Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for computer forensics and malware analysis. To quote @ma77bennett, this combo is reminiscent of "Transformers combining together to form a super robot."
You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. As a reminder, the default logon credentials for SIFT Workstation are "sansforensics/forensics". For REMnux they are "remnux/malware".
Option 1: Add REMnux to SIFT Workstation
If most of your work involves digital forensics and incident response tasks for which SIFT Workstation is designed, you'll probably want to start with SIFT Workstation and add REMnux to it. The following approach will let you retain the standard SIFT Workstation look-and-feel, while giving you access to the REMnux malware analysis tools described in the REMnux tool listing.
Begin with version of SIFT running on Ubuntu 20.04. You can download SIFT as a pre-built virtual appliance or use the SIFT-CLI tool to install SIFT from scratch.
To add REMnux to your SIFT Workstation, boot into your SIFT system and make sure that it has internet access.
Before proceeding, make sure your system doesn't have an active Ubuntu unattended upgrade in progress. One way to do this is check whether the "unattended-upgrade" process is active (ps aux | grep unattended-upgrade.) If the upgrade is active, let it finish, then reboot the system before installing REMnux.
Then, follow the steps on the REMnux documentation site to add REMnux to the existing system. This will involve a few simple steps to download the REMnux installer and run it in the "addon" mode. To achieve this, you'll download the REMnux installer and run it using the command:
sudo remnux install --mode=addon
Early in the REMnux installation process you might see the message "Installing and configuring SaltStack..." This step might take a minute or two without demonstrating any visible progress. Please be patient and don't interrupt the installation.
Option 2: Add SIFT Workstation to REMnux
If most of your work involves malware analysis, you'll probably prefer to start with a REMnux system, then add SIFT Workstation. The following steps will allow you to keep the REMnux look-and-feel while benefiting from the forensics tools that come with SIFT Workstation.
Follow installation instructions to set up your REMnux system, starting with a pre-built REMnux virtual appliance or using the REMnux installer to install REMnux from scratch.
To add SIFT Workstation to your REMnux system, boot into your REMnux system and make sure that it has internet access. Then, follow the steps on the SIFT documentation site to install SIFT using the SIFT-CLI tool in "packages-only" mode. To achieve this, you'll download the SIFT-CLI tool and run it using the command:
sudo sift install --mode=packages-only
Early in the SIFT installation process you might see the message "Installing and configuring SaltStack..." This step might take a minute or two without demonstrating any visible progress. Please be patient and don't interrupt the installation.
Updating Your SIFT+REMnux System
To keep your system up to date with the upgraded and newly-added software, periodically run the following commands for SIFT and REMnux:
remnux upgrade sudo sift upgrade
There you have it, two powerful security distros combined in one forensics and malware analysis super-toolkit!
Lenny Zeltser teaches at SANS Institute. He is active on Twitter and writes a security blog.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
