autopsy
autopsy copied to clipboard
sleuthkit
Make a Linux Package of Autopsy
I'm making this issue to track progress on making a package for Linux. Last time this was discussed, there were some Java build issues that needed to be resolved. But, the details were not fully understood at the time.
From a skim of the Debian docs:
Regarding JNI:
If a Java library relies on native code, the dynamic libraries containing this compiled native code should be installed into the directory /usr/lib/jni. These dynamic libraries should be shipped in a separate architecture-specific package named libXXX[version]-jni. The package containing the Java bytecode (generally libXXX[version]-java) should depend on this package.
There may be situations, such as with very small packages, where it is better to bundle the Java code and the native code together into a single package. Such packages should be architecture-specific and follow the usual libXXX[version]-java naming convention.
TODO: This will require some changes to the TSK build. Currently, tsk_jni is installed in same place as libtsk and some of the native code is embedded the JAR file. We have historically embedded the native code to make it easier to expand the JNI API w/out requiring a TSK release each time. But, we've started to get in the habit of Autopsy depending only on released versions of TSK.
Java Packaging
TODO: Someone should run javahelper on the TSK bindings and Autopsy to see what policy violations we are breaking.
Not quite complete packaging yet, but those instructions at least give some solid foundation for building Autopsy on Linux: https://periciacomputacional.com/linux-install-autopsy/
It'll compile, but won't run cleanly.
Case setup works fine, but attempting to add a data source, or alter the Keyword Search options throws a null pointer exception - similar to https://github.com/sleuthkit/autopsy/issues/2210 - but manifesting as
[exec] SEVERE [global]
[exec] java.lang.NullPointerException
[exec] at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.addPropertyChangeListener(KeywordSearchGlobalSettingsPanel.java:56)
I also think you need to add a
apt-get install solr-tomcat
to your script to get the solr & lucene server installed for keyword searching.
Ditto, on Debian. I've made a little progress by disabling the Keyword Search module for now.
@marshalla99, a quick analysis suggests to me that your conjecture about #2210 is correct and wishdasher's fix on Sept 12, 2016 missed a place where super class addPropertyChangeListener/removePropertyChangeListener methods need to be invoked, i.e., in KeywordSearchGlobalSettingsPanel and any child components that override addPropertyChangeListener/removePropertyChangeListener.
Thanks @rcordovano Unfortunately, I'm not a Java programmer so I'm kinda hoping someone might have time to patch that. FWIW, the rest of the modules seem to be working pretty well. I have successfully ingested a 2Gb dd image and carried out some simple viewing tasks.
My goal is to get a reasonably stable version running on a live distro., so I can use it when I teach my Masters forensic computing module in March.
@marshalla99, I have made a fix to the add/remove property change listener code of these two classes:
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/GlobalListSettingsPanel.java KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchGlobalSettingsPanel.java
The fix is in a new release-4.5.1 branch (commit 67cab4672fa99ea3cb1fe72ca30087e5efdd58bb). Will you please test the fix? If so, thanks, it is appreciated.
Well, it's moved the error down a couple of lines ;)
[exec] SEVERE [global] [exec] java.lang.NullPointerException [exec] at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.addPropertyChangeListener(KeywordSearchGlobalSettingsPanel.java:58)
@marshalla99 , I have pushed another commit to the release-4.5.1 branch. Please let me know if this solves the problem, thanks.
Sorry, same error but now in line 55.
In case I'm leading you down the wrong path and there's something more fundamental wrong with the build environment, I'm attaching the build log and runtime logs.
autopsy.log autopsy_traces.log messages.log
@marshalla99, thanks, it was extremely informative to have the stack trace for the exception from messages.log. It allowed me to pinpoint the problem. Unless you express interest in the actual details of my analysis, I will simply tell you that I don't have a quick and easy fix. I'll post here when I have found a way forward.
@marshalla99, I put on my thinking cap, as we used say when I was a child, and I came up with what might be a quick and easy fix. I have pushed a commit with my workaround to the release-4.5.1 branch. Please let me know if I have nailed it this time.
For anyone interested, I believe the problem is that there is a class in the look and feel library (javax.swing.plaf.synth.SynthPanelUI) in use in this case that is following the bad practice of calling overrideable methods in a constructor. It is happening via a call to addPropertyChangeListener (the overrideable method) as you can see in this fragment of a stack trace:
SEVERE [global] java.lang.NullPointerException at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.addPropertyChangeListener(KeywordSearchGlobalSettingsPanel.java:55) at javax.swing.plaf.synth.SynthPanelUI.installListeners(SynthPanelUI.java:83) at javax.swing.plaf.synth.SynthPanelUI.installUI(SynthPanelUI.java:63) at javax.swing.JComponent.setUI(JComponent.java:666) at javax.swing.JPanel.setUI(JPanel.java:153) at javax.swing.JPanel.updateUI(JPanel.java:126) at javax.swing.JPanel.<init>(JPanel.java:86) at javax.swing.JPanel.<init>(JPanel.java:109) at javax.swing.JPanel.<init>(JPanel.java:117) at org.sleuthkit.autopsy.ingest.IngestModuleGlobalSettingsPanel.<init>(IngestModuleGlobalSettingsPanel.java:26) at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.<init>(KeywordSearchGlobalSettingsPanel.java:36)
When this happens for a few JPanel subclasses in Autopsy that pass the listener on to the child JPanels, the child components have not been constructed yet, since the parent JPanel's constructor has not been called yet, leading to the NullPointerException.
