We are excited to announce the latest release of the SANS SIFT Workstation. This release is more evolutionary than revolutionary, with the most important update being a move to the Ubuntu 20.04 LTS kernel. Those familiar with the joys of Linux understand that major kernel updates can wreak havoc on tool packages, dependencies, and modules, so kudos to Erik Kristensen and the SANS DFIR team for a successful upgrade! The 20.04 kernel gets SIFT fully up-to-date with security features, faster boot times, and enhanced performance.
Behind the scenes, SIFT uses SaltStack for configuration management, and the intention is to continue to build upon this capability to automate new builds, making it easier to provide updates in the future. The Salt configuration is public and can be used by those who want fine-grained control to build their own version of SIFT. However, our recommendation for the average user is to either take advantage of the pre-built .ova file to run SIFT as a virtual machine, or employ the SIFT CLI package to “install” SIFT on your own version of Ubuntu 20.04 on bare metal. The corresponding “sift update” feature provides a simple means to take advantage of future updates, one of the most exciting features of this build process.
The SIFT Workstation contains well over 200 forensics, incident response, and pentesting tools pre-installed. Many fan favorites like Volatility, Plaso/log2timeline, and RegRipper have been updated to the latest versions. However, one of my favorite features of SIFT has long been its repository of both vintage and obscure forensic projects installed alongside the latest technologies. Tools like ddrescue and testdisk have long been useful when dealing with damaged drives or partitions. Malware analysis tools like pdf-parser, UPX, and radare2 are available for use, along with the CyberChef web app for all of your decoding needs. Foundational forensic tools like The Sleuth Kit and the incredible libyal libraries are pre-installed, providing simple access to file system forensics and parsing of formats as diverse as Windows Volume Shadow Copies, OST files, and the WinEVTX format. SIFT supports forensic images in expert witness format (E01), advanced forensic format (AFF), and raw (dd) formats, in addition to newer archive formats like VHDX. Virtualization software like Qemu, Docker, Wine, and the FUSE libraries make adding new software projects and working with unusual file formats possible. SIFT maintains both Python2 and Python3 support with many forensic-centric libraries pre-installed, making it easy to import and immediately start using the ever-growing number of DFIR tools written in Python. And that is just a taste! I am unaware of any other resource maintaining this level of diverse DFIR capabilities.
Enjoy the new release and please report any problems to the GitHub repository issues page.
Get your copy of SIFT here. Note that if you are taking SANS courses like FOR508, FOR572, or FOR578 you do not need to download SIFT beforehand. A pre-configured version will be provided for you in those courses with pre-loaded evidence and exercise files.
What is Next?
Think of this update as a “pre-release” for the next update planned for later this year. We wanted to get a solid 20.04 kernel build out to users while working towards a larger tool update in the next release.