Spin up. Investigate. Tear down.
SIFT-Plus is a forensic EC2 instance that's ready the moment it boots — no multi-hour install, no dependency wrangling.
- Built on Ubuntu 22.04 and the SANS SIFT Workstation, the standard DFIR toolkit.
- A defendA "Plus" layer adds modern memory, timeline and image tooling on top.
- Runs right next to your cloud evidence — EBS snapshots, S3, and live instances.
What you can do on day one
Recover deleted files
Walk a disk image with The Sleuth Kit — list deleted entries with fls and carve them back out with icat — or mount E01 evidence read-only and browse it directly.
Hunt in memory
Surface hidden processes, injected code and network connections in a RAM capture with Volatility 3 — the modern, actively maintained memory forensics framework.
Build super timelines
Fuse filesystem, log and registry artifacts into a single timeline with Plaso / log2timeline, then pinpoint exactly when an intrusion happened.
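To show what "fusing" artifacts into a super timeline actually involves, here is a small added example (not Plaso or log2timeline code, and not part of SIFT-Plus): it normalises timestamps from three artifact families to UTC epoch seconds, merges them into one ordered list, and pivots around a suspicious moment. The bodyfile, syslog and registry samples are constructed for the example; the bodyfile column order is the one TSK's `fls -m` emits, and coinciding timestamps are folded into MACB flags the way mactime does.

```python
"""Super-timeline fusion, reduced to its essence: normalise timestamps from
three artifact sources to UTC epoch seconds, merge them into one ordered
list, and pivot around a suspicious moment. This is an added illustration of
what Plaso/log2timeline automates at scale; it is not Plaso code and the
input samples below are constructed, not real evidence."""
from datetime import datetime, timezone
from typing import List, NamedTuple


class Event(NamedTuple):
    ts: int        # seconds since the epoch, UTC
    source: str    # which artifact family the event came from
    message: str   # human-readable description


def iso_to_epoch(text: str) -> int:
    """Parse '2023-11-14T22:15:00Z' or '2023-11-14 22:19:40' as UTC."""
    cleaned = text.strip().rstrip("Z").replace(" ", "T")
    dt = datetime.strptime(cleaned, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_bodyfile(text: str) -> List[Event]:
    """Parse TSK bodyfile lines (fls -m): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Like mactime, timestamps that coincide are folded into one event carrying MACB flags."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        name = fields[1]
        atime, mtime, ctime, crtime = (int(f) for f in fields[7:11])
        per_ts = {}
        for flag, value in zip("MACB", (mtime, atime, ctime, crtime)):
            if value:                       # 0 means "not set" in a bodyfile
                per_ts.setdefault(value, set()).add(flag)
        for ts, flags in per_ts.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append(Event(ts, "filesystem", f"{macb} {name}"))
    return events


def parse_syslog(text: str) -> List[Event]:
    """Parse ISO-timestamped syslog lines: '<ts> <host> <program>: <message>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        events.append(Event(iso_to_epoch(ts), "syslog", rest))
    return events


def parse_registry(text: str) -> List[Event]:
    """Parse 'key,last_write_utc' rows (constructed export format for this example)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, last_write = line.rsplit(",", 1)
        events.append(Event(iso_to_epoch(last_write), "registry", f"LastWrite {key}"))
    return events


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge every source into one list ordered by time, then source, then message."""
    return sorted(e for src in sources for e in src)


def pivot(timeline: List[Event], epoch: int, window: int) -> List[Event]:
    """Return the events within +/- window seconds of a pivot time."""
    return [e for e in timeline if epoch - window <= e.ts <= epoch + window]


def render(timeline: List[Event]) -> str:
    """Format events the way a mactime-style timeline reads."""
    lines = []
    for e in timeline:
        stamp = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp}  {e.source:<10}  {e.message}")
    return "\n".join(lines)


# Constructed sample artifacts (not real evidence). Epoch 1700000000 = 2023-11-14T22:13:20Z.
BODYFILE = (
    "0|/home/admin/Downloads/invoice.bin|12345|r/rrwxrwxrwx|0|0|40960|1700000300|1700000250|1700000250|1700000250\n"
    "0|/tmp/.x|12346|r/rrwxrwxrwx|0|0|1024|1700000500|1700000400|1700000400|1700000400\n"
)
SYSLOG = (
    "2023-11-14T22:15:00Z ws01 sshd[412]: Accepted password for admin from 203.0.113.5 port 52114\n"
    "2023-11-14T22:17:10Z ws01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/chmod +x /home/admin/Downloads/invoice.bin\n"
)
REGISTRY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,2023-11-14 22:19:40\n"


def sample_timeline() -> List[Event]:
    """Fuse the three constructed sources into one super timeline."""
    return build_timeline(parse_bodyfile(BODYFILE), parse_syslog(SYSLOG), parse_registry(REGISTRY))


if __name__ == "__main__":
    tl = sample_timeline()
    print(render(tl))
    print("--- within 60 s of invoice.bin creation ---")
    print(render(pivot(tl, 1700000250, 60)))
```

The point of the `pivot` step is the one the paragraph makes: once every artifact sits on the same UTC clock, a single anchor (here the creation of the dropped file) lets you read the login, the `chmod` and the persistence key in the order they really happened, regardless of which source recorded each.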
Mount anything
Open E01/EWF images (ewf-tools), BitLocker volumes (libbde), and Windows Volume Shadow Copies (libvshadow) with mount points already laid out and waiting.
Parse fast with dissect
Use Fox-IT's dissect framework to triage acquisitions at scale — pull artifacts straight from disk images without unpacking them first.
Crunch evidence at scale
Sift huge datasets and packet captures with pyarrow and tshark, scaling the instance up for the heavy cases and back down when you're done.
Why an AMI from defendA
You could build a forensic box by hand. Here's why you shouldn't have to.
Ready in minutes, not hours
A fresh SIFT install runs a long SaltStack provision and a pile of dependencies. SIFT-Plus bakes all of it into the image, so the time from "we have an incident" to "I'm analyzing evidence" is one EC2 launch.
Investigate next to the evidence
When the data already lives in AWS, drag it across the internet at your peril. Run SIFT-Plus in the same account and region as your EBS snapshots and S3 buckets — low latency, no painful egress.
Modern stack, not just classic SIFT
The Plus layer adds today's tools — Volatility 3, dissect, Plaso, pytsk3, imagemounter, pyarrow — in a clean /opt/ai-tools Python environment, already on your PATH.
Elastic and disposable
Pick the instance size that fits the case, work on the 60 GB forensic volume, then terminate it when the report is filed. Pay for exactly the compute the investigation needed.
Pre-configured for forensics
Mount points for E01, EWF, BitLocker, shadow copies and Windows volumes are created up front, paths are set, and the workstation is tuned for image work out of the box.
Versioned and maintained
Each release pins a known SIFT version and toolset, so your forensic environment is reproducible and consistent across every analyst and every case.
What's inside the image
Base & core
- Ubuntu 22.04 LTS
- SANS SIFT Workstation (via cast)
- 60 GB gp3 forensic volume
Disk & image tooling
- The Sleuth Kit (fls, icat, pytsk3)
- ewf-tools, xmount, imagemounter
- libbde (BitLocker), libvshadow (VSS)
- xfsprogs, squashfs-tools
Memory, timeline & analysis
- Volatility 3 (memory forensics)
- Plaso / log2timeline
- Fox-IT dissect
- pyarrow, tshark, python-magic
Coming soon to the AWS Marketplace
SIFT-Plus is in final preparation for launch on the AWS Marketplace. Subscribe below and we'll let you know the moment it's available.