Many forensic examiners and investigators are used to having resources at their place of employment to work cases. We believe the learning process never stops and no one can be an expert in everything, so we have to use the resources at our disposal, and when we're away from work we may not have the forensic workstations or licence dongles needed to run commercial software. Autopsy is open-source forensic software built on The Sleuth Kit, and it is remarkable for what it does at its price point (free). Autopsy for Windows is an easy install, as simple as double-clicking an exe; for those of us with Apple products at home, installation is a bit more cumbersome.
The guides in the links below really helped along the way and were created to work on macOS Catalina. With the introduction of macOS Big Sur, some of the instructions were no longer valid and some needed updates. This guide is largely based on the links below, but I wanted to provide a more visual instruction to installing Autopsy on macOS Big Sur 11.5.2 from start to finish.
We will be installing:
Sleuth Kit: 4.11.0
Estimated completion time: 40 minutes.
Install of required tools and dependencies
I'm starting with a brand new install of macOS, so there is nothing on this machine. We'll kick off by installing the Xcode command line tools, which provide the compilers and build tools that Terminal needs for the rest of the process. 'xcode-select --install' gets what's necessary; it does not need sudo, and it opens a system dialog that downloads the tools.
Next, we need Homebrew and a few packages it can download for us. If you've never installed Homebrew, head over to https://brew.sh and copy the install command shown on the homepage into your macOS Terminal. That command fetches a script with curl and runs it with bash; it is worth opening the script URL in a browser and reading it before you execute it, as you would for anything downloaded and run straight from the internet.
You'll see a bunch of things installed that will ultimately allow you to install the packages required later for Autopsy.
Install ImageMagick to be able to view the HEIC files
We want to be able to view Apple's High Efficiency Image File Format (HEIC) images, which Autopsy relies on ImageMagick to convert.
Install TestDisk to enable photo carving
This is required for photo carving: the TestDisk package includes PhotoRec, which Autopsy's PhotoRec Carver ingest module runs.
Install GStreamer to be able to play back videos
To play back videos inside Autopsy, we'll need GStreamer.
The next step is to install a Java Development Kit that Autopsy can use. It has to be a very specific build, BellSoft's Liberica JDK 8 'full' distribution, because Autopsy needs JavaFX and the standard OpenJDK 8 builds don't ship it, so you can't just go out and install Java from Oracle's website. We'll use the following two commands to install Liberica JDK 8.
We can see that Liberica JDK8 was successfully installed.
Now we need to set up a few environment variables. The two below should do the trick.
Once that completes, we can verify that the correct version of Java is first on the PATH. It should report 1.8.xxx.
Since I’m running Big Sur, I want to make the Java variable persistent in the .zshrc file.
We want to ensure that when you open up a new Terminal window, you’ll have access to the correct Java version.
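The tool, Homebrew package and JDK steps above, collected into one re-runnable script. This is an added example written for this page, not the author's own commands or anything shipped by the Autopsy project; it assumes Homebrew is already installed and on PATH, that the cask is liberica-jdk8-full from the bell-sw/liberica tap, and that the login shell is zsh, so the persistent variables go in ~/.zshrc. The two helper functions are the parts worth keeping: one refuses to continue unless the Java that would actually run is 1.8, and the other adds the exports to the profile exactly once, so re-running the script never duplicates them.

```shell
#!/bin/sh
# Added example, not part of the original post: the tool, Homebrew package
# and Liberica JDK 8 steps collected into one re-runnable script.
# Assumptions: Homebrew is installed and on PATH, the cask is
# liberica-jdk8-full from the bell-sw/liberica tap, and the login shell is
# zsh, so the persistent variables go in ~/.zshrc.
set -eu

# Install the Xcode CLT (no sudo needed; a no-op once installed), the three
# Homebrew packages Autopsy calls out to, and the Liberica JDK 8 cask.
install_tools() {
    xcode-select --install 2>/dev/null || true
    brew install imagemagick    # view Apple HEIC images
    brew install testdisk       # provides PhotoRec for photo carving
    brew install gstreamer      # video playback
    brew tap bell-sw/liberica
    brew install --cask liberica-jdk8-full
}

# Extract major.minor from a `java -version` banner passed in as $1, e.g.
#   openjdk version "1.8.0_302"   ->  1.8
# so the script can stop when the wrong JDK is first on PATH.
java_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Append JAVA_HOME and PATH exports to a profile file exactly once, so every
# new Terminal picks up JDK 8.  $1 = profile path (default ~/.zshrc).
# Prints how many copies of the marker line the file now holds (should be 1).
persist_java_env() {
    profile=${1:-"$HOME/.zshrc"}
    marker='# Autopsy: use Liberica JDK 8 in every new Terminal'
    if ! grep -qF "$marker" "$profile" 2>/dev/null; then
        {
            printf '%s\n' "$marker"
            printf '%s\n' 'export JAVA_HOME=$(/usr/libexec/java_home -v 1.8)'
            printf '%s\n' 'export PATH="$JAVA_HOME/bin:$PATH"'
        } >> "$profile"
    fi
    grep -cF "$marker" "$profile" || true
}

# The whole sequence runs only when invoked as:  sh setup_java.sh install
if [ "${1:-}" = "install" ]; then
    install_tools
    JAVA_HOME=$(/usr/libexec/java_home -v 1.8)
    export JAVA_HOME
    ver=$(java_major_minor "$("$JAVA_HOME/bin/java" -version 2>&1)")
    [ "$ver" = "1.8" ] || { echo "expected Java 1.8, got $ver" >&2; exit 1; }
    persist_java_env "$HOME/.zshrc" >/dev/null
    echo "JAVA_HOME=$JAVA_HOME (Java $ver)"
fi
```

The exports are written as the `/usr/libexec/java_home -v 1.8` lookup rather than a hard-coded path, so a later cask upgrade of JDK 8 keeps working without editing .zshrc.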
Building the Sleuth Kit
Install Sleuth Kit Dependencies
We will start the build with the installation of a few key Sleuth Kit dependencies with the following command.
We need to ensure that the Sleuth Kit is using the correct version of Java that we previously installed.
And we can verify that our symlink is pointing to the correct Java version.
Build and install the Sleuth Kit
We then need to download The Sleuth Kit from https://github.com/sleuthkit/sleuthkit/releases. The file we need ends in tar.gz (the source archive, not a Windows build). If a checksum or signature is published alongside the release, verify the download against it before building.
I saved the Sleuth Kit download to my Documents folder so I’m going to cd into that folder.
From there, I unzip the downloaded file 'sleuthkit-4.11.0.tar.gz'. Depending on when you read this, your Sleuth Kit version may be different.
Since you're on a Mac, you might be prompted to allow Terminal access to different folders. Click 'OK' to proceed.
After it’s unzipped, we need to cd into the Sleuth Kit folder.
We need to configure Sleuth Kit with the following commands.
If everything installed correctly, you should see 'yes' next to afflib support, libewf support, zlib support, Java/JNI support and Multithreading, as shown below. If Java/JNI support says 'no', configure did not find the JDK, and Autopsy will not be able to load the Sleuth Kit bindings later; fix JAVA_HOME and re-run configure before going any further. Autopsy no longer requires postgresql support.
Once you have all the required configurations correct, we can use ‘make’ to build Sleuth Kit.
If everything goes well, you will see ‘Build Success’.
Now let’s make sure Sleuth Kit is pointing to all the right things.
Once complete, we can verify that Java is correctly being used by the sleuthkit as shown below.
Installing Autopsy
We download the Autopsy zip file from https://github.com/sleuthkit/autopsy/releases/.
I downloaded this into my Documents folder as well so I need to cd into the Documents folder and unzip the downloaded zip file.
Now that it's unzipped, we can cd into the autopsy folder. From there, we run the following command to set up Autopsy and make sure it finds all its prerequisites (the Sleuth Kit we just built and the JDK).
We have success...we are ready to run.
Once that’s complete, let’s cd into the bin folder to launch autopsy with the following command:
You should see additional lines come up in the Terminal.
And we have success!
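The Sleuth Kit build and the Autopsy setup above, as one script. This is an added example, not the commands from the author's screenshots or from the Autopsy project; it assumes JAVA_HOME already points at Liberica JDK 8, that both downloaded archives sit in the current directory, and that unix_setup.sh accepts -j followed by the JDK home (an assumed flag; check `sh unix_setup.sh -h` in the version you downloaded). The part worth copying is the check on the ./configure summary: it fails the build immediately if any of the five required features is not reported as yes, instead of letting you sit through a long make and only find out when Autopsy cannot load its bindings.

```shell
#!/bin/sh
# Added example, not the post's own commands: Sleuth Kit build plus Autopsy
# setup, with a check on the ./configure summary before the long make.
# Assumptions: JAVA_HOME points at Liberica JDK 8, both archives are in the
# current directory, and unix_setup.sh accepts -j <jdk home> (assumed flag).
set -eu

# Features that must show "yes" in the Sleuth Kit configure summary for
# Autopsy: AFF (afflib) and E01 (libewf) images, zlib, the JNI bindings
# Autopsy loads, and multithreaded ingest.
REQUIRED_FEATURES='afflib support
libewf support
zlib support
Java/JNI support
Multithreading'

# $1 = file holding ./configure output.  Prints every required feature that
# is not reported as "yes", one per line; returns 1 if anything is missing.
check_configure_summary() {
    missing=$(printf '%s\n' "$REQUIRED_FEATURES" | while IFS= read -r feat; do
        grep -Eq "^[[:space:]]*${feat}:[[:space:]]+yes" "$1" || printf '%s\n' "$feat"
    done)
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed approximation of the summary a good build prints (the real
# one has more lines); used only to self-check the function above.
sample_configure_summary() {
    cat <<'EOF'
Building:
   afflib support:                        yes
   libewf support:                        yes
   zlib support:                          yes
   libvhdi support:                       no
   libvmdk support:                       no
   postgresql support:                    no
Features:
   Java/JNI support:                      yes
   Multithreading:                        yes
EOF
}

# $1 = sleuthkit-X.Y.Z.tar.gz from github.com/sleuthkit/sleuthkit/releases
build_sleuthkit() {
    brew install ant automake libtool afflib libewf
    tar -xzf "$1"
    cd "$(basename "$1" .tar.gz)"
    ./configure 2>&1 | tee configure.log
    if ! check_configure_summary configure.log; then
        echo "configure left a required feature disabled; fix that library before make" >&2
        return 1
    fi
    make
    sudo make install
    cd ..
}

# $1 = autopsy-X.Y.Z.zip from github.com/sleuthkit/autopsy/releases
setup_autopsy() {
    unzip -q "$1"
    cd "$(basename "$1" .zip)"
    sh unix_setup.sh -j "$JAVA_HOME"    # -j is an assumption, see header
    cd ..
}

# Launch from the bin folder with the JDK pinned explicitly.  $1 = folder.
launch_autopsy() {
    cd "$1/bin" && ./autopsy --jdkhome "$JAVA_HOME"
}

# Usage:  sh build_autopsy.sh build sleuthkit-4.11.0.tar.gz autopsy-4.19.1.zip
if [ "${1:-}" = "build" ]; then
    build_sleuthkit "$2"
    setup_autopsy "$3"
    launch_autopsy "$(basename "$3" .zip)"
fi
```

Keeping configure.log around is also useful later: when an ingest module fails on a particular image type, the log tells you which libraries the installed Sleuth Kit was actually built with.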
Let’s run a test case to ensure it’s working properly. We want to deselect the following ingest modules: Android Analyzer (aLEAPP), Plaso, YARA Analyzer, iOS Analyzer (iLEAPP). If you don’t, Autopsy will crash and give you an error message like the one below.
Once we have those deselected, we run Autopsy as we normally would. I downloaded the m57 e01 from https://digitalcorpora.org/corpora/scenarios/m57-jean. Once we let it run and complete the ingest modules, it’s ready for further examination.
Making it an ‘App’
Now that we have it running, we could stop there if we wanted to. But I tend to like things that look 'nice' and fit with the rest of my Mac apps, and I don't want to keep going into the bin folder to launch Autopsy. So we're going to use Automator to create an 'app' that launches it with a double click.
First, open up Automator on your Mac and select 'Application'.
From there, we want to select ‘Run Shell Script’ from the Actions menu.
We will then enter the following commands in the 'Run Shell Script' screen. An Automator app does not start in the Autopsy folder, so the script has to cd into the bin folder first (replace the placeholder with wherever you unzipped Autopsy), and note the JDK lives under 'JavaVirtualMachines' with 'Contents/Home':
cd /path/to/autopsy/bin
./autopsy --jdkhome /Library/Java/JavaVirtualMachines/liberica-jdk-8-full.jdk/Contents/Home
We also want to save it as ‘Autopsy’ in the Applications folder.
Once you save and close it, you can go to your Applications launcher and you’ll see a new Autopsy ‘app’.
Fixing the ‘app’ icon
Remember when I said I like it to look nice... well, that Automator icon doesn't fit with the rest of the apps. I need Renzix on my machine! The icon we need is located in the autopsy folder we downloaded earlier. But first, we have to convert it to icns.
Double click on the icon and it should open up in Preview. Once there, we need to export it as a PNG.
Now let's create a folder called logo.iconset and place the PNG we exported above inside it. The folder name has to end in .iconset for the next command to work, and iconutil also expects the PNGs inside to carry its fixed names (icon_16x16.png, icon_32x32.png, icon_128x128.png, icon_256x256.png, icon_512x512.png, plus @2x variants for the Retina sizes), so rename your export to the name matching its pixel size; a PNG with any other name will not be picked up.
Now go back to Terminal and cd to the Desktop. Run the following command to convert your PNG into an icns. Since we didn't set an output path, the icns will be written to the Desktop.
Now we can right click on the Autopsy ‘app’ to ‘Get Info’. We click and drag the newly created icns file onto the picture.
And now we have success! Autopsy has its proper icon and launches like a normal app.
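The two scriptable parts of the 'app' section, as an added example that is not from the original post: the text to paste into Automator's 'Run Shell Script' action, which must cd into Autopsy's bin folder because an Automator app does not start there, and an iconset builder that produces every file name iconutil insists on from a single source PNG. It assumes the JDK path is where the Liberica cask installs it, and /path/to/autopsy stands in for wherever you unzipped Autopsy. The sips and iconutil calls only exist on macOS; the naming and validation helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: (1) the lines for Automator's
# "Run Shell Script" action, with the cd an Automator app needs, and (2) an
# iconset builder, since iconutil only accepts PNGs named icon_<N>x<N>.png
# and icon_<N>x<N>@2x.png.  Assumptions: the JDK path is the Liberica cask
# install location; /path/to/autopsy is a placeholder for your folder.
set -eu

JDK_HOME=/Library/Java/JavaVirtualMachines/liberica-jdk-8-full.jdk/Contents/Home

# Print the two lines to paste into Automator.  $1 = Autopsy folder.
launcher_script() {
    printf 'cd "%s/bin"\n./autopsy --jdkhome "%s"\n' "$1" "$JDK_HOME"
}

# The ten file names Apple's iconutil expects inside a .iconset folder.
required_iconset_names() {
    for n in 16 32 128 256 512; do
        printf 'icon_%sx%s.png\nicon_%sx%s@2x.png\n' "$n" "$n" "$n" "$n"
    done
}

# Pixel size an iconset file name must have: icon_512x512@2x.png -> 1024
pixel_size_for() {
    px=${1#icon_}
    px=${px%%x*}
    case $1 in *@2x*) px=$((px * 2)) ;; esac
    printf '%s\n' "$px"
}

# Check a folder before calling iconutil: the name ends in .iconset and all
# required files are present.  Prints missing names; returns 1 if any.
validate_iconset() {
    case $1 in
        *.iconset) ;;
        *) echo "folder name must end in .iconset" >&2; return 1 ;;
    esac
    missing=$(for name in $(required_iconset_names); do
        [ -f "$1/$name" ] || printf '%s\n' "$name"
    done)
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# macOS only: resize one source PNG (ideally 1024x1024) into every required
# size with sips, validate, then pack with iconutil.  $1 = PNG, $2 = basename.
build_icns() {
    set_dir="$2.iconset"
    mkdir -p "$set_dir"
    for name in $(required_iconset_names); do
        px=$(pixel_size_for "$name")
        sips -z "$px" "$px" "$1" --out "$set_dir/$name" >/dev/null
    done
    validate_iconset "$set_dir"
    iconutil -c icns "$set_dir" -o "$2.icns"
}

# Usage:  sh make_icon.sh icns autopsy-icon.png logo     -> logo.icns
if [ "${1:-}" = "icns" ]; then
    build_icns "$2" "${3:-logo}"
fi
```

Generating all ten sizes from one source is what makes the icon look right in the Finder, the Dock and Get Info at the same time; a single 512x512 file gives a blurry result at the small sizes.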
One thing I wasn’t able to figure out to complete the install is how to change the icon in the Dock when Autopsy launches. I’m stuck with this.
Wow, that was a long one with many pictures that hopefully helped someone out. Autopsy is a great open-source tool that enables a lot of folks to delve into computer forensics. It’s always been readily accessible on the Windows side but been very difficult to get working on the macOS side. Now we can all have some computer forensics fun at home and delve into cool new artifacts. If you have any questions or know how to fix that dock icon, please reach out!