June 28, 2016

Installing the SIFT Forensics distribution in VirtualBox

A quick way to get a glimpse of digital forensics. The SIFT project offers a few downloads for your VMware needs; let's try their setup using VirtualBox instead. Get the guides here. You'll need an Ubuntu 14.04 image, the only release that can currently install SIFT. You can download your image here: Ubuntu alternate

$ wget http://releases.ubuntu.com/14.04/ubuntu-14.04.4-desktop-amd64.iso.torrent
$ rtorrent ~/Downloads/ubuntu-14.04.4-desktop-amd64.iso.torrent

Once your torrent download completes, run the installation from VirtualBox, either using the GUI or the command line. Next, run the vboxlinuxadditions.sh installer inside the guest to install the Guest Additions, which enable copy and paste between the virtual machine and your host. Update the new box using apt-get:

$ sudo apt-get update
$ sudo apt-get upgrade

Then reboot and enable the shared clipboard between the virtualbox and your host machine, by selecting:

VirtualBox | Devices | Shared clipboard | Bidirectional
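The VM can also be created from the command line, as the paragraph above mentions. The following script is an added example, not part of the original post: it builds the guest with VBoxManage, attaches the Ubuntu ISO downloaded via the torrent above, and enables the bidirectional clipboard directly instead of through the Devices menu. The VM name "sift", the 4 GB / 2 vCPU sizing, the 40 GB disk and the ISO path are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): create the SIFT guest VM with
# VBoxManage. Assumed values: VM name "sift", ISO from the torrent download,
# 4 GB RAM, 2 vCPUs, 40 GB disk. DRY_RUN=1 prints the commands instead.

VM_NAME="${VM_NAME:-sift}"
ISO="${ISO:-$HOME/Downloads/ubuntu-14.04.4-desktop-amd64.iso}"
DISK="${DISK:-$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi}"
DISK_MB="${DISK_MB:-40960}"
DRY_RUN="${DRY_RUN:-0}"

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Register the VM, size it, create and attach the disk, attach the installer ISO.
create_sift_vm() {
    run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu_64 --register
    # --clipboard bidirectional is the same setting as
    # Devices | Shared clipboard | Bidirectional in the GUI.
    run VBoxManage modifyvm "$VM_NAME" --memory 4096 --cpus 2 --vram 32 --clipboard bidirectional
    run VBoxManage createhd --filename "$DISK" --size "$DISK_MB"
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 --type hdd --medium "$DISK"
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 --type dvddrive --medium "$ISO"
}

# Boot the VM with a window so the Ubuntu installer can be driven interactively.
start_sift_vm() {
    run VBoxManage startvm "$VM_NAME" --type gui
}
```

Run `DRY_RUN=1 sh -c '. ./sift-vm.sh; create_sift_vm'` first to see the exact commands, then call `create_sift_vm` and `start_sift_vm` for real; the ISO stays attached until you eject it after the Ubuntu installation finishes.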

Then paste the command below to install the SIFT workstation. You should watch the SIFT distribution video while it installs; it gives a quick tour and examples of some of the tools that are part of the distribution, e.g.:
  • rip.pl - extract registry information such as account creations
  • deleted.pl - examine deleted registry entries
  • yaru - GUI registry analyser that can show deleted keys etc.
  • pffexport - libpff tool extracting PST and OST data from MS Outlook files
  • volatility - memory examination
  • bulk_extractor - dumps plenty of data for analysis
  • sleuthkit - finding specific information in deleted inodes etc.

$ wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y

[sudo] password for codemonkey: 
 * INFO: Welcome to the SIFT Bootstrap
 * INFO: This script will now proceed to configure your system.
 * INFO: You supplied the -y option, this script will not exit for any reason
 * INFO: OS: Ubuntu
 * INFO: Arch: 64
 * INFO: Version: 14.04
 * INFO: Updating your APT Repositories ... 
<snipped>
Installation Complete!

The documentation is always a work in progress, feel free to contribute!
Fork the sift-docs project and start sending your pull requests today.

Documentation: http://sift.readthedocs.org

The hostname was changed, you should relogin or reboot for it to take full effect.


sudo reboot

Wait until the SIFT installation finishes, then reboot as instructed. A list of all the tools installed by the SIFT distribution can be found here. You should now be ready to start your first forensics work using open-source tools. There's a free getting-started and introduction book for version 2 available here. Besides the information in the book, the SANS blog has many great articles.
