Ever since Autopsy 3.0 was released and right up through Autopsy 4.4.1, it only worked in Windows. I could get it to compile without error on my Linux machine, but running it would only display the splash screen of the little doggie and then immediately crash.
But yesterday at OSDFCon, my friend Ben said he got the newly released Autopsy 4.5 to compile and run on his Ubuntu 16.04 machine! The weird part was that he said he didn’t do anything different, it just worked.
Today, I tried compiling it on my Xubuntu 17.04 machine and it did indeed work! It wasn’t completely straightforward, so here’s what I did:
First, get Sleuthkit 4.5…
$ cd ~/sleuthkit
$ tar xf ~/Downloads/sleuthkit-sleuthkit-4.5.0.tar.gz
$ cd sleuthkit-sleuthkit-4.5.0
…and build it. It didn’t have a configure file included, so we’ll need to run autoconf ourselves.
$ autoreconf --install
$ autoconf
$ ./configure
$ make
$ make check
$ sudo make install
Now we have to build the Java bindings for it.
$ cd bindings/java
$ ant dist-PostgreSQL
But Autopsy will be looking for Tsk_DataModel_PostgreSQL.jar rather than Tsk_DataModel.jar, so we’ll fake one of those.
$ cd dist
$ ln -s Tsk_DataModel.jar Tsk_DataModel_PostgreSQL.jar
Okay, now we’re ready to get and build Autopsy 4.5.
$ cd ~/sleuthkit
$ tar xf ../Downloads/autopsy-autopsy-4.5.0.tar.gz
$ cd autopsy-autopsy-4.5.0
$ export TSK_HOME=$HOME/sleuthkit/sleuthkit-sleuthkit-4.5.0
$ ant
Now when we run it…
$ ant run
...
BUILD SUCCESSFUL
Total time: 19 minutes 25 seconds
…we eventually get an Autopsy window!
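The steps above, wrapped in a small POSIX shell helper so they can be repeated without re-typing them. This is an added example, not the post's commands or anything shipped with Sleuthkit or Autopsy; the directory layout (bindings/java/dist under the Sleuthkit tree) and the jar names are taken from the post, and the two directory arguments are assumptions. It adds the checks the one-liners silently rely on: that the Java bindings were actually built before the PostgreSQL jar is faked, that the symlink resolves to a real file, and that TSK_HOME points at a tree Autopsy can use.

```shell
#!/bin/sh
# Added example (not from the post). Helpers for the Linux build of
# Sleuthkit 4.5 + Autopsy 4.5 described above. Paths are assumptions.

# Create the Tsk_DataModel_PostgreSQL.jar symlink Autopsy expects,
# pointing at the Tsk_DataModel.jar that "ant dist-PostgreSQL" built.
# $1 = the bindings/java/dist directory.
# Returns 1 if the real jar is missing (bindings not built yet) or the
# link does not resolve to a file (e.g. a dangling link from an old run).
link_pg_jar() {
    dist="$1"
    [ -f "$dist/Tsk_DataModel.jar" ] || return 1
    if [ ! -e "$dist/Tsk_DataModel_PostgreSQL.jar" ]; then
        # Relative target: resolves inside $dist, so the tree can move.
        ln -s Tsk_DataModel.jar "$dist/Tsk_DataModel_PostgreSQL.jar"
    fi
    [ -f "$dist/Tsk_DataModel_PostgreSQL.jar" ]
}

# Check that a Sleuthkit source tree is usable as TSK_HOME for the
# Autopsy build (built Java bindings plus the faked PostgreSQL jar).
# $1 = the Sleuthkit source directory. Prints the export line on success.
check_tsk_home() {
    tsk="$1"
    [ -d "$tsk/bindings/java/dist" ] || return 1
    link_pg_jar "$tsk/bindings/java/dist" || return 1
    echo "export TSK_HOME=$tsk"
}

# The whole build in the post's order. Each stage stops the run on
# failure instead of letting a later stage fail confusingly.
# $1 = Sleuthkit source dir, $2 = Autopsy source dir. Not run automatically.
build_all() {
    tsk="$1"; autopsy="$2"
    # autoreconf --install already runs autoconf, so one call is enough.
    ( cd "$tsk" && autoreconf --install && ./configure && make \
        && make check && sudo make install ) || return 1
    ( cd "$tsk/bindings/java" && ant dist-PostgreSQL ) || return 1
    check_tsk_home "$tsk" >/dev/null || return 1
    ( cd "$autopsy" && TSK_HOME="$tsk" ant ) || return 1
}
```

Source the file and call `build_all ~/sleuthkit/sleuthkit-sleuthkit-4.5.0 ~/sleuthkit/autopsy-autopsy-4.5.0`, then `ant run` from the Autopsy directory as the post does.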
We can try to create a new case…
…and process it.
Hrm. The default settings apparently include things that only work in Windows.
So it’s still pretty aggressively single-platform, but at least it runs without crashing! To be fair, they describe it as “a Windows-based desktop digital forensics tool” right on the tin. But it’s written in Java, so there’s no good reason that it shouldn’t just work everywhere.
Assuming I can get it to actually process some data for me, next I want to try writing a plug-in for it in Clojure. I bounced that idea off of Brian Carrier and Richard Cordovano at OSDFCon yesterday. Both seemed skeptical.