Volatility Framework

UPDATE: SANS Investigative Forensic Toolkit v2! It has been some days since SANS released an updated version of SIFT, the SANS Investigative Forensic Toolkit. We spoke about SIFT here.

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

This version has the following utilities packed with it:
File system support:
* Windows (MSDOS, FAT, VFAT, NTFS)
* MAC (HFS)
* Solaris (UFS)
* Linux (EXT2/3)

Evidence Image Support:
* Expert Witness (E01)
* RAW (dd)
* Advanced Forensic Format (AFF)

Software Includes:
* The Sleuth Kit (File system Analysis Tools)
* log2timeline (Timeline Generation Tool)
* ssdeep & md5deep (Hashing Tools)
* Foremost/Scalpel (File Carving)
* WireShark (Network Forensics)
* Vinetto (thumbs.db examination)
* Pasco (IE Web History examination)
* Rifiuti (Recycle Bin examination)
* Volatility Framework (Memory Analysis)
* DFLabs PTK (GUI Front-End for Sleuthkit)
* Autopsy (GUI Front-End for Sleuthkit)
* PyFLAG (GUI Log/Disk Examination)

Key Directories in SANS SIFT Workstation:
* /forensics
  * Location of the files used for the Autopsy Toolset
* /usr/local/src
  * Source files for Autopsy, The Sleuth Kit, and other tools
* /usr/local/bin
  * Location of the forensic pre-compiled binaries
* /cases
  * Location of your collected evidence
* /mnt/hack
  * Location of the mount points for the file system images

You will need a SANS user account to download SIFT. You can download SIFT version 2 here. Oh yes! You also have a nice SIFT cheatsheet on the download page!


Nowadays we are focusing a lot on forensics. There are many tools specialized for computer forensics. SIFT is one such tool, or should we say operating system, that lets you do everything you want in computer forensics with ease. SIFT stands for SANS Investigative Forensic Toolkit.

It is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. With SIFT you can access Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats, examine core file system data and metadata structures, and access FAT/NTFS/UNIX/Linux file systems. This tool used to be a closed download available to the SANS team only. They have now started offering the appliance as a download for normal users too. You can securely examine raw disks, multiple file systems and evidence formats. It also places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed!

Software included with the appliance (under /usr/local/src):

  • ssdeep & md5deep (Hashing Tools)
  • Foremost/Scalpel (File Carving)
  • WireShark (Network Forensics)
  • HexEditor
  • Vinetto (thumbs.db examination)
  • Pasco (IE Web History examination)
  • Rifiuti (Recycle Bin examination)
  • Volatility Framework (Memory Analysis)
  • DFLabs PTK (GUI Front-End for Sleuthkit)
  • Autopsy (GUI Front-End for Sleuthkit)
  • The Sleuth Kit (File system Analysis Tools)

PERL Tools under /usr/local/src/windows_perl:

  • regripper.pl – Registry Forensic Carver
  • regslack.pl – Registry slack
  • deleted.pl – Registry deleted key examination
  • regtime.pl – Registry timeline creator – now with Sleuth Kit bodyfile output
  • windata.pl – Windows Time

All you need is a user account with SANS. The latest version of the tool is 1.3 which was released this year. So, after you get your account, go here and download SIFT.


No fancy words. Just plain English. The Volatility Framework is THE application suite you need to analyze volatile memory. What is volatile memory? It is the RAM.

It is an open source, Python-based, extensible framework for conducting analysis on memory images. It supports flat file images, crash dump files, and hibernation files and will run on any operating system that supports Python. Officially, Linux, Cygwin, Windows and OSX 10.5 platforms are supported. It can extract digital artifacts from volatile memory samples captured from Windows XP Service Pack 2 and Service Pack 3. Currently it includes virtual address translation modules for Intel x86 32-bit Windows platforms (PAE and non-PAE). It also supports plugins.
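The address translation mentioned above is the step every memory analysis tool has to perform before it can read a process's memory out of a raw dump. As an added illustration (not code from the Volatility project), the following walks the x86 32-bit non-PAE page tables inside a constructed dd-style image, handling 4 MB large pages and non-present pages; the image layout and CR3 value are invented for the example.

```python
import struct

PAGE_SIZE = 0x1000
LARGE_PAGE_SIZE = 0x400000
PRESENT = 0x1          # bit 0 of a PDE/PTE
PAGE_SIZE_FLAG = 0x80  # PS bit in a PDE selects a 4 MB page


def read_u32(image, offset):
    """Read one little-endian 32-bit table entry from the raw image."""
    if offset + 4 > len(image):
        raise ValueError("entry at 0x%x lies outside the image" % offset)
    return struct.unpack_from("<I", image, offset)[0]


def vtop(image, cr3, vaddr):
    """Translate a non-PAE x86 virtual address to a physical offset.
    Returns None when the page is not present (paged out or unmapped)."""
    pd_base = cr3 & 0xFFFFF000                     # CR3 bits 31:12
    pde = read_u32(image, pd_base + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_FLAG:
        # 4 MB page: PDE bits 31:22 hold the frame, low 22 bits are the offset
        return (pde & 0xFFC00000) | (vaddr & (LARGE_PAGE_SIZE - 1))
    pt_base = pde & 0xFFFFF000
    pte = read_u32(image, pt_base + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & (PAGE_SIZE - 1))


def read_virtual(image, cr3, vaddr, length):
    """Read bytes at a virtual address (assumes the range stays in one page)."""
    paddr = vtop(image, cr3, vaddr)
    return None if paddr is None else bytes(image[paddr:paddr + length])


def build_sample_image():
    """Constructed 64 KiB image: page directory at 0x1000, one page table at
    0x2000, a data page at 0x3000, and a 4 MB mapping of virtual 0x400000."""
    image = bytearray(0x10000)
    cr3 = 0x1000
    struct.pack_into("<I", image, cr3 + 0 * 4, 0x2000 | 0x3)  # PDE 0 -> page table
    struct.pack_into("<I", image, cr3 + 1 * 4, 0x0 | 0x83)    # PDE 1 -> 4 MB page at 0
    struct.pack_into("<I", image, 0x2000 + 5 * 4, 0x3000 | 0x3)  # virtual 0x5000 -> 0x3000
    image[0x3000:0x3004] = b"MZ\x90\x00"  # constructed marker in the data page
    return image, cr3


if __name__ == "__main__":
    img, cr3 = build_sample_image()
    print(hex(vtop(img, cr3, 0x5abc)), read_virtual(img, cr3, 0x5000, 4))
```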

This is the feature list:

  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process’ addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extract executables from memory samples
  • Transparently supports a variety of sample formats (i.e., crash dump, hibernation, dd)
  • Automated conversion between formats

We will be trying to list all of the known plugins here for your help:

    Command Shell

    • volshell (By Moyix) – Creates a Python shell that can be used with the framework.

    Malware Detection

    Data Recovery

    • cryptoscan (By Jesse Kornblum) – Finds TrueCrypt passphrases
    • moddump (By Moyix) – Dump out a kernel module (aka driver)
    • Registry tools (By Moyix) – A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
    • Modified Regripper & Glue Code (By Moyix) – Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
    • getsids (By Moyix) – Get information about what user (SID) started a process.
    • ssdt (By Moyix) – List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
    • threadqueues (By Moyix) – Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
    • objtypescan (By Andreas Schuster) – Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
    • keyboardbuffer (By Andreas Schuster) – Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
    • mutantscan (By Andreas Schuster) – Extracts mutexes from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • symlinkobjscan (By Andreas Schuster) – Extracts symbolic link objects from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • driverscan (By Andreas Schuster) – Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • fileobjscan (By Andreas Schuster) – File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)

    Process Enumeration

    • suspicious (By Jesse Kornblum) – Identify “suspicious” processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

    Output Formatting

    All of these plugins make the framework fun to work with. You can view the homepage here. Additionally, the following versions are available for download (as tar.gz and zip archives with md5, sha1 and GPG signatures):

    • Volatility-1.3_Beta
    • Volatility-1.1.2
    • Volatility-1.1.1
