Friday, December 22, 2006

Installing The Sleuthkit on Ubuntu 6.06 (Dapper)

TSK (The Sleuth Kit) is a package of Unix-based computer forensics tools. My interest at the moment is mainly in robust data recovery.

Usually, it's a good idea to install the distribution's packages if you are running Ubuntu, which I am. In this case, the Ubuntu TSK package is version 2.03, and 2.07 is current as of today, with lots of bug fixes and a few added features. So I started installing from source. There are a couple of dependencies that apt would have handled, but alas... someday I'll have to learn to create packages so I can save people some trouble.

TSK requires afflib. Afflib requires zlib and libssl.

First, install zlib:
download the zlib source tarball
tar -xzvf <zlib tarball>
cd <unpacked zlib directory>
./configure
make
sudo make install (sudo is required to write files into system directories; run configure and make as an ordinary user, since I understand it's bad practice to build as root)

Now libssl:
sudo apt-get install libssl-dev


Now afflib:
This was a pain. Fortunately, it was an unnecessary pain. There's no package available for Ubuntu 6.06 LTS, and compiling it from source doesn't work either. But you don't need to: TSK just needs the afflib code available for its own compile. I found the following:

"The problem is that AFFLIB (for the AFF image format) requires zlib and openssl, both of which do not seem to be included with Ubuntu by default. You will need to install those packages and libraries. Most systems come with those libraries, but Ubuntu does not seem to (I went through the same pain a couple of months ago setting a system up).

Also, someone else had issues compiling Kubuntu with the version of AFFLIB that was included in tsk 2.04, so you should probably update the AFFLIB with the latest version:

1. Download version 1.6.26
http://www.afflib.org/downloads/afflib-1.6.26.tar.gz

2. Untar it.

3. Remove the src/afflib directory from TSK.

4. Move the afflib-1.6.26 directory to src/afflib (be sure you name it afflib and not afflib-1.6.26).

5. Compile TSK as normal."

So...do that. To continue with afflib:

download the afflib 1.6.26 tarball (URL above)
download the TSK 2.07 tarball
tar -xzvf <afflib tarball>
tar -xzvf <TSK tarball>
cd <unpacked TSK directory>/src
rm -rf afflib
cp -r <path to unpacked afflib-1.6.26 directory> ./afflib

Now for TSK:
There is no configure step; just run make in the TSK directory.
This will put all the finished tools in the bin directory inside the TSK source tree, not somewhere in the system folders. You may want to link to /usr/local/bin or some other spot. I copied the whole tree (sudo cp -r sleuthkit-2.07 /usr/local/sleuthkit-2.07), then ln -s /usr/local/sleuthkit-2.07 /usr/local/sleuthkit

The symlink is for the convenience of apps like Autopsy (see below) so they can refer to a generic location and not be tripped up by updated versions of sleuthkit.
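The steps above (zlib, libssl-dev, swapping AFFLIB into the TSK tree, make, copy to a versioned directory plus the stable symlink), collected into one script as an added example. This is not code from the original post or from the TSK project. It assumes the zlib tarball unpacks into a directory named after the tarball, that the TSK tarball unpacks into sleuthkit-2.07 and the AFFLIB one into afflib-1.6.26, and that the script is run as an ordinary user with sudo available for the install steps only.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed names: the zlib tarball
# layout, sleuthkit-2.07/ and afflib-1.6.26/ as the unpacked directory names.
# Everything is built as an unprivileged user; sudo is used only where files
# are written into system directories.

set -eu

AFFLIB_VER=1.6.26
TSK_VER=2.07
PREFIX=${PREFIX:-/usr/local}

# Unpack, configure and build zlib as the current user; only 'make install'
# runs under sudo. The unpacked directory name is read from the tarball itself.
build_zlib() {
    tarball=$1
    dir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    tar -xzf "$tarball"
    ( cd "$dir" && ./configure && make && sudo make install )
}

# Replace TSK's bundled src/afflib with an unpacked AFFLIB directory.
# $1: TSK source tree, $2: unpacked afflib-<version> directory.
# The copy must be named exactly 'afflib', as the quoted instructions stress.
swap_afflib() {
    tsk_src=$1
    afflib_dir=$2
    rm -rf "$tsk_src/src/afflib"
    cp -R "$afflib_dir" "$tsk_src/src/afflib"
}

# Copy the built TSK tree to a versioned directory under $2 and point a stable
# symlink ($2/sleuthkit) at it, so Autopsy keeps working across TSK upgrades.
# $3 is the command used to gain privileges (default sudo); pass "" to run
# without it, e.g. when the prefix is writable by the current user.
install_tsk() {
    tsk_src=$1
    prefix=$2
    as_root=${3-sudo}
    $as_root cp -R "$tsk_src" "$prefix/sleuthkit-$TSK_VER"
    $as_root ln -sfn "$prefix/sleuthkit-$TSK_VER" "$prefix/sleuthkit"
}

# The whole procedure, in the order the post gives it.
# Usage: sh build-tsk.sh run <zlib.tar.gz> <afflib-1.6.26.tar.gz> <tsk-2.07.tar.gz>
run_all() {
    build_zlib "$1"
    sudo apt-get install libssl-dev
    tar -xzf "$2"                        # unpacks to afflib-1.6.26/ (assumed)
    tar -xzf "$3"                        # unpacks to sleuthkit-2.07/ (assumed)
    swap_afflib "sleuthkit-$TSK_VER" "afflib-$AFFLIB_VER"
    ( cd "sleuthkit-$TSK_VER" && make )  # TSK 2.07 has no configure step
    install_tsk "sleuthkit-$TSK_VER" "$PREFIX"
}

if [ "${1:-}" = run ]; then
    shift
    run_all "$@"
fi
```

The functions are kept separate so the directory-swapping and install steps can be tried against a scratch prefix before touching /usr/local. The script does not verify the downloaded tarballs, since the post publishes no checksums; compare them against the values the upstream projects publish before building.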

Now for Autopsy:
Autopsy is the browser-based HTML GUI for TSK. You can do wonderful command-line things with just TSK, but by all accounts, you want this piece to tie it all together.

You need to know where you have sleuthkit installed, because it will ask.

tar -xzvf <Autopsy tarball>
cd <unpacked Autopsy directory>
make
answer its questions (including where sleuthkit is installed)...

then follow the directions it prints
