Installing SIFT Workstation
By Guy Nguyen-Phuoc on September 17, 2021
Introduction
Sans Investigative Forensics Toolkit (SIFT) workstation is an open-source incident response and forensic toolkit created to perform on various settings for digital forensics. Originally, created by Rob Lee in 2007 to support forensics analysis in the SANS FOR508 class. Today, it has over 125,000 downloads and continues to be one of the most popular open-source incident-response and digital forensics offerings available. Supporting major tools such as Wireshark, Sleuthkit (Autopsy), Volatility and hundreds more. During the course of this paper we will guide you through the process of installation of the SIFT workstation [1].
Installation
There are two general ways to install The SIFT workstation. You can download the standalone VM from the SANS website (requires you to sign in/make a SANS account) or you can download the sift-cli tools from github and install SIFT on an existing ubuntu vm/workstation. We will be focusing on the latter and installing via the sift-cli tools from github. Since SIFT is a collection of tools you can install this on the Windows linux subsystem as well if you wish or even the Kali Linux distribution. However, it is recommended to keep the tools on an Ubuntu system.
Sift-cli
In your Ubuntu VM/workstation navigate to [2] and download the “sift-cli-linux” files. Once the file is downloaded move them to the bin folder as shown in figure 1.
Enable permissions with chmod 755.
Before you attempt to install sift, ensure that your Ubuntu has the latest repository apt-get update. After, you may install with the following command.
This process will take a few moments to download and install all the necessary configurations and tools. If an issue occurs during this step you may have to run “sudo apt-get autoremove”. Once the installation is complete reboot the system and you should see something similar to the image below.
Conclusion
Congratulations, you have successfully installed SIFT workstation. Over the course of the next few articles we will be using this workstation to explore memory forensics, network analysis, imaging devices and much more.
SIFT workstation is an amazing tool kit to have in your arsenal whether you are experienced incident responder or just starting out. Hosting a variety of features ranging from read-only integration via the operating system (OS) to parsing data it [SIFT] remains a very competitive product and for no cost there should be no reason to not have it as a part of your portfolio.
References
[1] https://www.sans.org/tools/sift-workstation/
[2] https://github.com/teamdfir/sift-cli#installation
[3] Getting started with SIFT Workstation Webcast with Rob Lee https://www.youtube.com/watch?v=ai_7Fkv6igw
[4] https://us-cert.cisa.gov/sites/default/files/publications/forensics.pdf
-
Importance of Digital Forensics Process Models: Some Examples
Importance of Digital Forensics Process Models: Some Examples
5/3/2024 -
Smart/IoT Devices as Evidence Sources
Smart/IoT Devices as Evidence Sources
4/16/2024 -
Applications and Challenges of Artificial Intelligence for Digital Forensics
Applications and Challenges of Artificial Intelligence for Digital Forensics
4/16/2024