SIFT Workstation And Resources For Aspiring Forensic Examiners

Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is vendor-agnostic, so the included tools are all free and/or open source.What I like about the SIFT Workstation and Rob's class are that they teach students about the fundamentals of digital forensics, the methodology, and the underlying technology of how forensic tools work. After the class, students who work with commercial tools like Forensic ToolKit and Encase actually understand what those tools are doing under the hood because they've done it in class using the tools included in the SIFT Workstation.

SIFT is a valuable tool for forensic examiners with little to no Linux experience because they can use it to see what free/open source tools are available. Also, IT security professionals looking to learn about digital forensics or break into the field will probably get the most value because it gives them a ready-to-use system to start learning.

Of course, what's a computer forensic tool without interesting forensic data to analyze? If you're looking to cut your teeth on some sample cases or files designed for testing, the following resources are free and serve as good data for analysis with the SIFT Workstation.

• Honeynet Project Challenges: These haven't been updated in a while, but they're still good for learning. I got my start working on them several years ago.
• Lance Mueller's Forensic Practicals: Lance has two good, realistic practicals for hands-on experience.
• Digital Forensic Research Workshop challenges: There are several challenges that include analyzing Windows memory images and file carving.
• Hacking Case: A hacking scenario put together by NIST with a good list of questions that will require a variety of forensic skills to answer.
• Digital Forensics Tool Testing Images: Slightly different from the above examples, these are for testing tools to make sure they're working consistently.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.