A free tool is changing the way digital forensic professionals perform detailed
examinations. The SANS Investigative Forensic Toolkit (SIFT) Workstation 2.0,
created by Rob Lee, is the first of its kind: an online virtualized workstation
environment that shows that advanced investigations and the investigation of
hackers can be accomplished using freely available open-source tools.

"The SIFT Workstation incorporates the majority of the open-source and free
solutions into a single package to solve complex computer crime cases," said
Lee. "A seasoned digital forensic professional or an individual just starting in
the digital forensics field does not need to spend thousands of dollars in order
to perform computer forensics. This workstation provides capability to
forensicators who need critical analysis capability today."

SIFT, first unveiled in Lee’s Computer Forensic Investigations and Incident
Response SANS course (FOR 508), has the ability to securely examine raw disks,
multiple file systems and evidence formats. The tool places strict guidelines on
how evidence is examined while verifying that the evidence has not changed.

SIFT is a VMware Appliance or installation DVD that is preconfigured with all
the necessary tools to perform a detailed digital forensic examination. It is
compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and
raw (dd) evidence formats. The brand-new version has been completely rebuilt on
an Ubuntu base with many additional tools and capabilities that can match any
modern forensic tool suite.

Meanwhile, the workstation is a tool of choice for many who have earned GCFA
certification. GCFA is the largest vendor-neutral digital forensic certification
available in the world, with over 2,000 certified people. Those certified have
the knowledge and skills to handle advanced incident handling scenarios, conduct
formal incident investigations, and carry out forensic investigation of networks
and hosts. Additionally, GCFA was a finalist for this year’s SC Magazine Awards.