legal contact
 

Memory Analysis with SIFT 3.0

Having had a decent malware found running in memory of a Windows server, I thought it's a prefect sutuiation to document some forensic works.

First of all, I've installed a new debian 64bit client instance using VirtualBox.

Once the server is up and running, issue below command to initiate the SANS SIFT install...

wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y 

* INFO: Welcome to the SIFT Bootstrap

* INFO: This script will now proceed to configure your system.

* INFO: You supplied the -y option, this script will not exit for any reason

* INFO: OS: Ubuntu

* INFO: Arch: 64

* INFO: Version: 14.04

* INFO: Updating your APT Repositories ...

* INFO: Installing Python Software Properies ...

* INFO: Enabling Universal Repository ...

* INFO: Enabling Elastic Repository ...

* INFO: Adding Ubuntu Tweak Repository

* INFO: Adding SIFT Repository: stable

* INFO: Updating Repository Package List ...

* INFO: Upgrading all packages to latest version ...

.

.

.

[be patient until install completes...]

The install had some errors:

* ERROR: Install Failure: mantaray (Error Code: 100)

* ERROR: Install Failure: regripper (Error Code: 100)

* ERROR: Install Failure: wine (Error Code: 100)

* ERROR: Install Failure: python-plaso (Error Code: 100)

And I had to add the programs manually, also to see why thei were not installed in the first place.

apt-get install python-plaso wine regripper mantary