Saturday, April 4, 2009

The Sleuth Kit and Autopsy on Ubuntu

A quick installation guide for the latest TSK and autopsy on Ubuntu 8.04.
The default versions of TSK and autopsy in the Ubuntu repositories are sleuthkit-2.09-2 and autopsy-2.08-2. The latest versions are sleuthkit-3.0.1 and autopsy-2.21.

Step 1
Download afflib.tar.gz and unpack it with tar -xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be installed.

Type sudo apt-get install build-essential zlib1g-dev libssl-dev
Then navigate to the afflib folder and type the usual:
./configure, make, sudo make install

Step 2
Download libewf, unpack it and install all three .deb packages

Step 3
Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack, and run ./configure, make, sudo make install

Step 4
Download autopsy-2.21.tar.gz
Create your evidence directory; autopsy will ask for it later.
Extract autopsy and run ./configure, make, sudo make install

When asked, type the full path to your evidence directory and you are done.

To start autopsy, just type sudo ./autopsy and follow the instructions.
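The four steps above, collected into one script so the build order and the evidence-locker step are not forgotten. This is an added example, not a script from the post or from the TSK/autopsy projects. It assumes the tarballs have already been downloaded into $SRC (default ~/src) and the three libewf .deb files into $SRC/libewf; the SHA-256 values are placeholders to fill in from the upstream release announcements, since compiling and installing unverified source as root is the main thing that can go wrong with a download-and-make install. The install only runs when the script is invoked with the argument "install", so the helper functions can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example: source build of afflib, libewf, The Sleuth Kit and autopsy
# on Ubuntu 8.04 following the post's four steps. Not the post's own script.
set -eu

SRC="${SRC:-${HOME:-/tmp}/src}"    # where the downloaded archives live (assumption)
EVIDENCE="${EVIDENCE:-/evidence}"  # evidence locker that autopsy's configure asks for
SLEUTHKIT_VER="3.0.1"              # versions named in the post
AUTOPSY_VER="2.21"

# Expected checksums: PLACEHOLDERS, not values from the post. Fill them in
# from the upstream release notes before running; an empty value skips the check.
AFFLIB_SHA256=""
SLEUTHKIT_SHA256=""
AUTOPSY_SHA256=""

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when FILE exists and its SHA-256 matches EXPECTED (or EXPECTED is
# empty, with a warning), 1 otherwise. Every archive passes through here
# before it is unpacked and built.
verify_tarball() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ -n "$expected" ] || { echo "no checksum configured for $file, skipping" >&2; return 0; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
}

# build_tarball FILE [configure args...]
# Unpacks FILE into $SRC and runs the usual ./configure, make, sudo make install.
build_tarball() {
    file="$1"; shift
    dir=$(tar -tzf "$file" | head -n1 | cut -d/ -f1)   # top-level directory in the archive
    tar -xzf "$file" -C "$SRC"
    ( cd "$SRC/$dir" && ./configure "$@" && make && sudo make install )
}

main() {
    mkdir -p "$SRC"

    # Step 1: afflib and its three build dependencies
    sudo apt-get install -y build-essential zlib1g-dev libssl-dev
    verify_tarball "$SRC/afflib.tar.gz" "$AFFLIB_SHA256"
    build_tarball "$SRC/afflib.tar.gz"

    # Step 2: libewf from the three .deb packages
    sudo dpkg -i "$SRC"/libewf/*.deb

    # Step 3: uuid-dev, then The Sleuth Kit
    sudo apt-get install -y uuid-dev
    verify_tarball "$SRC/sleuthkit-$SLEUTHKIT_VER.tar.gz" "$SLEUTHKIT_SHA256"
    build_tarball "$SRC/sleuthkit-$SLEUTHKIT_VER.tar.gz"

    # Step 4: create the evidence locker first, then build autopsy
    # (its configure prompts for the locker's full path)
    sudo mkdir -p "$EVIDENCE"
    verify_tarball "$SRC/autopsy-$AUTOPSY_VER.tar.gz" "$AUTOPSY_SHA256"
    build_tarball "$SRC/autopsy-$AUTOPSY_VER.tar.gz"
    sudo ldconfig   # make the freshly installed shared libraries visible to tsk/autopsy
}

# Run the install only when invoked as: sh install-tsk.sh install
if [ "${1:-}" = "install" ]; then
    main
fi
```

For the Ubuntu 9.10 variant described in the update below, replace the Step 1 build with `sudo dpkg -i` of the two afflib .deb files, the same way Step 2 installs libewf. Keep the evidence locker on a filesystem separate from the images you examine, and leave autopsy's web interface bound to the analysis host only.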

Update for Ubuntu 9.10  - 25 November 2009

For Ubuntu 9.10 the procedure is similar except for Step 1.
The afflib make step may not work, and if you really want AFF support, the simple solution is to download the .deb files built for older distributions.

The files below worked for me:
afflib-dev_1.6.31-0ubuntu1_i386.deb and afflib_1.6.31-0ubuntu2_i386.deb

and can be downloaded from these locations:

http://packages.ubuntu.com/intrepid/i386/afflib-dev/download
or
http://np.archive.ubuntu.com/ubuntu/pool/universe/a/afflib/

Step 2 is easy, just get all 3 libewf packages (just search with Synaptic).

The rest of the procedure is the same.

Updates for Ubuntu 10.10 and the Sleuthkit 3.2.0 are here

4 comments:

Anonymous said...

Would these same instructions also work on 9.04 and 9.10?
Thanks

ecophobia said...

Probably not; usually new versions of Ubuntu differ from each other significantly because of included new packages, aka compilers, libraries etc. I haven't had a chance to look at the issue, but I've seen on the net someone was already complaining about the afflib-3.5.2 package and missing -luuid.

It should be easily solved by running "apt-get install uuid-dev", but probably there would be some other issues to be solved. I haven't got much time at the moment, but may look at it at a later time.

Unknown said...

afflib 3.5.2 in 9.10 compiles just fine, these are the packages that you'll need/want:

apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev

so far so good, playing with PTK rather than autopsy for the multiplayer/database backed bit.

good job, regardless.

eco said...

Thanks for the input.