SANS Digital Forensics and Incident Response Blog

How to Install SIFT Workstation and REMnux on the Same Forensics System

Having the right tools at your fingertips can save hours and even days when examining digital evidence or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkit for digital forensics and incident response. To quote @ma77bennett, this combo is reminiscent of "Transformers combining together to form a super robot."

You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. If you prefer the look and feel of SIFT Workstation, use SIFT as the starting point. If you like the look of REMnux, start with that one.

Option 1: Add REMnux to SIFT Workstation

If you wish to start with SIFT Workstation, make sure you have the latest version of SIFT running on Ubuntu 14.04 64-bit. Follow the SIFT instructions to download it as a pre-built virtual appliance, or use the SIFT bootstrap script to install it.

After booting into SIFT Workstation and making sure that it has Internet access, run the following command to install REMnux on it:

wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash

You'll need to enter the SIFT user's password when prompted. By default, the password on the SIFT Workstation's virtual appliance is "forensics".


The REMnux installer will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system. In this configuration, REMnux will not replace the SIFT skin, and your system will look like a standard SIFT Workstation with the exception of a few REMnux documentation shortcuts that the installer will add to the desktop.

Option 2: Add SIFT Workstation to REMnux

If you wish to start with a REMnux system, make sure you have REMnux installed according to its installation instructions: either download the REMnux virtual appliance or use the REMnux installer script to bootstrap the installation.

Note that the REMnux virtual appliance is configured to use little RAM by default; if you plan to install SIFT into the same virtual machine, increase the RAM to at least 4GB. Also, if you use the REMnux installer script to install REMnux on a compatible system of your own, be sure to allocate enough RAM and disk space to accommodate your SIFT plans.

After booting into REMnux and making sure that it has Internet access, run the following command to install SIFT on it:

wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y

The SIFT installation script will run for a while, depending on the speed of your Internet connection and the strength of your system. Once it completes, reboot the system.


In this configuration, SIFT will not replace the REMnux branding and your system will look like a standard REMnux system, with the exception of a few SIFT documentation shortcuts that the installer will add to the desktop.
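Both options pipe a remote script straight into "sudo bash". As an added example (not from the post, SIFT or REMnux), the shell helpers below fetch the same installer scripts to disk first, print a SHA-256 to keep with your notes, and refuse to run a file that is empty or not a shell script; the function names and the /tmp paths are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the SANS post or of the SIFT/REMnux projects:
# fetch the bootstrap scripts to disk, record a hash, sanity-check the file
# and only then hand it to "sudo bash", instead of "wget -O - ... | sudo bash".
set -eu

# Installer URLs exactly as given in the post.
SIFT_URL="https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh"
REMNUX_URL="https://remnux.org/get-remnux.sh"

# Download an installer to $2 and print its SHA-256 so the value can be
# kept with your notes or compared against one published by the project.
fetch_installer() {
    local url="$1" dest="$2"
    wget --quiet -O "$dest" "$url"
    sha256sum "$dest"
}

# Return 0 only if the file is non-empty and starts with a shell shebang.
# A piped "wget | bash" would silently execute an HTML error page or a
# truncated download; this check makes such a file fail loudly instead.
check_installer() {
    local file="$1"
    [ -s "$file" ] || return 1
    head -n 1 "$file" | grep -Eq '^#!/.*sh( |$)' || return 1
    return 0
}

# Run a checked installer as root, forwarding any arguments. The SIFT
# bootstrap takes "-i -s -y" as in the post; the REMnux script takes none.
run_installer() {
    local file="$1"; shift
    check_installer "$file" || { echo "refusing to run $file" >&2; return 1; }
    sudo bash "$file" "$@"
}

# Option 1 (SIFT host, adding REMnux) would look like:
#   fetch_installer "$REMNUX_URL" /tmp/get-remnux.sh
#   less /tmp/get-remnux.sh        # read it before running it
#   run_installer /tmp/get-remnux.sh
# Option 2 (REMnux host, adding SIFT):
#   fetch_installer "$SIFT_URL" /tmp/sift-bootstrap.sh
#   run_installer /tmp/sift-bootstrap.sh -i -s -y
```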


Updating the SIFT+REMnux System

To keep your system up to date with upgraded and newly added software, periodically run the update scripts for SIFT and REMnux, preferably in the order in which you installed the two distros, for example:

update-sift
update-remnux

There you have it: two powerful forensics-focused distros combined in one super-toolkit. Be sure to read the REMnux and SIFT documentation sites for each distribution to learn how to use the powerful utilities now available at your fingertips.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.

2 Comments

Posted July 6, 2015 at 3:52 PM

Stephan

Does anyone know if FTK Imager is still part of SansSift? I downloaded last week, MD5's checked, but I cannot find FTK Imager. Also, AccessData may no longer be providing it for free.
Can anyone suggest a stable, reliable, FREE imager?
I'm a CS student at Shepherd Univ. so funds are tight, just getting started in my study of forensics.
Thanks

Posted July 9, 2015 at 7:16 PM

Travis Haymore

This is a great combination but I recommend some specific steps:
Install Linux (I installed Ubuntu 14.04.2)
-After installation, update all binaries
-reboot
Install Sift (I installed v3)
wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y
-Reboot
Install REMnux
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
-Reboot
(I immediately took a snapshot in VMWare and Fusion -For the MacBook)
I took these steps as I ran into some issues trying to install SIFTv3 after installing Linux. The above process went flawlessly. Hopefully this will save others any aggravation :-)