SANS SIFT Workstation
SANS SIFT was created by Rob Lee and other instructors at SANS to provide a free tool to use in forensic courses such as SANS 508 and 500. It’s a complete set of open source forensic tools, and is therefore just as useful in the field as it is during training.
We’ve built a platform to perform forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
You can download the SANS SIFT Workstation Virtual Machine from here.
You’ll need to install the free VirtualBox software from here.
The username is sansforensics, and the password is forensics.
Accessing your host machine
SIFT runs in a Virtual Machine, and to access evidence on it you’ll need to share a folder between the host and SIFT. You can see how to do so here, but essentially:
- Add a shared folder in the VirtualBox settings
- Within SIFT, run something like:
sudo mount -t vboxsf shared_folder /mnt/shared_folder
Where shared_folder is the name of the share you created in the VirtualBox settings.
Mounting Images
Previously, to mount the disk image evidence.dd read-only to the folder /mnt/evidence you would run:
mkdir /mnt/evidence
mount -t ntfs -o ro,loop,show_sys_files evidence.dd /mnt/evidence
For more see this article.
However, there is now the easier-to-use imageMounter.py script:
python imageMounter.py evidence.dd /mnt/evidence
You can optionally add the parameter -e if the evidence is in Encase (E01) format, and -b to specify a BitLocker key.
Creating a Timeline
SIFT has all the dependencies installed to create a “super timeline” using Plaso/Log2Timeline.
For example, you can create a timeline in CSV format from an Encase (E01) image like so:
log2timeline processed.timeline disk.image
psort -z US/Pacific -o l2tcsv -w timeline_output.csv processed.timeline
This takes the disk image (disk.image) and creates a timeline format file (processed.timeline).
The second command then turns this timeline file into a readable CSV file that you can read in a tool such as Excel.
You can also run log2timeline against mounted disks, or individual files and folders.
For more on running Log2Timeline, see here.
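The CSV that psort writes with -o l2tcsv uses the legacy log2timeline column layout (date, time, timezone, MACB, source, and so on). As an added example that is not part of the original article, the Python below parses such output and narrows it to the minutes around a pivot event, which is usually the first pass an analyst makes over a super timeline; the sample rows are constructed for the example and are not real psort output.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Column layout that psort writes with "-o l2tcsv" (the legacy log2timeline CSV format).
L2T_COLUMNS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
               "user", "host", "short", "desc", "version", "filename", "inode",
               "notes", "format", "extra"]

# Constructed sample rows in l2tcsv layout; these are NOT real psort output.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/14/2019,09:58:12,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WS01,invoice.exe written,File written to Downloads,2,/mnt/evidence/Users/bob/Downloads/invoice.exe,4182,-,filestat,-
03/14/2019,09:58:40,UTC,...B,REG,Registry Key,Creation Time,bob,WS01,Run key added,HKCU Run key created,2,/mnt/evidence/Users/bob/NTUSER.DAT,-,-,winreg/winreg_default,-
03/14/2019,09:59:03,UTC,....,EVT,WinEVTX,Event Logged,-,WS01,Event 4688,Process created,2,/mnt/evidence/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-
03/15/2019,18:22:11,UTC,.A..,FILE,NTFS $MFT,Last Access Time,-,WS01,notepad.exe accessed,File accessed,2,/mnt/evidence/Windows/notepad.exe,77,-,filestat,-
"""

def parse_l2tcsv(text):
    """Parse l2tcsv text into dicts, adding a timezone-aware datetime under 'ts'."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != L2T_COLUMNS:
        raise ValueError("not an l2tcsv header: %r" % (reader.fieldnames,))
    events = []
    for row in reader:
        # The 'timezone' column carries the zone psort was given with -z.
        tz = timezone.utc if row["timezone"] == "UTC" else ZoneInfo(row["timezone"])
        naive = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        row["ts"] = naive.replace(tzinfo=tz)
        events.append(row)
    return events

def events_in_window(events, pivot, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Return events within [pivot - before, pivot + after], oldest first."""
    lo, hi = pivot - before, pivot + after
    return sorted((e for e in events if lo <= e["ts"] <= hi), key=lambda e: e["ts"])

def count_by_source(events):
    """Count events per l2tcsv 'source' column (FILE, REG, EVT, ...)."""
    return Counter(e["source"] for e in events)

if __name__ == "__main__":
    evts = parse_l2tcsv(SAMPLE_L2TCSV)
    print(count_by_source(evts))
    for e in events_in_window(evts, evts[1]["ts"]):  # pivot on the Run-key creation
        print(e["ts"].isoformat(), e["MACB"], e["source"], e["short"])
```

To use it on a real case, read timeline_output.csv from the psort step into parse_l2tcsv and pick the pivot from an event you already trust, such as a known-bad file's creation time.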
Analysing Memory with Volatility
First identify the memory profile with:
python vol.py -f win7_64bit.mem imageinfo
Then run a Volatility command such as:
python vol.py -f win7_64bit.mem --profile=Win7SP0x64 pslist
For more refer to the Volatility cheat sheet and command reference.
Running Yara Scans
You can download Yara rules from https://github.com/Yara-Rules/rules
And run against a mounted image with a command such as:
yara yara.rules -r /mnt/mounted
Running Anti-virus Scans
Similarly, you may also want to run anti-virus scans.
You can update ClamAV with:
freshclam
Then run ClamAV against a mounted disk with:
clamscan -r /mnt/mounted
SANS SIFT Cheat Sheet
A short cheat sheet is available for SANS SIFT here.
More complete documentation is available here.
Video Tutorial
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.