Thursday, December 4, 2014

Installing SIFT 3.0 on Apple Mac OS X Yosemite 10.10.1

Applications needed: SIFT Kit 3.0, Keka File Archiver, VirtualBox

Download the latest version of the SIFT Kit here. If you don't already have one, you'll need to create an account with SANS.

The SIFT Kit is compressed using 7z. Use an application like Keka to extract it on OS X. Once you install Keka, double-click on the SIFT file you downloaded. The file will begin extracting in the same directory.

Once it's complete, you will see a new folder in the same directory. The SIFT Workstation 3 folder contains the VMWare virtual appliance files that are used by the SIFT Kit. Move these to a permanent location.

Open VirtualBox.

Click New.

The SIFT Workstation 3.0 runs Linux, specifically Ubuntu 12.04 LTS (64-bit). Pick a name for your virtual machine, select the aforementioned settings and click Continue.

SIFT is lean. You can get by with 1 GB of RAM, and I haven't seen much of a difference when you add more than 2 GB of memory.

Next, you'll need to tell VirtualBox what disk to use. Select SIFT Workstation 3.0 Core Drive.vmdk.

You should end up with a new virtual machine, but we're not done yet. The SIFT Kit has a dynamically expanding disk for cases. We need to add it in the settings in VirtualBox so that it's recognized when we fire up the virtual machine. Click on Settings.

Highlight the SATA controller in the Storage Tree pane. Click the Add icon (bottom left; blue disk with green plus sign). Select Add Hard Disk.

Select Choose existing disk.

Select SIFT Workstation 3.0 Cases.vmdk file, which is located in the SIFT Workstation 3 folder.

You will now see two disks show up under Storage > SATA. The disk that will boot when you start the virtual machine is the Core Drive. This is where the Ubuntu OS is stored. SATA Port 1 is the dynamically expanding Cases disk.

Next, click Start or double-click the newly created virtual machine. This will boot the SIFT Kit.

After Ubuntu boots, you should see the SANS login screen. Log on and start forensicating.

No comments:

Post a Comment