SIFT Workstation Review

SIFT Workstation Review: Evidence Shows It’s the Leader in Digital Forensics

You plop down on the couch after a long day and turn on your favorite crime show.

Those tireless detectives have yet another new case. This time, the criminals have gone digital: they’ve hacked a government computer and stolen classified military plans.

As you munch your popcorn with rapt attention, you can’t help but be intrigued by the show’s digital forensics expert.

She marches into the agency, whips out her computer and hooks it up to the hacked machine. Then she runs a bunch of complex-looking programs and attempts to explain them to the baffled detectives.

Before long, the hacker has been caught. Turns out he left a few bytes of evidence behind that would never have been found without that digital forensics software.

Now, you’re no cybercrime investigator, but you’re still curious about those programs. You can’t help but think that it would be fun to try your own hand at digital forensics.

And luckily, you don’t need a degree, advanced training or even a little cash to get started.

All you need is a decent computer, a bit of time and the SIFT Workstation.

The SIFT Workstation is a set of free tools that are on par with those used by professional forensics analysts.

Here’s what to expect from SIFT Workstation and how to get started with it.

What Is SIFT Workstation?

SIFT Workstation was created by Rob Lee of the SysAdmin, Audit, Network and Security Institute (SANS). SIFT stands for SANS Investigative Forensic Toolkit.

Lee created SIFT to demonstrate that free and open-source software can perform the same or better than its paid, closed-source counterparts.

What’s more, he wanted to prove that that statement applies to digital forensics programs — arguably the most important software out there.

Digital forensics involves the in-depth analysis of hard drives, RAM and other computer components. It can be used to recover deleted data, trace network activity and create timelines of cybercrimes.

Law enforcement agencies utilize digital forensics in their investigations.

Private companies also employ cybersecurity experts to provide in-house digital forensics services.

And, of course, independent cybersecurity consultants and hobbyists can utilize digital forensics software in their work and play.

When he created SIFT, Lee had all of these users in mind. Free and open-source software can be used by anyone, and Lee wanted to show that it should be used by everyone.

And it is. SIFT has received glowing testimonials from everyone from the Brazilian national government to JP Morgan Chase.

Sometimes referred to as SIFT OS, SIFT Workstation is actually a set of tools that run on Linux. But it has so many features that you’d be forgiven for thinking it was a full OS — let’s take a look at some of them.

What Tools Does SIFT Workstation Include?

Network analysis, hard drive recovery, malware deconstruction… you name it, SIFT probably has a tool for it.

Hundreds of software packages are included in SIFT, so we can’t possibly detail them all here. But we’ll go over a few of the most notable ones.


Wireshark is a network monitoring and packet analyzing tool.

Data is sent over networks in packets — small pieces that combine into a whole when they reach their destination. Analyzing these packets can reveal information about their contents and their senders.

Wireshark can analyze preexisting packets or capture new ones live. It can monitor all traffic on a network, not just traffic directed at the computer running Wireshark.

It’s a valuable tool for detecting network hacking attempts, capturing malicious transmissions or tracing unknown traffic.

Autopsy and SleuthKit

When a computer is compromised, the first thing a digital forensics expert does is copy the disk image to a safe location.

The disk image is a perfect mirror of the entire hard drive. By copying it, the analyst ensures that the investigation won’t be hindered by corrupted data or future hacking attempts.

But once it’s safely backed up, the disk image needs to be analyzed and, if the initial hack damaged data, reconstructed.

That’s where Autopsy comes in. It’s a GUI-based program that can analyze and recover many types of data, even from damaged drives.

Autopsy can recover histories, cookies and bookmarks from web browsers. It can also retrieve metadata from deleted photos and let you watch previously-erased videos.

Other Autopsy features allow you to analyze the drive for signs of malware, hacking or unauthorized use. You can enter a keyword to search for specific files and, if they’re there, Autopsy will recover them.

