Difference between pages "List of Jump List IDs" and "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
=== Application IDs ===
+
'''The SANS SIFT Workstation''' is a [[VMware]] Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with [[Encase | Expert Witness Format]] (E01), Advanced Forensic Format ([[AFF]]), and raw (dd) evidence formats.
  
<table border="1">
+
== Overview ==
<th>AppID</th><th> Application Description</th><th>Date Added</th><th>Source</th>
+
 
<tr><td>89b0d939f117f75c</td><td>Adobe Acrobat 9 Pro Extended (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
SIFT Workstation is based on Ubuntu.
<tr><td>26717493b25aa6e1</td><td>Adobe Dreamweaver CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
 
<tr><td>e2a593822e01aed3</td><td>Adobe Flash CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
Software Includes:  
<tr><td>c765823d986857ba</td><td>Adobe Illustrator CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
 
<tr><td>84f066768a22cc4f</td><td>Adobe Photoshop CS5 (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[The Sleuth Kit]]
<tr><td>44a398496acc926d</td><td>Adobe Premiere Pro CS5 (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[ssdeep]] & [[md5deep]]
<tr><td>d5c3931caad5f793</td><td>Adobe Soundbooth CS5 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[Foremost]]/[[Scalpel]]
<tr><td>c7a4093872176c74</td><td>Paint Shop Pro Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[Wireshark]]
<tr><td>b91050d8b077a4e8</td><td>Media Center.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# HexEditor
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[Vinetto]] ([[thumbs.db]] examination)
<tr><td>28c8b86deab549a1</td><td>Internet Explorer 8 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# Pasco
<tr><td>918e0ecb43d17e23</td><td>Notepad (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# Rifiuti
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[Volatility Framework]]
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player 12 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# DFLabs PTK (GUI Front-End for [[Sleuthkit]])
<tr><td>b0459de4674aab56</td><td>Windows Virtual PC - vmwindow.exe (32- and 64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
# [[Autopsy]] (GUI Front-End for [[Sleuthkit]])
<tr><td>6728dd69a3088f97</td><td>Windows Command Processor - cmd.exe (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
 
<tr><td>954ea5f70258b502</td><td>Windows Script Host - wscript.exe (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.
<tr><td>9f5c7755804b850a</td><td>Windows Script Host - wscript.exe (64-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
 
<tr><td>9839aec31243a928</td><td>Microsoft Excel 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
== Links ==
<tr><td>9c7cc110ff56d1bd</td><td>Microsoft Powerpoint 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
 
<tr><td>a7bd71699cd38d1c</td><td>Microsoft Word 2010 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
* [http://forensics.sans.org/community/downloads/ Computer Forensics and e-Discovery downloads]
<tr><td>5c450709f7ae4396</td><td>Firefox 3.6.13 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
[[Category:VMWare Appliances]]
<tr><td>43578521d78096c6</td><td>Media Player Classic Home Cinema 1.3 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
<tr><td>e70d383b15687e37</td><td>Notepad++ 5.6.8 (32-bit)</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
<tr><td>1b4dd67f29cb1962</td><td>Explorer (task bar folder icon)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>1bc392b8e104a00e</td><td>Remote Desktop</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9 x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>271e609288e1210a</td><td>Access 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>28c8b86deab549a1</td><td>Internet Explorer x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>290532160612e071</td><td>WinRar x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>2b53c4ddf69195fc</td><td>Zune x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>3094cdb43bf5e9c2</td><td>OneNote 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>5da8f997fd5f9428</td><td>Internet Explorer x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>9839aec31243a928</td><td>Excel 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>9c7cc110ff56d1bd</td><td>PowerPoint 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>a7bd71699cd38d1c</td><td>Word 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>b8c29862d9f95832</td><td>InfoPath 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>b91050d8b077a4e8</td><td>Windows Media Center  x64</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>e36bfc8972e5ab1d</td><td>XPS Viewer</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>17d3eb086439f0d7</td><td>TrueCrypt 7.0a</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>c71ef2c372d322d7</td><td>PGP Desktop 10</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>12dc1ea8e34b5a6</td><td> MSPaint 6.1</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>431a5b43435cc60b</td><td>Python (.pyc)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>469e4a7982cea4d4</td><td>? (.job)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>500b8c1d5302fc9c</td><td>(.pyw)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>50620fe75ee0093</td><td> VMWare Player 3.1.4</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>65009083bfa6a094</td><td>(app launched via XPMode)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>7e4dca80246863e3</td><td>Control Panel (?)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>83b03b46dcd30a0e</td><td>iTunes 10</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>b0459de4674aab56</td><td>(.vmcx)</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>1b4dd67f29cb1962</td><td>Windows Explorer Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
<tr><td>d7528034b5bd6f28</td><td>Windows Live Mail Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
<tr><td>cdf30b95c55fd785</td><td>Microsoft Office Excel 2007</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>d64d36b238c843a3</td><td>Microsoft Office InfoPath 2010 x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>be71009ff8bb02a2</td><td>Microsoft Office Outlook x86</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4907 Win4n6 List Serv ]</td></tr>
+
<tr><td>f5ac5390b9115fdb</td><td>Microsoft Office PowerPoint 2007</td><td>8/22/2011</td><td>[http://tech.groups.yahoo.com/group/win4n6/message/4910 Win4n6 List Serv ]</td></tr>
+
<tr><td>adecfb853d77462a</td><td>Microsoft Office Word 2007 Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
<tr><td>a8c43ef36da523b1</td><td>Microsoft Office Word 2003 Pinned and Recent.</td><td>8/22/2011</td><td>[http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf Microsoft Windows 7 Forum ]</td></tr>
+
</table>
+
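Review bot: the added software list links the same tool under two different names, [[The Sleuth Kit]] in the first item and [[Sleuthkit]] in the DFLabs PTK and Autopsy items; use one link target throughout so all three resolve to the same article. The vendor name is also capitalised two ways, [[VMware]] in the opening sentence and "VMWare" in [[Category:VMWare Appliances]], and should match the existing category name exactly.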

Latest revision as of 21:55, 15 June 2014

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

Overview

SIFT Workstation is based on Ubuntu.

Software Includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. Wireshark
  5. HexEditor
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI Front-End for Sleuthkit)
  11. Autopsy (GUI Front-End for Sleuthkit)

The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

Links