
sift's People

Contributors: ekristen, sift-owner


sift's Issues

pf missing

Hi, I am trying to view a prefetch file but the pf command is missing.

64-bit support

Not a bug, but a request for clarification. Since the SIFT 3.0 appliance is now a 64-bit installation, it requires a 64-bit processor (duh.) However, not all 64-bit processors support running a 64-bit guest OS. There is software from VMware (VMware-guest64check-5.5.0-18463.exe) that will inform you if your CPU can handle this task.

So, the requirements for running SIFT 3.0 are:

  1. if you're using the bootstrap.sh method, you'll need a 64-bit machine running Ubuntu 12.04 LTS,
  2. 64-bit CPU capable of running VMware Workstation/Player with a 64-bit guest OS.

Haven't tried running Ubuntu 12.04 as a VM and then bootstrapping SIFT 3.0. Anyone out there tried this?

Teach me to squeeze life out of old hardware!

VM Appliance not working

I didn't see any other way to contact for support regarding this, apologies in advance if it's in the wrong location.
I just downloaded the SIFT 3.0 VM appliance and it does not seem to work for me. I've got the latest and greatest VMWare Player and an overly-huge host machine to run VMs on that's running win 7x64. When I try to start the appliance I get a grub rescue prompt

error: hd0 out of disk.

grub rescue>

I did a fair amount of tinkering with grub rescue to try and force the kernel to boot but even that doesn't seem to work normally. I can't get grub rescue to let me invoke normal mode for whatever reason.
Any ideas?

In need of SIFT with smaller pre-allocated disks

I need to install a SIFT workstation on an ESXi server which doesn't have a whole lot of space. Since the two virtual disks are preallocated at 500 GB each, ESXi tries to reserve 1 TB for them when powering up the VM, and it doesn't have near that much space. I haven't been able to find anything on the Internet that says anything other than "you cannot reduce the maximum size of preallocated disks." Would it be possible to get a SIFT image with maybe 100 GB total preallocated space?

Volatility will not install

Volatility cannot process volatility_2.3.1-7_all.deb (image attached; any help with this issue is appreciated):

dpkg: error processing archive /var/cache/apt/archives/volatility_2.3.1-7_all.deb (--unpack):
trying to overwrite '/usr/lib/python2.7/dist-packages/volatility/protos.py', which is also in package python-volatility 2.4-trust1
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
Selecting previously unselected package volatility-profiles.
Preparing to unpack .../volatility-profiles_20140130-1_all.deb ...
Unpacking volatility-profiles (20140130-1) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Errors were encountered while processing:
/var/cache/apt/archives/volatility_2.3.1-7_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Bless Bug?

Is Bless in SIFT 3 buggy, in that the data pane displays the contents after, rather than of, the selection?

Enhancement: pescanner

I really miss the ability to do quick analysis with pescanner in the new SIFT. Can it be added to 3.0?

Mantaray issue

In SIFT 3.0, Mantaray tries to run "identify_filenames.py" from /usr/local/src/bulk_extractor-1.4.1/python/, however in SIFT this script is found in /usr/share/manatray/Tools/Python/ - Borked setup?

(I'm guessing it is better to fix this on your side instead of having to do local fixes all over the world :)

Running VERY slow

Sift is running VERY slow in virtual box. Before running any applications, just closing the terminal window takes 3 seconds (for the fade-out). My config is as follows:

---Virtual Box Config---

   -System

Base Memory: 15220 MB
Processors: 4
Boot Order: Floppy, CD/DVD, Hard Disk
Acceleration: VT-x/AMD-V, Nested Paging, PAE/NX

   -Display

Video Memory: 128 MB
Screens: 2
Acceleration: 3D
Remote Desktop Server: Disabled
Video Capture: Disabled

   -Storage

Controller: IDE
IDE Primary Master: SIFT Workstation 3.0 Core Drive.vmdk (Normal, 500.00 GB)
IDE Primary Slave: SIFT Workstation 3.0 Cases.vmdk (Normal, 500.00 GB)
IDE Secondary Master: [CD/DVD] VBoxGuestAdditions.iso (61.65 MB)

   -Audio

Host Driver: Windows DirectSound
Controller: ICH AC97

   -Network

Adapter 1: Intel PRO/1000 MT Desktop (NAT)

   -USB

Device Filters: 0 (0 active)

   -Shared folders

Shared Folders: 1

   -Description

None

---System Specs---

Dell Precision T7500
Processor: Intel(R) Xeon(R) CPU E5606 @ 2.13GHz (4 Cores)
RAM: 20.0 GB
64 Bit Windows 7 Professional

Sleuthkit

Sleuthkit isn't installed with AFFLIB or LIBEWF support using the bootstrap.sh

Mount_ewf.py fuse:warning library too old

Hello,

When I try to mount an EnCase image, I receive this message:
mount_ewf.py whatever.E01 /mnt/ewf
ewfmount 20140608

fuse: warning: library too old, some operations may not not work
root@siftworkstation:/mnt/hgfs/Cases/test#

I used the VMware image.

4n6time not working

On SIFT 3.0, 4n6time doesn't seem to start up on either an up-to-date sift-bootstrap or the appliance.

e.g.,

$ 4n6time
WARNING: file already exists but should not: /tmp/_MEI1rJccH/etc/matplotlibrc
/tmp/_MEI1rJccH/matplotlib/__init__.py:611: UserWarning: Could not find matplotlibrc; using defaults
/tmp/_MEI1rJccH/matplotlib/__init__.py:698: UserWarning: could not find rc file; returning defaults
Traceback (most recent call last):
File "", line 33, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/lib.controller.splashscreen", line 3, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/lib.controller.controller", line 40, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/lib.view.chartview", line 8, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.backends.backend_wxagg", line 20, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.figure", line 18, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.axes", line 14, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.axis", line 10, in
File "/build/pyinstaller/PyInstaller/loader/pyi_importers.py", line 270, in load_module
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.font_manager", line 1325, in
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.font_manager", line 1275, in _rebuild
File "/build/4n/build/4n6time/out00-PYZ.pyz/matplotlib.font_manager", line 962, in __init__
File "/build/4n/build/4n6time/out00-PYZ.pyz/posixpath", line 68, in join
AttributeError: 'NoneType' object has no attribute 'endswith'

MFT File Not Available

In the provided VM of SIFT 3.0, I mounted an NTFS partition with all the extra parameters (show_sys_files, etc.) and to my surprise the $MFT file wasn't available. All other files seem to be there (e.g. $MFTMirr) except this one. While Googling the problem I came across this: "Note that even when show_sys_files is specified, "$MFT" may will not be visible due to bugs/mis-features in glibc." (Source: http://manpages.ubuntu.com/manpages/gutsy/man8/ntfsmount.8.html).

Another surprise was when I looked at the bodyfile generated by log2timeline and it contained MFT entries. When I dumped MFT using icat and then parsed it with log2timeline, the number of L2T generated entries was almost identical. Any ideas?

Thanks,
Bart

VMWare version for SIFT 3.0

Does SIFT 3.0 require a certain version of VMWare? I have 8.x, when loading SIFT 3.0 it errors out stating that the build is not supported with my current version of VMWare. Thank you.

log2timeline-sift command missing

When issuing "log2timeline-sift" command, it returns a "command not found" error.

This is on the default install (unzip SIFT 3.0 to Virtual Machine directory, open Virtual machine, start it up, issue command in terminal).

/usr/local/bin/id from tzworks breaks update-grub

The /usr/local/bin/id program from tzworks on sift-bootstrap will break "update-grub" during kernel package updates. This would of course impact other scripts that expect "id" to be the UNIX utility.

To reproduce, run the sift-bootstrap script on an Ubuntu 12.04 LTS image and perform a kernel package update.

There are many workarounds, perhaps the best of which would be renaming it to something else than "id" (unless other tzworks utilities expect this name).

Note that this only seems to affect sift-bootstrap. I don't see this or other tzworks utilities (e.g., yaru) on the appliance.

e.g.,

apt-get -f install

Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up linux-image-3.11.0-20-generic (3.11.0-20.34~precise1) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 3.11.0-20-generic /boot/vmlinuz-3.11.0-20-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 3.11.0-20-generic /boot/vmlinuz-3.11.0-20-generic
update-initramfs: Generating /boot/initrd.img-3.11.0-20-generic
run-parts: executing /etc/kernel/postinst.d/pm-utils 3.11.0-20-generic /boot/vmlinuz-3.11.0-20-generic
run-parts: executing /etc/kernel/postinst.d/update-notifier 3.11.0-20-generic /boot/vmlinuz-3.11.0-20-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 3.11.0-20-generic /boot/vmlinuz-3.11.0-20-generic
-------------------------------- User Agreement -----------------------------

Permission to use the Software for Demonstration and Testing purposes is
granted to SIFT kit user (for 1 License) for a non-exclusive,
non-transferable, limited right use, subject to the terms and conditions
outlined in the Demo/Testing Bundle (License# 1cf56b98e15de10) License
Agreement.

BY CONTINUING TO USE THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ,
UNDERSTOOD AND AGREE TO BE BOUND BY AND COMPLY WITH THE LICENSING
AGREEMENT THAT WAS ISSUED TO YOU. IF YOU DO NOT AGREE TO THE TERMS OF
THE AGREEMENT, YOU HAVE NO RIGHTS TO USE ANY SOFTWARE MADE AVAILABLE
ON ANY TZWORKS WEBSITE NOR DEVELOPED BY TZWORKS.

---------------------------------- DISCLAIMER -------------------------------

The user agrees that the Software is experimental in nature and use of
this Software is at user's sole risk. The Software could include technical
inaccuracies or errors. TZWorks, LLC may make improvements and/or changes
to this Software at any time. TZWorks, LLC makes no representations about
the accuracy or usability of the Software for any purpose. This software
is provided "AS IS" and "WHERE IS" without warranty of any kind including
all implied warranties and conditions of merchantability, fitness for any
particular purpose, title and non-infringement. In no event shall TZWorks,
LLC be liable for any kind of damage resulting from any cause or reason,
arising out of it in connection with the use or performance of this
software.


id - limited ver: 0.64; Copyright (c) TZWorks LLC

Usage:
(note: options with ** are enabled with a commercial license)

id -f
id -partition = ** Partition scan
id -vmdk " | | ..." = ** VMWare disk scan
find -name *.dat -type f | -pipe

Basic options
-pipe = pipe files into app for processing
-locale = use user acct locale info for date formatting

grub-mkconfig: You must run this as root
run-parts: /etc/kernel/postinst.d/zz-update-grub exited with return code 1
Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-3.11.0-20-generic.postinst line 1010.
dpkg: error processing linux-image-3.11.0-20-generic (--configure):
subprocess installed post-installation script returned error exit status 2
dpkg: dependency problems prevent configuration of linux-image-generic-lts-saucy:
linux-image-generic-lts-saucy depends on linux-image-3.11.0-20-generic; however:
Package linux-image-3.11.0-20-generic is not configured yet.
dpkg: error processing linux-image-generic-lts-saucy (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of linux-generic-lts-saucy:
linux-generic-lts-saucy depends on linux-image-generic-lts-saucy; however:
Package linux-image-generic-lts-saucy is not configured yet.
dpkg: error processing linux-generic-lts-saucy (--configure):
dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
No apport report written because the error message indicates its a followup error from a previous failure.
Errors were encountered while processing:
linux-image-3.11.0-20-generic
linux-image-generic-lts-saucy
linux-generic-lts-saucy
E: Sub-process /usr/bin/dpkg returned an error code (1)

Volatility problem in /usr/bin

Just working with SIFT 3.0 on Ubuntu. Looks like there is a broken link in /usr/bin

lrwxrwxrwx 1 root root 12 Mar 13 2014 vol.py -> /usr/bin/vol

No such file as /usr/bin/vol. Not certain if this is a problem for others. I'm going to update the volatility and fix this in my version.
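The two reports above (the tzworks `id` in /usr/local/bin shadowing the coreutils `id` that update-grub's scripts expect, and the dangling `vol.py -> /usr/bin/vol` symlink) are both PATH-hygiene problems that a bootstrap script can check for before they break anything. The script below is an added example written for this page, not code from the SIFT project; it takes the directories to inspect as arguments (on a SIFT host that would be `/usr/local/bin` followed by `/usr/bin` and `/bin`) and only reads the filesystem, so it can also be run against a scratch copy:

```shell
#!/bin/sh
# Added example, not part of the SIFT project: audit a directory that sits
# early on PATH (such as /usr/local/bin) for two problems seen on SIFT 3.0:
#   1. executables whose name shadows a program in a system directory
#      (a third-party "id" hiding the coreutils id that other scripts rely on),
#   2. symlinks whose target no longer exists (vol.py -> /usr/bin/vol).
# Directory names are passed as arguments; nothing here modifies the system.

# Print "LOCAL shadows SYSTEM" for every executable in $1 that has a
# same-named executable in one of the remaining directory arguments.
find_shadowed() {
    local_dir=$1
    shift
    for path in "$local_dir"/*; do
        # -f follows symlinks, so a dangling link is skipped here
        [ -f "$path" ] && [ -x "$path" ] || continue
        name=${path##*/}
        for sys_dir in "$@"; do
            if [ -f "$sys_dir/$name" ] && [ -x "$sys_dir/$name" ]; then
                printf '%s shadows %s\n' "$path" "$sys_dir/$name"
                break
            fi
        done
    done
}

# Print every symlink in $1 whose target cannot be resolved.
find_dangling() {
    for path in "$1"/*; do
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            printf '%s -> %s (dangling)\n' "$path" "$(readlink "$path")"
        fi
    done
}

# Run both checks; exit status 1 if either reports something, so the audit
# can gate a bootstrap run or be wired into a periodic job.
audit_bindir() {
    out=$(find_shadowed "$@"; find_dangling "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Typical invocation on a SIFT host:
#   audit_bindir /usr/local/bin /usr/bin /bin
```

Only the first shadowing match per name is printed, since the point is that a system utility is being hidden at all, not how many copies exist further down PATH. Renaming the offending binary (as the report suggests) or moving it out of a directory that precedes /usr/bin on PATH makes the first check pass; recreating or removing the stale link clears the second.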

Tzworks license expired

Hi guys,

The last utilisation day was 02 Feb 2015. Is it possible to extend the education license?

many thanks

autopsy ver 2.24 gives error

When running Autopsy, after mounting a disk image and trying to look at some files, the log displays:

sh: 1: /usr/bin/icat-sleuthkit: not found

I assume this should be part of the distro.

there is a /usr/bin/icat however

RegRipper

in the plugins directory

remove the -all from the ntuser and the usrclass files

It is currently ntuser-all and should just be renamed to ntuser.

Volatility (and Plaso) packages not updating

apt-get upgrade holds back python-volatility and now when I run vol.py, I'm getting code errors such as this:

root@siftworkstation:~# vol.py -f memory.raw imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...

      Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                 AS Layer1 : AMD64PagedMemory (Kernel AS)
                 AS Layer2 : FileAddressSpace (/root/memory.raw)
                  PAE type : No PAE
                       DTB : 0x187000L
                      KDBG : 0xf80002e540a0
      Number of Processors : 2
 Image Type (Service Pack) : 1
            KPCR for CPU 0 : 0xfffff80002e55d00L

Traceback (most recent call last):
File "/usr/bin/vol.py", line 184, in
main()
File "/usr/bin/vol.py", line 175, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 122, in execute
func(outfd, data)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 36, in render_text
for k, v in data:
File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 101, in calculate
yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

I also notice python-plaso is being held back.

yarascan volatility plugin on SIFT Workstation 3.0

Hello, I had been using the SIFT Workstation provided to me from the Memory Forensics course, and I have been having an issue where I could not get yarascan to work properly. I have finally been able to resolve this and I figured I would share, in case anyone else is having this issue.

Found from the web: (https://code.google.com/p/volatility/issues/detail?id=446)
"""
There are different versions of yara. One you would install through apt-get, yum, source, etc., and this would work. You could also download yara through the python utility “pip” (This command: “sudo pip install yara”) The problem is that this actually installs yara-ctypes which is slightly different. The reason it breaks within volatility is that yara-ctypes is a third party wrapper for libyara and appears to use slightly different APIs than yara-python
"""

OK, the fix I did on the SANS workstation:
sudo pip uninstall yara
sudo apt-get install yara

For me, yarascan plugin starts working with no problems……
Cheers!

Loading SIFT in VMPLAYER Error

The configuration file "C:\Users\Rob\Documents\SANS\SIFT Workstation 3.0\SIFT Workstation 3\SIFT Workstation 3.0.vmx" was created by a VMware product that is incompatible with this version of VMware Player and cannot be used.

Cannot open the configuration file C:\Users\Rob\Documents\SANS\SIFT Workstation 3.0\SIFT Workstation 3\SIFT Workstation 3.0.vmx.

VMPLAYER.0.6 build-1035888

TZWorks utilities in sift-bootstrap but not appliance

Hello,

sift-bootstrap installs various TZWorks utilities in /usr/local/bin. These do not appear to be installed in an up-to-date SIFT 3.0 appliance.

e.g.,
cafae
evtwalk
evtx_view
gena
id
jmp
...
etc.

Shouldn't these TZWorks utilities also appear on the appliance?

Thanks!

vanilla 14.04 bootstrap triggers dconf errors

During the post-install script, seven of the following errors were displayed (three for each of two PIDs, one for a third PID):
(process:<%PID%>): dconf-CRITICAL **: unable to create file '/home/user/.cache/dconf/user': Permission denied. dconf will not work properly.

No other package management utilities running at the time.

SIFT Workstation 3.0 - TOR daemon installed and running ?

Hello,

I'm using the SIFT Workstation 3.0 (Ubuntu) and I was alarmed to discover that this workstation not only had the TOR daemon installed, but it is configured to automatically start at boot time.

I think it's hard to justify the presence (let alone execution) of a TOR daemon on a forensics workstation.

Imagine my surprise when the Information Security team approached me that a TOR daemon was running on my forensics server...

image

Please remove (or at least disable) TOR from the workstation in future versions.

Thanks

bootable usb

I can't find the link for the ISO to make a bootable USB. Any help would be greatly appreciated! Thanks

Slight mods to bootstrap script

Some modifications

Regripper plugins. Change ntuser-all and usrclass-all to rename just ntuser and usrclass.

Please add all of the following programs.

Make sure all the .py and .pl programs in /usr/local/bin are executable. (chmod +x)

All Sleuthkit MD5's are the same?

Sleuthkit indicates that all MD5's are identical for an imported Win7 image.

Perhaps this is related to a missing module (icat ?)?

autopsy and mactime-sleuthkit

Running autopsy, creating timeline throws this error:
sh: 1: /usr/bin/mactime-sleuthkit: not found

There was a /usr/bin/mactime, but no /usr/bin/mactime-sleuthkit. Simply copying mactime to mactime-sleuthkit seems to have taken care of issue.
