How to run Autopsy on Linux

on Sunday, 09 February 2014. Posted in Forensics

Since version 3 of Autopsy, which is a graphical front end to the well-known Sleuth Kit, Linux binaries are no longer provided by the project team due to packaging issues. Unfortunately, I have not found a single site that provides Autopsy packages for RedHat-based distributions such as Fedora or CentOS.

Therefore, I have dug through the documentation and figured out how to get Autopsy up and running on Linux.

1) Required packages

yum install git bzip2-devel uuid-devel.x86_64 libuuid-devel.x86_64 fuse-devel.x86_64 zlib-devel rpm-build openssl-devel python-devel libstdc++-devel libstdc++ ant gcc-c++

2) Java

Java is needed. As Autopsy requires JavaFX, OpenJDK will not work. Therefore, Oracle Java version 1.7 needs to be installed. I use Fedy – formerly called Fedora Utils – (http://satya164.github.io/fedy/) to install Oracle Java, or download it via http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html.

3) libewf

Libewf is required for Autopsy and its dependency Sleuth Kit. At the time of writing SleuthKit 4.1.3 had just been released. Version 4.1.3 requires libewf >= 20131230, whereas the forensic tools repository of NIST (http://www.cert.org/forensics/repository/) only provides version 20131210 as of February 2014. Therefore, libewf has to be built from source. The project homepage of libewf is https://code.google.com/p/libewf/, but the source code is not hosted via Google Code. You need to use the ‘Downloads’ links on the left pane to get the source code. After unpacking run

./configure 
make
make install

If you prefer to build your own rpms so that everything is managed by your package manager just run

rpmbuild -ta libewf-<version>.tar.gz

You’ll find the freshly built rpm files in $HOME/rpm/build. The libewf packages, including the devel, python and tools packages, need to be installed.

In the future a regular

yum install libewf 

will do the trick as soon as the forensic tools repository of NIST has been updated.

4) TSK / SleuthKit

The SleuthKit package provided in the forensic tools repository of NIST can’t be used because the java bindings are missing. Therefore, SleuthKit needs to be built from source. After obtaining the sources (http://www.sleuthkit.org/sleuthkit/download.php) and unpacking the archive, the following commands need to be run.

./configure 
make 

‘make install’ is not necessary, as only Autopsy will rely on the freshly built binaries and the environment variable TSK_HOME will point Autopsy to them.

export TSK_HOME=/home/dennis/forensics/sleuthkit-4.1.3/

Check that the java bindings have been compiled as well. You need to find the following lines in the output of make:

dist-do:
	   [jar] Building jar: /home/dennis/forensics/sleuthkit-4.1.3/bindings/java/dist/Tsk_DataModel.jar

Or change into the directory bindings/java and run

ant

5) Autopsy

Now Autopsy can be built by retrieving the Autopsy sources via git.

git clone https://github.com/sleuthkit/autopsy

Changing into the source directory and running

ant build

will download all (java) dependencies and compile Autopsy. Autopsy can be started via the following command

ant run 

Please keep in mind that the environment variable TSK_HOME needs to be set correctly for Autopsy to run. Therefore, I have written this really simple three-line bash script.

#!/bin/bash
# point Autopsy at the SleuthKit build (binaries and Java bindings), then start it
export TSK_HOME=/home/dennis/Autopsy/sleuthkit/
ant run
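The steps above only work when TSK_HOME really points at a SleuthKit tree whose Java bindings were built, and when the installed libewf is new enough for SleuthKit 4.1.3. The following pre-flight script is an added example, not part of the original post or of the Autopsy/SleuthKit projects. It assumes the layout described above (TSK_HOME is the unpacked, `make`-built SleuthKit source tree with the bindings jar at bindings/java/dist/Tsk_DataModel.jar) and that libewf's pkg-config module is named `libewf`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# `ant run`, so Autopsy is not started against a half-built SleuthKit.
#
# Assumptions (mine, not the projects'): $TSK_HOME is the unpacked SleuthKit
# source tree built with `make`, whose Java bindings jar lives at
# bindings/java/dist/Tsk_DataModel.jar; libewf installs a pkg-config module
# called `libewf` whose version is a YYYYMMDD date stamp.

# Return 0 if libewf version $1 (YYYYMMDD date stamp) is at least $2
# (default: 20131230, the minimum SleuthKit 4.1.3 asks for).
libewf_version_ok() {
    have="$1"
    need="${2:-20131230}"
    case "$have" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a purely numeric date stamp
    esac
    [ "$have" -ge "$need" ]
}

# Return 0 if $1 is a directory that contains the built Java bindings jar,
# i.e. a value that is safe to use as TSK_HOME for Autopsy.
tsk_home_ok() {
    dir="${1%/}"                  # tolerate a trailing slash as in the post
    [ -n "$dir" ] || return 1
    [ -d "$dir" ] || return 1
    [ -f "$dir/bindings/java/dist/Tsk_DataModel.jar" ]
}

# Print the installed libewf version, or nothing if pkg-config or the module
# is absent (module name `libewf` is an assumption).
installed_libewf_version() {
    pkg-config --modversion libewf 2>/dev/null
}

# Run all checks against the current $TSK_HOME; return non-zero on the first
# problem with a hint about which build step to revisit.
preflight() {
    if ! tsk_home_ok "$TSK_HOME"; then
        echo "TSK_HOME='$TSK_HOME' has no bindings/java/dist/Tsk_DataModel.jar; run 'ant' in bindings/java" >&2
        return 1
    fi
    v="$(installed_libewf_version)"
    if [ -n "$v" ] && ! libewf_version_ok "$v"; then
        echo "libewf $v is older than the 20131230 required by SleuthKit 4.1.3" >&2
        return 1
    fi
    return 0
}

# Typical use, mirroring the script from the post:
#   export TSK_HOME=/home/dennis/forensics/sleuthkit-4.1.3/
#   preflight && ant run
```

The libewf check is skipped when pkg-config cannot report a version, since the post also covers installs from plain `make install`; the TSK_HOME check is the one that catches the most common failure, a SleuthKit tree where `make` ran but the bindings jar was never produced.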

And this is it:

I’ll test run Autopsy on Linux during the next weekend. I have had some good and some not so good experiences with Autopsy on Windows during the last couple of months. I’ll try to test whether (almost) all features work as expected and report back.