Install Autopsy 4.6 on Fedora Linux
Quick Introduction to Autopsy
Anyone exploring what the opensource world has to offer in the realm of digital forensics will soon end up finding the Sleuthkit project. According to the Sleuthkit project website, the projects mission is to
"To create the leading open source file and volume system forensic analysis tools that run on all major platforms and allow access to common data types in methods that support standard analysis techniques. "
The Sleuthkit project is a series of command line tools used for working with and analyzing hard drive images. The folks behind the Sleuthkit project also created a tool called Autopsy, which is a GUI frontend for the Sleuthkit command line tools.
Up until version 2, Autopsy ran on Unix type operating systems natively and on Windows systems with the use of Cygwin. This version of Autopsy was HTML based. The Autopsy server ran locally and you would connect to it using a standard web browser.
Starting with version 3, Autopsy went through a rewrite. The project was no longer HTML based. The project migrated to using the Java Swing GUI toolkit to build the user interface.
The second major change that occurred was that Autopsy 3 became Windows only. This was unfortunate for the forensic analysts out there for whom the OS of choice is Linux. This meant that all Infosec/Forensic Linux distributions no longer had a GUI for hard disk analysis. Analysts had to rely on using the command line versions of the Sleuthkit.
There’s good news! The Autopsy project recently released a version of Autopsy 4.6 that works on Linux. The packages and instructions are provided for Debian based operating systems. Since my workstation of choice is Fedora, I had to go through a couple of extra steps to get the software installed. In the next section I’ll be explaining those steps in detail.
Autopsy 4.6 requires the following prerequisites:
- sleuthkit 4.6.0
- Oracle Java JRE
My workstation of choice is the Fedora Linux distribution. Why?….I like staying in the loop regarding what the Enterprise will be eventually using. Fedora being a cutting edge Redhat distribution means that what you see in Fedora today, will one day make its way into the RedHat Enterprise Linux distribution. Let’s begin with installing the prerequisites.
To install the photorec we need to install the package called testdisk. I found this out by quering the software repositories using ‘dnf’ like so:
Since testdisk provides us with photorec, we now install testdisk:
The sleuthkit package does not come in the default Fedora software repositories. My preferred method for installing sleuthkit is from the CERT Forensics Tools software repository. You can find details and downloads on the CERT website https://forensics.cert.org/. To configure our Fedora workstation to use the CERT repository we perform the following steps:
1 - Download the RPM for your version of Fedora/Centos/RHEL from the https://forensics.cert.org/ website. For this instance we download the RPM for Fedora 27: https://forensics.cert.org/cert-forensics-tools-release-27.rpm
2 - Once we have the RPM downloaded, we install it locally:
3 - Once the repository is installed and activated we can install sleuthkit
Install Oracle Java JRE
Autopsy is written in Java and therefore requires a java runtime environment. You may already have a JRE installed on your workstation as it is a dependency of sleuthkit. Fedora repositories have the OpenJDK java runtime available and this is the version that would’ve been installed if you already installed sleuthkit using dnf. Unfortunately Autopsy is not compatible with this version. Autopsy relies on some features found specifically in the Oracle Java JRE so we’ll need to install that one. Conveniently, Oracle provides RPM’s for Java on the java.com website. Download the RPM for your specific OS here: https://java.com/en/download/linux_manual.jsp
Once we have the Java RPM downloaded, we use dnf to install it.
So we now have the Oracle Java JRE installed. Let’s make sure it installed correctly
Java exists. Is it the correct version?
Uhoh…..It’s the OpenJDK version. What happened to our Oracle JRE installation? Turns out it’s possible to have more than one JRE installed. However, only one can be the default java. To configure which java is the default java used by the system, we use the ‘alternatives’ utility.
If you select option 3, you’ll make the Oracle JRE the new java default. We can now test if that’s the case
We’re now using the Oracle Java JRE instead of OpenJDK. One last Java step is setting the $JAVA_HOME variable. We add the following line to the /etc/environment file
Perfect. That takes care of installing java.
The Autopsy project provides us with the sleuthkit-java prerequisite in the form of a .deb file
The sleuthkit-java_4.6.0-1_amd64.deb file is a Debian .deb package that is used to install Sleuthkit-Java on Debian and Ubuntu based Linux distributions. This is great for any Linux distributions based on Debian or Ubuntu, such as the SANS SIFT workstation. Since we’re installing this on Fedora we can’t install the package directly from the .deb file.
We first extract the files that we need from the .deb file. For this we use a tool called ‘dpkg-deb’, which is a Debian package archive manipulation tool.
This command extracts the content of the .deb package. The file we’re interested in, sleuthkit-4.6.0.jar, is located in usr/share/java.
The files located in usr/share/java are the files that the sleuthkit-java_4.6.0-1_amd64.deb package would install on a Debian system. We’ll need to install those ourselves.
The sqlite-jdbc-3.8.11.jar file can easily be installed using the Fedora package manager as it is available in the default software repositories.
The sleuthkit-4.6.0.jar file doesn’t exist in the Fedora repositories so we’ll need to install it manually ourselves. We need to find out where Autopsy expects the file and copy the file to that location manually. The Autopsy ZIP comes with a script called ‘unix_setup.sh’. The script does a handful of checks to see if all prerequisites are present. The check that we’re interested in right now is for the existance of sleuthkit-4.6.0.jar.
The ‘unix_setup.sh’ script expects to find sleuthkit-4.6.0.jar to be in /usr/share/java/. We simply copy the file to the expected location.
Configuring and Running Autopsy
Normally we should now be able to install/configure Autopsy by executing the unix_setup.sh script. Unfortunately the way we have our $JAVA_HOME configured, the default unix_setup.sh script won’t work. We need to modify the check for java. The current line reads this:
The ‘/bin’ in the path results in an error with the check. Based on how we set our $JAVA_HOME environment variable in a previous step, this check looks for a path/file that doesn’t exist. Here is what $JAVA_HOME/bin/java actually resolves to:
This path doesn’t exist. We need to modify the unix_setup.sh script to read as follows:
This line now resolves correctly:
We can now run the unix_setup.sh script to configure/install Autopsy.
Run it to test the installation.
Awesome! You’re now ready to analyze evidence using Autopsy on your Feodra workstation. In future posts I’m hoping to go over how to analyze some evidence using your newly installed tool.