Wednesday, September 03, 2008

New Stuff From SANS

Rob Lee let me know that the SANS Computer Forensics and e-Discovery with Rob Lee site is up, and looking around, it's pretty interesting. If you go to the Community section, there's a blog, links to other resources, but perhaps the most interesting is the Downloads section. This is where you find the SANS Investigative Forensic Toolkit (SIFT) workstation VMWare appliance.

I downloaded SIFT and got it up and running in VMWare Workstation (you can use VMPlayer) in no time. From there, I was able to map my host XP system to the available shares that Rob had already set up (i.e., "hack" and "images").

The VMWare appliance also comes with PTK from DFLabs already set up and ready to run. Rob also provided a neat little "cheat sheet" that you can download and keep nearby and handy when you're logged into and working in the appliance.

I know that this isn't specifically about Windows IR or forensics, but it does allow you to easily use the Linux (in this case, Fedora) platform to perform some modicum of analysis.

Don't forget about the SANS Forensic Summit in Oct, in Vegas!

No comments: