5. Download SANS SIFT Workstation 2.14 from http://computerforensics.sans.org/community/downloads (SANS SIFT Workstation 3 to be released soon)
6. VMware Appliance
• Cross compatibility between Linux and Windows
• A portable lab workstation you can use for your investigations
• Forensic tools preconfigured
• Option to install stand-alone via (.iso) or use via VMware Player/Workstation
7. You have to learn it like you do any tool
• Powerful command line capability
• It is a tool to accomplish deep forensic analysis
• Memory Analysis
• File System Analysis
• Timeline Analysis
• And many more…
10. File System Support
• Windows (MSDOS, FAT, VFAT, NTFS)
• MAC (HFS)
• Solaris (UFS)
• Linux (EXT2/3)
Evidence Image Support
• Expert Witness (E01)
• RAW (dd)
• Advanced Forensic Format (AFF)
11. /usr/local/src
• Source files for Autopsy, The Sleuth Kit and other tools
/usr/local/bin
• Location of the forensic pre-compiled binaries
/cases
• Location of the images that were seized from your compromised system
/mnt
• Location of the mount points for the file system images
13. Elevate your privileges
Change directories to /cases/<case directory>
Mount .E01 image files in the /mnt/ewf directory
$ mount_ewf.py <image.E01> /mnt/ewf/
Mount the raw image found in the /mnt/ewf directory on the /mnt/windows_mount/ directory (read-only, so the evidence is never altered)
$ mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/<raw image> /mnt/windows_mount
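The two mount steps above wrapped in checked shell functions, as an added example that is not part of the SANS slides. It assumes SIFT's mount_ewf.py and ntfs-3g are installed, that the function runs as root, and that mount_ewf.py exposes the raw image as the only non-.txt file under /mnt/ewf; image and mount point names are placeholders.

```shell
#!/bin/sh
# Added example, not from the SIFT slides: the two mount steps wrapped in
# checked functions. Assumes SIFT's mount_ewf.py and ntfs-3g are installed and
# the function runs as root; image and mount point names are placeholders.
set -eu

EWF_MOUNT=/mnt/ewf
WIN_MOUNT=/mnt/windows_mount
# Options from the slide: ro and loop keep the evidence unmodified, show_sys_files
# exposes $MFT and friends, streams_interface=windows exposes alternate data streams.
MOUNT_OPTS="ro,loop,show_sys_files,streams_interface=windows"

# Return 0 only if a comma-separated option list contains a bare "ro" option;
# "errors=remount-ro" or a missing "ro" must not pass.
opts_are_readonly() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Full procedure: mount the E01 container, find the raw image it exposes, record
# its hash for the case notes, then loop-mount it read-only and confirm.
mount_e01() {
    e01="$1"
    [ -f "$e01" ] || { echo "no such image: $e01" >&2; return 1; }
    opts_are_readonly "$MOUNT_OPTS" || { echo "refusing non-ro options" >&2; return 1; }
    mkdir -p "$EWF_MOUNT" "$WIN_MOUNT"
    mount_ewf.py "$e01" "$EWF_MOUNT"
    # Assumption: mount_ewf.py exposes the raw disk as the only non-.txt regular
    # file under /mnt/ewf.
    raw=$(find "$EWF_MOUNT" -maxdepth 1 -type f ! -name '*.txt' | head -n 1)
    [ -n "$raw" ] || { echo "no raw image under $EWF_MOUNT" >&2; return 1; }
    sha256sum "$raw" | tee -a "$(dirname "$e01")/image_hashes.txt"
    mount -o "$MOUNT_OPTS" "$raw" "$WIN_MOUNT"
    # The kernel's view of the mount must show it as read-only.
    mount | grep " $WIN_MOUNT " | grep -q '(ro,'
}
# Usage, as root from /cases/<case directory>:  mount_e01 ./disk.E01
```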
14.
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers