Combining Transformers: The Ultimate Podman Forensics Box
"Fusing REMnux and SIFT into a Single, Deployable Noble Workhorse"
In the world of DFIR, we often talk about “Transformers” combining to form a super-robot. Usually, this means installing SIFT and REMnux on the same VM. But it’s 2026—VMs are heavy, snapshots are clunky, and we want speed.
Today, we’re building that “super-robot” using Podman. We’ll be taking the brand-new REMnux (built on Ubuntu 24.04 “Noble”) and force-multiplying it with SIFT.
→ Thank you, Lenny Zeltser, and team
Note: Previously there was a post about how I did not think they would ever update REMnux. On this date, to my surprise.
The Blueprint: compose.yaml
Why run long strings of commands when you can define your infrastructure as code? We use privileged: true here because forensics tools need to talk to the kernel for mounting disk images, and :Z to handle those pesky SELinux labels. Keep in mind that a privileged container has roughly the same reach into the host kernel as a root shell, so this box belongs on a dedicated analysis host rather than a shared workstation.
YAML
services:
  forensics-suite:
    image: remnux/remnux-distro:noble
    container_name: remnux-sift
    hostname: forensics-lab
    privileged: true
    user: root
    volumes:
      - ./evidence:/home/remnux/evidence:Z
    environment:
      - DISPLAY=$DISPLAY
    stdin_open: true
    tty: true
    command: /bin/bash
Spin it up:
Bash
podman-compose up -d
podman exec -it remnux-sift /bin/bash
The Hurdles (And How to Jump Them)
Every lab build has its “learning moments.” Here is how we tackled the issues that popped up during the Noble transition.
1. The GPG Key War
Ubuntu 24.04 is strict about repository signing. Both REMnux and SIFT use the GIFT PPA, but they provide different keys for it. If you try to install SIFT on top of REMnux, APT will throw a “Conflicting values for Signed-By” error and die.
The Fix: You have to clear the battlefield. Delete the existing configs so the SIFT installer can lay its own foundation.
Bash
# Wipe the conflicting repos and keys
rm -f /etc/apt/sources.list.d/gift*.list /etc/apt/sources.list.d/sift*.list
rm -f /usr/share/keyrings/GIFT-GPG-KEY.asc /usr/share/keyrings/SIFT-GPG-KEY.asc
# Refresh the cache
apt-get update
2. The Missing cast Binary
You can’t just apt install sift anymore. You need the Cast tool. However, the generic “latest” download links are often broken due to GitHub’s naming conventions for Noble.
The Fix: Pull the specific Debian package for version 1.0.4.
Bash
wget https://github.com/ekristen/cast/releases/download/v1.0.4/cast-v1.0.4-linux-amd64.deb
dpkg -i cast-v1.0.4-linux-amd64.deb
The Final Transformation
Once the keys are cleared and Cast is installed, it’s time for the heavy lifting. We use --mode=server to keep the container light and avoid breaking the X11 socket with desktop GUI packages.
Bash
cast install teamdfir/sift-saltstack --mode=server
Don’t Lose Your Work!
Remember, containers are ephemeral. Once that 20GB SIFT installation finishes, commit your changes to a new image before you exit, or you’ll be doing this all over again tomorrow.
Bash
# On your host machine:
podman commit remnux-sift my-forensics-super-image:latest
Now you have a single image that can perform memory forensics with Volatility 3, static malware analysis with REMnux tools, and filesystem forensics with the SIFT suite—all starting in under two seconds.
The 99% Trap: Don't let a "Fatal" error at the end of a SIFT install ruin your day. In containerized environments, SIFT's installation scripts often look for Ubuntu desktop artifacts that simply don't exist. If your success count is in the high 700s, your forensic arsenal is ready. There is no --ignore-failures flag to force the exit code to green, but as you can see below, 705 out of 709 states were successful.
INFO[1291] statistics component=installer failed=4 success=705 total=709
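As an added example (not part of the original post, and not code from REMnux, SIFT or cast), here is a small shell pre-flight for two of the hurdles above: it flags repository entries that would produce the "Conflicting values for Signed-By" error before apt-get update ever runs, and it turns cast's statistics line into a success percentage with a tolerated-failure threshold, so the "99% trap" becomes a deliberate check instead of a surprise. The sample .list contents and the PPA URI are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Pre-flight checks for the build:
# spot APT entries that would trigger the Noble "Conflicting values for
# Signed-By" failure, and read cast's final statistics line so a handful of
# expected failures is not mistaken for a broken install. Samples constructed.
set -eu

# Print "URI keyring" for every 'deb [...] URI ...' line in $1/*.list;
# entries without a signed-by option are reported with keyring "(none)".
deb_lines_with_keys() {
    grep -h '^deb ' "$1"/*.list 2>/dev/null | while IFS= read -r line; do
        key=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
        uri=$(printf '%s\n' "$line" \
            | sed 's/^deb[[:space:]]*\(\[[^]]*\][[:space:]]*\)\{0,1\}//' | awk '{print $1}')
        printf '%s %s\n' "$uri" "${key:-(none)}"
    done
}

# List every repository URI declared with more than one distinct keyring
# (APT refuses to merge those) and return 1; return 0 when the dir is clean.
find_signedby_conflicts() {
    conflicts=$(deb_lines_with_keys "$1" | sort -u \
        | awk '{n[$1]++; k[$1]=k[$1] " " $2} END {for (u in n) if (n[u] > 1) print u ":" k[u]}')
    [ -z "$conflicts" ] && return 0
    printf '%s\n' "$conflicts"
    return 1
}

# Parse cast's "statistics ... failed=N success=N total=N" line. Prints the
# integer success percentage; returns 1 when failures exceed $2 (default 0).
check_cast_stats() {
    line="$1"; max_failed="${2:-0}"
    failed=$(printf '%s\n' "$line" | sed -n 's/.*failed=\([0-9]*\).*/\1/p')
    success=$(printf '%s\n' "$line" | sed -n 's/.*success=\([0-9]*\).*/\1/p')
    total=$(printf '%s\n' "$line" | sed -n 's/.*total=\([0-9]*\).*/\1/p')
    [ -n "$failed" ] && [ -n "$success" ] && [ -n "$total" ] && [ "$total" -gt 0 ] || return 2
    echo $(( success * 100 / total ))
    [ "$failed" -le "$max_failed" ]
}

# Constructed reproduction of the clash the post describes: REMnux and SIFT
# each ship their own keyring for the same GIFT PPA (URI assumed). Prints the dir.
make_conflicting_sources_dir() {
    d=$(mktemp -d)
    echo 'deb [signed-by=/usr/share/keyrings/GIFT-GPG-KEY.asc] https://ppa.launchpadcontent.net/gift/stable/ubuntu noble main' > "$d/gift.list"
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/SIFT-GPG-KEY.asc] https://ppa.launchpadcontent.net/gift/stable/ubuntu noble main' > "$d/sift.list"
    echo "$d"
}
```

Run find_signedby_conflicts /etc/apt/sources.list.d inside the container before apt-get update; if it reports the GIFT PPA, apply the rm -f cleanup from the post and re-check.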

Love the containerized approach here. Moving from VMs to Podman for forensics makes so much sense when you're juggling disk images and need that speed. The 99% success rate point is key tho, saved me from panicking when I hit similar install issues last year.