Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the <a href="http://sansforensics.wordpress.com/2008/12/24/happy-holidays-sans-sift-workstation-version-12-released/">SIFT Workstation</a>. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is ve

John H. Sawyer, Contributing Writer, Dark Reading

December 29, 2008

2 Min Read

Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is vendor-agnostic, so the included tools are all free and/or open source.What I like about the SIFT Workstation and Rob's class are that they teach students about the fundamentals of digital forensics, the methodology, and the underlying technology of how forensic tools work. After the class, students who work with commercial tools like Forensic ToolKit and Encase actually understand what those tools are doing under the hood because they've done it in class using the tools included in the SIFT Workstation.

SIFT is a valuable tool for forensic examiners with little to no Linux experience because they can use it to see what free/open source tools are available. Also, IT security professionals looking to learn about digital forensics or break into the field will probably get the most value because it gives them a ready-to-use system to start learning.

Of course, what's a computer forensic tool without interesting forensic data to analyze? If you're looking to cut your teeth on some sample cases or files designed for testing, the following resources are free and serve as good data for analysis with the SIFT Workstation.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

About the Author(s)

John H. Sawyer

Contributing Writer, Dark Reading

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights