Forget The Beer I Will Take Wine

Thursday, January 27, 2011 Posted by Corey Harrell
Wine is a program that lets Windows software run on other operating systems. This means Wine can be used to run Windows only forensic or malware analysis tools on the Sift workstation and REMnux. It’s so easy to get Wine up and running I wasn’t even sure if a blog post was needed. However, it never hurts to be informed. Here's a quick post on installing Wine and running Windows tools on Sift and REMnux.

Install Wine

The Sift v2 workstation and REMnux v2 both were built using Ubuntu Linux. The Wine website shows the different options for installing Wine on Ubuntu including using repositories, the GUI, or the command line. All of these options require the Sift and REMnux to have Internet access. I used the command line option since it only involved running the following commands:

          * sudo add-apt-repository ppa:ubuntu-wine/ppa
          * sudo apt-get update
          * sudo apt-get install wine1.3
               - Enter Yes to proceed with the installation

That’s right, just three commands to install Wine. The next few pictures show Wine being installed on the Sift workstation.






Running Windows Programs on the Sift and REMnux

Wine can be used to run standalone Windows programs or programs that require an installation process. I wanted Wine so I could run a few standalone Windows programs so this post won’t cover installing a program in Wine (the Wine website has information on this topic). To run a standalone Windows program the program needs to be launched with Wine. Most of the programs I’ve tested run without any issues but a couple programs required some tinkering. The pictures below show Windows programs running on the Sift and REMnux.

First up is Nirsoft’s IEHistoryView running on Sift.


Next is McAfee’s BinText running on REMnux.


Here is PEID running on REMnux.


As I mentioned before, not all of the Windows programs will run without any issues. For example, Digital Detective’s Dcode program fails to run because of a missing dll. This is shown below with the missing dll highlighted in the red box.


A quick search on a Windows system locates the msvbvm60.dll in the Windows\System32 folder (this search was done on a Windows XP system). To fix the missing dll error, just copy the msvbvm60.dll from a Windows system to Wine’s Windows\System32 folder as shown below.


Now here is the picture of Dcode running on the Sift. Some messages appear while Dcode runs so testing has to be done to make sure the program still converts all of the dates properly.



REMnux and Sift are great distributions since they come preconfigured with some of the tools I use. My main platform is Windows so REMnux and Sift save me a lot of time because I don’t have to setup my own Linux environments. At times I find myself switching between Windows and Linux to run certain tools. Wine gives me the option of bringing a few Windows tools over to the Linux so I won’t have to switch between the two operating systems as much.


Labels:
  1. On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http://goo.gl/ramnu What is your opinion? --Ben

  2. I read your post when I saw it in my RSS feeds. I work in a corporate environment and I haven't had the need to preserve the content of a live website as mentioned in your post. As a result, I really don't have an opinion about it. If at any point in the future I have to do that then I will definitely re-read your post as part of my research.

    On another note, I'm going to look into the BB Flashback software you mentioned. In the past, I made training and demonstration videos using Camtasia but I'm curious how BB Flashback would work for this.

  3. great post. i wonder if you have found a replacement for peid since the creators have stopped maintaining it. or, a good place to get new definition files.

  4. @Kevin

    No I don't. I'm just starting to try to learn more about examining malware.

Post a Comment