Review: SIFT Workstation - Digital Forensics Tool Suite


Review of the Free & Open Source Software (FOSS) digital forensics (computer forensics) tools included in the SANS Investigative Forensic Toolkit (SIFT) Workstation.


The SANS Investigative Forensic Toolkit (SIFT) Workstation is an Ubuntu-based Linux distribution (distro) that is designed to support digital forensics (a.k.a. computer forensics). SIFT was developed by an international team of digital forensic experts who frequently update the toolkit with the latest FOSS forensic tools to support current techniques.

The digital forensic software bundled with SIFT includes, but is not limited to: The Sleuth Kit, ssdeep & md5deep, Foremost/Scalpel, Wireshark, HexEditor, Vinetto (thumbs.db examination), Pasco, Rifiuti, and Volatility Framework. In addition, SIFT includes two GUI front-ends for The Sleuth Kit: Autopsy and DFLabs PTK. SIFT data formats are compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

SIFT may rival commercial digital forensic toolkits regarding functionality, but its GUI and user documentation are poor, so its usability rating is relatively low. (You will need to resort to the Command Line Interface frequently for any serious forensics work.) SIFT is recommended for certified digital forensic experts, but cybersecurity noobs should look elsewhere for tools with better GUIs and user documentation.

Cybersecurity Software Reviewed: SANS Investigative Forensic Toolkit (SIFT) Workstation
Date Published: 12/15/2014
Editor Rating: 3.4 / 5 Stars

⁃ Functionality (40%)
⁃ Performance (20%)
⁃ Usability (20%)
⁃ Portability (10%)
⁃ Value (10%)


Standard Install:
Live USB/VMware:

CYBERSECURITY FORUM and are trademarks of PivotPoint Technology Corporation. All other product and service names mentioned are the trademarks of their respective companies.