SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community. 

Tools:

  • Forensicator-in-Chief Rob Lee recently brought out the Awesomesauce with the release of SANS Investigative Forensic Toolkit (SIFT) Workstation version 2.0. This Ubuntu-based release comes as both a Virtual Machine and an installable Linux distribution and includes Kristinn Gudjonsson's log2timeline, which has been covered on the blog previously, SUPER Timeline Analysis.
  • In conjunction with the release of Into the Boxes: Issue 0x1 (see Good Reads section below), Harlan Carvey has released a set of Perl scripts to extract network information from the Windows Registry and perform Geolocation lookups of Wireless Access Points. (In order to download, you'll need to join Harlan's Win4n6 Yahoo Group. Once logged in, download itb0x1.zip from the Files sections.) Be sure to read the readme.first file and download the required tools and modules.

Good Reads:

  • Into the Boxes Issue 0x1 has been released, and includes articles on analyzing Apple OSX configuration (.plist) files, determining the physical locations in which a Windows system has been used by leveraging Registry Analysis and geolocation, and more.
  • Craig Ball makes an informed and impassioned argument that "most civil forensics work should be reserved for neutral examiners."

News:

  • New Jersey Supreme Court rules that employees who use third-party, password protected email services may have a reasonable expectation of privacy, even when the email account is accessed/used during working hours from an employer-owned computer.
  • Hakin9 magazine goes FREE, Monthly and ONLINE-Only. Subscribe to their newsletter to receive each issue, starting April 30th. The April 30th issue will include a shellcode article by Didier Stevens.

Levity:

Coming Events:

Digital Forensics Case Leads for 20100408 was compiled by Gregory Pendergast, incident handler and digital forensicator at Virginia Commonwealth University.

22 Comments

Posted April 8, 2010 at 3:32 PM | Permalink | Reply

Armando Rodriguez

The link to (https://computer-forensics2.sans.org/community/downloads) The SIFT Workstation 2.0 Edition is not functioning. I'm unable todownload the image for The SIFT Workstation 2.0 Edition.

Posted April 9, 2010 at 1:03 PM | Permalink | Reply

Dave Hull

Armando: I'm not sure what's going on with the link, but it is correct. I will send a message to the NOC and have them look into it, it may be slow/unresponsive due the high number of people attempting to download.

Posted April 13, 2010 at 1:00 PM | Permalink | Reply

Nikki Kennedy

I am having the same problem Armando is having. I waited and I finally did recieve an error saying either the site could not be reached or it was busy. I would really like to look at all the tools and see how they work. (https://computer-forensics2.sans.org/community/downloads) The SIFT Workstation 2.0. Thanks for any help provided

Posted April 14, 2010 at 3:05 PM | Permalink | Reply

Joel Gomez

Hello all
My problem is that when i add image on my cases Sift say i can recognize the filesystem every time.
I dont know how to solve the problem ?
Thank's in advance
Jol

Posted April 15, 2010 at 1:19 PM | Permalink | Reply

Dave Hull

Armando & Nikki ''" I tried the download link this morning and it appeared to be working. I stopped the download as it was in progress. If it's still not working for you, post a comment and I'll follow up again.

Posted April 15, 2010 at 1:54 PM | Permalink | Reply

gregorypendergast

Joel,
I'm assuming you mean that your error is that the tool can NOT recognize the filesystem? Am I correct there?
Can you give us a little more information about your situation? 1) What image types are you working with (e.g. RAW/DD, E01, AFF)? 2) Are the image files single files or split? 3) What tool/application is reporting the error? 4) If applicable, please provide the syntax of the command(s) you're entering at the command line.
Thanks.

Posted April 15, 2010 at 8:18 PM | Permalink | Reply

Eric Freyssinet

Hello !
I am having difficulties with the current install of RegRipper on SIFT 2.0 which does not seem to include VolRip anymore ?
The problem is doing a rip -r image.dd@offset -f ''
Best regards,

Posted April 19, 2010 at 8:31 AM | Permalink | Reply

Joel Gomez

Ok, first thank's for your answer
1 / i create an image with guymager or dcfldd (a DD image in one file) with SIFT.
2 / the source is a USB key fomatted in fat32 or NTFS
3 / The problem is in PTK when i select the image file
4 / the error is "cannot determine the filesystem"
5 / it's ok for EXT3 and FAT16
Thank's a lot

Posted April 21, 2010 at 4:36 PM | Permalink | Reply

gregorypendergast

Hi Eric,
I haven't tested that issue personally, but Rob addressed the same question on a mailing list recently. The answer is that you have to be in /usr/local/src/volatility to get that to work. However it should work from there. Give that a try and let us know how it turns out.
Thanks.

Posted April 21, 2010 at 4:38 PM | Permalink | Reply

gregorypendergast

Joel,
I'll try to re-create your issue as described and see what I can find. I'll post my findings back here. Thanks for the feedback.

