Installing SANS SIFT 3.0

Matt B
5 min read · Mar 6, 2014


Today, as an awesome and lucky extension of the week of DFIRCON, SANS released version 3.0 of their SIFT workstation. This is a huge improvement over the previous version (2.14), and I’m excited to have an updated version at my fingertips! Notable improvements include:

  • OS upgrade; recommend Ubuntu 12.04 LTS
  • 64-bit support; better memory utilization
  • Updated forensic tools
  • DFIR package repos for updates
  • Setup script allows you to customize your own distribution

As of today, the install is done via a bootstrap script. Typically there is also a pre-built VM available for download; according to SANS, the 3.0 VM is still in the works and should be out soon.

There’s also a great new help site that includes some instructions about installation, tools, and commands available within the workstation.

I wanted to put up a quick post about my installation experience, as well as the flexibility that the bootstrap script provides a forensic examiner.

Understanding the Distribution

SANS’ download site recommends utilizing Ubuntu 12.04 LTS. As of this post, the latest sub-version is 12.04.4 LTS. This is the version I’ll be utilizing. In case you’re not familiar with Ubuntu, a quick primer may help:

Ubuntu releases a new major version every six months, so two a year (obviously). Version numbers follow the naming convention year.month. For example, the latest version is 13.10, which was released in October of 2013. Fast-forward, and next we’ll have 14.04.

Along with the six-month releases, every two years (in each even year) the April (.04) Ubuntu release receives LTS status. LTS, standing for “Long Term Support”, means that the distribution will receive updates, support, etc. for 5 years. This provides a stable platform that organizations can use for many years without having to plan an upgrade every six months. Choosing an LTS release for a SIFT Workstation ensures that a forensic platform with stability and support will be available for many, many months to come.

Choosing Your Distribution

Now that we have an understanding of why Ubuntu LTS is the recommended distribution, let’s take a look at the other options. As we are utilizing the bootstrap setup script, we only need to have an Ubuntu 12.04 LTS base environment. The rest (GUI, applications, etc.) are up to you — the examiner. If you are a fan of Ubuntu’s Unity design, by all means proceed with that. But, in case you’d like to try some other visual options, check out the following distros:

If you’re new(ish) to using Linux, please take a moment to check out the various desktop environments and see if you prefer one over another. Hell, try them all if you want.

Once you’ve found a distro you like, go ahead and download version 12.04.4 and install it. I typically install in a virtual environment, either on my Mac or Windows host(s). You can proceed with a VM or go the bare-metal route; up to you. I’m not going to go over building a base Ubuntu installation — plenty of resources for that. Either way, set up the system as you’d like, and get ready to turn your Ubuntu install into a forensic beast!

Preparing for SANS SIFT Bootstrapping

First things first — now that we’re able to rock a 64-bit SIFT Workstation, I’d recommend giving that puppy some power. I’m not sure about your particular environment, but if you can afford to throw 4GB+ of RAM and a couple of cores at your VM (or bare metal), go ahead! It’ll only make your processing faster.

Now, since we’re using version 12.04, there are bound to be some updates. I’d recommend grabbing these before installing SIFT packages. If you’re comfortable with the Terminal, go ahead and issue the following commands:

sudo apt-get update
sudo apt-get dist-upgrade

You can chain those together if you want, but I like seeing the results after each one.

If you’re not too comfortable with the Terminal, there should also be a GUI option available for updates. Look around your menu bar; there is probably an exclamation point or a popup box somewhere telling you to update.

Accept, let those run, and soon you should have an up-to-date distribution. Ok, let’s get to SIFT already!

Utilizing the SIFT Bootstrap Script

Once you’ve got a distro up and running, it’s time to morph it into an ultra-badass SIFT Workstation. Taken from the new SIFT help site, you can run the following command which will perform an automated install:

wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i

If you’d prefer to view the script or run it manually, you can use the following:

wget --quiet -O bootstrap.sh https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh
chmod +x bootstrap.sh
sudo ./bootstrap.sh

You’ll see a flurry of activity across the screen as various tools are installed, and this may take a bit. Once this script has finished, you’re ready to rock and roll!

NOTE: There is an alternative installation option which adds -s -y to the end of the install command and also gives you a SIFT theme. This will change your hostname to sansforensics and load a GNOME-compatible theme. If you're not using GNOME or Unity, I'd recommend against running with these options. You'll still have the full toolkit, but the theme won't load.
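As an added example (not code from the original post or from the SIFT project), here is a small POSIX shell wrapper for the download-and-review route described above: it saves the bootstrap script to disk instead of piping it into sudo sh, refuses to run it if what came back is empty or an HTML page rather than a shell script, prints a SHA-256 so you can record exactly what was executed as root, and only then runs it with the same -i flag (pass -s -y as extra arguments for the theme option). The function names and the checks they perform are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the SIFT bootstrap project or the original post.
# Fetch the SIFT bootstrap script to a file, sanity-check it, then run it as
# root. The URL is the one quoted in the post; the checks below are assumed.

SIFT_BOOTSTRAP_URL="https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh"

# Returns 0 if FILE looks like a plausible bootstrap shell script, 1 otherwise.
# Rejects empty files, files without a shell shebang on the first line, and
# HTML pages (what you often get back when a raw URL has moved or errored).
check_bootstrap_script() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    first=$(head -n 1 "$file")
    case "$first" in
        '#!'*sh*) ;;
        *) echo "no shell shebang on first line: $first" >&2; return 1 ;;
    esac
    if grep -qi '<html' "$file"; then
        echo "looks like an HTML page, not a script: $file" >&2
        return 1
    fi
    return 0
}

# Prints the SHA-256 of FILE so the examiner can note exactly what was run.
script_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Download to a file (never to stdout), check it, show the digest, pause so
# the script can be read, then run it as root with -i plus any extra args
# (e.g. -s -y for the theme) appended.
fetch_and_run_bootstrap() {
    out="bootstrap.sh"
    wget --quiet -O "$out" "$SIFT_BOOTSTRAP_URL" || { echo "download failed" >&2; return 1; }
    check_bootstrap_script "$out" || return 1
    echo "sha256 of $out: $(script_digest "$out")"
    echo "Review $out now; press Enter to run it as root, Ctrl-C to abort."
    read -r _
    sudo sh "$out" -i "$@"
}
```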

Ok, now we’re SIFTing!

Once the installation has finished, you should be able to see a bunch of new tools installed. Here are some sample tools:

Screenshots (not reproduced here): hex editors and IPython; Wine installed; the new MantaRay.

We should also see a bunch of new command line tools, such as Volatility, Joachim Metz’s library tools, log2timeline/Plaso, and RegRipper.

(There are a boatload more command line tools installed, I just picked a few.)

And with that, we now have a SANS SIFT 3.0 forensic workstation! I’m looking forward to playing with the new version for days to come, and especially getting familiar with tools I haven’t spent much time learning yet.

I might try another install on a plain Ubuntu to get a feel for the SANS theme that is optional. However, I’ve become so attached to other desktop environments that it might just be for fun, while I work in another. Anyways, I enjoyed getting this up and running, and want to say a big thank you to the team at SANS for putting together this great tool for us to use.

Happy hunting!

Originally published at www.505forensics.com on March 6, 2014.
