5 Essential Tools to Learn on SIFT Workstation
Locard's Exchange Principle states that "every contact leaves a trace". The logical extension of this aphorism, therefore, is that all digital crime will invariably create evidence of itself. This record of criminality may be both transitory and almost undetectable in scale, but it will exist, if only for a brief period of time. Digital forensics requires an examiner to be able to methodically extract, preserve and analyze this data, but in order to conduct a sound investigation they will require specialized training and tooling. Cue the Sans Investigative Forensics Toolkit (SIFT) Workstation.
The SIFT Workstation is an open source forensics framework designed for system, registry, memory and network investigation. Originally, the open-source community was replete with high-quality forensics tools but they were spread wide and scattershot — with many tools requiring the installation of very particular dependencies.
Ultimately, it was difficult for a user to custom-build a stable and comprehensive forensic tool belt. The SIFT Workstation solved this problem by providing a one-stop shop forensic powerhouse capable of securely examining raw disk images, numerous file systems, and evidence formats. Let's take a look at five of its most essential tools that you need to learn to use.
1. The Sleuth Kit/Autopsy
The Sleuth Kit (TSK) is a suite of command-line tools with the explicit aim to extract forensic data from disk drives and other storage media. TSK has been designed around the concept of the following virtual layers that define the functionality of each of its tools:
Media Management Layer
File System Layer
File Layer ("The Human Interface")
Metadata ("Inode") Layer
Content ("Block") Layer
Conveniently each tool's name corresponds to its purpose via a consistent prefix/suffix format. Take, for example, the tool "mmls", which is used to display the partition layout of a volume system. The prefix "mm" tells you that it is operating at the Media Management layer, whereas the suffix "ls" is simply the Linux command "ls" – used to list files and directories. In effect, "mmls" will provide to you a list layout of the partitions in a volume system, which include partition tables and disk labels.
However, with respect to the tool "icat", its prefix "i" denotes that it is operating at the inode layer (metadata), while the suffix is simply the Linux command "cat" and is used to display the content of a file. Based on the name of the tool alone we can accurately infer that "icat" will output the contents of a file based on its inode number. Better yet, the SIFT Workstation also ships with "Autopsy", a GUI interface which abstracts and simplifies interacting with TSK's programs and plugins.
Whether you prefer working from the command line or via a web-browser Interface, TSK/Autopsy will provide you with the tools necessary to perform a detailed and robust forensic examination.
Modern cyber attacks are becoming increasingly sophisticated in evading detection and often leave no forensic artefacts on the victim machine's hard drive. This, coupled with the widespread use of full-disk encryption, has placed an even higher importance on the ability to extract and conduct a detailed analysis of a computer system's memory dump.
Using Volatility enables an examiner to conduct memory forensics and ascertain a large volume of valuable information. Volatility can identify rogue processes and rootkits as well as retrieving password hashes and evidence of malicious code injection. The Volatility framework is tailor-made to perform incident response and malware analysis, and in my opinion, is a must-learn for the modern digital forensics examiner.
In the enterprise world, Active Directory and Windows machines are almost ubiquitous. Similarly, Windows-based operating systems account for a large majority of the market share for home-users. It would not be shocking, therefore, to learn that a large proportion of computer crime is committed on Windows machines and, as such, a Windows-specific analysis tool would indeed provide great value to a digital forensics examiner.
The Windows registry is a hierarchical database of keys, subkeys and values that provide critical low-level settings to the operating system. Which user logged on when? What time was a USB Drive connected to the device? What was that USB drive's serial number? What files were accessed? What user searched what? All of those details — and much more — are recorded within the Registry. Simply put, it is an absolute goldmine for discovering forensic artefacts.
RegRipper is an open-source tool designed to provide an easy way to parse targeted values of interest from the Registry in order to perform a forensic analysis. To do so, an examiner provides the relevant Registry Hive they wish to target, such as System, or SAM, and the name of a Plugin required to perform a particular action on the target.
For example, by passing in the System Hive in conjunction with the Shutdown plugin, RegRipper will quickly parse out and return the relevant information relating to when the system was last shut down. As you can probably tell, RegRipper is an unbelievably potent tool and an essential component of the SIFT Workstation.
No list would be complete without the inclusion of the well-known packet analyzer, Wireshark. Famous within the networking community for its debugging and troubleshooting abilities, the tool has the ability to peer deep and disentangle the details of all data traversing the wire. For the purposes of network forensics, Wireshark provides an examiner the ability to identify intrusions and malicious traffic as well as gather information to help establish a contextual basis around a potential crime.
Suppose a savvy criminal breaches the network but takes care to erase all log files and evidence of their presence on the target machine. The only remaining record of this ever happening may lie within the traffic recorded by the packet analyzer. Wireshark provides a suite of features to help isolate and identify potentially "interesting" traffic, including filtering by source address, port number, and protocol type.
Ultimately, network forensics has gradually grown to become a vital sub-branch of investigating digital crimes and Wireshark has proven itself to be an invaluable addition to the forensic toolkit.
Forensic analysis requires an extreme attention to detail and building an accurate timeline of events is of principal importance when evaluating the evidence in your possession. An erroneous timeline can literally be the difference between discovering inculpatory or exculpatory evidence. Rather than suffer the lassitudes of manually examining event logs, prefetch, shellbags and collating this data from disparate sources, SIFT Workstation offers an option to create a "Super Timeline" using one tool.
Built on a backend engine known as Plaso, Log2Timeline has the ability to parse all of this information and assemble them in temporal order — all neatly within one data source. Log2Timeline helps provide a wealth of context to your findings and is excellent at eliminating false positives.
Log2Timeline not only makes your job easier, it also improves the quality of your work and can often lead to discovering that elusive "final piece of the puzzle" needed to crack a case. It truly is an outstanding tool.
The SIFT Workstation is a professional-grade forensics framework and offers an abundance of high-quality, open-source tools at your disposal. I would encourage you to indulge your curiosity and explore everything it has to offer. Without a doubt, these five tools are my favorites of the bunch and, in my view, represent absolutely essential digital forensics learning.