How to install SANS SIFT on “Xenial Xerus” Ubuntu 16.04 LTS

For Ubuntu 14.04 (Trusty Tahr), SIFT is installed with a bootstrap script hosted on GitHub that converts the OS into the distro. You can check the installation process at the following link:

For Xenial Xerus the installation process is different: it requires some files and follows a different procedure to install all the tools that make up the SANS SIFT distro. The project version used in this example is v.1.7.1, but you can install the version you prefer.

As mentioned above, for Xenial Xerus you need to download some files and validate their integrity before installing the tool.

Required files:

– sift-cli-linux
– sift-cli-linux.sha256.asc


1. Download the files

adminsift@SIFT:~/Downloads$ wget
--2018-10-03 06:23:13--
Resolving (…,
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: [following]
--2018-10-03 06:23:14--
Resolving (…
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 53833051 (51M) [application/octet-stream]
Saving to: ‘sift-cli-linux’

sift-cli-linux 100%[===================>] 51.34M 1.24MB/s in 42s


adminsift@SIFT:~/Downloads$ wget
--2018-10-03 06:24:46--
Resolving (…,
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: [following]
--2018-10-03 06:24:46--
Resolving (…
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 333 [application/octet-stream]
Saving to: ‘sift-cli-linux.sha256.asc’

sift-cli-linux.sha2 100%[===================>] 333 --.-KB/s in 0s

2. Import the key

adminsift@SIFT:~/Downloads$ gpg --keyserver hkp:// --recv-keys 22598A94
gpg: keyring `/home/adminsift/.gnupg/secring.gpg’ created
gpg: keyring `/home/adminsift/.gnupg/pubring.gpg’ created
gpg: requesting key 22598A94 from hkp server
gpg: /home/adminsift/.gnupg/trustdb.gpg: trustdb created
gpg: key 22598A94: public key “SANS Investigative Forensic Toolkit <>” imported
gpg: Total number processed: 1
gpg: imported: 1

3. Verify Integrity

adminsift@SIFT:~/Downloads$ gpg --verify sift-cli-linux.sha256.asc
gpg: Signature made +05 02:30:17 2018 ޖުލައި 11 ބުދަ using DSA key ID 22598A94
gpg: Good signature from “SANS Investigative Forensic Toolkit <>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5D29 135B 3798 3CAC 6097 9623 15B9 AD71 2259 8A94

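Note: These warnings appear because the imported key has not been certified by any key you already trust, so gpg cannot confirm that it belongs to the named owner. The signature itself is good; compare the primary key fingerprint shown above with the one published by the SIFT project before relying on it.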

adminsift@SIFT:~/Downloads$ shasum -a 256 -c sift-cli-linux.sha256.asc
sift-cli-linux: OK
shasum: WARNING: 10 lines are improperly formatted

Note: Warnings like the one above do not matter. shasum reports the PGP armor and signature lines of the .asc file as improperly formatted; the important part is that you see
“sift-cli-linux: OK”
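
Steps 2 and 3 as one script, added here as an example and not part of the original post: it pins the full fingerprint printed above instead of the short key ID, and takes the hash only from the text covered by the signature, because shasum -c reads every line of the .asc file and not just the signed part. The script name verify-sift.sh and the function names are hypothetical, and it assumes the signed text contains a line of the form "<sha256>  sift-cli-linux".

```shell
#!/bin/sh
# Added example, not from the original post. Pins the full fingerprint shown
# in step 3 and trusts only the hash that gpg reports as validly signed.
SIFT_FPR="5D29135B37983CAC6097962315B9AD7122598A94"   # from this page, spaces removed

# stdin: gpg --status-fd output. Prints the primary-key fingerprint (last
# field of the VALIDSIG line), or nothing when no valid signature was seen.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF); exit }'
}

# stdin: signed checksum text. Prints the SHA-256 listed for file name $1.
# Handles both "hash  name" (text mode) and "hash *name" (binary mode).
signed_hash_for() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }
        NF == 2 && f == name && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ {
            print tolower($1); exit
        }'
}

# Prints the SHA-256 of file $1 as lowercase hex.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_sift <binary> <clearsigned checksum file>
# Succeeds only if the signature is valid, was made by SIFT_FPR, and the
# hash inside the signed text matches the binary.
verify_sift() {
    tmp=$(mktemp -d) || return 1
    # --decrypt verifies a clearsigned file and writes only the signed text.
    if ! gpg --batch --status-fd 3 --output "$tmp/signed" --decrypt "$2" \
            3>"$tmp/status" 2>/dev/null; then
        rm -rf "$tmp"; echo "signature check failed" >&2; return 1
    fi
    fpr=$(validsig_fpr <"$tmp/status")
    want=$(signed_hash_for "$(basename "$1")" <"$tmp/signed")
    rm -rf "$tmp"
    [ "$fpr" = "$SIFT_FPR" ] || { echo "unexpected signer: $fpr" >&2; return 1; }
    [ -n "$want" ] && [ "$want" = "$(file_sha256 "$1")" ] ||
        { echo "hash mismatch for $1" >&2; return 1; }
    echo "$1: signature and SHA-256 verified"
}

# Usage: sh verify-sift.sh sift-cli-linux sift-cli-linux.sha256.asc
if [ "$#" -eq 2 ]; then verify_sift "$@"; fi
```

Run it in the download directory before step 4, while the binary still has the name listed in the checksum file.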

4. Move file and assign permissions

You need to move the file “sift-cli-linux” to /usr/local/bin/sift and then assign the permissions to it.

adminsift@SIFT:~/Downloads$ ls
latest sift-cli-linux.sha256.asc sift-cli-linux
adminsift@SIFT:~/Downloads$ sudo mv sift-cli-linux /usr/local/bin/sift
adminsift@SIFT:~/Downloads$ ls
latest sift-cli-linux.sha256.asc
adminsift@SIFT:~/Downloads$ chmod 755 /usr/local/bin/sift

Note: If the folder /usr/local/bin does not exist, please create it.

5. Install SANS Forensics Toolkit “SIFT”

You just need the following command to start the installation process; it will take some time and probably some reboots.

adminsift@SIFT:~/Downloads$ sudo sift install
> sift-cli@1.7.1-master.f1177e4
> sift-version: notinstalled

Installing and configuring SaltStack properly …
> downloading v2018.38.0
>> downloading sift-saltstack-v2018.38.0.tar.gz.asc
>> downloading sift-saltstack-v2018.38.0.tar.gz.sha256
>> downloading sift-saltstack-v2018.38.0.tar.gz.sha256.asc
>> downloading sift-saltstack-v2018.38.0.tar.gz
> validating file sift-saltstack-v2018.38.0.tar.gz
> validating signature for sift-saltstack-v2018.38.0.tar.gz.sha256
> extracting update sift-saltstack-v2018.38.0.tar.gz
> performing update v2018.38.0
>> Log file: /var/cache/sift/cli/v2018.38.0/saltstack.log

After some time, if everything was successful, you will get the following message:

>> Completed: /etc/foremost.conf (Took: 78.762 ms)
>> Completed: /usr/local/etc/foremost.conf (Took: 36.231 ms)
>> Completed: sift-config-tools (Took: 2.672 ms)
>> Completed: sift-config (Took: 2.308 ms)
>> Completed: /etc/sift-version (Took: 35.049 ms)

>> COMPLETED SUCCESSFULLY — Success: 540, Failure: 0

The OS will look like the following screenshot:

[Screenshot: SANS Forensics Toolkit]