Posted April 24, 2010 at 4:56 PM | Permalink | Reply

Bruce D. Meyer

Two items:
When installing the SIFT 2.0 ISO to a hard drive, if you select the option: Must use password to login and decrypt home folder' the install will fail to boot. (Grub error)
Also, once it is installed, even though the utils seem to be installed (I haven't checked for the presence of all of them, just a couple under /usr/local/bin) Their are no shortcuts, or the useful drop down as on the VM version.
Can you provide some tips on how to make the installable ISO look more like the VM version?
Thank you for releasing this in an installable version. I hate to use it on a VM, as that sucks up more resources than a standalone. I am currently using it on a Dual boot with Win 7 64 bit.
''"Bruce D. Meyer

Posted April 29, 2010 at 6:35 PM | Permalink | Reply

gregorypendergast

Joel,
Sorry for the delay in following up. I've been able to recreate your issue, and I believe it's most likely to be a peculiarity with the file systems, rather than a problem with the tool. The problem isn't really a problem with PTK; the error message is coming from the underlying Sleuth Kit tools.
I'd like to try to arrive at some common denominators. Can you tell me what type of drive (manufacturer, capacity, etc) you acquired your test images from? Also, can you please provide the output of the following commands: "fsstat " , "mmls ", and "mmstat "
If you're still tracking and working on this, please email the information to me directly (address below), and I'll post our findings back here when we arrive at an answer.
greg [DOT] pendergast [AT] gmail [DOT] com

Posted April 29, 2010 at 6:45 PM | Permalink | Reply

gregorypendergast

Bruce,
I can't address the issue with home folder encryption, as I haven't experimented with that. However, the issue with the GUI that you describe is due to the fact that you have to create your own user account when installing SIFT. When using the VM, you are logging in to a pre-configured user profile (SANSforensics) that has all of the shortcuts and menus customized. To my knowledge, this isn't possible with the installation version because the user account has to be created during installation. I don't know whether there's an easy way to duplicate that SANSforensics profile in your installation, but if I find a way, I'll let you know. (And if you find an answer before I do, please post it back here.)

Posted April 30, 2010 at 8:39 PM | Permalink | Reply

Bruce D. Meyer

I did duplicate the menu's by looking at the VM version and creating them one by one. Oddly, I found that I had to alter a couple of the start scripts from sudo to gksudo. (autopsy, make the second line a gksudo) Anything else that calls a gui, I had to do that for.
I found the adepto sh script for starting adepto (which I absolutely love) But can't find any source for installing adepto on the machine. I use adepto almost exclusively for imaging as it lets my send the image across the network to a netcat listenr on my big server downstairs. Is their a way to pull adepto off of the helix CD, or do you know where to find adepto? If not, I guess I'll just have to write my own shell script to call dcfldd. waah.
Getting back to the launchers for ptk, pyflag, and autopsy, I think it wouldn't be too hard to write a script that once run, would just5 create the symlinks to the start scripts. Or perhaps a short HOWTO, README on manually creating them. I had never used a launcher, or drawer before. So it was a great learning opportunity.

Posted May 20, 2010 at 1:38 AM | Permalink | Reply

Dave Hull

The issue you describe doesn't sound like the SIFT boot screen. A SIFT install won't have an option to install XP and you won't need an OEM key code. Sounds suspiciously like an install for Windows XP.

Posted June 2, 2010 at 10:44 AM | Permalink | Reply

ash

Hi, I am new to forensic. I have downloaded SIFT Workstation2 but I dont know how to install this. Any help ??

Posted June 6, 2010 at 8:45 AM | Permalink | Reply

vittorio

I'm having problem downloading SIFT like Armando''

Posted June 6, 2010 at 8:49 AM | Permalink | Reply

vittorio

I found the problem with SIFT download: Internet Explorer doesn't download, Firefox works properly

Posted June 7, 2010 at 8:45 PM | Permalink | Reply

Gregory Pendergast

Hi Ash,
There are two editions (so to speak) of the SIFT workstation. The first is a VMWare appliance, meaning that you will need VMWare Workstation or VMWare Player to open the VMDK file once you decompress it. The second version is a DVD image file (.ISO) that you can open with your preferred CD-Burning software and use to create a bootable DVD. If you're using this version, you will boot to the DVD and follow the steps to install the SIFT Workstation on your hard drive. (The SIFT Workstation is based on Ubuntu Linux).
I hope that clarifies things for you. If not, let me know and I'll try to provide a more detailed explanation.

Posted July 9, 2010 at 7:37 PM | Permalink | Reply

Kevin DeLong

If you don't have VMWare Workstation or really don't like player, you can use VirtualBox. just load the VMDK and start a new VM. It is very simple to get started. I am not sure if everything works properly yet, but I am testing it. Oh'' VirtualBox is free :)

Posted September 19, 2010 at 9:35 PM | Permalink | Reply

Shane

(Using SIFT VM) PTK does not allow me to add a DD image file to a case if it's stored on a USB drive..which is a real nuisance since I don't have the facility to store 250Gb disk image on a VM HDD. Am I missing something here?
Autopsy manages to do it fine''so it's not a problem of the USB device not being ''seen' by the VM, or the format of the USB drive. Yes''I know it's going to be horribly slow''and as soon as VMWare provide support for firewire..I'll be very happy!

Posted January 8, 2011 at 2:06 AM | Permalink | Reply

Mark

I hate to revisit an old conversation, but has anyone found an easy way to duplicate the sansforensics user settings in the installable workstation iso? Perhaps a set of scripts we can run to configure the user? I'm new to ubuntu, so I'd hate to follow Bruce's lead and configure everything manually.