Difference between pages "List of Jump List IDs" and "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki
=== Application IDs ===

<table border="1">
<tr><th>AppID</th><th>Application Description</th><th>Date Added</th><th>Source</th></tr>
<tr><td>89b0d939f117f75c</td><td>Adobe Acrobat 9 Pro Extended (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>26717493b25aa6e1</td><td>Adobe Dreamweaver CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>e2a593822e01aed3</td><td>Adobe Flash CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>c765823d986857ba</td><td>Adobe Illustrator CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>84f066768a22cc4f</td><td>Adobe Photoshop CS5 (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>44a398496acc926d</td><td>Adobe Premiere Pro CS5 (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>d5c3931caad5f793</td><td>Adobe Soundbooth CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>c7a4093872176c74</td><td>Paint Shop Pro Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>b91050d8b077a4e8</td><td>Media Center.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>28c8b86deab549a1</td><td>Internet Explorer 8 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>918e0ecb43d17e23</td><td>Notepad (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player 12 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>b0459de4674aab56</td><td>Windows Virtual PC - vmwindow.exe (32- and 64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>6728dd69a3088f97</td><td>Windows Command Processor - cmd.exe (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>954ea5f70258b502</td><td>Windows Script Host - wscript.exe (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>9f5c7755804b850a</td><td>Windows Script Host - wscript.exe (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>9839aec31243a928</td><td>Microsoft Excel 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>9c7cc110ff56d1bd</td><td>Microsoft Powerpoint 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>a7bd71699cd38d1c</td><td>Microsoft Word 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>5c450709f7ae4396</td><td>Firefox 3.6.13 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>43578521d78096c6</td><td>Media Player Classic Home Cinema 1.3 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>e70d383b15687e37</td><td>Notepad++ 5.6.8 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>1b4dd67f29cb1962</td><td>Explorer (task bar folder icon)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>1bc392b8e104a00e</td><td>Remote Desktop</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9 x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>271e609288e1210a</td><td>Access 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>28c8b86deab549a1</td><td>Internet Explorer x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>290532160612e071</td><td>WinRar x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>2b53c4ddf69195fc</td><td>Zune x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>3094cdb43bf5e9c2</td><td>OneNote 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>5da8f997fd5f9428</td><td>Internet Explorer x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>9839aec31243a928</td><td>Excel 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>9c7cc110ff56d1bd</td><td>PowerPoint 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>a7bd71699cd38d1c</td><td>Word 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>b8c29862d9f95832</td><td>InfoPath 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>b91050d8b077a4e8</td><td>Windows Media Center x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>e36bfc8972e5ab1d</td><td>XPS Viewer</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>17d3eb086439f0d7</td><td>TrueCrypt 7.0a</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>c71ef2c372d322d7</td><td>PGP Desktop 10</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>12dc1ea8e34b5a6</td><td>MSPaint 6.1</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>431a5b43435cc60b</td><td>Python (.pyc)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>469e4a7982cea4d4</td><td>? (.job)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>500b8c1d5302fc9c</td><td>(.pyw)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>50620fe75ee0093</td><td>VMWare Player 3.1.4</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>65009083bfa6a094</td><td>(app launched via XPMode)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>7e4dca80246863e3</td><td>Control Panel (?)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>83b03b46dcd30a0e</td><td>iTunes 10</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>b0459de4674aab56</td><td>(.vmcx)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>1b4dd67f29cb1962</td><td>Windows Explorer Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>d7528034b5bd6f28</td><td>Windows Live Mail Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>cdf30b95c55fd785</td><td>Microsoft Office Excel 2007</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>d64d36b238c843a3</td><td>Microsoft Office InfoPath 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>be71009ff8bb02a2</td><td>Microsoft Office Outlook x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv]</td></tr>
<tr><td>f5ac5390b9115fdb</td><td>Microsoft Office PowerPoint 2007</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv]</td></tr>
<tr><td>adecfb853d77462a</td><td>Microsoft Office Word 2007 Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
<tr><td>a8c43ef36da523b1</td><td>Microsoft Office Word 2003 Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum]</td></tr>
</table>

SANS Investigative Forensic Toolkit Workstation (latest revision as of 16:55, 15 June 2014)

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

Overview

SIFT Workstation is based on Ubuntu.

Software Includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. Wireshark
  5. HexEditor
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI Front-End for Sleuthkit)
  11. Autopsy (GUI Front-End for Sleuthkit)

The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

Links

  * Computer Forensics and e-Discovery downloads: http://forensics.sans.org/community/downloads/