REMnux – Baker Street Forensics

MalChela 2.2 “REMnux” Release

MalChela’s 2.2 update is packed with practical and platform-friendly improvements. It includes native support for REMnux, better tool settings, and deeper integrations with analysis tools like YARA-X, Tshark, Volatility3, and the newly improved fileanalyzer module.

🦀 REMnux Edition: Built-In Support, Zero Tweaks

When the GUI loads a REMnux-specific tools.yaml profile, it enters REMnux mode.

Screenshot of yaml configuration applying REMnux mode

Native binaries and Python scripts like capa, oledump.py, olevba, and FLOSS are loaded into the MalChela tools menu, allowing you to mix and match operations with the embedded MalChela utilities and the full REMnux tool stack. No manual configuration needed—just launch and go. MalChela currently supports the following REMnux programs right out of the box:

Tool Name	Description
binwalk	Firmware analysis and extraction tool
capa	Identifies capabilities in executable files
radare2	Advanced reverse engineering framework
Volatility 3	Memory forensics framework for RAM analysis
exiftool	Extracts metadata from images, documents, and more
TShark	Terminal-based network packet analyzer (Wireshark CLI)
mraptor	Detects malicious macros in Office documents
oledump	Parses OLE files and embedded streams
oleid	Identifies features in OLE files that may indicate threats
olevba	Extracts and analyzes VBA macros from Office files
rtfobj	Extracts embedded objects from RTF documents
zipdump	Inspects contents of ZIP files, including suspicious payloads
pdf-parser	Analyzes structure and contents of suspicious PDFs
FLOSS	Reveals obfuscated and decoded strings in binaries
clamscan	On-demand virus scanner using ClamAV engine
strings	Extracts printable strings from binary files
YARA-X	Next-generation high-performance YARA rule scanner

If you only need a subset of tools you can easily save and restore that a custom profile.

TShark Panel with Built-In Reference

Tshark and the integrated field reference

A new TShark integration exposes features including:

A filter builder panel
Commonly used fields reference
Tooltip hints for each example (e.g., `ip.addr == 192.168.1.1` shows “Any traffic to or from 192.168.1.1”)
One-click copy support

This helps analysts build and understand filters quickly—even if TShark isn’t something they use every day. Using the syntax builder in MalChela you can use the exact commands directly in Tshark or Wireshark.

YARA-X Support (Install Guide Included)

Support for YARA-X (via the `yr` binary) is now built in. YARA-X is not bundled with REMnux by default, but install instructions are included in the User Guide for both macOS and Linux users.

Once installed, MalChela allows for rule-based scanning from the GUI,and with YARA-X, it’s faster than ever.

fileanalyzer: Fuzzy Hashing, PE Metadata, and More

MalChela’s fileanalyzer tool has also been updated to include:

Fuzzy hashing support via `ssdeep`
BLAKE3 hashing for fast, secure fingerprints
Expanded PE analysis, including:
Import and Export Table parsing (list of imported and exported functions)
Compilation Timestamp (for detection of suspicious or forged build times)
Section Characteristics (flags like IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, etc., for detecting anomalous sections)

These improvements provide deeper insight into executable structure, helping analysts detect anomalies such as packers, suspicious timestamps, or unexpected imports/exports. Useful for everything from sample triage to correlation, fileanalyzer now digs deeper—without slowing down.

Memory Forensics Gets a Boost: Volatility 3 Now Supported

With the 2.2 release, MalChela introduces support for Volatility 3, the modern Python-based memory forensics framework. Whether you’re running MalChela in REMnux or on a customized macOS or Linux setup, you can now access the full power of Volatility directly from the MalChela GUI.

There’s an intuitive plugin selector that dynamically adjusts available arguments based on your chosen plugin,. You can search, sort, and browse available plugins, and even toggle output options like –dump-dir with ease.

Like Tshark, there is an added plugin reference panel with searchable descriptions and argument overviews — a real time-saver when navigating Volatility’s deep and often complex toolset.

Smarter Tool Configuration via YAML

The tool configuration system continues to evolve:

Tools now declare their input type (file, folder, or hash)
The GUI dynamically adjusts the interface to match
Alternate profiles (like REMnux setups) can be managed simply by swapping `tools.yaml` files via the GUI
Easily backup or restore your custom setups
Restore the default toolset to get back to basics

This structure helps keep things clean—whether you’re testing, teaching, or deploying in a lab environment.

