
Difference between pages "Windows 7" and "SANS Investigative Forensic Toolkit Workstation"

The "Windows 7" page (left side of the comparison) reads:

Overview

File Structure

File systems are covered separately.

SSD

Per Microsoft KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states:

"Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."

Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

The "SANS Investigative Forensic Toolkit Workstation" page (right side of the comparison) is reproduced in full as its latest revision below.

Latest revision as of 21:55, 15 June 2014

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

Overview

SIFT Workstation is based on Ubuntu.

Software Includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. Wireshark
  5. HexEditor
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI Front-End for Sleuthkit)
  11. Autopsy (GUI Front-End for Sleuthkit)

The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

Links

  * Computer Forensics and e-Discovery downloads: http://forensics.sans.org/community/downloads/

Category: VMWare Appliances