Thread: TUMBLEWEED Autopsy

  1. #1

    TUMBLEWEED Autopsy

    I recently killed a disk, which got me looking for recovery tools. One of the best regarded seems to be autopsy, which isn't available in its current version 4.12 on openSUSE, but I found an old version 2.24 here: http://rpm.pbone.net/index.php3/stat...oarch.rpm.html.

    Much to my surprise, it installed with current versions of its dependencies including sleuthkit. The menu launcher didn't work until I replaced the command "beesu Autopsy" with "kdesu autopsy | xdg-open http://localhost:9999/autopsy" - other desktops use your own version of launch-as-superuser. All I've done so far is delete some songs off a usb stick and then bring 'em back to life with autopsy, but that works. Wish I'd thought to use "Bring Me to Life" as my test case!

    Autopsy is a browser-based GUI to command line tools, and opensuse has the latest version of those. Using the old version of autopsy is a bit clunky, but still way better than memorizing dozens of commands with their respective options and arguments, for anyone who wants to try it. I do wonder, though, if the old gui knows how to use all the current tool capabilities; for instance, I didn't have a btrfs usb stick to test.

    GEF

  2. #2

    Re: TUMBLEWEED Autopsy

    In case it wasn't clear from context, the reason I'm looking at an old version of autopsy (one that's still packaged for lots of distros) is that I can't get the current one installed. There's a zip file download, with an installer script in it. You have to clean it up with a dos2linux command, and then it runs and tells you what dependencies you're missing. All of them are easy to satisfy from standard repo except the java bindings, sleuthkit-4.6.7.ja. First of all, we've sleuthkit 4.6.5 in Tumbleweed, but secondly, even if I found the slightly-less-current version of autopsy that works with our sleuthkit, the java bindings aren't part of the package and searching in google by file name doesn't yield any hits at all (except, going forward, this forum thread). -GEF

  3. #3

    Re: TUMBLEWEED Autopsy

    I can verify that the old version of autopsy seems to work; I instead simply launched it from an elevated console without problems.
    Code:
    # autopsy
    Then opened Firefox to
    Code:
    http://localhost:9999/autopsy
    I also took a look at installing a current version but ran into difficulties, and at the point where there was a missing JAR file, I decided not to proceed further...

    But if anyone wants to put more effort into it,
    This is what I found...

    Note I took certain liberties in not following the instructions exactly in the following instructions for installing on Linux (like installing Oracle Java)
    https://github.com/sleuthkit/autopsy..._Linux_OSX.txt

    1. Download the following zip file and unpack it
    https://github.com/sleuthkit/autopsy...psy-4.12.0.zip

    2. Install testdisk (may not be necessary, didn't work for me), photorec, and sleuthkit
    Sleuthkit-devel is supposed to provide the java bindings and indeed plenty of java files are installed but no JAR file.
    Code:
    zypper in photorec sleuthkit sleuthkit-devel
    3. In an elevated console, browse to the root of the files that were unpacked and run the following to remove the Windows line feeds in the script
    Code:
    sed -i -e 's/\r$//' unix_setup.sh
    4. Make the script executable and execute
    Code:
    chmod +x unix_setup.sh
    ./unix_setup.sh
    That's as far as I was willing to go, the error you should see is
    Code:
    # ./unix_setup.sh          
    ---------------------------------------------
    Checking prerequisites and preparing Autopsy:
    ---------------------------------------------
    Checking for PhotoRec...found in /usr/bin
    Checking for Java...found in /usr/lib64/jvm/java
    Checking for Sleuth Kit Java bindings...ERROR: sleuthkit-4.6.7.jar not found in /usr/share/java/ or /usr/local/share/java/.
    Please install the Sleuth Kit Java bindings file.
    See https://github.com/sleuthkit/sleuthkit/releases.
    TSU
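
A preflight for steps 3 and 4 and the error shown in the post above, as an added example that is not part of the original post or of the Autopsy installer: it checks a setup script for CRLF line endings and looks for the Sleuth Kit bindings JAR in the directories named in the error message. The function names are made up for this example; the version and directories come from the output quoted above.

```shell
#!/bin/sh
# Added example, not the Autopsy project's code. Function names are hypothetical.

# has_crlf FILE: succeeds if any line in FILE ends with a carriage return.
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# find_tsk_jar VERSION DIR...: print the path of sleuthkit-VERSION.jar if it
# exists in one of the DIRs. Otherwise report other versions on stderr and fail.
find_tsk_jar() {
    want="sleuthkit-$1.jar"; shift
    for dir in "$@"; do
        if [ -f "$dir/$want" ]; then
            printf '%s\n' "$dir/$want"
            return 0
        fi
    done
    for dir in "$@"; do
        for jar in "$dir"/sleuthkit-*.jar; do
            if [ -f "$jar" ]; then
                printf 'other version present: %s\n' "$jar" >&2
            fi
        done
    done
    return 1
}

# preflight SCRIPT VERSION DIR...: run both checks, fail if either one fails.
preflight() {
    script=$1; shift
    status=0
    if has_crlf "$script"; then
        printf '%s: CRLF line endings, strip them before running\n' "$script"
        status=1
    fi
    if ! find_tsk_jar "$@" >/dev/null; then
        printf 'sleuthkit-%s.jar not found in the given directories\n' "$1"
        status=1
    fi
    return "$status"
}

# Example: sh preflight.sh unix_setup.sh 4.6.7 /usr/share/java /usr/local/share/java
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

Running the checks first shows both problems from the thread at once, before anything from the downloaded zip is executed in an elevated console.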