SANS Digital Forensics and Incident Response Blog: Daily Archives: Feb 19, 2009

Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course which is also known as SEC508. With the launch of the community website at http:\

orensics.sans.org
it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.

The blog series "SIFT'ing" will show to utilize the workstation using a series of exercises. Today we will discuss how to use the