SIFT Workstation

SIFT Workstation

I have a copy of PALADIN Forensic Suite and I have used it here and there. However, I decided to try and work toward GIAC Network Forensic Analyst (GNFA). In decided this, I started to play around with SANS SIFT Workstation. You can read more about SIFT Workstation on the overview.

SANS provides two way to install/use the workstation (Downloads and Instructions):

  1. SIFT VM Application
  2. SIFT Easy Installation

The VM Application provides a complete OVA which can be used in many software such VMWare Player, VirtualBox, and VMWare Fusion. For most people, this probably is the easiest way to start utilizing the software with all the dependencies configured already.

Installation of Ubuntu

SIFT Easy Installation requires Ubuntu 16.04 (Download) installed and setup. Then, the SIFT-CLI can be used to install and configure SIFT workstation.

If you wanted, as I will detail, you can use Windows 10's WSL service to install Ubuntu 16.04 and install SIFT-CLI without having to run a VM or dual-boot your system.

First, enabling the Windows Subsystem for Linux through Powershell as Administrator:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Then, reboot when promoted.

In my case, I have the Windows Store disabled, but if you have it enabled, just search for "Ubuntu" and install the 16.04 version. Otherwise, manually install.

You can grab the installation file from the direct link - You can also use the PowerShell cmd:

Invoke-WebRequest -Uri -OutFile Ubuntu.appx -UseBasicParsing

This will add a Ubuntu icon to the Start Menu which you can click on to start the installation process. You then can open PowerShell and type "bash" to drop into Ubuntu.

Random Might be Useful Information

  1. You cannot do shutdown/restarts inside of Ubuntu. To restart/shutdown Ubuntu, just close all windows running the software. Windows WSL should kill the process for you automatically.
  2. There is no GUI install. However, you can install the xserver on the box and install a Window application that can display from it and get it to work.

Installation of SIFT-CLI

Download the SIFT installation script

  1. Go to the Latest Releases
  2. Download all the release files
  3. sift-cli-linux
  4. sift-cli-linux.sha256.asc
  5. Import the PGP Key: gpg --keyserver --recv-keys 22598A94
  6. Validate the signature: gpg --verify sift-cli-linux.sha256.asc
  7. Validate SHA256 signature: shasum -a 256 -c sift-cli-linux.sha256.asc OR sha256sum -c sift-cli-linux.sha256.asc
  8. Note: You'll see an error about improperly formatted lines, it can be ignored so long as you see sift-cli-linux: OK before it
  9. Move the file using sudo mv sift-cli-linux /usr/local/bin/sift
  10. Run: chmod 755 /usr/local/bin/sift
  11. Type sift --help to see its usage


If you are using WSL, then you must run the command:

sift install --mode=packages

The complete install fails with missing dbus package even though it was installed. Same issue happens when you use other containerized methods. This takes a long time to complete. If you happen to stop the process, restarting it just requires rerunning the command and the script will verify the installation and continue where it left off.

Other Observations

I do wish there was more status information when it installs. Some of the packages are 500MB+ and on a slow connection, there is no indication on how long these packages will take nor how long before they finish.