Title: SIFT - using the SIFT workstation to mount and examine a Windows NTFS image.
Post by: Jhaddix on February 24, 2009, 02:58:20 AM
SIFT is a VMware image for forensic examination. Rob Lee on the SANS forensic blog has some great posts detailing its use, one of which is cited below. This is just part of a great forensics toolkit; take advantage! Be sure to check out the whole blog because it goes over lab creation, freeware tools, etc. for forensics... and Rob Lee is just a cool guy ;)
using the SIFT workstation to mount and examine a Windows NTFS image. (http://sansforensics.wordpress.com/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-filesystem-evidence/)
Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.
The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course, which is also known as SEC508. With the launch of the community website at http://forensics.sans.org, it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.
The blog series “SIFT’ing” will show how to utilize the workstation using a series of exercises. Today we will discuss how to use the SIFT workstation to mount and examine a Windows NTFS image.
The SIFT already should be able to be seen from the Windows machine you have it installed on. The SIFT workstation, by default, is in VMware HOST ONLY mode, but you can modify that in the VMware Machine Settings.