Whether you’re new to these specialties or an experienced investigator, REMnux contains many helpful Debian packages and configurations to perform advanced tasks, such as:
- Extracting IoCs (Indicators of Compromise)
- Disassembling/decompiling binaries and Windows executables (such as PE files)
- Decoding, deobfuscating, deciphering, and decrypting
- Tampering with traffic (such as Burp Suite, Thug) and other network analysis (such as Wireshark)
- Investigating malicious code in various platforms (such as Android) and languages (e.g., Python, PowerShell, Java)
- Analyzing memory for code injections and other malicious activities
- Examining suspicious documents (such as PDFs, Microsoft Office, emails)
We’ll examine the pros and cons, but REMnux is definitely a great asset for those who want to focus on their work and skip the “installation hell.”
Getting Started with REMnux
REMnux can be installed in a number of ways.
The tool is available as a ready-to-use virtual machine (.ova), which means it can run everywhere (Windows, Mac, Linux), but you can also add it directly to an existing system based on Ubuntu 20.04 with the REMnux installer (less than 60 MB).
Be careful if you have a next-gen Apple machine (M1 and later). At the time of writing, REMnux won’t run on an ARM processor such as Apple M1 or M2, as it’s based on an x86/amd64 version of Ubuntu (source: REMnux documentation).
I prefer using the virtual machine, as it provides an isolated environment and you can save snapshots, which is particularly convenient when you need to analyze ransomware and other sensitive binaries that can literally destroy your system.
So get the OVA image and import it into your favorite virtualization software, for example, VirtualBox or VMware.
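For the "add it to an existing Ubuntu 20.04 system" route, here is an added helper script (not from the article or the REMnux project) that checks the architecture caveat above before downloading the installer. It assumes the REMnux CLI download URL `https://REMnux.org/remnux-cli` and the `remnux install --mode=addon` / `remnux upgrade` subcommands; verify both against the current REMnux documentation before relying on them.

```shell
#!/usr/bin/env bash
# Preflight and addon-install helper for putting REMnux on an existing Ubuntu 20.04 host.
# Assumed (not stated in the article): the installer URL https://REMnux.org/remnux-cli
# and the "remnux install --mode=addon" / "remnux upgrade" subcommands.
set -eu

# Return 0 when the host matches what REMnux supports (x86_64 Ubuntu 20.04), 1 otherwise.
# Both arguments default to the live system, so the check can also be run on constructed values.
remnux_preflight() {
    local arch="${1:-$(uname -m)}"
    local release="${2:-$(. /etc/os-release 2>/dev/null && echo "${VERSION_ID:-}")}"
    if [ "$arch" != "x86_64" ]; then
        echo "unsupported CPU architecture: $arch (REMnux needs x86/amd64, not ARM)" >&2
        return 1
    fi
    if [ "$release" != "20.04" ]; then
        echo "unsupported Ubuntu release: ${release:-unknown} (REMnux addon mode targets 20.04)" >&2
        return 1
    fi
    return 0
}

# Download the REMnux CLI and run it in addon mode, which keeps the existing system
# and layers the REMnux packages and configuration on top of it.
remnux_install_addon() {
    remnux_preflight || return 1
    local tmp
    tmp="$(mktemp -d)"
    wget -q -O "$tmp/remnux" https://REMnux.org/remnux-cli
    chmod +x "$tmp/remnux"
    sudo mv "$tmp/remnux" /usr/local/bin/remnux
    sudo remnux install --mode=addon
}

# Later, refresh the toolset through the same CLI.
remnux_update() {
    sudo remnux upgrade
}

# Usage: ./remnux-addon.sh install   (or: ./remnux-addon.sh update)
case "${1:-}" in
    install) remnux_install_addon ;;
    update)  remnux_update ;;
esac
```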
What Problem Does REMnux Solve?
As the founder and primary maintainer of REMnux, Lenny Zeltser likes to say:
REMnux is for malware analysis as Kali is for penetration testing.
Kali Linux does contain forensic tools, but the distro is meant for pentesting, and you usually have to install additional resources to perform malware analysis and reverse engineering properly.
Because these resources bring their own dependencies, getting them to work on a system that was not built for them can be time-consuming, and sometimes frustrating because of the many incompatibilities and dependency conflicts.
- It’s totally free and its components are open source
- It’s beginner friendly and well documented
- It’s easy to install (OVA, Docker image, from scratch) and update (thanks to SaltStack technology)
- It’s very popular among malware analysts and security professionals
- The set is very comprehensive, so it’s unlikely you’ll need any additional resources
- Tools are pre-packaged, tested, and pre-configured
- You can use REMnux tools without even installing them, using Docker and REMnux containers
- The latest big release, at the time of writing, is v7 in 2020
- REMnux is a collection of open-source packages, which on one hand is great, but it comes with the same dependency and update issues as any such collection
- The distro won’t teach you how to master the various tools provided even if the documentation contains useful links and demos
Why Use REMnux?
REMnux is not just another Linux distro for ethical hacking or forensics. It contains pretty much everything you need to perform various analyses.
The added value is the “glue” REMnux uses to make these hundreds of tools work together and remove the hassle of installing and configuring everything by yourself. Those are some compelling reasons to try it.