Siftgrab v2.4: Automated Windows Artifact Collection for DFIR Practitioners


Core Capabilities

Siftgrab delivers three key functions for Windows forensics:

  1. Unified Evidence Processing
    • Accepts: Disk images (RAW/EWF), KAPE/CyLR collections, live acquisitions
    • Supports: NTFS/ReFS/BitLocker volumes
    • Parallel processing for multiple systems
  2. Smart Categorization
    Auto-classifies 120+ Windows artifacts into:
      • Execution Traces (LOLBAS, PowerShell, WMI)
      • Persistence Mechanisms (Scheduled Tasks, Services, AutoRuns)
      • Network Artifacts (Firewall, SMB, DNS cache)
      • User Activity (Browser, File Access, Timeline)
  3. Standardized Outputs
    • Timeline data (TLN/CSV) via RegRipper 3.0
    • Structured JSON for tool ingestion
    • Sigma rule matching via Hayabusa

Quickstart Deployment

Option 1: Docker Installation (Recommended)

```bash
docker pull siftgrab/forensic:latest
docker run -it -v /cases:/data siftgrab/forensic
```

Option 2: Native Ubuntu/Kali/WSL2

```bash
wget https://siftgrab.org/install.sh -O /tmp/siftgrab.sh
chmod +x /tmp/siftgrab.sh && sudo /tmp/siftgrab.sh
```

Read /tmp/siftgrab.sh before running it as root: the script is fetched over the network and the page supplies no checksum or signature to verify it against.

Evidence Mounting
Use included ermount utility:

```bash
ermount --image case01.E01 --mount /mnt/evidence
# Unmount with:
ermount --unmount /mnt/evidence
```
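What a mount helper has to work out before an image can be attached read-only is where the filesystem starts inside the disk image. The example below is added for this page and is not ermount's code (it makes no claim about ermount's internals): it parses the classic MBR partition table of a raw/dd image, computes the byte offset of the first NTFS partition, and builds the read-only loop-mount command. A GPT disk shows up in the MBR only as a 0xEE protective entry and needs a GPT parser (or The Sleuth Kit's mmls) instead; an E01 image must first be exposed as raw data, e.g. with libewf's ewfmount, before this applies. The image and mountpoint paths and the sample MBR are constructed for the example.

```python
"""Find the NTFS partition offset in a raw (dd) image for a read-only loop mount.

Added example for the mounting step; not ermount's own code. Handles MBR only:
a GPT disk is reported, not parsed.
"""
import struct

SECTOR = 512
PART_TABLE = 446        # four 16-byte MBR partition entries start here
NTFS = 0x07             # MBR type byte used for NTFS (also exFAT/HPFS)
GPT_PROTECTIVE = 0xEE   # protective MBR entry: the real table is a GPT


def parse_mbr(mbr: bytes):
    """Return [(type, start_lba, sector_count), ...] for the populated MBR slots."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        e = mbr[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        ptype = e[4]
        start_lba, count = struct.unpack("<II", e[8:16])   # little-endian LBA fields
        if ptype and count:
            entries.append((ptype, start_lba, count))
    return entries


def ntfs_byte_offset(mbr: bytes) -> int:
    """Byte offset of the first NTFS partition, as needed by mount -o offset=."""
    for ptype, start_lba, _ in parse_mbr(mbr):
        if ptype == GPT_PROTECTIVE:
            raise LookupError("GPT disk: parse the GPT header, or use mmls")
        if ptype == NTFS:
            return start_lba * SECTOR
    raise LookupError("no NTFS partition in MBR")


def mount_command(image: str, mountpoint: str, offset: int) -> str:
    """Read-only loop mount; noexec/nosuid/nodev stop anything on the evidence from running."""
    return ("sudo mount -t ntfs-3g -o ro,loop,noexec,nosuid,nodev,"
            f"offset={offset} {image} {mountpoint}")


def sample_mbr() -> bytes:
    """Constructed MBR: one active NTFS partition at LBA 2048, 204800 sectors long."""
    mbr = bytearray(SECTOR)
    entry = bytes([0x80, 0, 0, 0, NTFS, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    mbr[PART_TABLE:PART_TABLE + 16] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    # Placeholder paths; on a real case read the first 512 bytes of the image instead.
    off = ntfs_byte_offset(sample_mbr())
    print(mount_command("case01.raw", "/mnt/evidence", off))
```

The 2048-sector start used in the sample is the 1 MiB alignment Windows has used since Vista, which is why so many images mount with offset=1048576; never hard-code it, because older XP-era disks start at sector 63.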

Processing Workflow

  1. Evidence Intake

```text
[1] Process disk image
[2] Analyze live acquisition
[3] Parse KAPE collection
[4] Timeline-only mode
```

  2. Artifact Selection

```text
Select artifacts (default=all):
[A] Browser History
[B] Prefetch
[C] SRUM Data
[D] Event Logs
```

  3. Output Configuration

```text
Output formats available:
- TLN Timeline (CSV)
- JSON for Elastic
- Sigma Match Reports
```
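The two timeline outputs listed above are related: TLN is Harlan Carvey's five-field, pipe-delimited format (epoch|source|system|user|description) that RegRipper's timeline plugins write, and the JSON-for-Elastic output is the same events with a proper timestamp and one document per line. The converter below is an added example, not Siftgrab's code; the JSON field names (@timestamp, source, host, user, message) are this example's own choice modelled on what an Elastic ingest pipeline expects, and the sample timeline lines are constructed. It keeps a '|' that appears inside a description intact and rejects malformed lines rather than silently dropping them.

```python
"""Convert TLN timeline lines into newline-delimited JSON for Elastic ingest.

Added example, not Siftgrab's own code. Assumes the five-field TLN layout
RegRipper writes; the output field names are this example's choice.
"""
import json
from datetime import datetime, timezone

# Constructed sample timeline: three valid TLN lines (one carrying a '|'
# inside its description, one with an empty user) and one garbage line.
SAMPLE_TLN = (
    "1700000060|REG|WS01||UserAssist - C:\\Windows\\System32\\cmd.exe (2)\n"
    "1700000000|REG|WS01|S-1-5-21-1-2-3-1001|"
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run - updater = C:\\Users\\Public\\svc.exe\n"
    "this is not a tln line\n"
    "1700000120|EVT|WS01|SYSTEM|7045 Service installed: name=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe\n"
)


def parse_tln_line(line: str):
    """Parse one TLN line; return a dict, or None if the line is malformed.

    maxsplit=4 means any '|' inside the description stays in the description.
    """
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    epoch, source, host, user, desc = parts
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)   # TLN epochs are UTC
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "host": host,
        "user": user or None,          # empty TLN user field -> null, not ""
        "message": desc,
    }


def tln_to_docs(text: str):
    """Return (documents sorted by time, number of rejected lines)."""
    docs, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = parse_tln_line(line)
        if doc is None:
            rejected += 1
        else:
            docs.append(doc)
    docs.sort(key=lambda d: d["@timestamp"])   # fixed-width ISO strings sort chronologically
    return docs, rejected


def to_ndjson(docs) -> str:
    """One JSON object per line, the shape Filebeat or the bulk API ingests."""
    return "\n".join(json.dumps(d, ensure_ascii=False) for d in docs)


if __name__ == "__main__":
    docs, rejected = tln_to_docs(SAMPLE_TLN)
    print(to_ndjson(docs))
    print(f"# {len(docs)} events, {rejected} rejected line(s)")
```

Keep the rejected count in the processing log: a non-zero value on a RegRipper run usually means a plugin wrote a warning into the TLN stream, and those lines should be reviewed rather than lost.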

Performance Benchmarks

| Evidence Size  | Processing Time | Output Size |
|----------------|-----------------|-------------|
| 50GB SSD Image | 2m15s           | 320MB       |
| 1TB HDD Acq.   | 18m42s          | 4.2GB       |

Tested on Ubuntu 22.04, 16GB RAM, NVMe storage

Integrated Toolstack

| Category                  | Tools Used                | Output Type |
|---------------------------|---------------------------|-------------|
| Registry                  | RegRipper 3.0, Yarp+Flush | CSV/TLN     |
| Browser                   | Hindsight                 | SQLite/JSON |
| Event Logs                | Hayabusa, KACOS 2000      | Sigma       |
| User Access Logging (UAL) | KStrike                   | CSV         |

KStrike is a parser for the Windows Server User Access Logging (UAL) database, not a memory tool.

Key Advantages

  1. Experience Equalizer
    • Presents complex artifact relationships visually
    • Auto-generates investigation hypotheses
  2. Open Architecture
    • Modular plugin system (add custom parsers via /plugins)
    • Compatible with MITRE ATT&CK Navigator
  3. Reporting Ready
    Includes metadata standardization:

```yaml
case:
  examiner: "DFIR_Team"
  hash_algorithm: "SHA256"
  tools_used:
    - siftgrab: "v2.4"
    - hayabusa: "1.8.3"
```
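The hash_algorithm field above only earns its place if the output tree is actually hashed and can be re-verified later. The example below is added for this page and is not Siftgrab's own code: it writes the same case/examiner/hash_algorithm/tools_used fields as a JSON manifest (no PyYAML dependency assumed) extended with a per-file SHA-256 list, and re-checks the tree against it so that a modified or missing output file is reported. The output files in the demo are constructed in a temporary directory.

```python
"""Build and verify a SHA-256 manifest for a forensic output tree.

Added example, not Siftgrab's own code. Mirrors the case metadata fields
shown on the page and adds per-file hashes for chain-of-custody checks.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so multi-GB outputs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, examiner: str, tools: dict) -> dict:
    """Hash every file under root and wrap it in the case metadata block."""
    files = []
    for p in sorted(root.rglob("*")):          # sorted: manifest is deterministic
        if p.is_file():
            files.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    return {"case": {
        "examiner": examiner,
        "hash_algorithm": "SHA256",
        "tools_used": [{name: ver} for name, ver in tools.items()],
        "files": files,
    }}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest["case"]["files"]:
        p = root / entry["path"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def demo():
    """Constructed output tree: hash it, tamper with one file, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="siftgrab-out-"))
    (root / "timeline").mkdir()
    (root / "timeline" / "ws01.tln").write_bytes(b"hello")
    (root / "hayabusa.json").write_bytes(b"[]")
    manifest = build_manifest(root, "DFIR_Team", {"siftgrab": "v2.4", "hayabusa": "1.8.3"})
    before = verify_manifest(root, manifest)
    (root / "timeline" / "ws01.tln").write_bytes(b"hello!")   # simulate post-hoc modification
    after = verify_manifest(root, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("clean before tamper:", before == [])
    print("changed after tamper:", after)
```

Store the manifest outside the tree it describes (or hash it separately and record that value in the case notes); a manifest that lives among the files it attests can be rewritten along with them.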

Resources

Part of SANS Gold Paper Series (DFIR-405)