Embedded Documentation Access

The GUI now includes a link to the full MalChela User Guide in PDF. You can also access the documentation online.

From tool usage and CLI flags to configuration tips and install steps, it’s all just a click away—especially useful in offline environments or when onboarding new analysts. I’ll be honest, this is likely the most comprehensive user guide I’ve ever written.

Whether you’re reviewing binaries, building hash sets, or exploring network captures—MalChela 2.2 is designed bring together the tools you need, and make it easier to interoperate between them.

The new REMnux mode makes it even easier to get up and running with dozens of third party integrations.

Have an idea for a feature or application you’d like to see supported — reach out to me.

GitHub: REMnux Release

MalChela User Guide: Online, PDF, Web

Shop: T-shirts, hats, stickers, and more

Installing REMnux on a MacBook Pro

DFIR, Forensics, Mac, Malware

I had an older MacBook Pro (15-inch, 2.53GHz, Mid 2009) that had been unused for a while as it was no longer getting updates from Apple. It’s one of the Intel chip ones and last ran Monterey. I pulled it out of the closet and decided to give it a refresh by installing REMnux on it. The process was pretty straightforward, but there were a couple things noted along the way I thought I’d share.

Start off by downloading the Ubuntu 20.04.6 AMD64 Desktop ISO. Yes, 20.04. Later installations aren’t supported by the REMnux installer.

Next you’ll want to burn the image to a flash drive, and make it bootable, using Rufus (Windows) or Balena Etcher (Mac.) This model MacBook has USB-A ports which seems like a relic compared to the current Macs. You’ll need at least an 8GB flash drive for the Ubuntu image. The first free one I could find was 32GB so I used that.

With the bootable USB drive inserted, power-up the MacBook and hold the option key until you see the different hard drives listed.

The flash drive is the one that shows as EFI Boot. Select it and hit return/enter.

Once everything is booted up you’ll get to the Try or Install Ubuntu menu. We’ll choose install.

Specify options as needed for timezone, keyboard, etc. For the username we’ll use remnux and the password malware as that’s the default. After the installation you can set the password for the remnux user as you wish.

At the Installation type we’ll choose Erase disk and install Ubuntu.

Sorry for the wavy resolution. Tough to get good screenshots during bare-metal OS installations.

Once the installation completes, hit Restart Now.

When I first logged in I was getting an error, “Activation of network connection failed” when trying to authenticate to the wireless network. Disabling IPv6 for that network fixed. it.

Now that we’ve got connectivity, we can grab any available Ubuntu updates.

sudo apt-get update && sudo apt-get upgrade

If at any point you’re prompted to do a distribution upgrade (a version of Ubuntu later than 20.04), choose Don’t Upgrade.

Once you’ve done all the OS updates, and rebooted, we can start the REMnux installation. We’ll be following the Install from Scratch instructions at remnux.org

wget https://REMnux.org/remnux-cli
sha256sum remnux-cli

Verify the hash matches the published hash 88cd35b7807fc66ee8b51ee08d0d2518b2329c471b034ee3201e004c655be8d6

mv remnux-cli remnux
chmod +x remnux
sudo mv remnux /usr/local/bin

The first time I ran the installer it failed as curl wasn’t installed. So take care of that before starting the install.

sudo apt-get install curl

At this point we’re ready to run the installation. The one deviation I’m choosing here is that rather than the standard install, I’m choosing the ‘cloud mode.’

If you’re depoying REMnux in a remote cloud environment and will need to keep the SSH daemon enabled for remotely accessing the system, use the following command instead to avoid disabling the SSH daemon. Remember to harden the system after it installs to avoid unauthorized logins.
remnux.org

In my case I plan to be ssh’ing into the box from within my own network more often than actual hands on keyboard, hence the cloud mode.

sudo remnux install --mode=cloud

At this point grab a coffee, walk the dog, or find something to do while the wall of text streams by.

Note if the install fails the first time don’t be afraid to re-run the install command a 2nd time.

