Autopsy 4.7 in Linux

Last year, I got Autopsy 4.5 to work in Linux, including processing some data. Now, Autopsy 4.7 is out and it claims even better Linux support. Today, I decided to try it.

First, I’ll uninstall the existing sleuthkit.

$ cd ~/sleuthkit/sleuthkit-sleuthkit-4.5.0
$ sudo make uninstall
...

Now, I’ll follow the instructions for Linux

$ sudo apt install libvhdi1 libvmdk1 libvhdi-dev libvmdk-dev libpostgresql-jdbc-java libc3p0-java
...
$ export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
$ sudo dpkg -i ~/Downloads/sleuthkit-java_4.6.1-1_amd64.deb
...
$ cd ..
$ unzip -l ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/bin
$ ./autopsy 
$ chmod +x autopsy
$ ./autopsy 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.netbeans.ProxyURLStreamHandlerFactory (file:/home/tim/Autopsy/autopsy-4.7.0/platform/lib/boot.jar) to field java.net.URL.handler
WARNING: Please consider reporting this to the maintainers of org.netbeans.ProxyURLStreamHandlerFactory
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni

Hrm. It didn’t work. The graphical window says this

org.netbeans.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: /home/tim/Autopsy/autopsy-4.7.0/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsatisfiedLinkError: org.sleuthkit.datamodel.SleuthkitJNI.getVersionNat()Ljava/lang/String;

So where is libtsk_jni?

$ dpkg -l | grep sleuth
ii  sleuthkit-java                          4.6.1-1                                    amd64        tools for forensics analysis on volume and filesystem data

$ dpkg --contents sleuthkit-java_4.6.1-1_amd64.deb
drwxr-xr-x root/root         0 2018-05-08 11:38 ./
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/lib/
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/
-rw-r--r-- root/root    935224 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2
-rw-r--r-- root/root     75042 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- root/root   1719320 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- root/root    133480 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- root/root      1174 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.la
-rw-r--r-- root/root      1225 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.la
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/share/
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/share/java/
-rw-r--r-- root/root   5131696 2018-05-08 11:38 ./usr/share/java/sqlite-jdbc-3.8.11.jar
-rw-r--r-- root/root   1399359 2018-05-08 11:38 ./usr/share/java/sleuthkit-4.6.1.jar
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/share/doc/
drwxr-xr-x root/root         0 2018-05-08 11:38 ./usr/share/doc/sleuthkit-java/
-rw-r--r-- root/root       512 2018-05-08 11:32 ./usr/share/doc/sleuthkit-java/copyright
-rw-r--r-- root/root       196 2018-05-08 11:33 ./usr/share/doc/sleuthkit-java/changelog.Debian.gz
lrwxrwxrwx root/root         0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
lrwxrwxrwx root/root         0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx root/root         0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx root/root         0 2018-05-08 11:38 ./usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0

$ ls -l /usr/lib/x86_64-linux-gnu/libtsk*
-rw-r--r-- 1 root root 1719320 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.a
-rw-r--r-- 1 root root   75042 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.a
-rw-r--r-- 1 root root    1225 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.la
lrwxrwxrwx 1 root root      19 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so -> libtsk_jni.so.0.0.0
lrwxrwxrwx 1 root root      19 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0 -> libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root  133480 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk_jni.so.0.0.0
-rw-r--r-- 1 root root    1174 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.la
lrwxrwxrwx 1 root root      16 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so -> libtsk.so.13.4.2
lrwxrwxrwx 1 root root      16 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13 -> libtsk.so.13.4.2
-rw-r--r-- 1 root root  935224 May  8 11:38 /usr/lib/x86_64-linux-gnu/libtsk.so.13.4.2

That seems right…why can’t it find it? Oh, well; forget the package…

sudo dpkg -r sleuthkit-java
sudo dpkg --purge sleuthkit-java

Let’s try building the entire sleuthkit from source

$ cd ~/sleuthkit
$ tar xf ~/Downloads/sleuthkit-4.6.1.tar.gz
$ cd sleuthkit-4.6.1

# Hey, there's a configure script already!
$ ./configure
$ make
$ make check
$ sudo make install

# All set?
$ which mmls
/usr/local/bin/mmls
$ ls bindings/java/dist/
sleuthkit-4.6.1.jar

$ cd ~/sleuthkit
$ unzip ~/Downloads/autopsy-4.7.0.zip
$ cd autopsy-4.7.0/
$ bash unix_setup.sh
photorec found
Java found in /usr/lib/jvm/java-8-openjdk-amd64
/usr/local/share/java/sleuthkit-4.6.1.jar found
Copying into the Autopsy directory
Autopsy is now configured. You can execute bin/autopsy to start it

$ bin/autopsy
...
SleuthkitJNI: loaded libtsk_jni
...

Success! Aw, but when I started a new case, it crashed!

screen shot of creating case

The pop-up window said

Sorry, the application java has stopped unexpectedly.

If you notice further problems, try restarting the computer.

and the terminal said

# A fatal error has been detected by the Java Runtime Environment:
...
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P" (or dumping to /home/tim/core.21205)
#
# An error report file with more information is saved as:
# /home/tim/hs_err_pid21205.log
...
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
...

So. I don’t really know what to do about this setback. This Ubuntu machine is now at 18.04, but I doubt that’s the problem. I’m using OpenJDK, not Oracle Java…but if that’s the issue, then I don’t want to play.

Advertisements
Autopsy 4.7 in Linux

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s