How to Install SIFT Workstation and REMnux on the Same System for Forensics and Malware Analysis


Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for computer forensics and malware analysis. To quote @ma77bennett, this combo is reminiscent of “Transformers combining together to form a super robot.”

You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. As a reminder, the default logon credentials for SIFT Workstation are “sansforensics/forensics” and for REMnux they are “remnux/malware”; change them before you put evidence or malware samples on the system.

Option 1: Add REMnux to SIFT Workstation

If most of your work involves digital forensics and incident response tasks for which SIFT Workstation is designed, you’ll probably want to start with SIFT Workstation and add REMnux to it. The following approach will let you retain the standard SIFT Workstation look-and-feel, while giving you access to the REMnux malware analysis tools described in the REMnux tool listing.

Begin with a version of SIFT running on Ubuntu 18.04. You can download SIFT as a pre-built virtual appliance or use the SIFT-CLI tool to install SIFT from scratch.

To add REMnux to your SIFT Workstation, boot into your SIFT system and make sure that it has internet access. Then follow the steps on the REMnux documentation site for adding REMnux to an existing system: download the REMnux installer, check the download against the hash the REMnux site publishes (the installer runs as root, so do not skip this), and run it in “addon” mode:

sudo remnux install --mode=addon

Early in the REMnux installation process you might see the message “Installing and configuring SaltStack…” This step might take a minute or two without demonstrating any visible progress. Please be patient and don’t interrupt the installation.

[Screenshot: adding REMnux to SIFT Workstation]

Option 2: Add SIFT Workstation to REMnux

If most of your work involves malware analysis, you’ll probably prefer to start with a REMnux system, then add SIFT Workstation. The following steps will allow you to keep the REMnux look-and-feel while benefiting from the forensics tools that come with SIFT Workstation.

Follow installation instructions to set up your REMnux system, starting with a pre-built REMnux virtual appliance or using the REMnux installer to install REMnux from scratch.

To add SIFT Workstation to your REMnux system, boot into your REMnux system and make sure that it has internet access. Then follow the steps on the SIFT documentation site for installing SIFT with the SIFT-CLI tool in “packages-only” mode: download the SIFT-CLI tool, verify it as the SIFT documentation describes (it also runs as root), and run it with the command:

sudo sift install --mode=packages-only

Early in the SIFT installation process you might see the message “Installing and configuring SaltStack…” This step might take a minute or two without demonstrating any visible progress. Please be patient and don’t interrupt the installation.

[Screenshot: adding SIFT Workstation to REMnux]
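Both options above follow the same pattern: fetch an installer, check it, stage it on the PATH, then run it as root in the add-on mode. The script below is an added example that is not part of the original post or of either project's installer; it refuses to stage a download whose SHA-256 does not match the value the project publishes, so a tampered or truncated file never ends up executable and never gets run under sudo. The variables REMNUX_CLI_URL, REMNUX_CLI_SHA256, SIFT_CLI_URL and SIFT_CLI_SHA256 are placeholders you fill in from the REMnux and SIFT documentation, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from either project.
# Fetch an installer, verify its SHA-256 against the published value,
# stage it into a bin directory, then run the add-on install command.
# REMNUX_CLI_URL, REMNUX_CLI_SHA256, SIFT_CLI_URL and SIFT_CLI_SHA256
# are placeholders: set them from the REMnux and SIFT documentation.
set -eu

# Print the hex SHA-256 of FILE.
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# Succeed only when FILE hashes to EXPECTED (hex, case-insensitive,
# because published hashes are sometimes upper-case).
verify_sha256() {
  local file="$1"
  local expected
  expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Copy FILE to DESTDIR/NAME with mode 0755, but only if the hash matches.
# On a mismatch nothing is written and the function returns 1.
stage_installer() {
  local file="$1" expected="$2" destdir="$3" name="$4"
  if ! verify_sha256 "$file" "$expected"; then
    echo "SHA-256 mismatch for $file; refusing to stage $name" >&2
    return 1
  fi
  install -m 0755 "$file" "$destdir/$name"
}

# Download URL, verify it against EXPECTED, install as /usr/local/bin/NAME.
fetch_and_stage() {
  local url="$1" expected="$2" name="$3"
  local tmp staged
  tmp="$(mktemp)"
  staged="$(mktemp -d)"
  curl -fsSL "$url" -o "$tmp"
  stage_installer "$tmp" "$expected" "$staged" "$name"
  sudo install -m 0755 "$staged/$name" "/usr/local/bin/$name"
  rm -rf "$tmp" "$staged"
}

# Option 1: existing SIFT Workstation, add REMnux in "addon" mode.
add_remnux_to_sift() {
  fetch_and_stage "$REMNUX_CLI_URL" "$REMNUX_CLI_SHA256" remnux
  sudo remnux install --mode=addon
}

# Option 2: existing REMnux system, add SIFT in "packages-only" mode.
add_sift_to_remnux() {
  fetch_and_stage "$SIFT_CLI_URL" "$SIFT_CLI_SHA256" sift
  sudo sift install --mode=packages-only
}

# Usage: sh combine.sh add-remnux   or   sh combine.sh add-sift
# With no argument the script only defines the functions.
case "${1:-}" in
  add-remnux) add_remnux_to_sift ;;
  add-sift)   add_sift_to_remnux ;;
esac
```

Run it as the regular SIFT or REMnux user; the only steps that need root are the final copy into /usr/local/bin and the installer itself, and both are behind sudo so the download and hash check never run with elevated privileges.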

Updating Your SIFT+REMnux System

To keep your system current with upgraded and newly-added software, periodically run the following commands, one for REMnux and one for SIFT:

remnux upgrade
sudo sift upgrade

There you have it, two powerful security distros combined in one forensics and malware analysis super-toolkit!

Lenny Zeltser

Lenny Zeltser teaches at SANS Institute. He is active on Twitter and writes a security blog.


*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at: http://feedproxy.google.com/~r/SANSForensics/~3/b-RJSEJpl4E/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system