SIFT: SANS Investigative Forensic Toolkit

by Black on July 2, 2009 · 0 comments

in Forensics, Security tools, Windows

Nowadays we are focusing a lot on forensics. There are many tools that specialize in computer forensics. SIFT is one such tool, or rather operating system, that lets you perform everything you want in computer forensics with ease. SIFT stands for SANS Investigative Forensic Toolkit.

It is a VMware appliance preconfigured with all the tools necessary to perform a forensic examination. With SIFT you can access Expert Witness Format (E01), Advanced Forensic Format (AFF) and raw (dd) evidence formats, examine core file system data and metadata structures, and read FAT, NTFS, UNIX and Linux file systems. The appliance used to be a closed download available only to the SANS team; SANS now offers it as a download for ordinary users too. You can securely examine raw disks, multiple file systems and evidence formats. It also enforces strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed!
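To show what read-only examination with integrity verification looks like in practice, here is an added example (not from the original post and not SIFT's or md5deep's own code): it hashes a raw (dd) image before examination, decodes the FAT boot sector fields the way a file system tool would, and re-hashes afterwards to confirm the evidence is unchanged. The image, its hash and all field values are constructed for the demo.

```python
import hashlib
import struct
import tempfile

def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash an evidence file in chunks, opened strictly read-only."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def parse_fat_boot_sector(path):
    """Read the first sector of a raw image and decode the FAT BPB fields."""
    with open(path, "rb") as fh:
        sector = fh.read(512)
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a FAT boot sector")
    # Offset 11: bytes/sector (u16), sectors/cluster (u8), reserved (u16), FAT count (u8)
    bps, spc, reserved, fat_count = struct.unpack_from("<HBHB", sector, 11)
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": fat_count,
        "fs_type": sector[54:62].decode("ascii", "replace").strip(),
    }

def examine(path, acquisition_hash):
    """Verify the image against its acquisition hash, examine it, then re-verify."""
    if hash_file(path) != acquisition_hash:
        raise ValueError("evidence does not match acquisition hash; stop here")
    result = parse_fat_boot_sector(path)
    result["integrity_ok"] = hash_file(path) == acquisition_hash
    return result

def build_sample_image():
    """Constructed 2 KiB raw image with a minimal FAT16 boot sector (not real evidence)."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"          # jump instruction
    struct.pack_into("<HBHB", sector, 11, 512, 4, 1, 2)
    sector[54:62] = b"FAT16   "            # FAT12/16 file system type label
    sector[510:512] = b"\x55\xaa"          # boot signature
    return bytes(sector) + bytes(512 * 3)

def demo():
    """Write the constructed image to a temp file and run the verified examination."""
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as tmp:
        tmp.write(build_sample_image())
    return examine(tmp.name, hashlib.sha256(build_sample_image()).hexdigest())
```

Calling `demo()` returns the decoded fields plus `integrity_ok`; a real workflow would record the acquisition hash at imaging time and compare md5deep output against it.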

Software included with the appliance (under /usr/local/src):

  • ssdeep & md5deep (Hashing Tools)
  • Foremost/Scalpel (File Carving)
  • Wireshark (Network Forensics)
  • Hex editor
  • Vinetto (thumbs.db examination)
  • Pasco (IE Web History examination)
  • Rifiuti (Recycle Bin examination)
  • Volatility Framework (Memory Analysis)
  • DFLabs PTK (GUI Front-End for Sleuthkit)
  • Autopsy (GUI Front-End for Sleuthkit)
  • The Sleuth Kit (File system Analysis Tools)

Perl tools under /usr/local/src/windows_perl:

  • regripper.pl - Registry forensic carver
  • regslack.pl - Registry slack
  • deleted.pl - Registry deleted key examination
  • regtime.pl - Registry timeline creator, now with Sleuth Kit bodyfile output
  • windata.pl - Windows time

All you need is a user account with SANS. The latest version of the tool is 1.3, which was released this year. So, after you get your account, go here and download SIFT.
