Installing Autopsy on macOS Big Sur

Share This Post

Many forensic examiners and investigators are used to having resources at their place of employment to work cases. We believe the learning process never stops and no one can be an expert in everything. Therefore we have to use the resources we have at our disposal and when we’re away from work, we may not have the computer forensic towers or dongles needed to run software. Autopsy is an open source forensic software that’s built on the Sleuthkit that is amazing for what it does at its price point (free). Autopsy for Windows is any easy install that’s as easy as double-clicking an exe. However, some of us have Apple products at home and installation is a bit more cumbersome. The guides in the links below really helped along the way and were created to work on macOS Catalina. With the introduction of macOS Big Sur, some of the instructions were no longer valid and some needed updates. This guide is largely based on the links below but I wanted to provide a more visual instruction to installing Autopsy on macOS Big Sur 11.5.2 from start to finish. 

We will be installing:

Sleuth Kit: 4.11.0

Autopsy: 4.19.1

Estimated completion time: 40 minutes.

Guides available 

https://github.com/sleuthkit/autopsy/blob/develop/Running_Linux_OSX.txt

https://slo-sleuth.github.io/tools/InstallingAutopsyOnMacOS.html

Install of required tools and dependencies

I’m starting with a brand new install of macOS so I have nothing on this machine. We’ll kick off this process by installing Xcode command line tools on your mac. We need to ensure we have the correct tools in Terminal to start the process. ‘Sudo xcode-select –install’ will get what’s necessary.

Next, we’re going to need access to HomeBrew and some packages available to download. If you’ve never installed Homebrew, head on over to https://brew.sh and copy the link on the homepage and paste it in your macOS Terminal:

You’ll see a bunch of things installed that will ultimately allow you to continue to install different packages required later on for Autopsy.

Install ImageMagick to be able to view the HEIC files

We want to be able to view Apple’s High Efficiency Image File formats

Install TestDisk to enable photo carving 

This is required for carving of images.

Install GStreamer for the ability to playback videos

In order to playback videos, we’ll need to install GStreamer

Install JDK

The next step is to install a version of Java Development Kit that Autopsy can use. It’s a very specific version (Bellsoft Liberica JDK) so you can’t just go out and install Java directly from the website. We’ll use the following two commands to install the Liberica JDK 8.

We can see that Liberica JDK8 was successfully installed.

Now we need to set up a few environment variables. The two below should do the trick.

Once it’s complete, we can verify we have the correct version of Java installed. It should be 1.8.xxx

Since I’m running Big Sur, I want to make the Java variable persistent in the .zshrc file.

We want to ensure that when you open up a new Terminal window, you’ll have access to the correct Java version.

Building the Sleuth Kit

Install Sleuth Kit Dependencies

We will start the build with the installation of a few key Sleuth Kit dependencies with the following command.

We need to ensure that the Sleuth Kit is using the correct version of Java that we previously installed.

And we can verify that our symlink is pointing to the correct Java version.

Build and install the Sleuth Kit

We then need to download the Sleuth Kit from https://github.com/sleuthkit/sleuthkit/releases. The version we need to download will end in tar.gz.

I saved the Sleuth Kit download to my Documents folder so I’m going to cd into that folder.

From there, unzip the downloaded file ‘sleuthkit-4.11.0.tar.gz’. Depending on when you read this, your Sleuth Kit version may be different.

Since you’re on a mac, you might be prompted for access to different folders. Click on ‘OK’ to proceed. After the file is unzipped, we need to cd into the Sleuth Kit folder.

We need to configure Sleuth Kit with the following commands. 

If everything installed correctly, you should see a yes next to: afflib, libewf, zlib, Java/JNI support, Multithreading as shown below. Apparently Autopsy no longer requires postgresql support.

Once you have all the required configurations correct, we can use ‘make’ to build Sleuth Kit.

If everything goes well, you will see ‘Build Success’.

Now let’s make sure Sleuth Kit is pointing to all the right things.

Once complete, we can verify that Java is correctly being used by the sleuthkit as shown below.

Install Autopsy

We download the zip file from https://github.com/sleuthkit/autopsy/releases/

I downloaded this into my Documents folder as well so I need to cd into the Documents folder and unzip the downloaded zip file.

Now that it’s unzipped, we can cd into the autopsy folder. Once there, we can run the following command to configure Autopsy and make sure it has all the correct prerequisites.

We have success…we are ready to run.

Once that’s complete, let’s cd into the bin folder to launch autopsy with the following command.

You should see additional lines come up in the Terminal.

And we have success!

Running Autopsy

Let’s run a test case to ensure it’s working properly. We want to deselect the following ingest modules: Android Analyzer (aLEAPP), Plaso, YARA Analyzer, iOS Analyzer (iLEAPP). If you don’t, Autopsy will crash and give you an error message like the one below.

Once we have those deselected, we run Autopsy as we normally would. I downloaded the m57 e01 from https://digitalcorpora.org/corpora/scenarios/m57-jean. Once we let it run and complete the ingest modules, it’s ready for further examination.

Making it an ‘App’

Now that we have it running, we could stop there if we wanted to. But I tend to like things that look ‘nice’ and fit with the rest of my mac apps. I don’t want to have to keep going into the bin folder to launch Autopsy. So we’re going to use the mac to create an ‘app’ that will help launch this with a double click.

Using Automator

First, open up Automator on your mac and select ‘Application.

 From there, we want to select ‘Run Shell Script’ from the Actions menu.

We will then enter in the following commands in the ‘Run Shell Script’ screen:

cd ~/Documents/autopsy-4.19.1/bin/

./autopsy –jdkhome /Library/Java/JavaVirtualMachine/liberica-jdk-8-full.jdk/Contents/home.

We also want to save it as ‘Autopsy’ in the Applications folder.

Once you save and close it, you can go to your Applications launcher and you’ll see a new Autopsy ‘app’.

Fixing the ‘app’ icon

Remember when I said I like it to look nice…well that Automator icon doesn’t fit with the rest of the apps. I need Renzix on my machine! The icon we need is located in the autopsy folder we downloaded earlier. But first, we have to convert it to icns.

Double click on the icon and it should open up in Preview. Once there, we need to export it as a PNG.

Now let’s create a folder called logo.iconset and place that png we exported above, inside this newly created folder. This folder has to end in .iconset for the next command to work.

Now let’s go back to Terminal and cd to the Desktop. Run the following command to convert your png into a icns. Since we didn’t set an output path, the icns will come out on the Desktop.

Now we can right click on the Autopsy ‘app’ to ‘Get Info’. We click and drag the newly created icns file onto the picture.

And now we have success! Autopsy now has its proper icon and will launch like a normal app.

Conclusion

Autopsy is a great open source tool that enables a lot of folks to delve into computer forensics. It’s always been readily accessible on the Windows side but been very difficult to get working on the macOS side. Now we can all have some computer forensics fun at home and delve into cool new artifacts. If you have any questions, please reach out!

About ArcPoint Forensics

ArcPoint Forensics, Inc. was founded by investigators, for investigators. We get your mission. We’ve experienced your frustration. Every day we ask ourselves, “What else can we bring to the table that would make digital forensics easier and the work of investigators—especially field investigators—more productive?” How can we meet their need to easily acquire, exploit, and access captured data?

At ArcPoint, we believe digital forensics operations don’t need to be limited to professionally trained, lab-based examiners armed with multiple complex tools and software suites. With advances in automation, digital forensics processing can and should be simpler. Learn more at https://arcpointforensics.com/

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .