SIFT Workstation

Protocol SIFT: Experimental Research on AI-Assisted DFIR

You may see references to Protocol SIFT in the DFIR community. Protocol SIFT is an experimental research initiative exploring how AI-assisted orchestration may support investigative workflows within the SIFT environment.

Protocol SIFT is separate from and does not modify or replace the core SIFT Workstation available for download on this page. The SIFT Workstation remains a widely used digital forensic and incident response platform maintained by SANS.

Protocol SIFT has not been validated for forensic soundness or evidentiary reliability and is not court-admissible. It remains in its initial research stage.

Read the full overview here: Protocol SIFT: An Experimental Research Initiative for AI-Assisted DFIR

Option 1: SIFT Workstation VM Appliance

Click the 'Login to Download' button above and input (or create) your SANS Portal account credentials to download the virtual machine. Once you have booted the virtual machine, use the credentials below to gain access.

• Login = sansforensics
• Password = forensics
• • Use to elevate privileges to root while mounting disk images.

• md5 = 3618ec5a542025f0df39c1ea506823cc

• sha1 = d40cdfe01e9118a5eb30dad63e6980e0243559c4

• sha256 = 58b5c0421ae1563161909e23fce32a91e0164ed2af94eff9ec98e7e6199713dd

Having trouble downloading SIFT? If you are having trouble downloading the SIFT Workstation VM, please contact sift-support@sans.org and include the URL you were given, your public IP address, browser type, and if you are using a proxy of any kind.

Option 2A: SIFT Easy Installation on Native Ubuntu System

1. Download Ubuntu 22.04 ISO file and install Ubuntu 22.04 on any system - http://www.ubuntu.com/download/desktop
2. Install the Latest Cast Binary from its release page
3. Run '**sudo cast install teamdfir/sift**' to install the latest version of SIFT
4. Congrats -- you now have a SIFT workstation!
1. Login = **sansforensics**
2. Password = **forensics**
3. $ **sudo su -**
4. Use to elevate privileges to root while mounting disk images.

Option 2B: SIFT Easy Installation on Microsoft Windows using Windows Subsystem for Linux

1. Install Windows Subsystem for Linux (WSL) according to Microsoft’s latest guidance, currently located at https://docs.microsoft.com/en-us/windows/wsl/install-win10. The SIFT distribution can be installed on either WSL version 1 or version 2.

1. Choose Ubuntu 22.04 during the WSL installation process.

2. Launch the Ubuntu Bash Shell and elevate to root (**sudo su**) to avoid permissions issues during the installation process.

3. Install the Latest Cast Binary from its release page

4. Run '**sudo cast install --mode=server teamdfir/sift-saltstack**' to install the latest version of SIFT in WSL

5. Congrats -- you now have a SIFT Workstation in Windows!

Key new SIFT Workstation features include:

• Ubuntu LTS 20.04 Base

• 64-bit base system
• Better memory utilization
• Auto-DFIR package update and customizations
• Latest forensic tools and techniques
• VM Appliance ready to tackle forensics
• Cross compatibility between Linux and Windows
• Option to install/upgrade stand-alone system via SIFT-CLI installer
• Expanded Filesystem Support

SIFT Workstation Capabilities

A key tool during incident response, helping incident responders identify and contain advanced threat groups. The SIFT provides robust capabilities for analyzing file systems, network evidence, memory images, and more.

File system support

• NTFS (NTFS)
• iso9660 (ISO9660 CD)
• hfs (HFS+)
• raw (Raw Data)
• swap (Swap Space)
• memory (RAM Data)
• fat12 (FAT12)
• fat16 (FAT16)
• fat32 (FAT32)
• ext2 (EXT2)
• ext3 (EXT3)
• ext4 (EXT4)
• ufs1 (UFS1)
• ufs2 (UFS2)

Evidence Image Support

• raw (Single raw file (dd))
• aff (Advanced Forensic Format)
• afd (AFF Multiple File)
• afm (AFF with external metadata)
• afflib (All AFFLIB image formats (including beta ones))
• ewf (Expert Witness format (encase))
• split raw (Split raw files) via affuse
• affuse - mount 001 image/split images to view single raw file and metadata
• split ewf (Split E01 files) via mount_ewf.py
• mount_ewf.py - mount E01 image/split images to view single raw file and metadata
• ewfmount - mount E01 images/split images to view single raw file and metadata
• vmdk
• vhd/vhdx
• qcow

Incident Response Support

• F-Response Tool Suite Compatible
• Rapid Scripting and Analysis
• Threat Intelligence and Indicator of Compromise Support
• Threat Hunting and Malware Analysis Capabilities

Software Includes:

• Plaso/log2timeline (Timeline Generation Tool)
• Rekall Framework (Memory Analysis)
• Volatility Framework (Memory Analysis)
• 3rd Party Volatility Plugins
• bulk_extractor
• afflib
• afflib-tools
• ClamAV
• dc3dd
• imagemounter
• libbde
• libesedb
• libevt
• libevtx
• libewf
• libewf-tools
• libewf-python
• libfvde
• libvshadow
• lightgrep
• Qemu
• regripper and plugins
• SleuthKit
• Hundreds of additional tools

SIFT Workstation and REMnux Compatibility

REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. REMnux is used in SANS FOR610: Reverse Engineering Malware.

REMnux can be added into a SIFT Workstation installation. To install REMnux, first install the SIFT Workstation using the instructions found above. Then, follow these instructions to add the REMnux components.