====== SANS Sift Workstation ======
Download: https://www.sans.org/tools/sift-workstation/
login/pass: sansforensics/forensics

====== Mods ======
===== VMWare crap =====
Reinstalling VMware tools to enable sharing was brutal.\\
-> https://communities.vmware.com/t5/VMware-Fusion-Discussions/Update-VMware-tools-greyed-out-in-Fusion-12/td-p/2809208\\
copy the linux.iso from the installation software location to a place where you can mount it as cdrom image from the VMWare.\\
Then copy the content of the VMWare Tools folder to /tmp
<code bash>tar xvzf VMwareTools-10.3.23-16594550.tar.gz 
cd vmware-tools-distrib/
./vmware-install.pl
reboot
sudo vmhgfs-fuse .host:/Share /mnt/windows_mount -o allow_other -o uid=1000</code>
Share is the name of my shared folder

====== Yara rules ======
yara rules can be found on git : https://github.com/Yara-Rules/rules
<code bash>
sudo su
cd /opt
mkdir yara
cd yara
git clone https://github.com/Yara-Rules/rules.git
chown -Rh sansforensics /opt/yara
</code>
===== Fix volatility-yara =====
-> https://github.com/teamdfir/sift/issues/389
  * edit /usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py
<code perl>
185     def __init__(self, config, *args, **kwargs):
186         taskmods.DllList.__init__(self, config, *args, **kwargs)
187         config.add_option("ALL", short_option = 'A', default = False, action = 'store_true',
188                         help = 'Scan both process and kernel memory')
189         config.add_option("CASE", short_option = 'c', default = False, action = 'store_true',
190                         help = 'Make the search case insensitive')
191         config.add_option("KERNEL", short_option = 'K', default = False, action = 'store_true',
192                         help = 'Scan kernel modules')
193         config.add_option("WIDE", short_option = 'W', default = False, action = 'store_true',
194                         help = 'Match wide (unicode) strings')
195         config.add_option('YARA-RULES', short_option = 'U', default = None,
196                         help = 'Yara rules (as a string)')
</code>
Change line 189 short_option = 'C' for 'c' and line 195 short_option = 'Y' for 'U'\\
\\
If you don't do that:
<code bash>
$ vol.py -f black_energy.vmem --profile=WinXPSP2x86 yarascan -h
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 174, in main
    command = cmds[module](config)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 190, in __init__
    help = 'Make the search case insensitive')        
  File "/usr/local/lib/python2.7/dist-packages/volatility/conf.py", line 363, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/optparse.py", line 1021, in add_option
    self._check_conflict(option)
  File "/usr/lib/python2.7/optparse.py", line 996, in _check_conflict
    option)
optparse.OptionConflictError: option -C/--case: conflicting option string(s): -C
</code>

===== yara rules fix =====
Some malware rules are broken
  * /opt/yara/rules/malware_index.yar line 104

<code perl>
//include "./malware/MALW_AZORULT.yar"
</code>