2.2 |
python-analyzemft | 2.0.11-ubuntu2 |
python-flowgrep | 0.9-ubuntu2 |
python-nids | 0.6.1-1build1 |
python-ntdsxtract | 1.2-beta-ubuntu6 |
python-pefile | 1.2.9.1-1 |
python-plaso | 1.0.2-3 |
python-qt4 | 4.9.1-2ubuntu1 |
python-tk | 2.7.3-1ubuntu1 |
python-yara | 1.7-1ubuntu1~ppa1~p |
pytsk3 | 4.1.2-1ubuntu2 |
qemu | 1.0+noroms-0ubuntu14.12 |
qemu-utils | 1.0+noroms-0ubuntu14.12 |
readpst | 0.6.54-0ubuntu1 |
rsakeyfind | 1:1.0-2build1 |
safecopy | 1.6-1build1 |
scalpel | 1.60-1build1 |
samdump2 | 1.1.1-1 |
socat | 1.7.1.3-1.2 |
sleuthkit | 4.1.3-1ubuntu5 |
ssdeep | 2.7-1 |
ssldump | 0.9b3-4.1 |
stegdetect | 1.0-precise1 |
stunnel4 | 3:4.42-1 |
tcl | 8.5.0-2 precise |
tcpflow | 0.21.ds1-6 |
tcpreplay | 3.4.3-2ubuntu2 |
tcpstat | 1.5-7 |
tcptrace | 6.6.7-4 |
tcptrack | 1.4.2-1build1 |
tcpxtract | 1.0.1-8 |
testdisk | 6.13-1 |
tofrodos | 1.7.9.debian.1-1 |
torsocks | 1.2-1 |
transmission | 2.51-0ubuntu1.3 |
unrar | 1:4.0.3-1 |
upx-ucl | 3.08-2ubuntu1 |
vbindiff | 3.0-beta3-1 |
virtuoso-minimal | 6.1.4+dfsg1-0ubuntu1 |
winbind | 2:3.6.3-2ubuntu2.9 |
wine | 1.4-0ubuntu4.1 |
wireshark | 1.6.7-1 |
xmount | 0.4.5-1 |
zenity | 3.4.0-0ubuntu4 |
And here is a long video by Rob Lee giving a broad overview of the toolkit:
https://www.youtube.com/watch?v=ai_7Fkv6igw
Download and Install SIFT Workstation
VM appliance
The simplest way is to download the VM appliance from this link:
Download SIFT Workstation Virtual Appliance (.ova format)
Note: a valid SANS account is required. You can register here.
Then import the OVA file into your virtualization environment:
- Import OVA on VMWare: https://pubs.vmware.com/fusion-5/index.jsp#com.vmware.fusion.help.doc/GUID-275EF202-CF74-43BF-A9E9-351488E16030.html
- Import OVA on VirtualBOX: https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
Once the VM has started, you can log in with these credentials:
- Login: sansforensics
- Password: forensics
These defaults are public, so change the password with passwd before connecting the VM to anything other than an isolated lab network.
Manual installation on a Linux System
You can also install the toolkit on an Ubuntu 16.04 installation:
- Download and install SIFT-CLI
- Go to the Latest Releases page of the GitHub repository.
- Download all the release files:
- sift-cli-linux
- sift-cli-linux.sha256.asc
- Import the PGP key:
gpg --keyserver pgp.mit.edu --recv-keys 22598A94
Note: 22598A94 is a 32-bit short key ID, and short IDs are cheap to collide on a public keyserver. After importing, compare the full fingerprint printed by gpg --fingerprint 22598A94 with the one published in the SIFT documentation before you trust the signature check.
- Validate the signature:
gpg --verify sift-cli-linux.sha256.asc
- Validate the SHA256 checksum:
shasum -a 256 -c sift-cli-linux.sha256.asc
OR
sha256sum -c sift-cli-linux.sha256.asc
Note: you will see a warning about improperly formatted lines (the PGP armour around the checksum); it can be ignored as long as the line
sift-cli-linux: OK
appears before it.
- Move the file to /usr/local/bin:
sudo mv sift-cli-linux /usr/local/bin/sift
- Make it executable (the file is now owned by root, so sudo is needed here too):
sudo chmod 755 /usr/local/bin/sift
- Run:
$ sudo sift install
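As an added example (not code from this page or from the SIFT project), the following POSIX sh script performs the verification-and-install steps above against the two release files already saved in a directory, and pins the PGP key to its full fingerprint instead of trusting the short ID alone. EXPECTED_FPR is a hypothetical placeholder you must fill in from the SIFT documentation; the key import and signature check need network access and gpg, while the checksum step runs offline with either sha256sum or shasum.

```shell
#!/bin/sh
# Added example, not from the page or the SIFT project.
# Verifies and installs sift-cli-linux from files already downloaded into a
# directory. Assumption (not on the page): EXPECTED_FPR is the full 40-hex-digit
# fingerprint of key 22598A94 as published by SIFT; if left empty the script
# only warns and prints the fingerprint it imported.
set -eu

SIFT_KEY_ID="22598A94"
EXPECTED_FPR="${EXPECTED_FPR:-}"
SIFT_BIN="sift-cli-linux"
SIFT_SUMFILE="sift-cli-linux.sha256.asc"
DEST="/usr/local/bin/sift"

# Pick whichever SHA-256 checker the host has (GNU coreutils or perl shasum).
_sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  else
    echo "shasum -a 256"
  fi
}

# Step 1: fetch the signing key, then pin it to a full fingerprint, because a
# 32-bit short ID such as 22598A94 can be collided on a public keyserver.
import_key() {
  gpg --keyserver pgp.mit.edu --recv-keys "$SIFT_KEY_ID"
  fpr=$(gpg --with-colons --fingerprint "$SIFT_KEY_ID" | awk -F: '/^fpr:/ {print $10; exit}')
  if [ -z "$EXPECTED_FPR" ]; then
    echo "WARNING: EXPECTED_FPR not set; imported key fingerprint is $fpr" >&2
  elif [ "$fpr" != "$EXPECTED_FPR" ]; then
    echo "ERROR: fingerprint $fpr does not match expected $EXPECTED_FPR" >&2
    return 1
  fi
}

# Step 2: the .asc is a clearsigned checksum list; a good signature proves the
# hash line inside it is the one the maintainers published.
verify_signature() {
  gpg --verify "$1/$SIFT_SUMFILE"
}

# Step 3: check the binary against the signed hash. The checker warns that the
# PGP armour lines are "improperly formatted"; that is expected. What matters
# is an exact "sift-cli-linux: OK" line in its output, which is what we test.
verify_checksum() {
  out=$(cd "$1" && $(_sha256_cmd) -c "$SIFT_SUMFILE" 2>&1) || true
  printf '%s\n' "$out" >&2
  printf '%s\n' "$out" | grep -qx "$SIFT_BIN: OK"
}

# Step 4: install(1) does the page's mv + chmod 755 atomically, so a
# half-copied file is never left in PATH.
install_binary() {
  install -m 0755 "$1/$SIFT_BIN" "$DEST"
}

sift_install() {
  dir=$1
  import_key
  verify_signature "$dir"
  verify_checksum "$dir"
  install_binary "$dir"
  "$DEST" install
}

# Usage (as root, since it writes to /usr/local/bin and runs "sift install"):
#   sudo sh sift-install.sh install /path/to/downloaded/release/files
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
  sift_install "$2"
fi
```

Each step is a separate function so that a failed fingerprint comparison or a FAILED checksum line stops the run before anything is copied into PATH; the checksum check deliberately greps for the OK line instead of relying on the checker's exit status, which differs between coreutils versions when the armour lines are present.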
Manual installation under Windows Subsystem for Linux
- Install the Linux subsystem
- Open PowerShell as Administrator and run:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- Launch the Ubuntu Bash shell from Windows.
- Download and install the SIFT-CLI tool by following the instructions in Step 1 of the previous list.
- Run
$ sudo sift install
Some limitations on Windows Subsystem for Linux
- Image mounting: due to FUSE driver issues, using ewfmount, mountwin or imageMounter.py will fail with the following error:
fuse: device not found, try 'modprobe fuse' first
Unable to create fuse channel.
A quick check is ls -l /dev/fuse: if that device node is missing, none of the FUSE-based mounters can work, and the image has to be mounted elsewhere (for example in the VM appliance) instead.
- No GUI support: the lack of an X server prevents you from running graphical applications.
This isn't a huge issue with SIFT, since the overwhelming majority of the tools you install SIFT for are command-line tools.
References
- https://digital-forensics.sans.org/community/downloads
- http://sift.readthedocs.io/en/latest/index.html
- https://pubs.vmware.com/fusion-5/index.jsp#com.vmware.fusion.help.doc/GUID-275EF202-CF74-43BF-A9E9-351488E16030.html
- https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
- https://digital-forensics.sans.org/media/sift_cheat_sheet.pdf
- https://digital-forensics.sans.org/blog/category/sift-workstation