Supriya Ghosh (Editor)

SANS Investigative Forensics Toolkit

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Developer(s)
  
SANS Institute

Operating system
  
Ubuntu

Development status
  
Active

Available in
  
English

Initial release
  
December 13, 2008 (2008-12-13)

Stable release
  
2.1 / August 4, 2011; 5 years ago (2011-08-04)

The SANS Investigative Forensic Toolkit ("SIFT") is a computer forensics VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with expert witness format (E01), advanced forensic format (AFF), and raw (dd) evidence formats. The new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

Contents

Use

The toolkit has the ability to securely examine raw disks, multiple file systems, and evidence formats. It places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

File system support

  • Windows (MS-DOS, FAT, VFAT, NTFS)
  • Mac (HFS)
  • Solaris (UFS)
  • Linux (ext2/3)

    • Evidence image support

  • Expert Witness (E01/L01)
  • RAW (dd)
  • Advanced Forensic Format (AFF)

    • Software

  • MantaRay (Automated Forensic Processing), MantaRay's GitHub
  • The Sleuth Kit (File system analysis tools)
  • log2timeline (timeline generation tool)
  • ssdeep & md5deep (hashing tools)
  • Foremost/Scalpel (File Carving)
  • Wireshark (Network Forensics)
  • Vinetto (thumbs.db examination)
  • Pasco (IE Web History examination)
  • Rifiuti (Recycle Bin examination)
  • Volatility Framework (memory analysis)
  • DFLabs PTK (GUI front-end for Sleuthkit)
  • Autopsy (GUI front-end for Sleuthkit)
  • PyFLAG (GUI Log/Disk examination)

    • References

    SANS Investigative Forensics Toolkit Wikipedia
    (Text) CC BY-SA


    Similar Topics