using the SIFT workstation to mount and examine a Windows NTFS image.
Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.
The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course which is also known as SEC508. With the launch of the community website at http:\\forensics.sans.org it is useful to go through some basic architecture of how the SIFT Workstation actually can be useful for you.
The blog series “SIFT’ing” will show to utilize the workstation using a series of exercises. Today we will discuss how to use the SIFT workstation to mount and examine a Windows NTFS image.
The SIFT already should be able to be seen from the Windows machine you have it installed on. The SIFT workstation, by default, is in VMware HOST ONLY mode, but you can modify that in the VMware Machine Settings.