RegRipper

UPDATE: SANS Investigative Forensic Toolkit v2!

It has been some days since SANS released an updated version of SIFT, the SANS Investigative Forensic Toolkit. We spoke about SIFT here.

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

This version has the following utilities packed with it:

File system support:
* Windows (MSDOS, FAT, VFAT, NTFS)
* MAC (HFS)
* Solaris (UFS)
* Linux (EXT2/3)

Evidence Image Support:
* Expert Witness (E01)
* RAW (dd)
* Advanced Forensic Format (AFF)

Software Includes:
* The Sleuth Kit (File system Analysis Tools)
* log2timeline (Timeline Generation Tool)
* ssdeep & md5deep (Hashing Tools)
* Foremost/Scalpel (File Carving)
* WireShark (Network Forensics)
* Vinetto (thumbs.db examination)
* Pasco (IE Web History examination)
* Rifiuti (Recycle Bin examination)
* Volatility Framework (Memory Analysis)
* DFLabs PTK (GUI Front-End for Sleuthkit)
* Autopsy (GUI Front-End for Sleuthkit)
* PyFLAG (GUI Log/Disk Examination)

Key Directories in SANS SIFT Workstation:
* /forensics
    o Location of the files used for the Autopsy Toolset
* /usr/local/src
    o Source files for Autopsy, The Sleuth Kit, and other tools
* /usr/local/bin
    o Location of the forensic pre-compiled binaries
* /cases
    o Location of your collected evidence
* /mnt/hack
    o Location of the mount points for the file system images

You will need a SANS user account to download SIFT. You can download SIFT version 2 here. Oh yes! You also have a nice SIFT cheatsheet on the download page!


Nowadays we are focusing a lot on forensics. There are many tools specialized for computer forensics. SIFT is one such tool, or should we say operating system, that does everything you want in computer forensics with ease. SIFT stands for SANS Investigative Forensic Toolkit.

It is a VMware Appliance preconfigured with all the necessary tools to perform a forensic examination. With SIFT you can access Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats, examine core file system data and metadata structures, and access FAT/NTFS/UNIX/Linux file systems. This tool used to be a closed download available to the SANS team only. They have now started offering the appliance as a download for normal users too. You can securely examine raw disks, multiple file systems, and evidence formats. It also places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed!

Software included with the appliance (under /usr/local/src):

  • ssdeep & md5deep (Hashing Tools)
  • Foremost/Scalpel (File Carving)
  • WireShark (Network Forensics)
  • HexEditor
  • Vinetto (thumbs.db examination)
  • Pasco (IE Web History examination)
  • Rifiuti (Recycle Bin examination)
  • Volatility Framework (Memory Analysis)
  • DFLabs PTK (GUI Front-End for Sleuthkit)
  • Autopsy (GUI Front-End for Sleuthkit)
  • The Sleuth Kit (File system Analysis Tools)

Perl tools under /usr/local/src/windows_perl:
* regripper.pl – Registry forensic carver
* regslack.pl – Registry slack
* deleted.pl – Registry deleted key examination
* regtime.pl – Registry timeline creator, now with Sleuth Kit bodyfile output
* windata.pl – Windows time

All you need is a user account with SANS. The latest version of the tool is 1.3, which was released this year. So, after you get your account, go here and download SIFT.


The Windows Registry is an important part of any forensic analysis of a Windows machine. So, when you have a hive that has been extracted from a machine using EnCase or similar software, RegRipper is THE software you need to perform your forensics.

RegRipper is a Windows Registry data extraction tool. It also correlates the information it finds while scanning. It completely bypasses the Win32 API while accessing some registry hives. How does it do that? By making use of James McFarlane's Parse::Win32Registry module. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. It also has support for plugins. It is an open source application. It works with Windows 2000, Windows XP, Windows 2003 and Windows Vista. It is user friendly, since it provides a GUI for extracting specific information from a Registry hive file, defined through the use of plugins. The extracted information is printed to a text-based report file so that you can easily include it in your reports as required.

A simple screenshot of RegRipper follows:

[Screenshot: RegRipper: Windows Registry Data Extractor & Correlator]

RegRipper will extract information about recently accessed files, applications, etc. from the MRU lists, along with timestamp information from Registry keys. Some of the plugins included in the package are:
* logonusername.pl
* acmru.pl
* runmru.pl
* typedurls.pl
* userassist.pl

They perform the functions their names suggest. The output from each of these plugins is printed to the report file. You decide the order and number of plugins to run.
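The plugin mechanism and the Parse::Win32Registry access described above, as an added example that is not part of the original post and is not a plugin shipped with RegRipper: a RegRipper-style plugin that reads the Run dialog's RunMRU key from an NTUSER.DAT hive and reports its entries in most-recently-used order, together with the key's LastWrite time. The package name, the order_mru helper and the stand-alone invocation at the bottom are my own; the key path is the standard Explorer RunMRU location. It reports with plain print so it can be run by itself against a hive copied out of an image (for example one under /cases); inside RegRipper a plugin reports through ::rptMsg instead.

```perl
#-----------------------------------------------------------
# runmru_example.pl
# Added example of a RegRipper-style plugin (not shipped with
# RegRipper): lists the Explorer RunMRU entries from an NTUSER.DAT
# hive in most-recently-used order, using Parse::Win32Registry
# directly instead of the Win32 API.
#-----------------------------------------------------------
package runmru_example;
use strict;
use warnings;
use Parse::Win32Registry;

# Plugin metadata in the shape RegRipper's loader expects.
my %config = (hive          => "NTUSER.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20240101);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets contents of user's RunMRU key (added example)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# The Run dialog stores each command under a single-letter value name
# ("a", "b", ...) and an "MRUList" value whose string gives the order:
# the first letter is the most recently used. Returns a list of
# [letter, command] pairs in MRU order; letters present as values but
# missing from MRUList are appended at the end so nothing is dropped.
sub order_mru {
    my ($mrulist, $values) = @_;    # $values: hashref letter => command
    my (@ordered, %seen);
    foreach my $letter (split //, $mrulist) {
        next if $seen{$letter}++;
        push @ordered, [$letter, $values->{$letter}] if exists $values->{$letter};
    }
    foreach my $letter (sort keys %$values) {
        push @ordered, [$letter, $values->{$letter}] unless $seen{$letter}++;
    }
    return @ordered;
}

sub pluginmain {
    my ($class, $hive) = @_;
    my $reg = Parse::Win32Registry->new($hive)
        or die "Cannot open hive $hive\n";
    my $root_key = $reg->get_root_key;
    my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU";

    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        print "$key_path not found.\n";
        return;
    }
    # A key carries only one timestamp, its LastWrite time: it says when
    # the key was last modified, not when each individual command was run.
    print "RunMRU\n";
    print "LastWrite time: " . $key->get_timestamp_as_string . " (UTC)\n";

    my %values;
    my $mrulist = "";
    foreach my $v ($key->get_list_of_values) {
        my $name = $v->get_name;
        if ($name eq "MRUList") { $mrulist = $v->get_data; }
        else                    { $values{$name} = $v->get_data; }
    }
    print "MRUList: $mrulist\n";
    foreach my $entry (order_mru($mrulist, \%values)) {
        printf "  %s  %s\n", $entry->[0], $entry->[1];
    }
}

# Stand-alone use (hypothetical path): perl runmru_example.pl /cases/NTUSER.DAT
unless (caller) {
    die "usage: perl runmru_example.pl <NTUSER.DAT>\n" unless @ARGV;
    __PACKAGE__->pluginmain($ARGV[0]);
}
1;
```

Work on a copy of the hive exported from the image, never on a live system's registry: the module reads the file directly, so it does not need the machine the hive came from, and a read-only copy is what keeps the evidence unchanged.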

All this information can be obtained in greater detail here. You can also download this Perl program here.
