I try to use my MacBook Pro for most of my day-to-day work. However, when it comes to digital forensics, I typically use my Linux workstation. While this works well, and I enjoy using Linux, it bothers me that I have to switch systems. So, I set about to get all of my forensic tools moved to my MacBook Pro. Following are the steps I performed.
Before we begin, you’ll need to install Xcode if you haven’t already. You won’t be able to compile anything without it.
First, we want to install Sleuth Kit, but before we do we need to get a few libraries installed. Sleuth Kit needs the first and will use the others if they’re available.
The first is libexpat, the XML parsing C library. Download the source and do the following:
# tar xfvz libexpat-X.XX.tar.gz
# cd libexpat-X.XX
# ./configure
# make
# sudo make install
# sudo ln -s /usr/local/lib/libexpat.a /usr/lib
That last step is probably unnecessary if you pass the correct flags to the configure script. I didn’t, so I fixed it by adding the symlink.
Next is AFFLIB which allows you to process disk images that are stored in the AFF format. If you don’t anticipate using AFF disk images, you can skip this step. However, since I never really know what I’m going to be facing, I figure it’s better to have it. Download the source and do the following:
# tar xfvz afflib-X.X.X.tar.gz
# cd afflib-X.X.X
# ./configure
# make
# sudo make install
LibEWF allows you to process disk images stored in Expert Witness format. This is optional, but again, better safe than sorry. If you have MacPorts installed, getting LibEWF is easy. If you don’t have it, install it. Otherwise, download the package and follow the installation instructions. Here’s the MacPorts command.
# sudo port install libewf
Now we’re finally ready to install Sleuth Kit. Download the package, then:
# tar xfvz sleuthkit-X.X.X.tar.gz
# cd sleuthkit-X.X.X
# ./configure
# make
# sudo make install
And that’s that. Your forensics tools (blkcat, icat, etc.) are now in /usr/local/bin. You’ll want to make sure that path is in your PATH statement.
One tool, foremost, is missing. Here’s the easiest way to install it.
# sudo port install foremost
Next, we want to install Autopsy. Autopsy will use the NIST National Software Reference Library (NSRL) if you have it installed. If you don’t need it, you can skip straight to installing Autopsy.
To install the NSRL, we first need to download 4 ISO files. You can download them at this location. They’re typically labeled disc 1, disc 2, disc 3 and disc 4. They’re big files (334MB) so make sure you have plenty of room. I put mine in /Users/stephen/Library/NISTLib/ISOs.
Now mount each ISO and copy the ZIP files out. I copied mine to /Users/stephen/Library/NISTLib. Now we need to open a command prompt. We want to unzip each file and copy the NSRLFile.txt from each into one huge file. Here are the steps.
# cd /Users/stephen/Library/NISTLib
# unzip RDS_224A.ZIP
# cat NSRLFile.txt > FullLib.txt
# unzip RDS_224B.ZIP
# cat NSRLFile.txt >> FullLib.txt
# unzip RDS_224C.ZIP
# cat NSRLFile.txt >> FullLib.txt
# unzip RDS_224D.ZIP
# cat NSRLFile.txt >> FullLib.txt
# rm -rf *.ZIP NSRL* hashes.txt version.txt
# mv FullLib.txt NSRLFile.txt
# rm -rf ISOs
At this point, NSRLFile.txt should be the only file in our directory.
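The cat steps above copy each disc’s NSRLFile.txt whole, so the merged file carries the CSV header line again wherever the next disc starts. Here is an added shell example, not part of the original post, that does the same merge but keeps only the first header and refuses to continue if one of the inputs is missing. It assumes that each NSRLFile.txt begins with exactly one header line (as the RDS 2.x discs did), and it builds small constructed stand-ins for the four unzipped discs so that it runs without the ISOs; the directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: merge the per-disc NSRLFile.txt
# files into one hash set while keeping a single header line.
# Assumption: each NSRLFile.txt starts with exactly one CSV header line
# (true of the RDS 2.x discs). Directory and file names are placeholders.

# merge_nsrl OUT FILE...  Write FILE1 whole, then every line but the first of
# the remaining files. Fails (status 1) if any input is missing, so a disc
# that did not unzip cleanly is noticed instead of silently left out.
merge_nsrl() {
    out=$1; shift
    first=1
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "merge_nsrl: missing input $f" >&2
            return 1
        fi
        if [ "$first" -eq 1 ]; then
            cat "$f" > "$out"            # header comes from the first disc
            first=0
        else
            tail -n +2 "$f" >> "$out"    # drop the repeated header
        fi
    done
}

# nsrl_records FILE  Number of hash records in FILE (lines minus the header).
nsrl_records() {
    n=$(wc -l < "$1" | tr -d ' ')
    echo $((n - 1))
}

# nsrl_headers FILE  How many header lines FILE contains; a clean merge has 1.
nsrl_headers() {
    grep -c '^"SHA-1",' "$1"
}

# Constructed stand-ins for the four unzipped discs (two records each).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
hdr='"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'
for d in A B C D; do
    mkdir -p "$workdir/RDS_224$d"
    {
        echo "$hdr"
        echo "\"SHA1-PLACEHOLDER-$d-1\",\"MD5-PLACEHOLDER-$d-1\",\"00000001\",\"file$d-1.dll\",\"1024\",\"1\",\"189\",\"\""
        echo "\"SHA1-PLACEHOLDER-$d-2\",\"MD5-PLACEHOLDER-$d-2\",\"00000002\",\"file$d-2.exe\",\"2048\",\"1\",\"189\",\"\""
    } > "$workdir/RDS_224$d/NSRLFile.txt"
done

# Merge the four stand-in discs and report what came out.
merge_nsrl "$workdir/NSRLFile.txt" "$workdir"/RDS_224?/NSRLFile.txt
echo "records: $(nsrl_records "$workdir/NSRLFile.txt")  headers: $(nsrl_headers "$workdir/NSRLFile.txt")"
```

On the real discs you would point merge_nsrl at the four unzipped NSRLFile.txt files in turn and then check that nsrl_headers reports 1 before handing the result to Autopsy; a second header line in the middle of the file is the kind of thing an indexer can trip over, and it is cheaper to check here than to rerun the index build.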
Now it’s time to install Autopsy. We need to create a directory for the evidence locker. This is where Autopsy will store configuration files, audit logs and output. I put mine in the root directory, but you can put it anywhere that Autopsy can write to.
# sudo mkdir /forensics
# sudo chown stephen /forensics
# sudo chgrp staff /forensics
Now it’s time to build Autopsy.
# make
[Removed]
Have you purchased or downloaded a copy of the NSRL (y/n) [n]: y
Enter the directory where you installed it:
/Users/stephen/Library/NISTLib
/Users/stephen/Library/NISTLib
NSRL database was found (NSRLFile.txt)
NSRL Index file not found, do you want it created? (y/n) [n]: y
Now take a break/vacation. The system is going to create index files and this takes a while. Once done, it asks where we want the evidence locker.
[Removed]
Enter the directory that you want to use for the Evidence Locker: /forensics
And that’s it. Now let’s test it.
# ./autopsy
=========================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.21
=========================================
Evidence Locker: /forensics
Start Time: Tue Jun 9 10:30:16 2009
Remote Host: localhost
Local Port: 9999
Open an HTML browser on the remote host and paste this URL in it:
http://localhost:9999/autopsy
Keep this process running and use <ctrl-c> to exit
Now open a browser and point it to the given URL. You should be ready to go!
Tags: autopsy, Forensics, sleuth kit