Thursday, October 31, 2013

SANS Investigate Forensics Toolkit—Forensics Martial Arts Part 1

The SANS Investigate Forensic Toolkit (SIFT) is a forensic workstation built by the SANS Forensics team and made freely available to the whole community. It ships with a set of preconfigured tools for digital forensic investigations. It is based on Ubuntu and carries a long list of tools covering present-day forensic needs. We will walk through some of the most widely used of these tools in forensic investigations.

You can download the SIFT ISO from this link:

It supports evidence formats such as raw images (.dd), the EnCase image file format (E01), and the Advanced Forensic Format (AFF).


There are a few things you will need to boot it up, such as:

  1. VMware / VirtualBox
  2. Enough RAM, CPU and hard disk space
  3. The SIFT ISO / VM image

You can simply boot the SIFT ISO as a bootable disk, or choose to install it as a complete operating system. The default login credentials are username: sansforensics, password: forensics.

SIFT includes a long list of software; we will cover a few of these tools in a complete forensic-analysis tutorial, such as:

  • Autopsy
  • DFF – Digital Forensic Framework
  • EVTX – Event Log Viewer
  • Maltego
  • PTK
  • Md5deep
  • SANS Cheatsheets
  • Volatility

We will start the forensic analysis tutorials with these tools from SIFT. Currently I have with me a raw dd image for our forensic analysis:


md5deep is a small command-line utility in SIFT that can compute MD5 hashes of files, compare them against a list of known hashes, and otherwise work with them. Suppose we want to check whether the integrity of our file has been maintained: we simply hash it and compare. Any change made to the file, even a single byte, changes its MD5 hash. So let's calculate an MD5 of our image file before doing the forensic analysis. You can see the MD5 that the tool calculated in the screenshot:
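
The workflow above (hash the image before analysis, re-hash it afterwards, compare) as an added example, not code from the original post or from SIFT. It reproduces with Python's hashlib what md5deep does on the command line, reading the file in fixed-size chunks so a multi-gigabyte image never has to fit in memory, and it records SHA-256 alongside MD5 because MD5 collisions are practical and an integrity record should carry a second, collision-resistant digest. The file evidence.dd and its contents are constructed for the demonstration, not a real image.

```python
"""Verify the integrity of a disk image by hashing it before and after analysis.

Added example (not from the original post): it mirrors what md5deep does on SIFT
using Python's hashlib, hashing the file in fixed-size chunks so that a
multi-gigabyte image never has to be loaded into memory at once.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, computed in one pass.

    MD5 is what the post uses; SHA-256 is computed alongside it because MD5
    collisions are practical, so a second, collision-resistant digest belongs
    in the integrity record.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, expected):
    """Recompute the digests and return the algorithms that no longer match.

    An empty list means every recorded digest still matches the file.
    """
    actual = hash_file(path, tuple(expected))
    return [name for name, digest in expected.items() if actual[name] != digest]


def hash_constructed(data, algorithms=("md5", "sha256")):
    """Hash an in-memory byte string by writing it to a temporary file first.

    Handy for checking this code against md5deep on a known input.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sample.bin")  # constructed sample
        with open(path, "wb") as fh:
            fh.write(data)
        return hash_file(path, algorithms)


def demo_integrity_check(flip_offset=4096):
    """Create a constructed image file, hash it, tamper with one byte, re-verify.

    Returns (mismatches_before_tamper, mismatches_after_tamper).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")  # constructed, not a real image
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 64)  # 16 KiB of deterministic content

        baseline = hash_file(image)  # record digests before analysis starts
        before = verify_file(image, baseline)  # expect no mismatches

        # Simulate an accidental write to the image (e.g. mounting it read-write).
        with open(image, "r+b") as fh:
            fh.seek(flip_offset)
            original = fh.read(1)
            fh.seek(flip_offset)
            fh.write(bytes([original[0] ^ 0x01]))

        after = verify_file(image, baseline)  # expect every digest to differ
        return before, after


if __name__ == "__main__":
    before, after = demo_integrity_check()
    print("mismatches before tampering:", before)
    print("mismatches after tampering: ", after)
```

Run it on a real image by calling hash_file("evidence.dd") once the image is acquired, storing the result with the case notes, and calling verify_file with that stored dictionary after the analysis; the MD5 it prints for a given file will match what md5deep reports on SIFT for the same file.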

