Installing SANS SIFT Workstation on Virtualbox

Many people find it surprising to discover that a great number of digital forensic tools are available as free open source products. Some examples include Scalpel for file carving and Volatility for memory forensic analysis. The greatest issue with these tools, as with any other FOSS offerings, is getting many of these tools installed and working together on the same system. Some volunteers from the SANS information security organization and the larger infosec community contributed their time to create the SANS SIFT Workstation.

SIFT is maintained as a collection of tools and theme options for the Ubuntu Linux operating system. SIFT is available for installation via a script and as a downloadable VMware appliance. This appliance is compatible with VMware Player and Workstation, offering the VMware Tools guest integration tools that allow the appliance to interface with a host operating system. No appliance currently exists for Virtualbox, however. With some manual work, we can easily get a version of SIFT working in Virtualbox with guest additions.

The most recent version of SIFT at the time of writing, version 3.0, works with Ubuntu 14.04 64-bit. The preferable version is Ubuntu Desktop. Ubuntu Server can theoretically work, but the installation will take a lot more effort. A version of Ubuntu 14.04 can be obtained from any available Ubuntu mirror. Virtualbox can be found through the project’s website or through the package manager of Linux distributions.

Creating the VM

After installing Virtualbox, create a virtual machine sized to fit your SIFT guest. More memory is better, but my example system is built with 1GB of RAM. Ensure the guest is identified as Linux, Ubuntu 64-bit.

Finally, create a virtual disk sized to your heart’s content. My example machine uses a 20GB virtual disk. My example disk is in Virtualbox VDI format, but you may use other formats as desired. The VHD format is compatible with Microsoft virtualization software, and VMDK is compatible with VMware-based systems. Neither format should cause issues with our installation at hand. After sizing the VM, install Ubuntu with the default options and supply your username and password of choice.

Installing Virtualbox Guest Additions

Once the installation has completed, our first task involves installing Virtualbox guest additions into the VM. First off, there are three packages for Virtualbox guest additions installation:

  • virtualbox-guest-dkms
  • virtualbox-guest-utils
  • virtualbox-guest-x11

The x11 package, on installation, will trigger an installation dependency error. To pre-empt this, we first want to run the following commands:

sudo apt-get remove libcheese-gtk23
sudo apt-get install xserver-xorg-core

Next, we can install the Virtualbox guest additions packages:

sudo apt-get install virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11

After installing the packages, reboot for effect. Once the VM is rebooted, you’ll enjoy the full benefit of guest additions.

SIFT Installation

SIFT is easily installed with the project’s bootstrap script. The easiest and quickest way to perform this installation is to download this script and pipe it to the bash command.

NOTE: Downloading and piping to Bash is not really a good idea for installing 99% of software in the world.

The recommended command from SANS is:

wget --quiet -O - | sudo bash -s -- -i -s -y

This command will install all the packages that comprise SIFT, including the visual theme that comes with the VMware appliance. This command will take a very long time to complete, and the time will vary depending on the speed of your Internet connection. Once the installation completes, you’ll have a fresh installation of SIFT for your use.
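
The note above warns against piping a download straight into bash. One alternative, shown here as an added example that is not part of the original post or of SANS's instructions, saves the script to disk, compares it to a SHA-256 digest obtained separately, and only then runs the verified file. BOOTSTRAP_URL and EXPECTED_SHA256 are placeholders you must supply; verify_sha256 and install_sift are illustrative names.

```shell
# Added example: fetch the installer to disk, verify it, then run it.
# BOOTSTRAP_URL and EXPECTED_SHA256 are placeholders (not from the post).
BOOTSTRAP_URL="${BOOTSTRAP_URL:-https://example.invalid/bootstrap.sh}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"

# Return 0 only when FILE hashes to the pinned digest.
# Return 1 on mismatch, 2 on a missing file or malformed digest.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "digest must be hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 chars" >&2; return 2; }
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    actual="$(sha256sum "$file" | awk '{print $1}')"
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch: got $actual" >&2
    return 1
}

# Download, verify, and execute the same bytes that were verified.
install_sift() {
    local tmp rc=0
    tmp="$(mktemp)" || return 1
    # A failed or interrupted download never reaches the shell.
    if ! wget --quiet -O "$tmp" "$BOOTSTRAP_URL"; then
        echo "download failed" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        rm -f "$tmp"; return 1
    fi
    # Same arguments as the one-liner, passed to the script file.
    sudo bash "$tmp" -i -s -y || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Only install when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "--install" ]; then install_sift; fi
```

Keeping the downloaded file also lets you read the script before it runs as root, which the piped form does not allow.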

Originally published at on May 19, 2016.