Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for digital forensics and incident response. To quote @ma77bennett, this combo is reminiscent of "Transformers combining together to form a super robot."
You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. If you prefer the look and feel of SIFT Workstation, use SIFT as the starting point. If you like the look of REMnux, start with that one.
Option 1: Add REMnux to SIFT Workstation
If you wish to start with SIFT Workstation, make sure you have the latest version of SIFT running on Ubuntu 14.04 64-bit. Follow instructions to download SIFT as a pre-built virtual appliance or use the SIFT bootstrap script to install it.
After booting into SIFT Workstation and making sure that it has Internet access, run the following command to install REMnux on it:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
You'll need to enter the SIFT user's password when prompted. By default, the password on the SIFT Workstation's virtual appliance is "forensics".
The REMnux installer will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system. In this configuration, REMnux will not replace the SIFT skin, and your system will look like a standard SIFT Workstation with the exception of a few REMnux documentation shortcuts that the installer will add to the desktop.
Option 2: Add SIFT Workstation to REMnux
If you wish to start with a REMnux system, make sure you have REMnux installed according to its installation instructions to get a REMnux virtual appliance or use the REMnux installer script to bootstrap its installation.
Note that the REMnux virtual appliance is configured to use little RAM by default; if you plan to install SIFT into the same virtual machine, increase the RAM to at least 4GB. Also, if using the REMnux installation script to install REMnux on a compatible system of your own, be sure to allocate enough RAM and disk space to accommodate your SIFT plans.
After booting into REMnux and making sure that it has Internet access, run the following command to install SIFT on it:
wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y
The SIFT installation script will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system.
In this configuration, SIFT will not replace the REMnux branding and your system will look like a standard REMnux system, with the exception of a few SIFT documentation shortcuts that the installer will add to the desktop.
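Both install commands above pipe a downloaded script straight into a root shell. The following added example (not code from this article or from the SIFT or REMnux projects) saves the installer to disk, checks it against a SHA-256 you recorded after reviewing the script yourself, and only then runs it. The function names and the pinned-hash workflow are assumptions; the page does not publish a hash, so the value is shown as a placeholder.

```bash
#!/usr/bin/env bash
# Added example: fetch an installer, pin it to a reviewed SHA-256, then run it.
# Function names and the pinned hash are assumptions, not part of SIFT or REMnux.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 only if the file is non-empty, starts with a shebang (so an HTML
# error page is rejected) and matches the pinned hash.
# Return codes: 1 = hash mismatch, 2 = empty or missing, 3 = not a script.
verify_installer() {
    local file="$1" expected="$2" actual
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 2; }
    head -c 2 "$file" | grep -q '^#!' || { echo "not a script: $file" >&2; return 3; }
    actual="$(sha256_of "$file")"
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    [ "$actual" = "$expected" ] || { echo "hash mismatch: got $actual" >&2; return 1; }
    return 0
}

# Download the URL to a temp file, verify it, and only then hand it to sudo bash.
# Extra arguments (such as -i -s -y for the SIFT bootstrap) are passed through.
fetch_verify_run() {
    local url="$1" expected="$2"; shift 2
    local tmp; tmp="$(mktemp)" || return 4
    wget --quiet -O "$tmp" "$url" || { rm -f "$tmp"; return 4; }
    if verify_installer "$tmp" "$expected"; then
        sudo bash "$tmp" "$@"
    else
        echo "refusing to run $url; inspect $tmp by hand" >&2
        return 1
    fi
}

# Usage (REVIEWED_SHA256 is a placeholder for the hash you recorded):
# fetch_verify_run https://remnux.org/get-remnux.sh REVIEWED_SHA256
# fetch_verify_run https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh REVIEWED_SHA256 -i -s -y
```

A mismatch means the script changed since you last reviewed it; the downloaded copy is left in place so you can diff it against the reviewed version before updating the pinned hash.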
Updating the SIFT+REMnux System
To keep your system up to date with the upgraded and newly-added software, periodically run the following update scripts for SIFT and REMnux, preferably in the order in which you've installed the two distros, such as:
There you have it, two powerful forensics-focused distros combined in one super-toolkit. Be sure to read REMnux and SIFT documentation sites for each distribution to learn how to use the powerful utilities now available at your fingertips.