Evolving directions on building the best Open Source Forensics VM

Services available


Need anything else?

Contributors list

# 388,900
74 commits

Had issues with APT updates breaking and I don't feel like messing with APT problems. Therefore I am attempting to move to a Docker-based forensics VM. See the docker directory for more information.
The below may still work, but I don't feel like troubleshooting the APT conflicts.


VM minimum config recommendations:
- 2 procs
- 30GB disk space
- 2 NICs
  - One shared or direct connect
  - One host only
    - Use this NIC for the SO (Security Onion) monitor interface
    - Replay your PCAPs on this interface

Install Ubuntu 14.04 LTS and run:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

Install SIFT Workstation:
wget --quiet -O - | sudo bash -s -- -i
sudo apt-get update
sudo apt-get upgrade
sudo reboot

Install Remnux Tools:
wget --quiet -O - | sudo bash
sudo apt-get update
sudo apt-get upgrade
sudo reboot

(above three steps sourced from:

Install JSDetox Docker:
- Awesome JavaScript forensic tool:
sudo apt-get install docker.io   # on Ubuntu 14.04 the "docker" package is an unrelated tray applet; the engine is docker.io
sudo apt-get update
sudo apt-get upgrade
Run JSDetox:
sudo docker run --rm -p 3000:3000 remnux/jsdetox
To stop JSDetox, use "sudo docker ps -l" to obtain the container ID, then run "sudo docker stop container-id" and wait about a minute.

Install SecurityOnion:
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y install securityonion-all syslog-ng-core
Now set up SecurityOnion as a standalone server.
- You can now run PCAPs against the monitor interface and have Bro and Suricata run against them.
- Install all of your custom Bro scripts
- View the results of the PCAP replay in Sguil and ELSA.

Install Libemu:
sudo apt-get install python-libemu

Install YARA rules:
mkdir yara
cd yara
git clone
Update to latest YARA version and enable various support:
Download the latest release of YARA (3.4.0 at the time of writing)
tar -xzf yara-3.4.0.tar.gz
cd yara-3.4.0/
sudo apt-get install automake libtool python-dev libssl-dev libjansson-dev libmagic-dev   # libssl/libjansson/libmagic back --with-crypto/--enable-cuckoo/--enable-magic
./bootstrap.sh          # the source tarball ships without a generated configure script
./configure --with-crypto --enable-cuckoo --enable-magic
make
sudo make install
sudo ldconfig           # so the yara binary and python module find the freshly installed libyara
cd yara-python/
python setup.py build
sudo python setup.py install
yara -v
** more work to do here, not sure if this is the best way forward

Update SIFT and Remnux (good to do before starting a new investigation):

If you have any APT keys that need to be added, run the command below.
sudo apt-key adv --keyserver --recv-keys KEY
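As an added post-build check (not part of the original README), the POSIX shell script below verifies the minimum VM configuration listed at the top, lists the NICs that carry no IPv4 address so you can confirm the host-only monitor interface is unaddressed, and reports whether the tools the recipe installs are on PATH. The file name vm_check.sh, the --run switch and the tool list are assumptions.

```shell
#!/bin/sh
# Added check for the forensics VM recipe above. The helpers take command
# output as arguments so they can be tested offline; preflight() feeds them
# live output from this machine when invoked as: sh vm_check.sh --run
MIN_PROCS=2
MIN_DISK_GB=30
MIN_NICS=2

# meets_min_config PROCS DISK_GB NICS -> exit 0 when every minimum is met
meets_min_config() {
    [ "$1" -ge "$MIN_PROCS" ] && [ "$2" -ge "$MIN_DISK_GB" ] && [ "$3" -ge "$MIN_NICS" ]
}

# count_nics "<output of: ip -o link>" -> number of non-loopback interfaces
count_nics() {
    printf '%s\n' "$1" | awk 'NF > 0 && $2 != "lo:" { n++ } END { print n + 0 }'
}

# root_disk_gb "<output of: df -BG --output=size />" -> size of / in whole GB
root_disk_gb() {
    printf '%s\n' "$1" | awk 'NR == 2 { sub(/G$/, "", $1); print $1 }'
}

# nics_without_ipv4 "<ip -o link output>" "<ip -o -4 addr output>" -> one name
#   per line for non-loopback NICs with no IPv4 address (the SO monitor NIC)
nics_without_ipv4() {
    printf '%s\n' "$1" | awk 'NF > 0 && $2 != "lo:" { sub(/:$/, "", $2); print $2 }' |
    while read -r ifname; do
        printf '%s\n' "$2" | awk -v i="$ifname" '$2 == i { found = 1 } END { exit !found }' ||
            printf '%s\n' "$ifname"
    done
}

preflight() {
    procs=$(nproc)
    disk=$(root_disk_gb "$(df -BG --output=size /)")
    nics=$(count_nics "$(ip -o link)")
    if meets_min_config "$procs" "$disk" "$nics"; then
        echo "config OK: $procs procs, ${disk}GB disk, $nics NICs"
    else
        echo "config BELOW minimum: $procs procs, ${disk}GB disk, $nics NICs"
    fi
    echo "monitor candidates (no IPv4): $(nics_without_ipv4 "$(ip -o link)" "$(ip -o -4 addr)" | tr '\n' ' ')"
    for tool in yara docker bro suricata; do   # assumed list of tools the recipe installs
        command -v "$tool" >/dev/null 2>&1 && echo "found: $tool" || echo "missing: $tool"
    done
}

case "${1:-}" in --run) preflight ;; esac
```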
