SANS Investigative Forensics Toolkit

This article has multiple issues. Please help improve it or discuss these issues on the talk page.

The topic of this article may not meet Wikipedia's notability guidelines for products and services. Please help to establish notability by adding reliable, secondary sources about the topic. If notability cannot be established, the article is likely to be merged, redirected, or deleted.
Find sources: "SANS Investigative Forensics Toolkit" – news · books · scholar · JSTOR · free images (February 2011)

This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (February 2011)

SANS Investigative Forensic Toolkit
Developer(s)	SANS Institute
Initial release	December 13, 2008 (2008-12-13)
Stable release	2.1 / August 4, 2011; 21 months ago (2011-08-04)
Development status	Active
Operating system	Ubuntu
Available in	English
Type	Computer forensics
Website	computer-forensics.sans.org

The SANS Investigative Forensic Toolkit ("SIFT") is a computer forensics VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with expert witness format (E01), advanced forensic format (AFF), and raw (dd) evidence formats. The new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.

Use

The toolkit has the ability to securely examine raw disks, multiple file systems, and evidence formats. It places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

File system support

Windows (MS-DOS, FAT, VFAT, NTFS)
Mac (HFS)
Solaris (UFS)
Linux (ext2/3)

Evidence image support

Expert Witness (E01)
RAW (dd)
Advanced Forensic Format (AFF)

Software

The Sleuth Kit (File system analysis tools)
log2timeline (timeline generation tool)
ssdeep & md5deep (hashing tools)
Foremost/Scalpel (File Carving)
Wireshark (Network Forensics)
Vinetto (thumbs.db examination)
Pasco (IE Web History examination)
Rifiuti (Recycle Bin examination)
Volatility Framework (memory analysis)
DFLabs PTK (GUI front-end for Sleuthkit)
Autopsy (GUI front-end for Sleuthkit)
PyFLAG (GUI Log/Disk examination)

↑Jump back a section

References

This section is empty. You can help by adding to it. (March 2013)

↑Jump back a section

External links

SANS Digital Forensics and Incident Response web site

v t e Digital forensics

Branches	Computer forensics Mobile device forensics Network forensics Database forensics

Hardware	Forensic disk controller

Software	EnCase Foremost FTK Registry Recon PTK Forensics The Sleuth Kit The Coroner's Toolkit COFEE Selective file dumper HashKeeper Xplico

Certification	Certified Hacking Forensic Investigator (CHFI) Global Information Assurance Certification

Processes	Digital forensic process Data acquisition Digital evidence eDiscovery Anti-computer forensics

Organisations	National Software Reference Library American Society of Digital Forensics & eDiscovery Department of Defense Cyber Crime Center National Hi-Tech Crime Unit (NHTCU) Australian High Tech Crime Centre (AHTCC)

People	Eoghan Casey Clifford Stoll Erik Laykin

Glossary of digital forensics terms

↑Jump back a section

Last modified on 14 March 2013, at 11:38

SANS Investigative Forensics Toolkit

Use

File system support

Evidence image support

Software

References

Further reading

External links