Difference between revisions of "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki
Revision as of 10:01, 10 December 2008

The SANS SIFT Workstation is a VMware appliance that comes preconfigured with the tools needed to perform a forensic examination. It can work with evidence in Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) image formats.

Overview

SIFT Workstation is based on Fedora.

Software includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. HexEditor
  5. Wireshark
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI front-end for The Sleuth Kit)
  11. Autopsy (GUI front-end for The Sleuth Kit)

The SIFT Workstation also allows evidence to be viewed from a Windows workstation: the /images directory and the evidence mount point, /mnt/hack, can be accessed from the local Windows operating system.

Links

  * Computer Forensics and e-Discovery downloads: http://forensics.sans.org/community/downloads/