Last year, I got Autopsy 4.5 to work in Linux, including processing some data. Now, Autopsy 4.7 is out and it claims even better Linux support. Today, I decided to try it.
First, I’ll uninstall the existing sleuthkit.
$ cd ~/sleuthkit/sleuthkit-sleuthkit-4.5.0
$ sudo make uninstall
...
Now, I’ll follow the instructions for Linux:
$ sudo apt install libvhdi1 libvmdk1 libvhdi-dev libvmdk-dev libpostgresql-jdbc-java libc3p0-java
...
$ export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
$ sudo dpkg -i ~/Downloads/sleuthkit-java_4.6.1-1_amd64.deb
...
$ cd ..
$ unzip -l ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/bin
$ ./autopsy
$ chmod +x autopsy
$ ./autopsy
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.netbeans.ProxyURLStreamHandlerFactory (file:/home/tim/Autopsy/autopsy-4.7.0/platform/lib/boot.jar) to field java.net.URL.handler
WARNING: Please consider reporting this to the maintainers of org.netbeans.ProxyURLStreamHandlerFactory
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni
Hrm. It didn’t work. The graphical window says this:
org.netbeans.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: /home/tim/Autopsy/autopsy-4.7.0/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsatisfiedLinkError: org.sleuthkit.datamodel.SleuthkitJNI.getVersionNat()Ljava/lang/String;
So where is libtsk_jni?
$ dpkg -l | grep sleuth
ii sleuthkit-java 4.6.1-1 amd64 tools for forensics analysis on volume and filesystem data
$ dpkg --contents sleuthkit-java_4.6.1-1_amd64.deb
drwxr-xr-x root/root 0 2018-05-08 11:38 ./
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/lib/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/
-rw-r--r-- root/root 935224 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2
-rw-r--r-- root/root 75042 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- root/root 1719320 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- root/root 133480 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- root/root 1174 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.la
-rw-r--r-- root/root 1225 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.la
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/java/
-rw-r--r-- root/root 5131696 2018-05-08 11:38 ./usr/share/java/sqlite-jdbc-3.8.11.jar
-rw-r--r-- root/root 1399359 2018-05-08 11:38 ./usr/share/java/sleuthkit-4.6.1.jar
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/doc/
drwxr-xr-x root/root 0 2018-05-08 11:38 ./usr/share/doc/sleuthkit-java/
-rw-r--r-- root/root 512 2018-05-08 11:32 ./usr/share/doc/sleuthkit-java/copyright
-rw-r--r-- root/root 196 2018-05-08 11:33 ./usr/share/doc/sleuthkit-java/changelog.Debian.gz
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx root/root 0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0
$ ls -l /usr/lib/x86_64-linux-gnu/libtsk*
-rw-r--r-- 1 root root 1719320 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- 1 root root 75042 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- 1 root root 1225 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.la
lrwxrwxrwx 1 root root 19 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx 1 root root 19 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root 133480 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root 1174 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.la
lrwxrwxrwx 1 root root 16 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx 1 root root 16 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
-rw-r--r-- 1 root root 935224 May 8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2
That seems right…why can’t it find it? Oh, well; forget the package…
$ sudo dpkg -r sleuthkit-java
$ sudo dpkg --purge sleuthkit-java
Let’s try building the entire sleuthkit from source:
$ cd ~/sleuthkit
$ tar xf ~/Downloads/sleuthkit-4.6.1.tar.gz
$ cd sleuthkit-4.6.1
# Hey, there's a configure script already!
$ ./configure
$ make
$ make check
$ sudo make install
# All set?
$ which mmls
/usr/local/bin/mmls
$ ls bindings/java/dist/
sleuthkit-4.6.1.jar
$ cd ~/sleuthkit
$ unzip ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/
$ bash unix_setup.sh
photorec found
Java found in /usr/lib/jvm/java-8-openjdk-amd64
/usr/local/share/java/sleuthkit-4.6.1.jar found
Copying into the Autopsy directory
Autopsy is now configured. You can execute bin/autopsy to start it
$ bin/autopsy
...
SleuthkitJNI: loaded libtsk_jni
...
Success! Aw, but when I started a new case, it crashed!
The pop-up window said
Sorry, the application java has stopped unexpectedly.
If you notice further problems, try restarting the computer.
and the terminal said
# A fatal error has been detected by the Java Runtime Environment:
...
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P" (or dumping to /home/tim/core.21205)
#
# An error report file with more information is saved as:
# /home/tim/hs_err_pid21205.log
...
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
...
So. I don’t really know what to do about this setback. This Ubuntu machine is now at 18.04, but I doubt that’s the problem. I’m using OpenJDK, not Oracle Java…but if that’s the issue, then I don’t want to play.
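An added example (not from the original post or from the Autopsy or Sleuth Kit projects): the crash banner above points at an hs_err_pid log, whose header records the signal, the JRE build and the "Problematic frame". This script extracts those fields and reports whether the frame belongs to a native library (C), the JVM (V/v) or Java code (J/j). The embedded log is constructed, and its library and function names are placeholders.

```shell
#!/usr/bin/env bash
# Triage a HotSpot hs_err_pid*.log header. Added example with a constructed sample.

# Print "signal|jre|frame_type|module|offset" for the log given as $1.
hs_err_summary() {
    awk '
        /^#  *SIG[A-Z]+ / && sig == "" { sig = $2 }
        /^# JRE version:/ { sub(/^# JRE version: */, ""); jre = $0 }
        # The frame is the line that follows the "Problematic frame:" header.
        grab {
            type = $2
            lb = index($0, "["); rb = index($0, "]")
            if (lb && rb > lb) {
                inner = substr($0, lb + 1, rb - lb - 1)
                plus = index(inner, "+0x")
                module = plus ? substr(inner, 1, plus - 1) : inner
                offset = plus ? substr(inner, plus + 1) : ""
            }
            grab = 0
        }
        /^# Problematic frame:/ { grab = 1 }
        END { printf "%s|%s|%s|%s|%s\n", sig, jre, type, module, offset }
    ' "$1"
}

# Turn the summary into a pointer for where to look next.
hs_err_verdict() {
    local sig jre type module offset
    IFS='|' read -r sig jre type module offset <<EOF
$(hs_err_summary "$1")
EOF
    case "$type" in
        C)   echo "native library $module at $offset ($sig)" ;;
        V|v) echo "JVM itself: $module at $offset ($sig)" ;;
        J|j) echo "Java frame ($sig)" ;;
        *)   echo "no problematic frame found" ;;
    esac
}

# Constructed sample in the hs_err header layout (placeholder names and versions).
write_sample_log() {
    cat > "$1" <<'EOF'
#  SIGSEGV (0xb) at pc=0x00007f0000001a2b, pid=12345, tid=0x00007f0000002000
# JRE version: OpenJDK Runtime Environment (8.0_000-b00) (build 1.8.0_000-b00)
# Problematic frame:
# C  [libexample_native.so+0x1a2b]  example_function+0x1c
EOF
}

log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); write_sample_log "$log"; fi
hs_err_verdict "$log"
```

Pass the path of a real log (for this post, the hs_err_pid file named in the terminal output) as the first argument; with no argument the script runs on the constructed sample.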