Finally when it’s done, Reboot.

There you go. A shiny, happy, malware analysis machine.

Designing Internet Access for Compromised Systems

DFIR, DIY, Malware, USB

Virtual machines are a godsend when it comes to malware analysis. Granted there a many malware samples that may have capabilities to detect if they are operating in a virtualized environment and thus respond differently. Many, though not all of these, can be mitigated by patching the malware binary, or tricking it into a false result before needing to look at the sample on a bare-metal system.

When I’m looking at a piece of malware, I’ll run it through a number of environments, gradually permitting external access once I have an idea of what the malware’s capabilities look like. Initially when detonating samples, I’ll have the target endpoint and a REMnux virtual machine running inetsim operating on an isolated network. Rather than re-invent the wheel, here’s a solid article on setting up an isolated network on VMware ESXi.

At some point I want to enable access to the internet to observe command and control (C2) and any dropper activity. I don’t want there to be an avenue for the malware to be able to interact with any other assets whether on my lab network, or outside it. One way to solve this would be networking and introducing a router to broker the network access. It’s been a while since I had my CCNA and I had some hesitations about getting it right without impacting other services in a very internet dependent household. What I wound up going with instead is a completely separate internet connection for the malware network utilizing a LTE hot-spot.

I run my lab environment on ESXi environment using an Intel NUC. The model I have only has one onboard NIC. The easiest way to add another physical adapter was with a USB Gigabit Ethernet adapter for a measly $13 on amazon. ESXi will not detect this adapter out of the box. Follow the process on this article to configure the USB network adapter for ESXi. You will need to download the USB Network Native Driver for ESXi. Be sure to select the appropriate version to match the version of ESXi you’re running. I’m sure there’s an interesting story on why VMWare calls these ‘Flings’ but that knowledge escapes me.

If all goes as it should, and doesn’t it always, you should see second physical adapter (vusb0) in the ESXi console.

For the secondary internet access, I wound up going with a Netgear LM1200 LTE Hotspot. I like this device because you can configure it to use an LTE connection as a backup if your primary wired internet service is down. I may utilize that in the future but for now it’s only used on the malware network without any connection to the primary LAN. Based on my current cellular plan I was able to add the minimum hotspot plan for $10/mo. A worthy investment for me for the peace of mind that I’m (less likely) to compromise the rest of my network when experimenting with live malware. It will also (one would hope) keep my home IP off any watchlists for malware beacons, or anyone else tracking where different samples are detonated from. As Mr. Heller sagely said, “Just because you’re paranoid doesn’t mean they aren’t after you.”

The same setup could be very useful for responding to compromises in isolated enterprise or manufacturing environments. If you need to have the device access the internet (maybe to upload evidence to you Forensics Service Provider (FSP)), but don’t want to maintain a connection to the corporate LAN due to suspected compromise, this solution would work for that.

Once I had the hotspot up and running, the LAN connection on the hotpot gets connected to the USB ethernet adapter. Then go back to ESXi to the isolated network you created before, the one that you were warned “NO UPLINK”, and use the ‘Add uplink’ function and add the vusb0 device. You can adjust the settings on the LTE hotspot for DHCP if needed as long as the device is in Router (not Bridged) mode.

Malware network with external internet access

That’s it. Now when the infected computer needs to get to the internet, all traffic will go through the LTE connection and the infected systems remain isolated from the primary network.

If I’m in a situation where I absolutely need to run the malware on a bare-metal system I can connect using the LTE modem without threat to any of the other physical systems.

Adding SIFT and REMnux to your Windows Forensics environment

DFIR

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve taken throughout my career. Recently, I’ve been using REMnux, another SANS Linux distribution, specifically for Volatility 3 for memory analysis and some of the other tools for malicious document examinations.

Through all these years of use, it was almost all leveraging virtual machine (VM) images. Often there was at least one machine in my home lab that had SIFT running as the native OS – for when I had something processor or memory intensive to run. The challenge with VM’s is that they’re competing with the host system for resources. As Moore’s Law has advanced so have the clock cycles at my disposal – but there’s still always going to be a trade-off, so scale your systems appropriately.