My simple, if somewhat unpalatable, workaround is to do null checks.
For anyone still having trouble.
I found the files KeywordSearchGlobalSettingsPanel.java and GlobalListSettingsPanel.java and commented the following methods addPropertyChangeListener and removePropertyChangeListener and it worked.
The files where on the <autopsy_base_dir>/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/
I would really like to help creating a deb package for autopsy, let me know if there is anything I can do to help.
@cesar-rickinho, you may have resolved your NPE during initialization, but you have broken the way the various tabs of the Keyword Search options panel communicate with each other.
I have a note from you ("I tried your fix editing the files manually but it still didn't worked in Debian, but I tried to comment the entire methods (both of them addPropertyChangeListener and removePropertyChangeListener) from both files and it worked. I got autopsy to add a data source. Still haven't tested all options though.") that references commit 67cab46. That is commit is not sufficent. The fix is the combination of b4d2cbd447de2759c94d588dee40b012827ec62f and 67cab4672fa99ea3cb1fe72ca30087e5efdd58bb. The interim commit 35f84dce94484a1cc61436b07bc6594768667bd9 did nothing to fix the problem.
I have had a verification of the fix from another person doing Linux builds via a personal email.
I have merged the release-4.5.1 branch into the develop branch, so my fix is ion both places now. @cesar-rickinho, I suggest that you try the develop branch again, so you will have a correctly functioning version of Autopsy. Please let me know if you can add a second confirmation of the fix, thanks!
Sorry, I’ve been on the road for a week or so dealing with other matters. I’ll try a build tomorrow when I have some time in the office and report back.
Thanks for your efforts so far.
On 8 Nov 2017, at 22:53, Richard Cordovano [email protected] wrote:
@marshalla99, I put on my thinking cap, as we used say when I was a child, and I came up with what might be a quick and easy fix. I have pushed a commit with my workaround to the release-4.5.1 branch. Please let me know if I have nailed it this time.
For anyone interested, I believe the problem is that there is a class in the look and feel library (javax.swing.plaf.synth.SynthPanelUI) in use in this case that is following the bad practice of calling overrideable methods in a constructor. It is happening via a call to addPropertyChangeListener (the overrideable method) as you can see in this fragment of a stack trace:
SEVERE [global] java.lang.NullPointerException at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.addPropertyChangeListener(KeywordSearchGlobalSettingsPanel.java:55) at javax.swing.plaf.synth.SynthPanelUI.installListeners(SynthPanelUI.java:83) at javax.swing.plaf.synth.SynthPanelUI.installUI(SynthPanelUI.java:63) at javax.swing.JComponent.setUI(JComponent.java:666) at javax.swing.JPanel.setUI(JPanel.java:153) at javax.swing.JPanel.updateUI(JPanel.java:126) at javax.swing.JPanel.(JPanel.java:86) at javax.swing.JPanel.(JPanel.java:109) at javax.swing.JPanel.(JPanel.java:117) at org.sleuthkit.autopsy.ingest.IngestModuleGlobalSettingsPanel.(IngestModuleGlobalSettingsPanel.java:26) at org.sleuthkit.autopsy.keywordsearch.KeywordSearchGlobalSettingsPanel.(KeywordSearchGlobalSettingsPanel.java:36)
When this happens for a few JPanel subclasses in Autopsy that pass the listener on to the child JPanels, the child components have not been constructed yet, since the parent JPanel's constructor has not been called yet, leading to the NullPointerException.
My simple, if somewhat unpalatable, workaround is to do null checks.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.
Thanks @rcordovano, it's been a long time since I coded anything, so I know that I was going to break something else, but I needed to check if it worked so that maybe I could give some light to what might be. You've done it, thanks, I downloaded the release-4.5.1 and it worked out of the box.
@marshalla99, thanks, and you're welcome.
@cesar-rickinho, thanks, I appreciate the additional confirmation of the fix.
We'll get there...
OK - fresh build in my test VM at work. The error during addition of the first data source has gone! Well done and thanks again! I'm running the full set of ingestion modules on a small image of a USB stick so will report back what (if anything) goes awry during that process.
OK - that's a massive step forward. Ingestion now works (as long as I remember to disable Photorec, Hash Lookup and Correlation for now) and keyword searching is possible There's a minor problem with Image Writer Opening/Closing Case Resources dialogs not closing correctly after startup and during shutdown - this may be a Java/Linux issue more than anything else, but the tool looks usable now.
Just for fun I tried to do "ant build-installer" on my current Linux build.
Showstoppers:
- gstreamer. There's no *nix gstreamer.zip in the thirdparty directory. I suspect it's not needed as the gstreamer dependent elements appear to work correctly anyway.
- cheating by using a symlink to the windows version lets the build proceed a bit further, but there's a problem somewhere in the scripts caused by of a "-JXdock" directive which is not recognised.
Consider checking https://github.com/labcif/autopsy-packager and the AUR Arch Linux repositories for autopsy and autopsy-bin.
