From 32e824434bcc5e332e9e04e1e3b3aeec90a2fcab Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro
Date: Wed, 17 May 2023 13:36:00 -0400
Subject: [PATCH 1/7] changes for linux and mac installation
---
 .travis.yml | 8 ++++----
 appveyor.yml | 6 +++---
 linux_macos_install_scripts/install_prereqs_macos.sh | 8 ++++----
 linux_macos_install_scripts/install_prereqs_ubuntu.sh | 10 +++++-----
 4 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index dfe0a70a66..28218be2c9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -52,16 +52,16 @@ before_script:
 wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add -;
 echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list;
 sudo apt-get update;
- sudo apt-get install bellsoft-java11-full;
+ sudo apt-get install bellsoft-java17-full;
 export PATH=/usr/bin:$PATH;
- export JAVA_HOME=/usr/lib/jvm/bellsoft-java11-full-amd64;
+ export JAVA_HOME=/usr/lib/jvm/bellsoft-java17-full-amd64;
 fi
 - if [ $TRAVIS_OS_NAME = osx ]; then
 brew uninstall java --force --ignore-dependencies;
 brew cask uninstall java --force;
 brew tap bell-sw/liberica;
- brew cask install liberica-jdk11-full;
- export JAVA_HOME=/Library/Java/JavaVirtualMachines/liberica-jdk-11-full.jdk/Contents/Home;
+ brew install --cask liberica-jdk17-full;
+ export JAVA_HOME=/Library/Java/JavaVirtualMachines/liberica-jdk-17-full.jdk/Contents/Home;
 fi
 - java -version
diff --git a/appveyor.yml b/appveyor.yml
index f6cd5374bb..d691bcd385 100644
--- a/appveyor.yml
+++ b/appveyor.yml
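Review bot: The osx branch still runs `brew cask uninstall java --force` two lines before the new `brew install --cask liberica-jdk17-full`; the `brew cask` subcommand no longer exists on current Homebrew, so that step fails before the migrated install line is reached. Migrate it the same way: `brew uninstall --cask java --force;`. In the linux branch, `sudo apt-key add -` places the BellSoft key in the global trusted keyring, where it is accepted as a signer for every configured repository, and `apt-key` is deprecated on current Ubuntu; the same pattern is in install_prereqs_ubuntu.sh in this patch. Writing the key to its own file and pinning it with `signed-by=` scopes trust to that one repository: `sudo install -d /etc/apt/keyrings; wget -qO- https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo gpg --dearmor -o /etc/apt/keyrings/bellsoft.gpg;` and `echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/bellsoft.gpg] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list;`.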
@@ -11,14 +11,14 @@ platform: x64
 environment:
 global:
 TSK_HOME: "C:\\sleuthkit"
- JDK_HOME: C:\Program Files\BellSoft\LibericaJDK-11-Full
- JAVA_HOME: C:\Program Files\BellSoft\LibericaJDK-11-Full
+ JDK_HOME: C:\Program Files\BellSoft\LibericaJDK-17-Full
+ JAVA_HOME: C:\Program Files\BellSoft\LibericaJDK-17-Full
 PYTHON: "C:\\Python36-x64"
 install:
 - ps: choco install nuget.commandline
 - ps: choco install ant --ignore-dependencies
- - ps: choco install liberica11jdkfull --force
+ - ps: choco install liberica17jdkfull --force
 - git clone https://github.com/sleuthkit/sleuthkit
 - ps: $env:Path="$($env:JAVA_HOME)\bin;$($env:Path);C:\ProgramData\chocolatey\lib\ant"
 - set PATH=C:\Python36-x64\';%PATH%
diff --git a/linux_macos_install_scripts/install_prereqs_macos.sh b/linux_macos_install_scripts/install_prereqs_macos.sh
index 61615f3032..127b21a22e 100644
--- a/linux_macos_install_scripts/install_prereqs_macos.sh
+++ b/linux_macos_install_scripts/install_prereqs_macos.sh
@@ -9,14 +9,14 @@ then
 exit 1
 fi
-echo "Installing liberica java 8..."
+echo "Installing liberica java 17..."
 brew tap bell-sw/liberica && \
-brew install --cask liberica-jdk8-full
+brew install --cask liberica-jdk17-full
 if [[ $? -ne 0 ]]
 then
 echo "Unable to install liberica java" >> /dev/stderr
 exit 1
 fi
-java_path=$(/usr/libexec/java_home -v 1.8)
-echo "Java 1.8 path: $java_path"
\ No newline at end of file
+java_path=$(/usr/libexec/java_home -v 17)
+echo "Java 17 path: $java_path"
\ No newline at end of file
diff --git a/linux_macos_install_scripts/install_prereqs_ubuntu.sh b/linux_macos_install_scripts/install_prereqs_ubuntu.sh
index 5c03de40af..498dd546a1 100644
--- a/linux_macos_install_scripts/install_prereqs_ubuntu.sh
+++ b/linux_macos_install_scripts/install_prereqs_ubuntu.sh
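Review bot: `java_path=$(/usr/libexec/java_home -v 17)` is not checked: when no JDK 17 is registered with the system (for example if the cask installed but is not yet visible to `java_home`), `java_home` prints its error to stderr and exits non-zero, `java_path` is empty, and the script still prints `Java 17 path: ` and exits 0, so the user who is told to note this path for install_application.sh gets nothing. Make the lookup fatal: `java_path=$(/usr/libexec/java_home -v 17) || exit 1`. The `brew tap ... && \` / `brew install --cask` pair followed by `if [[ $? -ne 0 ]]` is fine as written, since `$?` is the status of the whole `&&` list.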
@@ -24,18 +24,18 @@ if [[ $? -ne 0 ]]; then
 exit 1
 fi
-echo "Installing bellsoft Java 8..."
+echo "Installing bellsoft Java 17..."
 pushd /usr/src/ &&
 wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add - &&
 echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list &&
 sudo apt update &&
- sudo apt -y install bellsoft-java8-full &&
+ sudo apt -y install bellsoft-java17-full &&
 popd
 if [[ $? -ne 0 ]]; then
- echo "Failed to install bellsoft java 8" >>/dev/stderr
+ echo "Failed to install bellsoft java 17" >>/dev/stderr
 exit 1
 fi
 echo "Autopsy prerequisites installed."
-echo "Java path at /usr/lib/jvm/bellsoft-java8-full-amd64: "
-ls /usr/lib/jvm/bellsoft-java8-full-amd64
\ No newline at end of file
+echo "Java path at /usr/lib/jvm/bellsoft-java17-full-amd64: "
+ls /usr/lib/jvm/bellsoft-java17-full-amd64
\ No newline at end of file
From 91e255817a9ea13dfcf364dafff7a78efda89d28 Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro
Date: Wed, 17 May 2023 13:50:19 -0400
Subject: [PATCH 2/7] update for readme
---
 Running_Linux_OSX.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Running_Linux_OSX.md b/Running_Linux_OSX.md
index 5c5cdd07f2..6dfcf5370d 100644
--- a/Running_Linux_OSX.md
+++ b/Running_Linux_OSX.md
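Review bot: The new `echo`/`ls` lines hard-code `/usr/lib/jvm/bellsoft-java17-full-amd64`, and the repository line above restricts the source to `[arch=amd64]`, so on an arm64 Ubuntu host (a common setup when this is run in a VM on Apple Silicon) `apt -y install` finds no package and the script's final `ls` fails; the Java 17 bump did not require keeping that assumption. Deriving the architecture once with `arch=$(dpkg --print-architecture)` and using it in both the `[arch=$arch ...]` repository line and the `/usr/lib/jvm/bellsoft-java17-full-$arch` path would let the script work wherever BellSoft publishes a package for the host, though the exact package and directory suffix for non-amd64 builds should be confirmed against the repository first. The failure check `if [[ $? -ne 0 ]]` after the `&&` chain is correct, but the diagnostic would read more simply as `>&2` than `>>/dev/stderr`.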
@@ -5,15 +5,15 @@ When installing on Debian-based Linux or macOS systems, there are three general - **Linux**: Run [`linux_macos_install_scripts/install_prereqs_ubuntu.sh`](./linux_macos_install_scripts/install_prereqs_ubuntu.sh). - **macOS**: Run [`linux_macos_install_scripts/install_prereqs_macos.sh`](./linux_macos_install_scripts/install_prereqs_macos.sh). This script requires the package manager: [Homebrew](https://brew.sh/), which has installation steps on their site. -*NOTE: The last output of the script is the path to the Java 8 installation. You will want to note that path when installing Autopsy.* +*NOTE: The last output of the script is the path to the Java 17 installation. You will want to note that path when installing Autopsy.* # Installing The Sleuth Kit - **Linux**: Download the .deb file for the release you want to install from the [release section](https://github.com/sleuthkit/sleuthkit/releases). Install The Sleuth Kit package from the repositories with the following command: `sudo apt update && sudo apt install /path/to/sleuthkit-version.deb`. -- **macOS**: Ensure that for this session, your `JAVA_HOME` variable is set to the java 8 installation by running `export JAVA_HOME=$(/usr/libexec/java_home -v 1.8)/bin/java`. Then, install The Sleuth Kit from source by running [`linux_macos_install_scripts/install_tsk_from_src.sh`](./linux_macos_install_scripts/install_tsk_from_src.sh), which will download, build, and install The Sleuth Kit. It can be run as follows: `install_tsk_from_src.sh -p ~/src/sleuthkit -b sleuthkit-4.11.1`. Make sure that your path to download source ends with "sleuthkit" as the last directory, and the release is the corresponding tag in the [repository](https://github.com/sleuthkit/sleuthkit). +- **macOS**: Ensure that for this session, your `JAVA_HOME` variable is set to the java 17 installation by running `export JAVA_HOME=$(/usr/libexec/java_home -v 17)/bin/java`. 
Then, install The Sleuth Kit from source by running [`linux_macos_install_scripts/install_tsk_from_src.sh`](./linux_macos_install_scripts/install_tsk_from_src.sh), which will download, build, and install The Sleuth Kit. It can be run as follows: `install_tsk_from_src.sh -p ~/src/sleuthkit -b sleuthkit-4.11.1`. Make sure that your path to download source ends with "sleuthkit" as the last directory, and the release is the corresponding tag in the [repository](https://github.com/sleuthkit/sleuthkit). # Installing Autopsy - Download the Autopsy zip file from [repository releases](https://github.com/sleuthkit/autopsy/releases). The file will be marked as "autopsy-<release>.zip" (i.e. "autopsy-4.19.2.zip"). -- Run [`install_application.sh`](./linux_macos_install_scripts/install_application.sh) with the following parameters: `install_application.sh [-z zip_path] [-i install_directory] [-j java_home]`. An example would be `install_application.sh -z ~/Downloads/autopsy-4.19.2.zip -i ~/autopsy -j /usr/lib/jvm/bellsoft-java8-full-amd64`. The path to the Java 8 home is the last output from the [prequisites installation scripts](#installing-prerequisites), but typically, the path will be `/usr/lib/jvm/bellsoft-java8-full-amd64` on Debian-based Linux or the output of running `/usr/libexec/java_home -v 1.8` on macOS. +- Run [`install_application.sh`](./linux_macos_install_scripts/install_application.sh) with the following parameters: `install_application.sh [-z zip_path] [-i install_directory] [-j java_home]`. An example would be `install_application.sh -z ~/Downloads/autopsy-4.19.2.zip -i ~/autopsy -j /usr/lib/jvm/bellsoft-java17-full-amd64`. The path to the Java 17 home is the last output from the [prequisites installation scripts](#installing-prerequisites), but typically, the path will be `/usr/lib/jvm/bellsoft-java17-full-amd64` on Debian-based Linux or the output of running `/usr/libexec/java_home -v 17` on macOS. 
# Setup macOS JNA paths If you are on macOS, run [linux_macos_install_scripts/add_macos_jna.sh](./linux_macos_install_scripts/add_macos_jna.sh) to properly setup the jna path to get things like gstreamer working. An example would be `add_macos_jna.sh -i ~/autopsy`. 
@@ -26,13 +26,13 @@ If you are on macOS, run [linux_macos_install_scripts/add_macos_jna.sh](./linux_ the wrong version of Java is being used to run Autopsy. Check the version of Java reported in the `messages.log` file in the log directory. The log directory can be found by opening Autopsy, and, with no cases open, go to 'Help' > 'Open Log Folder'. `messages.log` should contain lines that looks like: ``` - Java; VM; Vendor = 1.8.0_342; OpenJDK 64-Bit Server VM 25.342-b07; BellSoft - Runtime = OpenJDK Runtime Environment 1.8.0_342-b07 - Java Home = /usr/lib/jvm/bellsoft-java8-full-amd64/jre + Java; VM; Vendor = 17.0.5; OpenJDK 64-Bit Server VM 17.0.5+8-LTS; BellSoft + Runtime = OpenJDK Runtime Environment 17.0.5+8-LTS + Java Home = /usr/lib/jvm/bellsoft-java17-full-amd64/jre ``` - If your `messages.log` file indicates that Java 8 is not being used: - - Confirm that you have a version of Java 8 installed + If your `messages.log` file indicates that Java 17 is not being used: + - Confirm that you have a version of Java 17 installed - Confirm that your java path environment variable is set correctly. Autopsy first uses the value of `jdkhome` in `/etc/autopsy.conf`, so look for an uncommented line (not starting with '#') that looks like `jdkhome=`. If that is not set, check your `$JAVA_HOME` environment variable by running `echo $JAVA_HOME`. - If you see something like "cannot be opened because the developer cannot be verified." it is an indication that Gatekeeper is running and is stopping a file from being executed. To fix this open a new terminal window and enter the following command `sudo spctl --master-disable`, you will be required to enter your password. This will allow any program to be be downloaded from anywhere and executed. - On initial run, Autopsy shows a window that can appear behind the splash screen. This looks like Autopsy has stalled during startup. 
The easiest way to get around this issue for the first run is to run autopsy with the `--nosplash` flag, which will hide the splash screen on startup. There will be a lag where no window appears for a bit, so please be patient. From 1281fae895ddddf5d565b30f3da895e3d4abeb78 Mon Sep 17 00:00:00 2001 From: Greg DiCristofaro Date: Wed, 17 May 2023 14:45:22 -0400 Subject: [PATCH 3/7] readme updates --- Running_Linux_OSX.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Running_Linux_OSX.md b/Running_Linux_OSX.md index 6dfcf5370d..d6946d6c6e 100644 --- a/Running_Linux_OSX.md +++ b/Running_Linux_OSX.md @@ -26,9 +26,9 @@ If you are on macOS, run [linux_macos_install_scripts/add_macos_jna.sh](./linux_ the wrong version of Java is being used to run Autopsy. Check the version of Java reported in the `messages.log` file in the log directory. The log directory can be found by opening Autopsy, and, with no cases open, go to 'Help' > 'Open Log Folder'. `messages.log` should contain lines that looks like: ``` - Java; VM; Vendor = 17.0.5; OpenJDK 64-Bit Server VM 17.0.5+8-LTS; BellSoft - Runtime = OpenJDK Runtime Environment 17.0.5+8-LTS - Java Home = /usr/lib/jvm/bellsoft-java17-full-amd64/jre + Java; VM; Vendor = 17.0.7; OpenJDK 64-Bit Server VM 17.0.7+7-LTS; BellSoft + Runtime = OpenJDK Runtime Environment 17.0.7+7-LTS + Java Home = /usr/lib/jvm/bellsoft-java17-full-amd64 ``` If your `messages.log` file indicates that Java 17 is not being used: From 163b6ff53e893d220531b19b595672502a4a7aaa Mon Sep 17 00:00:00 2001 From: "eugene.livis" Date: Thu, 18 May 2023 15:12:48 -0400 Subject: [PATCH 4/7] Fixes for bugs that broke NTL branch --- .../autopsy/keywordsearch/InlineSearcher.java | 7 ++++++- .../sleuthkit/autopsy/keywordsearch/LuceneQuery.java | 10 +++++++--- .../sleuthkit/autopsy/keywordsearch/RegexQuery.java | 6 +----- 3 files changed, 14 insertions(+), 9 deletions(-) 
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/InlineSearcher.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/InlineSearcher.java
index b8a8dcdf61..30365c304a 100755
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/InlineSearcher.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/InlineSearcher.java
@@ -393,7 +393,12 @@ final class InlineSearcher {
 UniqueKeywordHit hit = hitList.get(0);
 SleuthkitCase tskCase = Case.getCurrentCase().getSleuthkitCase();
 Content content = tskCase.getContentById(hit.getContentID());
- BlackboardArtifact artifact = RegexQuery.createKeywordHitArtifact(content, originalKeyword, hitKeyword, hit, hit.getSnippet(), hitKeyword.getListName(), sourceId);
+ BlackboardArtifact artifact;
+ if (hit.isLiteral() && hit.isWholeWord()) {
+ artifact = LuceneQuery.createKeywordHitArtifact(content, originalKeyword, hitKeyword, hit, hit.getSnippet(), hitKeyword.getListName(), sourceId);
+ } else {
+ artifact = RegexQuery.createKeywordHitArtifact(content, originalKeyword, hitKeyword, hit, hit.getSnippet(), hitKeyword.getListName(), sourceId);
+ }
 // createKeywordHitArtifact has the potential to return null
 // when a CCN account is created.
 if (artifact != null) {
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
index a07ddb66f9..cfc13f7bc9 100644
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
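Review bot: The new branch picks the artifact builder from the hit's flags, `hit.isLiteral() && hit.isWholeWord()`, but both `LuceneQuery.createKeywordHitArtifact` and `RegexQuery.createKeywordHitArtifact` then derive `TSK_KEYWORD_SEARCH_TYPE` from `originalKeyword` (via `searchTermIsWholeWord()` and `searchTermIsLiteral()` respectively), so if a `UniqueKeywordHit`'s flags can ever disagree with its originating keyword's, a hit would be routed by one object and tagged by another. If the two are guaranteed consistent, record that where the decision is made: `// hit flags mirror originalKeyword: literal whole-word hits get the LITERAL artifact from LuceneQuery, all others go through RegexQuery`. The seven-argument call is duplicated verbatim in both arms, so any future change to the argument list has to be made twice. The enclosing method starts and ends outside the hunk.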
@@ -234,6 +234,10 @@ class LuceneQuery implements KeywordSearchQuery {
 */
 @Override
 public BlackboardArtifact createKeywordHitArtifact(Content content, Keyword foundKeyword, KeywordHit hit, String snippet, String listName, Long ingestJobId) {
+ return createKeywordHitArtifact(content, originalKeyword, foundKeyword, hit, snippet, listName, ingestJobId);
+ }
+
+ public static BlackboardArtifact createKeywordHitArtifact(Content content, Keyword originalKW, Keyword foundKeyword, KeywordHit hit, String snippet, String listName, Long ingestJobId) {
 final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
 Collection attributes = new ArrayList<>();
@@ -245,13 +249,13 @@ class LuceneQuery implements KeywordSearchQuery {
 attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName));
 }
- if (originalKeyword != null) {
- BlackboardAttribute.ATTRIBUTE_TYPE selType = originalKeyword.getArtifactAttributeType();
+ if (originalKW != null) {
+ BlackboardAttribute.ATTRIBUTE_TYPE selType = originalKW.getArtifactAttributeType();
 if (selType != null) {
 attributes.add(new BlackboardAttribute(selType, MODULE_NAME, foundKeyword.getSearchTerm()));
 }
- if (originalKeyword.searchTermIsWholeWord()) {
+ if (originalKW.searchTermIsWholeWord()) {
 attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.LITERAL.ordinal()));
 } else {
 attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.SUBSTRING.ordinal()));
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java
index 0d70e5af43..051b323343 100644
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java
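Review bot: The new `public static BlackboardArtifact createKeywordHitArtifact(Content, Keyword originalKW, ...)` has no Javadoc, and the Javadoc that closes at the `*/` in context now describes only a one-line delegate; nothing tells a caller that `originalKW` may be null (the `if (originalKW != null)` in the second hunk tolerates it) or that it, not `foundKeyword`, decides whether `TSK_KEYWORD_SEARCH_TYPE` is LITERAL or SUBSTRING. Add a Javadoc to the static overload stating its purpose, that `originalKW` is nullable and drives the search-type and selector attributes while `foundKeyword` supplies the term stored on the hit, and what it returns (the InlineSearcher caller's comment says the builder can return null; confirm that applies to this implementation). The rename to `originalKW` in the second hunk is presumably what keeps the parameter from shadowing the `originalKeyword` field the instance method passes, which is worth a word in that Javadoc too. The static method's body continues past both hunks.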
@@ -591,11 +591,7 @@ final class RegexQuery implements KeywordSearchQuery {
 );
 if (originalKW.searchTermIsLiteral()) {
- if(!originalKW.searchTermIsWholeWord()) {
- attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.SUBSTRING.ordinal()));
- } else {
- attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.LITERAL.ordinal()));
- }
+ attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.SUBSTRING.ordinal()));
 } else {
 attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE, MODULE_NAME, KeywordSearch.QueryType.REGEX.ordinal()));
 }
From 59bcfef79b6738b329e7697aa9a486e07f62c056 Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro
Date: Thu, 18 May 2023 18:47:30 -0400
Subject: [PATCH 5/7] install application zip path fix
---
 linux_macos_install_scripts/install_application.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/linux_macos_install_scripts/install_application.sh b/linux_macos_install_scripts/install_application.sh
index 6a09324b85..2c592912a1 100644
--- a/linux_macos_install_scripts/install_application.sh
+++ b/linux_macos_install_scripts/install_application.sh
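Review bot: After this change every literal keyword that reaches `RegexQuery.createKeywordHitArtifact` is tagged `QueryType.SUBSTRING`, including whole-word literals; that is only correct because InlineSearcher now routes literal whole-word hits to `LuceneQuery.createKeywordHitArtifact` instead, and any other caller of this static method that still passes a whole-word literal will silently get the wrong search type. State the invariant at the branch so the next reader does not "fix" it back: `// literal whole-word keywords are built by LuceneQuery.createKeywordHitArtifact; any literal reaching here is a substring search`. The enclosing method starts and ends outside the hunk.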
@@ -60,14 +60,12 @@ if [[ -n "$ASC_FILE" ]] && [[ -n "$APPLICATION_ZIP_PATH" ]]; then
 fi
 fi
-ZIP_FILE_NAME=$(basename -- "$APPLICATION_ZIP_PATH")
-ZIP_NAME="${ZIP_FILE_NAME%.*}"
-APPLICATION_EXTRACTED_PATH=$INSTALL_DIR/$ZIP_NAME/
+APPLICATION_EXTRACTED_PATH=$INSTALL_DIR/
 # if specifying a zip path, ensure directory doesn't exist and then create and extract
 if [[ -n "$APPLICATION_ZIP_PATH" ]]; then
- if [[ -d $APPLICATION_EXTRACTED_PATH || -f $APPLICATION_EXTRACTED_PATH ]]; then
- echo "A file or directory already exists at $APPLICATION_EXTRACTED_PATH" >>/dev/stderr
+ if [[ -f $APPLICATION_EXTRACTED_PATH ]]; then
+ echo "A file already exists at $APPLICATION_EXTRACTED_PATH" >>/dev/stderr
 exit 1
 fi
From 1d6c2e5dfb0e641369253e4879e130ac15e2f015 Mon Sep 17 00:00:00 2001
From: "eugene.livis"
Date: Fri, 19 May 2023 09:20:30 -0400
Subject: [PATCH 6/7] Lowercase the serch term for UI
---
 .../src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
index cfc13f7bc9..144704a27e 100644
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java
@@ -244,7 +244,7 @@ class LuceneQuery implements KeywordSearchQuery {
 if (snippet != null) {
 attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW, MODULE_NAME, snippet));
 }
- attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, foundKeyword.getSearchTerm()));
+ attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, foundKeyword.getSearchTerm().toLowerCase()));
 if (StringUtils.isNotBlank(listName)) {
 attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName));
 }
From 5a5b678484044fbcf6fc7e7040e7d7c7cc445739 Mon Sep 17 00:00:00 2001
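Review bot: The replacement guard `if [[ -f $APPLICATION_EXTRACTED_PATH ]]` can never fire, because `APPLICATION_EXTRACTED_PATH` is now `$INSTALL_DIR/` with a trailing slash and `-f` on a slash-terminated path is false even when a regular file exists at `$INSTALL_DIR`. With the `-d` test also gone, an existing install directory is no longer rejected, so a re-run extracts the zip over whatever is already there while the comment two lines above still says "ensure directory doesn't exist". Either restore the directory check, or test the slash-free path and update the comment to say that extracting into an existing directory is intended: `if [[ -e ${APPLICATION_EXTRACTED_PATH%/} && ! -d ${APPLICATION_EXTRACTED_PATH%/} ]]; then`. If `INSTALL_DIR` can be empty here (its validation is outside the hunk), the new assignment collapses to `/`; `APPLICATION_EXTRACTED_PATH=${INSTALL_DIR:?}/` rules that out. The `if [[ -n "$APPLICATION_ZIP_PATH" ]]` block continues past the hunk, so the extraction itself is not visible here.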
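Review bot: `foundKeyword.getSearchTerm().toLowerCase()` uses the JVM default locale, so the value persisted in `TSK_KEYWORD` depends on the analyst's locale (under a Turkish locale `I` lowercases to dotless `ı`, which no longer matches the indexed term); for a value written to the case database use `toLowerCase(Locale.ROOT)`, importing `java.util.Locale` if it is not already. The user's original-case term is also lost from the artifact; if the UI only needs the lower-cased form for matching, storing the term as entered and normalising at display time would avoid changing recorded evidence. Only this LuceneQuery path lowercases; whether RegexQuery stores the same attribute in original case is outside the hunk and would now be inconsistent if it does.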
From: Greg DiCristofaro
Date: Fri, 19 May 2023 09:46:56 -0400
Subject: [PATCH 7/7] mac prereqs update
---
 .../install_prereqs_macos.sh | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/linux_macos_install_scripts/install_prereqs_macos.sh b/linux_macos_install_scripts/install_prereqs_macos.sh
index 127b21a22e..8a35cd819f 100644
--- a/linux_macos_install_scripts/install_prereqs_macos.sh
+++ b/linux_macos_install_scripts/install_prereqs_macos.sh
@@ -1,14 +1,4 @@
 #!/bin/bash
-echo "Installing dependencies..."
-brew install ant automake libtool afflib libewf postgresql testdisk libheif \
- gst-libav gst-plugins-bad gst-plugins-base gst-plugins-good gst-plugins-ugly gstreamer
-
-if [[ $? -ne 0 ]]
-then
- echo "Unable to install necessary dependencies" >> /dev/stderr
- exit 1
-fi
-
 echo "Installing liberica java 17..."
 brew tap bell-sw/liberica && \
 brew install --cask liberica-jdk17-full
@@ -18,5 +8,14 @@ then
 exit 1
 fi
+echo "Installing remaining dependencies..."
+brew install ant automake libtool afflib libewf postgresql@15 testdisk libheif gstreamer
+
+if [[ $? -ne 0 ]]
+then
+ echo "Unable to install necessary dependencies" >> /dev/stderr
+ exit 1
+fi
+
 java_path=$(/usr/libexec/java_home -v 17)
 echo "Java 17 path: $java_path"
\ No newline at end of file
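Review bot: The new `brew install ... postgresql@15 ...` replaces the unversioned `postgresql` with a versioned formula, and versioned PostgreSQL formulae are keg-only in Homebrew, so `initdb`, `pg_ctl` and `psql` are not linked into PATH after this install; the script gives no hint, and anything that previously relied on the linked `postgresql` will report the binaries missing. Print where they landed, e.g. `echo "PostgreSQL 15 is keg-only; binaries are in $(brew --prefix postgresql@15)/bin"`, or document the link/PATH step the user must take. The move to a single `gstreamer` formula also drops the explicit `gst-plugins-*`/`gst-libav` installs; if the Homebrew version in use does not bundle those plugins into `gstreamer`, media playback will be missing without any install-time error, so please confirm that before merging. The first hunk is the matching pure removal.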