A little over a year ago, I started using the “packages only” or “server mode” of the SIFT distribution, running under Windows Subsystem for Linux (WSL) on a Windows 10 machine. The installation wasn’t always smooth but once it was running – good times. I now had all my favorite Linux forensics tools running side by side on my Windows system.

The SIFT distribution was recently updated with full support for the latest LTS version of Ubuntu (20.04). REMnux as a standalone has been on 20.04 for a while. What I’m going to walk you through here is how to install both SIFT and REMnux within WSL, and how to backup and share your customized install.

Prerequisite 1: Up to date Windows 10 system.

Prerequisite 2: Install Windows Subsystem for Linux (WSL) https://docs.microsoft.com/en-us/windows/wsl/install-win10

Once WSL is enabled and you’ve done the reboot if required, go the the Microsoft Store and install the latest version of Ubuntu. https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6?activetab=pivot:overviewtab

Installing SIFT on WSL

On the first boot, Ubuntu will have you specify a username and password. Forensicator works for me and doesn’t present any OpSec issues if I have to include screenshots in reports (or intriguing blog posts).

Before installing SIFT, ensure the OS is up to date by running sudo apt update && sudo apt upgrade

Elevate to root to for the installation, otherwise there may be permissions issues during the install. sudo su

Follow the instructions here to install the SIFT CLI (Command Line Interface): https://github.com/teamdfir/sift-cli#installation

Install SIFT within WSL using the syntax sift install –mode=server

The process could take a while depending on both your hardware resources and internet speeds. Feel free to browse other posts here at Baker Street while you wait. Just make sure you come back as there’s more to do.

Adding REMnux to SIFT

Once the SIFT distribution is installed, we’re going to add the REMnux distribution over the top. Doing so will provide you the full toolset of both distributions, all running in one WSL instance.

We’ll use the process here to Add [REMnux] to an Existing System https://docs.remnux.org/install-distro/add-to-existing-system

Note: After the install, REMnux will suggest you reboot the pc. How do you reboot an Ubuntu instance in WSL? Open a PowerShell window as Administrator and type Get-Service LxssManager | Restart-Service

**update – If you’re running WSL 2, the command to ‘reboot’ WSL is

wsl --shutdown

When you launch the instance the next time wsl will start.

Great! Now we’ve got the full tool stack from both – running within our Windows environment. I prefer using WSL over a VM when I have the opportunity as the overhead resources used to run the 2nd OS (Ubuntu) in WSL is less intensive than booting up a full VM.

Just one more step and we’ll be able to backup, copy and reload the customized build.

Exporting your SIFT-REMnux Distro

Exporting your build will enable a number of things. If your environment gets corrupted for any reason you can reload the build from a known good state. You can also use this format to share the installation with members of your team so you’re all working from the same toolset. This also works well to add this customized build to a system that may have restricted or limited internet access and cannot access all the necessary repositories to pull down the tools.

In a PowerShell window as Administrator, wsl -l will list the installed WSL distributions. In this case the only installation is the Ubuntu installation we just customized.

In this example I’m exporting the instance to a location on a D:\ drive with the filename of SIFT-REMnux.tar. The syntax is wsl –export [name of WSL instance] [export file path and file name]. Tar is the required format for backing up and restoring WSL instances.

Voila! You’ve now got a backup of your SIFT and REMnux WSL installation. On the last step I’ll show you have you can import the customized distro to another Windows 10 system.

Importing your SIFT-REMnux Distro

Note: the new system will need to have WSL enabled as discussed in the beginning of the post. The Ubuntu distro does NOT need to be installed.

To import the distro use the syntax wsl –import [desired name for distro] [file path where distro will live] [tar file being imported]. In this case I have the .tar file in C:\WSL and will be installing to C:\WSL\SIFT-Linux folder. Once again you want to use an elevated PowerShell session to perform the import.

That’s it. You’ve now added the customized SIFT-REMnux WSL instance to your system.

Once the process completes you can verify the distro was loaded using the wsl -l command

In this case I had a previous Ubuntu 18.04 instance, and now the new SIFT-REMnux instance is visible as well.

To invoke your SIFT-REMnux instance wsl –distribution SIFT-REMnux

To validate the running version numbers for SIFT and REMnux use sift -v and remnux -v respectively.

CHEERS!