SIFT also comes with SleuthKit, the command-line backbone of Autopsy. SleuthKit gives experts a higher level of control over the recovery process, minus the GUI.


AfterGlow is a data visualization tool that can assemble system, network and hacking data into graphs or charts. This helps you find patterns, trace attacks and more.

Volatility Framework

Data isn’t just stored on hard drives. The most recent actively-used data is stored on RAM, and it could be incredibly valuable in an investigation.

Volatility Framework can analyze RAM samples and extract the data within them. If your computer was hacked, Volatility Framework can potentially show you the hacker’s last actions.

Other Tools Included in SIFT Workstation

Honeyd is a “virtual honeypot” that allows you to set up multiple virtual hosts or servers on a single network. It can be used to simulate network attacks and determine the type and timeline of a prior hack.

Knocker is a TCP port scanner that enables you to see the ports used by various network devices. By analyzing these, you can determine the types of devices and traffic that appeared on your network.

Rifiuti is a utility that scans and recovers files deleted from the Windows Recycle Bin.

Aeskeyfind scans disk images for AES encryption and decryption keys. If you need to decrypt a file and the key is stored locally, Aeskeyfind will locate it.

Which File Systems and Types Does SIFT Support?

SIFT supports Windows (FAT, MS-DOS, NTFS, VFAT), Mac (HFS), Linux (ext2/3) and Solaris (UFS) filesystems.

It supports EWF, RAW, AFF, 001 and E01 evidence filetypes, among other, more common ones like ISO disk images.

How Do You Use SIFT Workstation?

SIFT Workstation can be used in three ways: as a virtual machine, on Ubuntu 16.04 or on Windows 10’s Linux Subsystem.

The virtual machine requires a virtualization environment like VMWare or VirtualBOX. This allows you to run a “sandbox” OS without affecting or altering your regular OS.

SIFT can also be installed directly on Ubuntu 16.04. Download the command-line tool from the SIFT Github repository and follow the installation instructions.

If you’re running Windows 10 Creators Edition, you can install SIFT on the Linux subsystem of your OS. Follow SIFT’s instructions for installing the Linux subsystem via Windows Powershell and installing the SIFT Workstation.

Once you’re installed, you’ll need some evidence to analyze. If you’ve got your own disk images, load those up and get to work using the tool of your choice.

But if you’re in need of some material to work with, download a case from the National Institute of Standards and Technology’s CFReDS project.

These range from simple network traces and image recovery to complex hacking simulations. Pick one that suits your skill level and give it a go!

What if SIFT Is Too Advanced for Me?

SIFT is a fantastic tool for digital forensics, but you do need some prior experience to make the most of it.

If you don’t know your way around Terminal commands and Github repositories, there are more beginner-friendly alternatives to many of its uses.

To analyze your network traffic, identify devices and trace data packets, try Angry IP Scanner for Windows, Mac and Linux. It’s similar to SIFT’s Wireshark tool but is simpler to use.

If you need to recover deleted or corrupted data from a disk, try Recuva for Windows, Disk Drill for macOS or R-Linux for Linux. These free programs aren’t as powerful as the ones in SIFT, but they can still recover files in many cases.

And if you’re interested in cybersecurity but don’t have any pressing digital forensics needs, look into getting a VPN. It’ll let you encrypt, reroute and anonymize your web traffic.

This keeps you safe from trackers and surveillance, and can even help you avoid detection by some of SIFT’s network analysis tools!

AirVPN continues the open-source spirit of SIFT and provides top-of-the-line encryption. ExpressVPN offers users thousands of highly secure RAM-only servers around the world.

Summary: SIFT Workstation’s digital forensics tools are some of the most powerful in the world. It’s trusted by governments, corporations and security experts for data recovery, hack tracing and more.

Would You Like More Privacy, Unrestricted Streaming, and a More Secure Internet Experience?

If so, check out these VPNs:

About The Author

Scroll to Top