Last year, I got Autopsy 4.5 to work in Linux, including processing some data. Now, Autopsy 4.7 is out and it claims even better Linux support. Today, I decided to try it.
First, I’ll uninstall the existing sleuthkit.
$ cd ~/sleuthkit/sleuthkit-sleuthkit-4.5.0
$ sudo make uninstall
...
Now, I’ll follow the instructions for Linux:
$ sudo apt install libvhdi1 libvmdk1 libvhdi-dev libvmdk-dev libpostgresql-jdbc-java libc3p0-java
...
$ export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
$ sudo dpkg -i ~/Downloads/sleuthkit-java_4.6.1-1_amd64.deb
...
$ cd ..
$ unzip -l ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/bin
$ ./autopsy
$ chmod +x autopsy
$ ./autopsy
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.netbeans.ProxyURLStreamHandlerFactory (file:/home/tim/Autopsy/autopsy-4.7.0/platform/lib/boot.jar) to field java.net.URL.handler
WARNING: Please consider reporting this to the maintainers of org.netbeans.ProxyURLStreamHandlerFactory
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni
Hrm. It didn’t work. The graphical window says this:
org.netbeans.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: /home/tim/Autopsy/autopsy-4.7.0/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsatisfiedLinkError: org.sleuthkit.datamodel.SleuthkitJNI.getVersionNat()Ljava/lang/String;
So where is libtsk_jni?
$ dpkg -l | grep sleuth
ii sleuthkit-java 4.6.1-1 amd64 tools for forensics analysis on volume and filesystem data
$ dpkg --contents sleuthkit-java_4.6.1-1_amd64.deb
drwxr-xr-x root/root 0 2018-05-08 11:38 ./
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/lib/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/
-rw-r--r-- root/root 935224 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2
-rw-r--r-- root/root 75042 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- root/root 1719320 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- root/root 133480 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- root/root 1174 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.la
-rw-r--r-- root/root 1225 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.la
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/java/
-rw-r--r-- root/root 5131696 2018-05-08 11:38 ./usr/share/java/sqlite-jdbc-3.8.11.jar
-rw-r--r-- root/root 1399359 2018-05-08 11:38 ./usr/share/java/sleuthkit-4.6.1.jar
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/doc/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/doc/sleuthkit-java/
-rw-r--r-- root/root 512 2018-05-08 11:32 ./usr/share/doc/sleuthkit-java/copyright
-rw-r--r-- root/root 196 2018-05-08 11:33 ./usr/share/doc/sleuthkit-java/changelog.Debian.gz
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0
$ ls -l /usr/lib/x86_64-linux-gnu/libtsk*
-rw-r--r-- 1 root root 1719320 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- 1 root root 75042 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- 1 root root 1225 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.la
lrwxrwxrwx 1 root root 19 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx 1 root root 19 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root 133480 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root 1174 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.la
lrwxrwxrwx 1 root root 16 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx 1 root root 16 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
-rw-r--r-- 1 root root 935224 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2
That seems right…why can’t it find it? Oh, well; forget the package…
$ sudo dpkg -r sleuthkit-java
$ sudo dpkg --purge sleuthkit-java
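The startup message above reads "Library not found in jar (libtsk_jni)", which names a jar rather than /usr/lib. As an added example (not part of the original post), this Python script reports which sleuthkit jars under a directory carry a libtsk_jni entry; the `sleuthkit*.jar` glob and matching on the `libtsk_jni` file-name prefix are assumptions of the example.

```python
import sys
import zipfile
from pathlib import Path

# Library name taken from the error message; matching on this file-name
# prefix inside the jar is an assumption of this example.
NATIVE_STEM = "libtsk_jni"

def native_entries(jar_path, stem=NATIVE_STEM):
    """Return the entries of one jar whose file name starts with `stem`."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(name for name in jar.namelist()
                      if name.rsplit("/", 1)[-1].startswith(stem))

def has_linux_lib(entries):
    """True if any entry looks like a Linux shared object (.so or .so.N)."""
    return any(e.endswith(".so") or ".so." in e for e in entries or [])

def scan_tree(root, jar_glob="sleuthkit*.jar"):
    """Map each matching jar under `root` to its native-library entries.

    A jar that cannot be opened maps to None so it is reported, not skipped.
    """
    report = {}
    for jar_path in sorted(Path(root).rglob(jar_glob)):
        try:
            report[str(jar_path)] = native_entries(jar_path)
        except (zipfile.BadZipFile, OSError):
            report[str(jar_path)] = None
    return report

if __name__ == "__main__":
    # Usage: python3 jni_in_jar.py <directory>, e.g. the unpacked Autopsy tree
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, entries in scan_tree(root).items():
        if entries is None:
            status = "unreadable"
        elif has_linux_lib(entries):
            status = "has Linux libtsk_jni"
        else:
            status = "no Linux libtsk_jni"
        print(f"{status:22} {jar} {entries or ''}")
```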
Let’s try building the entire sleuthkit from source:
$ cd ~/sleuthkit
$ tar xf ~/Downloads/sleuthkit-4.6.1.tar.gz
$ cd sleuthkit-4.6.1
# Hey, there's a configure script already!
$ ./configure
$ make
$ make check
$ sudo make install
# All set?
$ which mmls
/usr/local/bin/mmls
$ ls bindings/java/dist/
sleuthkit-4.6.1.jar
$ cd ~/sleuthkit
$ unzip ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/
$ bash unix_setup.sh
photorec found
Java found in /usr/lib/jvm/java-8-openjdk-amd64
/usr/local/share/java/sleuthkit-4.6.1.jar found
Copying into the Autopsy directory
Autopsy is now configured. You can execute bin/autopsy to start it
$ bin/autopsy
...
SleuthkitJNI: loaded libtsk_jni
...
Success! Aw, but when I started a new case, it crashed!
The pop-up window said:
Sorry, the application java has stopped unexpectedly.
If you notice further problems, try restarting the computer.
and the terminal said:
# A fatal error has been detected by the Java Runtime Environment:
...
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P" (or dumping to /home/tim/core.21205)
#
# An error report file with more information is saved as:
# /home/tim/hs_err_pid21205.log
...
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
...
So. I don’t really know what to do about this setback. This Ubuntu machine is now at 18.04, but I doubt that’s the problem. I’m using OpenJDK, not Oracle Java…but if that’s the issue, then I don’t want to play.
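The terminal output above points to an error report file (hs_err_pid21205.log) whose header names the signal and the problematic frame. As an added example (not from the original post), this Python script extracts those fields from such a header; the embedded log is a constructed sample, and its pid, library and function names are placeholders.

```python
import re
import sys

# Constructed sample of an hs_err_pid<PID>.log header; not the author's log.
SAMPLE = """\
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f3a5c0123ab, pid=4242, tid=0x00007f3a2d7fa700
#
# JRE version: OpenJDK Runtime Environment (example build)
# Problematic frame:
# C  [libexample_jni.so+0x123ab]  example_function+0x2b
#
# The crash happened outside the Java Virtual Machine in native code.
"""

SIGNAL_RE = re.compile(
    r"^#\s+(SIG[A-Z0-9]+) \(0x[0-9a-f]+\) at pc=(0x[0-9a-f]+), pid=(\d+)")
# Greedy ".+" keeps '+' inside names such as libstdc++.so.6 in the library part.
FRAME_RE = re.compile(
    r"^#\s+(?P<kind>[CVvJj])\s+"
    r"(?:\[(?P<lib>.+)\+(?P<off>0x[0-9a-f]+)\]\s*)?(?P<sym>.*)$")
# Frame-type letters as listed in the hs_err legend.
KINDS = {"C": "native code", "V": "VM code", "v": "VM code",
         "J": "compiled Java code", "j": "interpreted Java code"}

def triage(text):
    """Extract signal, pc, pid and the problematic frame from an hs_err header."""
    out = {"signal": None, "pc": None, "pid": None, "kind": None,
           "library": None, "offset": None, "symbol": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        sig = SIGNAL_RE.match(line)
        if sig:
            out.update(signal=sig.group(1), pc=sig.group(2), pid=int(sig.group(3)))
        elif line.strip() == "# Problematic frame:" and i + 1 < len(lines):
            frame = FRAME_RE.match(lines[i + 1])
            if frame:
                out.update(kind=KINDS[frame["kind"]], library=frame["lib"],
                           offset=frame["off"],
                           symbol=frame["sym"].strip() or None)
    return out

if __name__ == "__main__":
    # Usage: python3 hs_err_triage.py <path to hs_err_pid*.log>; no argument uses SAMPLE
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(text).items():
        print(f"{key:8} {value}")
```

A frame of kind "native code" with a library name tells you which shared object to look at (for example with `ldd`) before suspecting the JVM itself.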