Brad Celestin wrote:
> I am quite new to Linux forensics, but I have quickly developed a deep
> appreciation for how versatile many of the available tools are and how
> knowledgeable many of the people using them are.
>
> I recently downloaded the SIFT 2.0 workstation from SANS.org which has
> sleuthkit and autopsy 2.22 built into a VMware virtual machine. I also
> installed Fedora 12 and the latest version of autopsy as a second OS.
> Utilizing both of these I have been able to import a raw and an E01
> image into the program, but when I go to the analyze screen the /File
> Analysis, File Type, and Meta Data/ tabs are grayed out. Additionally,
> when I go to /Create Data File/ under /File Activity Timelines/ there
> are no images available for me to select. What am I missing?
>
> Thanks,
> Brad Celestin
Brad,
I suggest that you ask any questions regarding the SIFT workstation
(SIFTW) on _another_ mailing list (ML), to wit:
wi...@ya...
Why? Well, the primary creator of the SIFTW is Rob Lee (of Mandiant),
who is active on that mailing list, whereas, AFAICT, he does not comment
much (if at all) on this ML -- perhaps because he is not subscribed
hereto? Dunno.
Keep in mind the audience for SIFTW: Windows users who do _not_ want to
install Linux. If you already installed a Linux distribution that is
designed for digital forensic (DF) examinations (e.g., SMART Linux or
Caine Ubuntu), then SIFTW will likely avail you of no benefit
whatsoever. That is my understanding. I suspect that VERY few
participants hereon have not already installed Linux. I suspect that the
overwhelming majority of the participants hereon have been using Linux
for years, but I concede that I have no way of confirming that
suspicion. For these DF examiners, SIFTW is not necessarily useful.
Sincerely,
Paul Bain