Investigate and fight cyberattacks with SIFT Workstation


Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything one needs to conduct any in-depth forensic investigation or response investigation.

The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static so whenever there were updates, users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, if there is an Ubuntu subsystem running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that allows for much more functionality, is much more stable, and is comprised of specific tools such as the Package Manager. This time the package supports rolling updates, and uses SALT, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third-parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initiatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

How to build an Android application testing toolbox


Mobile devices hold a trove a data that could be crucial to criminal cases, and they also can play a key role in accident reconstructions, IP theft investigations and more. It’s not just investigators who care about examining a mobile device – so do those interested in application research and data, and enterprises who rely on smartphones and tablets to perform work tasks, engage with customers and deliver new services.

Effectively accessing and testing smartphones requires an optimal application toolbox, and the chops to use it. Listen to this webinar that details how to build your Android application testing toolbox to ensure you’re set up to successfully access and examine the information you need from Android mobile phones.

SANS instructor Domenica Crognale, who is one of the course co-authors of SANS FOR585: Advanced Smart Phone Forensics, and who teaches the course as well, details why testing of mobile phone applications is critical – especially given the fact that Android apps change weekly and even daily. It is becoming more common for application developers to restrict very important user artifacts from being accessed from these Android devices. This most often includes the SQLite databases, which likely contain the information that examiners are after. It’s not just commercially available applications you have to consider. Often, custom-built apps aren’t parsed by commercial tools, so you’ll need to know how to access and parse any data stored on the device.

During the webinar, Domenica talks about the importance of rooting Android devices as well as ways to access and parse the data. She explains how to do this using utilities that exist on the SIFT workstation or that can be downloaded for free from the SANS website.

This webcast explores topics such as:

  • Choosing the best test device
    During a forensics acquisition, many tools will apply a soft root onto the phone that is then removed once the data is obtained. But a full physical acquisition is not always necessary for application testing. Ideally, we want a test phone that is always rooted, whether or not the device loses power, because the root basically unlocks access to the core of the device’s operating system so you can access, add, remove or tweak anything inside the phone.
  • Rooting your Android
    During the webinar, Domenica walks through a demo of a root, shows how to locate the root, and shares information on free and publicly-available root tools.
  • Utilizing File Browsers for quick file/folder access
    Sometimes a file browser is all you really need to get to the data you’re after. Domenica shares her favorite third-party applications for accessing the file system.
  • Examining application directories of interest
    Once you have access to the files you need, utilize tools available on the SIFT workstation to view the contents of SQLite databases.

Listen to the recording of the “Building your Android application testing toolbox” webcast now. And check out our FOR585: Advanced Smartphone Forensics, a week-long course that teaches you how to find key evidence on a smartphone, how to recover deleted mobile device data that forensic tools miss, advanced acquisition terminology and free techniques to gain access to data on smartphones, how to handle locked or encrypted devices, applications, and containers, and much more.

Domenica will be teaching FOR585: Advanced Smartphone Forensics at SANS Cyber Defense Initiative, Dec 11-18. Register to attend live, or try it from home via Simulcast.

For additional course runs log in here


Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1. Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

  • Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or
  • Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2. Check out our jam-packed DFIR Summit agenda!

  • The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.
  • The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.
  • All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: have a sneak peek and check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

  • FOR500 – Advanced Windows Forensics
  • FOR585 – Advanced Smartphone Forensics
  • FOR610 – Reverse-Engineering Malware
  • FOR508 – Digital Forensics, Incident Response & Threat Hunting
  • FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • FOR578 – Cyber Threat Intelligence
  • FOR526 – Memory Forensics In-Depth
  • FOR518 – Mac and iOS Forensic Analysis and Incident Response
  • MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3. All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4. Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5. Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6. Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7. Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!

8. Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT Workstation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted.) Voting will close at the end of the day on May 25, 2018.

10. Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11. Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ: Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street, which, by the way, is within walking distance of the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

How to Install SIFT Workstation and REMnux on the Same Forensics System

Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for digital forensics and incident response. To quote @ma77bennett, this combo is reminiscent of “Transformers combining together to form a super robot.”

You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. If you prefer the look and feel of SIFT Workstation, use SIFT as the starting point. If you like the look of REMnux, start with that one.

Option 1: Add REMnux to SIFT Workstation

If you wish to start with SIFT Workstation, make sure you have the latest version of SIFT running on Ubuntu 14.04 64-bit. Follow instructions to download SIFT as a pre-built virtual appliance or use the SIFT bootstrap script to install it.

After booting into SIFT Workstation and making sure that it has Internet access, run the following command to install REMnux on it:

wget --quiet -O - | sudo bash

You’ll need to enter the SIFT user’s password when prompted. By default, the password on the SIFT Workstation’s virtual appliance is “forensics”.


The REMnux installer will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system. In this configuration, REMnux will not replace the SIFT skin, and your system will look like a standard SIFT Workstation with the exception of a few REMnux documentation shortcuts that the installer will add to the desktop.

Option 2: Add SIFT Workstation to REMnux

If you wish to start with a REMnux system, follow its installation instructions to get a REMnux virtual appliance or use the REMnux installer script to bootstrap its installation.

Note that the REMnux virtual appliance is configured to use little RAM by default; if planning to install SIFT into the same virtual machine, increase the RAM to at least 4GB. Also, if using the REMnux installer script to install REMnux on a compatible system of your own, be sure to allocate enough RAM and disk space to accommodate your SIFT plans.

After booting into REMnux and making sure that it has Internet access, run the following command to install SIFT on it:

wget --quiet -O - | sudo bash -s -- -i -s -y

The SIFT installation script will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system.

In this configuration, SIFT will not replace the REMnux branding, and your system will look like a standard REMnux system, with the exception of a few SIFT documentation shortcuts that the installer will add to the desktop.


Updating the SIFT+REMnux System

To keep your system up to date with the upgraded and newly-added software, periodically run the following update scripts for SIFT and REMnux, preferably in the order in which you’ve installed the two distros, such as:


There you have it: two powerful forensics-focused distros combined in one super-toolkit. Be sure to read the REMnux and SIFT documentation sites for each distribution to learn how to use the powerful utilities now available at your fingertips.

—  Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers’ IT operations at NCR Corp. He is active on Twitter and writes a security blog.

Faster SIFT 3.0 Download and Install #DFIR #SIFT3

Having trouble downloading the new SIFT 3.0? We are experiencing heavy traffic currently. Try the bootstrap install option.
  • Download and install.
  • Open a terminal.
  • Type: wget --quiet -O - | sudo bash -s -- -i -s -y
  • It will ask you a few questions a couple of times. Easy to answer.
  • Takes about 20 minutes to install from bootstrap.
This is the same version that was installed in the VM and will probably be quicker for you to set up.
Finally, this shows off our new packaging manager: when new releases come out and you run update and upgrade, the tools will be switched to the latest versions.
Happy hunting.
Discuss your experiences with SIFT using the #SIFT3 hashtag.

SANS SIFT 3.0 Virtual Machine Released

SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3.0


An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Offered free of charge, the SIFT 3.0 Workstation will debut during SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR508) at DFIRCON. SIFT 3.0 demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

“Even if SIFT were to cost tens of thousands of dollars, it would still be a very competitive product,” says Alan Paller, director of research at SANS. “At no cost, there is no reason it should not be part of the portfolio in every organization that has skilled forensics analysts.”

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

“The SIFT Workstation has quickly become my ‘go to’ tool when conducting an exam. The powerful open source forensic tools in the kit on top of the versatile and stable Linux operating system make for quick access to most everything I need to conduct a thorough analysis of a computer system,” said Ken Pryor, GCFA, Robinson, IL Police Department.

Key new features of SIFT 3.0 include:

  • Ubuntu LTS 12.04 Base
  • 64 bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Option to install stand-alone via (.iso) or use via VMware Player/Workstation
  • Online Documentation Project at
  • Expanded Filesystem Support

Download SIFT Workstation 3.0 Locations

Download SIFT Workstation VMware Appliance – 1.5 GB

Note: The file is zipped using 7zip in the 7z format. We recommend 7zip to unzip it. Download 7zip.

Manual SIFT 3.0 Installation


We tried to make the installation (and upgrade) of the SIFT workstation as simple as possible, so we created the SIFT Bootstrap project, which is a shell script that can be downloaded and executed to convert your Ubuntu installation into a SIFT workstation.

Check the project out at


Using wget to install the latest tools, configure SIFT, and apply the SIFT theme:

wget --quiet -O - | sudo sh -s -- -i -s -y

Using wget to install the latest tools only:

wget --quiet -O - | sudo sh -s -- -i

SIFT Login/Password:

After downloading the toolkit, use the credentials below to gain access.

  • Login “sansforensics”
  • Password “forensics”
  • sudo su -
    • Use to elevate privileges to root while mounting disk images.

SIFT Workstation 3.0 Capabilities

Ability to securely examine raw disks, multiple file systems and evidence formats. Places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

File system support
  • ntfs (NTFS)
  • iso9660 (ISO9660 CD)
  • hfs (HFS+)
  • raw (Raw Data)
  • swap (Swap Space)
  • memory (RAM Data)
  • fat12 (FAT12)
  • fat16 (FAT16)
  • fat32 (FAT32)
  • ext2 (EXT2)
  • ext3 (EXT3)
  • ext4 (EXT4)
  • ufs1 (UFS1)
  • ufs2 (UFS2)
  • vmdk
Evidence Image Support
  • raw (Single raw file (dd))
  • aff (Advanced Forensic Format)
  • afd (AFF Multiple File)
  • afm (AFF with external metadata)
  • afflib (All AFFLIB image formats (including beta ones))
  • ewf (Expert Witness format (encase))
  • split raw (Split raw files) via affuse
  • affuse – mount 001 image/split images to view a single raw file and metadata
  • split ewf (Split E01 files) via ewfmount
  • ewfmount – mount E01 images/split images to view a single raw file and metadata
Partition Table Support
  • dos (DOS Partition Table)
  • mac (MAC Partition Map)
  • bsd (BSD Disk Label)
  • sun (Sun Volume Table of Contents (Solaris))
  • gpt (GUID Partition Table (EFI))
Software Includes:
  • mantaray
  • Rekall Framework (Memory Analysis)
  • Volatility Framework (Memory Analysis)
  • Autopsy (GUI Front-End for Sleuthkit)
  • PyFLAG (GUI Log/Disk Examination)
  • afflib
  • libbde
  • libesedb
  • libevt
  • libevtx
  • libewf
  • libfvde
  • libvshadow
  • log2timeline
  • Plaso
  • qemu
  • SleuthKit
  • 100s more tools -> See Detailed Package Listing

SIFT Workstation 3.0 How-Tos

  • SANS DFIR Posters and Cheat Sheets
  • SIFT Documentation Project
  • How To Mount a Disk Image In Read-Only Mode
  • How To Create a Filesystem and Registry Timeline
  • How To Create a Super Timeline
  • How to use the SIFT Workstation for Basic Memory Image Analysis

Report Bugs

As with any release, there will be bugs and requests; please report all issues and bugs to the following website and location.

SIFT Recommendations

SIFT workstation is playing an important role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its forensic capabilities are bundled in a way that allows an investigation to be conducted much faster than it would take if not having the right programs grouped on such a great Linux distribution. The new version, which will be bootable, will be even more helpful. I’d highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, from the pricey forensics software available on the market.

– Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE

What I like the best about SIFT is that my forensic analysis is not limited because of only being able to run a forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, streamlining the forensic examination process.

– Brad Garnett

SANS #DFIR Windows Memory Forensics Training (FOR526) – Malware can hide, but it must run.

SANS Windows Memory Forensics Training (FOR526) – Knocks it out of the park!

Jesse Kornblum and Alissa Torres just finished up their first official course dedicated to Windows Memory Forensics at the SANS Institute at SANS2013 in Orlando. The course teaches key techniques used by actual practitioners in the field who use them in their jobs daily: using memory forensics to find evil and doing a great job at it. The key to this course is that, like all SANS training, it is not tool dependent but teaches the fundamentals that each analyst should know when responding to incidents with these skills.

SANS is offering a 10% discount off the course for the following events:

Discount Code: WINDEX

Security West 2013 – San Diego, CA – May 9-13

SANSFIRE 2013 – Washington, DC – June 17-21

Network Security 2013 – Las Vegas, NV – September 16-20

Malware can hide, but it must run

Below are several reviews of the course from students who attended SANS2012, taught by Jesse Kornblum and Alissa Torres:

  • “In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered.” – Barry Friedman, NY State Police
  • “This class was important to help us fine tune our policies on live memory capture. It introduced some tools and what they’re capable of. It’s an in depth course that takes you from A to way past Z.” – Barry Friedman, NY State Police
  • “It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu.” – Anonymous (Intelligence Community)

Jesse was also just featured in multiple articles on his new class and his thoughts regarding training.

  • Network World: New course teaches techniques for detecting the most sophisticated malware in RAM only
    • Network World – Imagine you’ve been forced into playing a game of hide-and-seek with The Invisible Man. You can’t find him in any of the normal hiding places because, of course, you can’t see him. His amazing ability to remain invisible forces you to use different tactics. If you can’t see him, maybe you can see the flattened blades of grass where he has walked, or you can feel a slight breeze as he runs past you to another hiding place. Just because he’s invisible doesn’t mean he isn’t there, and he’s leaving slight traces that will help you find him. You just need to follow those subtle clues until your opponent is no longer hidden. (continue story…)
  • Security Bistro: New Training From SANS Institute: How To Discover If Malware Is Running In RAM Only On Your Systems
    • Brian and I recently had an opportunity to talk with Jesse Kornblum, an instructor for the SANS Institute. Jesse has developed and just started teaching an advanced course called Windows Memory Forensics In-depth. This course would be valuable for any IT security professional working in an industry or for an organization that has a constant target on its back. For example, financial services, critical infrastructure, military or government—the kinds of high-value organizations that attackers go after persistently. Jesse says that the students who have taken the course so far have found it very valuable, so I’d like to take this opportunity to have Jesse tell you more about it. (continue story…)

Upcoming Training Events for FOR526 – Windows Memory Forensics In-Depth

Online – Instructor Led Training

Onsite Classes Available

Java IDX Sample Files from Java Spearphishing Attack from SANS FOR508

Earlier this year, SANS created the most in-depth incident response training scenario that spans multiple systems in FOR508: Advanced Forensic Analysis and Incident Response. We discussed the entire scenario in a blog titled “Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results”.

One of the biggest complaints that many have in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that by creating a realistic scenario based on experiences from the entire cadre of instructors at SANS and additional experts who reviewed and advised the attack “script”. We created an incredibly rich and realistic attack scenario across multiple Windows-based systems in an enterprise environment. The attack scenario was created for the new FOR508: Advanced Forensics and Incident Response course. Our main goal was to place the student in the middle of a real attack that they have to respond to.

The purpose is to give attendees of the new FOR508 real filesystem and memory images that they will examine in class to detect, identify, and forensicate APT-based activities across these systems. The goal is to give students who attend the course “real world” data to analyze, so that they get a direct feel for what it is like to investigate advanced adversaries.

As a part of that exercise, the main spearphishing attack was the result of a Java Applet attack. It can be clearly seen in this super timeline created as a part of the course. We find the exact pivot point in the timeline using memory analysis, both Redline from MANDIANT and Volatility in the SIFT Workstation.

Over the past few weeks, many capabilities have been created to parse the Java-based malware, specifically the IDX files (Java cache index records) that can be seen as a part of this attack.

IDX Format Links:

  1. ForensicsWiki Java by Joachim Metz (thanks to Corey Harrell for pointing this out)
  2. Java IDX Format by Mark Woan

IDX Parsing Tools:

  1.  JavaIDX (exe)-    by  Mark Woan
  2. IDXparse (perl)-   by  Harlan Carvey
  3. IDX Parser (python)-  by  Brian Baskin
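
As an added example (not code from this page nor from any of the parsers listed above), here is a small Python reader for the parts of a Java cache .idx record an investigator looks at first: the download URL and the HTTP response headers the JRE stored with the cached object. It assumes the cache-version-605 layout (section 1 header offsets, section 2 beginning at byte 128 as length-prefixed Java UTF strings) and builds its own constructed sample record instead of reading a real cache file; the hostname and path in the sample are hypothetical.

```python
import struct
from datetime import datetime, timezone

SEC2_OFFSET = 0x80  # section 2 (URL and saved HTTP headers) begins at byte 128 in version 605
EXE_TYPES = ("application/x-msdownload", "application/octet-stream")

def _utf(buf, pos):
    """Java writeUTF string: 2-byte big-endian length followed by the bytes."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def parse_idx(data):
    """Return the investigator-relevant fields of a version-605 .idx record (assumed layout)."""
    if len(data) < SEC2_OFFSET or struct.unpack_from(">i", data, 2)[0] != 605:
        raise ValueError("only complete cache-version-605 records are handled here")
    rec = {"busy": data[0], "incomplete": data[1], "cache_version": 605,
           "content_length": struct.unpack_from(">i", data, 9)[0],
           # Java stores the last-modified time as milliseconds since the Unix epoch
           "last_modified": datetime.fromtimestamp(
               struct.unpack_from(">q", data, 13)[0] / 1000, tz=timezone.utc)}
    sec2_len, pos = struct.unpack_from(">i", data, 38)[0], SEC2_OFFSET
    rec["version"], pos = _utf(data, pos)
    rec["url"], pos = _utf(data, pos)
    rec["namespace"], pos = _utf(data, pos)
    count = struct.unpack_from(">i", data, pos)[0]
    pos, headers = pos + 4, {}
    for _ in range(count):  # response headers the JRE stored with the download
        key, pos = _utf(data, pos)
        headers[key.lower()], pos = _utf(data, pos)
    if pos - SEC2_OFFSET > sec2_len:
        raise ValueError("section 2 overruns its declared length")
    rec["headers"] = headers
    return rec

def triage(rec):
    """Reasons this cache entry deserves a closer look in an applet-driven intrusion."""
    exe = rec["headers"].get("content-type") in EXE_TYPES or rec["url"].lower().endswith(".exe")
    return [why for why, hit in (("cached object is a Windows executable", exe),
                                 ("download recorded as incomplete", rec["incomplete"])) if hit]

def build_sample_idx(url, headers, content_len=1234, last_modified_ms=1335000000000):
    """Constructed version-605 .idx bytes for testing; not taken from a real cache."""
    utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    sec2 = utf("1.0") + utf(url) + utf("") + struct.pack(">i", len(headers))
    sec2 += b"".join(utf(k) + utf(v) for k, v in headers.items())
    hdr = bytearray(SEC2_OFFSET)  # busy and incomplete flags at bytes 0 and 1 stay zero
    # cache version at 2, three flag bytes, content length at 9, last-modified at 13
    struct.pack_into(">i3xiq", hdr, 2, 605, content_len, last_modified_ms)
    struct.pack_into(">i", hdr, 38, len(sec2))  # section 2 length
    return bytes(hdr) + sec2
```

Run over a real cache directory, the same parse and triage loop quickly separates ordinary class and jar downloads from an executable pulled down through the applet, which is the pivot the timeline above hinges on.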

If you would like to work with some .idx file residue from the attack supertimeline shown above, you can download the AD1 file we created with the embedded .exe malware in addition to the two .idx files that were connected to the original attack listed above. The password for the file is “sansforensics”, and if you don’t know how to open an AD1 Custom Content image file, you might download FTK Imager and try opening it there.

Java IDX Sample Files:

  1. Download IDX and /temp directory .exe malware.

Note:  By downloading the zipfile, you consent automatically to the following agreement:  I certify that by having access to tools and programs that can be used to break or “hack” into systems, that I will only use them in an ethical, professional and legal manner. This means that I will only use them to test the current strength of security network so that proper improvements can be made. I will always get permission before running any of these tools on a network. If for some reason I do not use these tools in a proper manner, I do not hold SANS liable and accept full responsibility for my actions.

FTK 4 Added to SANS FOR408 Windows Forensics Training Course

We are pleased to report the successful introduction of Access Data’s Forensic Toolkit (FTK) v4 into the SANS FOR408 Course (Computer Forensic Investigations – Windows In-Depth). While students have access to well over a hundred free and open source tools during the course, we also felt it important for them to gain an understanding of the capabilities of commercial tool suites. There is no one tool that can accomplish everything during a forensic examination, but in many cases a forensic suite can greatly speed up case processing and analysis. Hence, commercial tools like Guidance EnCase, Magnet Forensics Internet Evidence Finder, and Access Data FTK are all part of the curriculum.

FTK 4 and Virtual Machines

FTK 4 and SIFT Workstation

Students in the class receive the SANS Windows SIFT Workstation, a Windows 7 virtual machine pre-configured with a wide variety of Windows-based forensic tools. Previous FTK users know a historical limitation of running FTK on mobile workstations was the significant resources required by the back-end Oracle database. This limitation was mitigated with the introduction of the Postgres database in FTK v4. With multiple classes now having used FTK v4, we have witnessed it operating with as little as 1GB of memory and 1 processor core allocated to the Windows 7 virtual machine. Note: This is NOT our recommended configuration, and additional memory and processors significantly increase performance. In short, it is clear that the prevalence of quad-core systems and inexpensive RAM makes FTK 4 a very viable solution on modern mobile workstations.

While the purpose of the FOR408 course is to teach core forensic concepts, working with the latest tools ensures students can immediately apply what they learn when they return to their organizations.  You can find more information on the course here.

New Advanced Persistent Threat Based – FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don’t ask us how we know, but you should probably check out several of your systems. You are compromised by the APT. 

Most organizations are left speechless, as 90% of all intrusions are now discovered due to third-party notification. And in many cases, the APT has been on your network for years.

Learn how to hunt for the APT in this completely brand new training course from SANS – FOR508: Advanced Incident Response and Forensics Course.

The NEW FOR508 APT-based course debuted at SANS Security West this May 2012 to some amazing feedback and reviews. The course, almost completely rewritten from scratch (80% new material), focuses on training incident response teams to learn how to hunt down and counter the APT in their networks. Most organizations simply cannot detect and respond to the APT. Using direct knowledge of how the APT operates, we have set up a training environment that will take each student through a scenario that many in the class who had worked APT cases said was “dead on” in accuracy and capability for what these adversaries are able to accomplish.

I hope you consider taking the new FOR508 this year. If your network has been compromised by the APT and you need to train more hunters to find them, this course is specifically designed for your incident response and digital forensic teams. Sign up early to guarantee a seat at the next training event.

The course outline and registration location are posted here:

Upcoming Events List:

The course’s core feature is the APT scenario that took over a year to build. The scenario is extremely detailed, and many in the class who had experience working APT cases said that they felt they were responding to APT-compromised networks. To get a sense of the extensive and careful attention to detail we took in engineering the network and the breach, I recommend reading this blog: Is A/V Really Dead?

Each incident responder/forensicator who attends the course will:
  • Detect unknown live malware and dormant malware in memory across multiple machines in an enterprise environment
  • Find beacon malware over port 80 that the APT used to access their C2 channel
  • Identify how the breach originally occurred by identifying the beachhead and spear phishing attack
  • Target hidden and time-stomped malware and utility-ware that the APT uses to move in your network and maintain their presence
  • Use memory analysis and forensics using the SIFT Workstation to detect hidden processes, malware, network connections, and more
  • Track the activity of the APT second by second on the system you are analyzing through in-depth timeline analysis
  • Recover data cleared through anti-forensic techniques used by the APT via Volume Shadow Copy and Restore Point analysis
  • Discover which systems the APT laterally moved to in your enterprise and how they transitioned from system to system easily without being detected
  • Understand how the APT was able to acquire domain admin rights in a locked down environment
  • Track the APT as they collect critical data and shift it over to a staging system
  • Recover RAR files that the APT exfiltrated from the enterprise network

Full review and write-up by David Nides, KPMG:
Press Articles about the new FOR508 course:

CSO ONLINE: Advanced Persistent Threats can be beaten, says expert. Detection is key, but how you respond to APTs is equally important

SECURITY BISTRO:  Understanding and defeating APT, Part 1: Waking up to the who and why behind APT

SECURITY BISTRO:  Understanding and defeating APT, Part 2: Fighting the ‘forever war’ against implacable foes

Some student reviews from the new FOR508 course:

“I was surprised and amazed at how easy it is to do memory analysis and how helpful it is.” – Brian Dugay, Apple

“The examples in the course relate to what I need to know to deal with real world threats.” – Tim Weaver, Digital Mtn. Inc.

“The level of detail is amazing. The methodology is clearly effective at finding pertinent artifacts.” – no name


The brand new FOR508 is now available in On-Demand.

Save 20% on OnDemand Classes

Through August 22, 2012, SANS invites you to save 20% on all OnDemand courses. Save money and learn from SANS’ top instructors without leaving home!

To take advantage of this offer, enter 0724_20 in the Discount Code field when you register for an OnDemand course.