Cross-Platform DFIR Tools: MalChelaGUI on Windows

It’s a Trick and a Treat

Sometimes the best breakthroughs are the ones you don’t plan for.  After a routine Windows update this week, I launched MalChelaGUI from the Ubuntu terminal on an Ubuntu WSL2 instance — and it simply opened. No X-server, no environment tweaks, no extra packages.

🎉 😱 A Rust native GUI app on Windows, via Ubuntu WSL terminal!

The latest WSL 2.5 + WSLg 1.0.66 update from Microsoft quietly unlocked full Wayland and GPU acceleration for Linux GUI apps on Windows 11 24H2.  (Note the latest WSL at the time of this post is 2.61)

The result? MalChelaGUI now runs as a true desktop app on Windows, powered entirely by Ubuntu WSL.  


Why This Matters

  • 🧰 No configuration needed — just follow the default instructions on GitHub and build MalChela as usual (WSL with Ubuntu 24.04 or later).
  • 🪟 Native windowing — clipboard, display scaling, and GPU acceleration are all handled automatically.
  • 🦀 Cross-platform parity — macOS, Linux, and now Windows (via WSL) all run the same GUI experience.

It’s a small but meaningful proof of concept: cross-platform DFIR tooling can now live comfortably in every environment analysts work in — even Windows, without compromise.


Call for Testers

If you’re running Windows 11 24H2 or newer, update WSL and give it a try:

```powershell
wsl --update
```

Then from Ubuntu WSL:

```bash
./target/release/MalChelaGUI
```

If it launches successfully, drop me a note or tag me — I’d love to hear how it behaves across different hardware and GPU setups.

Installing the latest SIFT Workstation in WSL

If you’re like me and have your favorite forensic tools for Linux, and your favorite tools for Windows, you can run them both on the same machine without having to diminish resources with the use of a virtual machine. You can do this by installing SIFT (SANS Investigative Forensic Toolkit) within WSL (Windows Subsystem for Linux).

Note: this article assumes that WSL is already installed. If not, GTS.

Start off by grabbing Ubuntu 22.04 from the Windows Store, or, if you prefer the command line:

wsl --install -d Ubuntu-22.04

New UNIX username: sansforensics

Password: ***************

Retype new password: ***************

Download cast from GitHub. 

wget https://github.com/ekristen/cast/releases/download/v0.14.30/cast-v0.14.30-linux-amd64.deb

Install cast from the download with the command

sudo dpkg -i cast-v0.14.30-linux-amd64.deb

Finally, install the server mode version of SIFT.  Server mode only installs the SIFT command line applications, which is most appropriate for running under WSL.

sudo cast install --mode=server teamdfir/sift-saltstack

If all goes right you’ll see a wall of text that concludes (after a few minutes) with ‘salt-call completed successfully.’

My go-to test for SIFT installations has always been to run Volatility (-h for help).

vol.py -h

If you’re seeing output, the mission was a success.
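The install above is typed step by step into the Ubuntu shell. As an added example (not from the post, and not part of cast or SIFT), here is the same sequence driven from PowerShell so it runs unattended, with one check the manual steps skip: the cast .deb is hashed and the install stops if it does not match the value you copied from the GitHub release page. It assumes Ubuntu-22.04 is already registered in WSL with its first-run user created; `Invoke-InDistro` is a helper defined here, and the expected hash is a placeholder, not a real value.

```powershell
# Added example: automate the post's SIFT-in-WSL install from PowerShell and verify the
# cast package before installing it. Assumes Ubuntu-22.04 is already registered in WSL.
$Distro         = 'Ubuntu-22.04'
$CastVersion    = 'v0.14.30'                     # release used in the post
$CastDeb        = "cast-$CastVersion-linux-amd64.deb"
$CastUrl        = "https://github.com/ekristen/cast/releases/download/$CastVersion/$CastDeb"
$ExpectedSha256 = 'REPLACE_WITH_SHA256_FROM_RELEASE_PAGE'   # placeholder: copy from the release page

function Invoke-InDistro([string]$Command) {
    # Run one shell command as root inside the distro (the post uses sudo for each step)
    # and stop the script on the first non-zero exit code.
    wsl.exe -d $Distro -u root -- bash -lc $Command
    if ($LASTEXITCODE -ne 0) { throw "Command failed ($LASTEXITCODE): $Command" }
}

Invoke-InDistro 'apt-get update && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y'
Invoke-InDistro "cd /tmp && wget -q '$CastUrl'"
# sha256sum -c exits non-zero on a mismatch, so a tampered or truncated download stops here
# instead of being handed to dpkg.
Invoke-InDistro "cd /tmp && echo '$ExpectedSha256  $CastDeb' | sha256sum -c -"
Invoke-InDistro "dpkg -i /tmp/$CastDeb"
# Server mode installs only the command-line tools, which is what makes sense under WSL.
Invoke-InDistro 'cast install --mode=server teamdfir/sift-saltstack'

# The post's smoke test: Volatility's help text should come back for the regular user.
wsl.exe -d $Distro -- vol.py -h | Select-Object -First 5
```

Each step runs as root through `wsl -u root`, so no password prompts interrupt the run; the `cast install` step still takes several minutes, exactly as the manual install does.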

Besides saving the resources needed for a full VM, you also don’t have to worry about duplicating copies of evidence items as both Windows and Ubuntu are running on the same machine.

Now get yourself familiar with the Linux tools of the SIFT Workstation and enjoy running them in parallel with your favorite Windows forensic applications.

SIFT Cheat Sheet: https://pentest.sans.org/security-resources/posters/sift-cheat-sheet/355/download

Using WSL Profiles for Frequent Applications

Windows Subsystem for Linux (WSL) adds a lot of capability and convenience for running DFIR applications on a Windows host. Previously I wrote about how to add a SIFT/REMnux Ubuntu distribution to WSL.

Another tip I’d like to share with you is setting up separate profiles for frequently used applications.

Volatility is one of the applications I’m in frequently, whether for work or lab(work). Sure, I can open a command window and then navigate to the appropriate application path; but why not make it a one-click option.

To begin, open Windows Terminal, and go to the Settings menu.

On the bottom left, select ‘Add a new profile.’

PowerShell (Core) is my default shell environment. I’ll select this as the profile to duplicate.

After you hit ‘Duplicate’ you’ll be presented with a copy of the profile.

Update the Name and Starting directory to reflect the application path.

You can customize the Icon and Tab title. Under the Appearance tab you can assign a custom background for the WSL profile. Be sure to click Save when you’ve made your changes.

Now when I want to open a Volatility session, it’s right there on the drop down in WSL.

If you have WSL parked on the Taskbar, you can select the new profile (or any other profile) with a right-click.

If you want to have your WSL instances in separate windows, versus the default tabbed layout, right clicking from the taskbar will open the selected session in a new window.
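The profile above is built by clicking through Settings. As an added example (not from the post, and not part of Windows Terminal's own tooling), the script below creates an equivalent profile by editing settings.json directly, which is handy when you want the same one-click Volatility session on every analyst workstation. It assumes the Store (packaged) build of Windows Terminal, so the settings path is the packaged one; the distro name `SIFT-REMnux`, the user `forensicator` and the directory `/home/forensicator/volatility3` are illustrative values to replace with your own.

```powershell
# Added example: add a Windows Terminal profile for a WSL distro without the Settings UI.
# Assumes the packaged (Microsoft Store) Windows Terminal; distro, user and path are placeholders.
$SettingsPath = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
$Distro       = 'SIFT-REMnux'
$ProfileName  = 'Volatility (SIFT-REMnux)'
$LinuxDir     = '/home/forensicator/volatility3'   # placeholder: where your Volatility checkout lives

if (-not (Test-Path $SettingsPath)) { throw "settings.json not found at $SettingsPath" }

# Keep a dated backup first: a malformed settings.json makes Terminal fall back to defaults.
$Backup = "$SettingsPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item -Path $SettingsPath -Destination $Backup

# PowerShell 7 tolerates the // comments in the default settings file (they are dropped on save).
$settings = Get-Content -Path $SettingsPath -Raw | ConvertFrom-Json

if ($settings.profiles.list | Where-Object name -eq $ProfileName) {
    Write-Host "Profile '$ProfileName' already exists; nothing to do."
    return
}

$newProfile = [pscustomobject]@{
    guid              = "{$([guid]::NewGuid())}"      # Terminal expects the GUID wrapped in braces
    name              = $ProfileName
    tabTitle          = 'Volatility'
    commandline       = "wsl.exe -d $Distro"          # open this distro rather than the default one
    # UNC path into the distro's filesystem, e.g. \\wsl$\SIFT-REMnux\home\forensicator\volatility3
    startingDirectory = "\\wsl$\$Distro$($LinuxDir -replace '/', '\')"
    hidden            = $false
}

$settings.profiles.list += $newProfile

# -Depth matters: the default of 2 would silently truncate nested colour schemes and actions.
$settings | ConvertTo-Json -Depth 100 | Set-Content -Path $SettingsPath -Encoding utf8
Write-Host "Added profile '$ProfileName' (backup at $Backup). Restart Windows Terminal to see it."
```

Run it while Windows Terminal is closed, or restart Terminal afterwards, so the new entry appears in the drop-down and in the taskbar right-click menu like any hand-made profile.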

Adding SIFT and REMnux to your Windows Forensics environment

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve taken throughout my career. Recently, I’ve been using REMnux, another SANS Linux distribution, specifically for Volatility 3 for memory analysis and some of the other tools for malicious document examinations.

Through all these years of use, it was almost all leveraging virtual machine (VM) images. Often there was at least one machine in my home lab that had SIFT running as the native OS – for when I had something processor or memory intensive to run. The challenge with VMs is that they’re competing with the host system for resources. As Moore’s Law has advanced so have the clock cycles at my disposal – but there’s still always going to be a trade-off, so scale your systems appropriately.

A little over a year ago, I started using the “packages only” or “server mode” of the SIFT distribution, running under Windows Subsystem for Linux (WSL) on a Windows 10 machine. The installation wasn’t always smooth but once it was running – good times. I now had all my favorite Linux forensics tools running side by side on my Windows system.

The SIFT distribution was recently updated with full support for the latest LTS version of Ubuntu (20.04). REMnux as a standalone has been on 20.04 for a while. What I’m going to walk you through here is how to install both SIFT and REMnux within WSL, and how to backup and share your customized install.

Prerequisite 1: Up to date Windows 10 system.

Prerequisite 2: Install Windows Subsystem for Linux (WSL) https://docs.microsoft.com/en-us/windows/wsl/install-win10

Once WSL is enabled and you’ve done the reboot if required, go to the Microsoft Store and install the latest version of Ubuntu. https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6?activetab=pivot:overviewtab

Installing SIFT on WSL

On the first boot, Ubuntu will have you specify a username and password. Forensicator works for me and doesn’t present any OpSec issues if I have to include screenshots in reports (or intriguing blog posts).

Before installing SIFT, ensure the OS is up to date by running sudo apt update && sudo apt upgrade

Elevate to root for the installation, otherwise there may be permissions issues during the install: sudo su

Follow the instructions here to install the SIFT CLI (Command Line Interface): https://github.com/teamdfir/sift-cli#installation

Install SIFT within WSL using the syntax sift install --mode=server

The process could take a while depending on both your hardware resources and internet speeds. Feel free to browse other posts here at Baker Street while you wait. Just make sure you come back as there’s more to do.

Adding REMnux to SIFT

Once the SIFT distribution is installed, we’re going to add the REMnux distribution over the top. Doing so will provide you the full toolset of both distributions, all running in one WSL instance.

We’ll use the process here to Add [REMnux] to an Existing System https://docs.remnux.org/install-distro/add-to-existing-system

Note: After the install, REMnux will suggest you reboot the PC. How do you reboot an Ubuntu instance in WSL? Open a PowerShell window as Administrator and type Get-Service LxssManager | Restart-Service

**Update: If you’re running WSL 2, the command to ‘reboot’ WSL is

wsl --shutdown

The instance will start again the next time you launch it.

Great! Now we’ve got the full tool stack from both – running within our Windows environment. I prefer using WSL over a VM when I have the opportunity, as the overhead of running the second OS (Ubuntu) in WSL is lower than booting up a full VM.

Just one more step and we’ll be able to backup, copy and reload the customized build.

Exporting your SIFT-REMnux Distro

Exporting your build will enable a number of things. If your environment gets corrupted for any reason you can reload the build from a known good state. You can also use this format to share the installation with members of your team so you’re all working from the same toolset. This also works well to add this customized build to a system that may have restricted or limited internet access and cannot access all the necessary repositories to pull down the tools.

In a PowerShell window as Administrator, wsl -l will list the installed WSL distributions. In this case the only installation is the Ubuntu installation we just customized.

In this example I’m exporting the instance to a location on a D:\ drive with the filename of SIFT-REMnux.tar. The syntax is wsl --export [name of WSL instance] [export file path and file name]. Tar is the required format for backing up and restoring WSL instances.

Voila! You’ve now got a backup of your SIFT and REMnux WSL installation. In the last step I’ll show you how you can import the customized distro to another Windows 10 system.

Importing your SIFT-REMnux Distro

Note: the new system will need to have WSL enabled as discussed in the beginning of the post. The Ubuntu distro does NOT need to be installed.

To import the distro use the syntax wsl --import [desired name for distro] [file path where distro will live] [tar file being imported]. In this case I have the .tar file in C:\WSL and will be installing to the C:\WSL\SIFT-Linux folder. Once again you want to use an elevated PowerShell session to perform the import.

That’s it. You’ve now added the customized SIFT-REMnux WSL instance to your system.

Once the process completes you can verify the distro was loaded using the wsl -l command

In this case I had a previous Ubuntu 18.04 instance, and now the new SIFT-REMnux instance is visible as well.

To invoke your SIFT-REMnux instance: wsl --distribution SIFT-REMnux

To validate the running version numbers for SIFT and REMnux use sift -v and remnux -v respectively.
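The export and import above are two separate hand-typed commands. As an added example (not from the post, and not part of WSL itself), the functions below wrap them so the .tar travels with a SHA-256 sidecar and the import refuses an archive whose hash no longer matches, which is the check you want when the build is shared across a team or carried onto an air-gapped system. `Invoke-Wsl`, `Test-WslDistro`, `Export-WslDistro` and `Import-WslDistro` are helpers defined here; the distro name and file paths are the post's illustrative ones.

```powershell
# Added example: WSL export/import with an integrity check on the archive. Run from an
# elevated PowerShell, as the post does. Helper names and paths are illustrative.
$env:WSL_UTF8 = '1'   # make wsl.exe print UTF-8 instead of UTF-16 so its output can be matched here

function Invoke-Wsl {
    # Thin wrapper so every wsl.exe call stops the script on a non-zero exit code.
    param([string[]]$Arguments)
    & wsl.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "wsl.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Test-WslDistro([string]$Name) {
    # True if the distro appears in 'wsl -l -q' (quiet listing: one name per line).
    $names = & wsl.exe -l -q | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return $names -contains $Name
}

function Export-WslDistro([string]$Name, [string]$TarPath) {
    if (-not (Test-WslDistro $Name)) { throw "Distro '$Name' is not installed" }
    Invoke-Wsl -Arguments @('--terminate', $Name)    # stop the instance so the export is consistent
    Invoke-Wsl -Arguments @('--export', $Name, $TarPath)
    $hash = (Get-FileHash -Path $TarPath -Algorithm SHA256).Hash
    # The sidecar travels with the archive; whoever imports it can confirm they got the same bytes.
    "$hash  $(Split-Path $TarPath -Leaf)" | Set-Content -Path "$TarPath.sha256" -Encoding ascii
    Write-Host "Exported $Name to $TarPath (SHA-256 $hash)"
}

function Import-WslDistro([string]$Name, [string]$InstallDir, [string]$TarPath) {
    $expected = (Get-Content -Path "$TarPath.sha256" -TotalCount 1).Split(' ')[0]
    $actual   = (Get-FileHash -Path $TarPath -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for ${TarPath}: expected $expected, got $actual" }
    if (Test-WslDistro $Name) { throw "A distro named '$Name' already exists; pick another name or unregister it first" }
    New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
    Invoke-Wsl -Arguments @('--import', $Name, $InstallDir, $TarPath, '--version', '2')
    # Same validation the post uses: ask the imported distro for its SIFT and REMnux versions.
    Invoke-Wsl -Arguments @('-d', $Name, '--', 'sift', '-v')
    Invoke-Wsl -Arguments @('-d', $Name, '--', 'remnux', '-v')
}

# Usage: first line on the source machine, second on the destination machine.
# Export-WslDistro -Name 'Ubuntu' -TarPath 'D:\SIFT-REMnux.tar'
# Import-WslDistro -Name 'SIFT-REMnux' -InstallDir 'C:\WSL\SIFT-Linux' -TarPath 'C:\WSL\SIFT-REMnux.tar'
```

Copy the .tar and its .sha256 together; if the archive is altered or truncated in transit, the import stops at the hash comparison rather than registering a distro you cannot trust.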

CHEERS!