Difference between pages "Windows 7" and "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m
 
Line 1: Line 1:
 +
'''The SANS SIFT Workstation''' is a [[VMware]] Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with [[Encase | Expert Witness Format]] (E01), Advanced Forensic Format ([[AFF]]), and raw (dd) evidence formats.
  
 +
== Overview ==
  
== File Structure ==
+
SIFT Workstation is based on Ubuntu.
File systems are covered separately.
+
  
== SSD ==
+
Software Includes:  
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
  
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
+
# [[The Sleuth Kit]]
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
+
# [[ssdeep]] & [[md5deep]]
 +
# [[Foremost]]/[[Scalpel]]
 +
# [[Wireshark]]
 +
# HexEditor
 +
# [[Vinetto]] ([[thumbs.db]] examination)
 +
# Pasco
 +
# Rifiuti
 +
# [[Volatility Framework]]
 +
# DFLabs PTK (GUI Front-End for [[Sleuthkit]])
 +
# [[Autopsy]] (GUI Front-End for [[Sleuthkit]])
  
+
The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.
  
 +
== Links ==
  
== Jump Lists ==
+
* [http://forensics.sans.org/community/downloads/ Computer Forensics and e-Discovery downloads]
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
[[Category:VMWare Appliances]]
 
+
== Registry ==
+
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
+

Latest revision as of 17:55, 15 June 2014

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

Overview

SIFT Workstation is based on Ubuntu.

Software Includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. Wireshark
  5. HexEditor
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI Front-End for Sleuthkit)
  11. Autopsy (GUI Front-End for Sleuthkit)

The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

Links