SANS SIFT Workstation

SANS SIFT was created by Rob Lee and other instructors at SANS to provide a free tool to use in forensic courses such as SANS 508 and 500. It’s a complete set of open source forensic tools, and is therefore just as useful in the field as it is during training.

We’ve built a platform to perform forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

You can download the SANS SIFT Workstation Virtual Machine from here.

You’ll need to install the free VirtualBox software from here.

The username is sansforensics, and the password is forensics.

Accessing your host machine

SIFT runs in a Virtual Machine, and to access evidence on it you’ll need to share a folder between the host and SIFT. You can see how to do so here, but essentially:

• Add a shared folder in the VirtualBox settings
• Within SIFT, run something like:

sudo mount -t vboxsf shared_folder /mnt/shared_folder

Where shared_folder is the name of the share you created in the VirtualBox settings.

Mounting Images

Previously, to mount the disk image evidence.dd read-only to the folder /mnt/evidence you would run:

mkdir /mnt/evidence
mount -t ntfs -o ro,loop show_sys_files evidence.dd /mnt/evidence

For more see this article.

However now there is the easier to use imageMounter.py script:

python imageMounter.py evidence.dd /mnt/evidence

You can optionally add the parameter -e if the evidence is in Encase (E01) format, and -b to specify a BitLocker key.

Creating a Timeline

SIFT has all the dependencies installed to create a “super timeline” using Plaso/Log2Timeline.

For example you can create a timeline in CSV format from an Encase (E01) evidence format like so:

log2timeline processed.timeline disk.image
psort -z US/Pacific -o l2tcsv -w timeline_output.csv processed.timeline

This takes the disk image (disk.image) and creates a timeline format file (processed.timeline).

The second command then turns this timeline file into a readable CSV file that you can read in a tool such as Excel.

You can also run log2timeline against mounted disks, or individual files and folders.

For more on running Log2Timeline, for more see here.

Analysing Memory with Volatility

First identify the memory profile with:

python vol.py -f win7_64bit.mem imageinfo

Then run a Volatility command such as:

python vol.py -f win7_64bit.mem — profile=Win7SP0x64 pslist

For more refer to the Volatility cheat sheet and command reference.

Running Yara Scans

You can download Yara rules from https://github.com/Yara-Rules/rules

And run against a mounted image with a command such as:

yara yara.rules -r /mnt/mounted

Running Anti-virus Scans

Similarly you may also want to run anti-virus scans.

You can update ClamAv with:

freshclam

Then run ClamAV against a mounted disk with:

clamscan -r /mnt/mounted

SANS SIFT Cheat Sheet

A short cheat sheet is available for SANS SIFT here.

More complete documentation is available here.

SANS SIFT Cheat Sheet

Video Tutorial

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.