The installation process requires some prerequisites, The Sleuth Kit, and installing Autopsy itself. If using Windows, there is a pre-built installer bundling all dependencies that can be found in the Autopsy downloads section or in the Releases section on GitHub.
A script to install these dependencies that can be found here. Make sure the script is executable before running.
- Using Homebrew, install dependencies that have formulas:
brew install ant automake libtool afflib libewf postgresql testdisk - You will also need to install Java 8 and JavaFX to run autopsy. We recommend Liberica OpenJDK which can be installed by tapping this third-party dependency:
brew tap bell-sw/liberica - Then, you can install this dependency using
brew:brew install --cask liberica-jdk8-full -
- Confirm that java has been successfully installed by running
java -version. You should get a result like the following:
% java -version openjdk version "1.8.0_342" OpenJDK Runtime Environment (build 1.8.0_342-b07) OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode) - Confirm that java has been successfully installed by running
- You will need the java path for properly setting up autopsy. You can get the path to java by calling:
/usr/libexec/java_home -v 1.8 - If you want gstreamer to open media, you can download and install gstreamer here:
https://gstreamer.freedesktop.org/data/pkg/osx/1.20.3/gstreamer-1.0-1.20.3-universal.pkg
A script to install these dependencies that can be found here. Make sure the script is executable before running.
- You will need to include some repositories in order to install this software. One way to do that is to uncomment lines in your
sources.list:sudo sed -Ei 's/^# deb-src /deb-src /' /etc/apt/sources.list - Use
aptto install dependencies:sudo apt update && \ sudo apt -y install build-essential autoconf libtool git-core automake git zip wget ant \ libde265-dev libheif-dev \ libpq-dev \ testdisk libafflib-dev libewf-dev libvhdi-dev libvmdk-dev \ libgstreamer1.0-0 gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad \ gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-tools gstreamer1.0-x \ gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-gtk3 gstreamer1.0-qt5 gstreamer1.0-pulseaudio - You will also need to install Java 8 and JavaFX to run autopsy. We recommend Liberica OpenJDK which can be installed as follows:
pushd /usr/src/ && \ wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add - && \ echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list && \ sudo apt update && \ sudo apt -y install bellsoft-java8-full && \ popd - Confirm that java has been successfully installed by running
java -version. You should get a result like the following:% java -version openjdk version "1.8.0_342" OpenJDK Runtime Environment (build 1.8.0_342-b07) OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode) - Take note of the location of the java 1.8 install. This will be necessary to properly setup Autopsy. If using the recommended method, the path should be
/usr/lib/jvm/bellsoft-java8-full-amd64
The Sleuth Kit must be installed before trying to install Autopsy. If you are on a Debian-like system (i.e. Ubuntu) you can download the most recent deb file from the github release section, and install by running something like sudo apt install ./sleuthkit-java_4.11.1-1_amd64.deb. Otherwise, you can follow the directions below to install The Sleuth Kit from source code.
A script to install these dependencies on Unix-like systems (i.e. macOS, Linux) that can be found here. Make sure the script is executable before running.
- Please ensure you have all the prerequisites installed on your system (see the directions here).
- If you don't have a copy of the repository on your local machine, clone it (this requires git):
git clone --depth 1 https://github.com/sleuthkit/sleuthkit.git - If you want to build source from a particular branch or tag (i.e.
developorrelease-4.11.0), check out that branch:git checkout <YOUR BRANCH HERE> && git pull - Then, with The Sleuth Kit repo as your working directory, you can build with:
./bootstrap && ./configure && make - If the output from
makelooks good, then install:sudo make install
In most instances, you should download the Autopsy Zip file from the Autopsy downloads section or in the Releases section on GitHub, but if you have a special use case you can do the following. Please make sure you have the prerequisites installed and have installed The Sleuth Kit.
- If you haven't already, clone the repo:
git clone --depth 1 https://github.com/sleuthkit/autopsy.git - With the autopsy repo as your working directory, you can run:
ant clean && ant build && ant build-zip - The zip file should be created within the
distfolder of the Autopsy repository and will have the version in the name (i.e.autopsy-4.18.0.zip).
These instructions are for Unix-like systems like macOS and Linux. If you are on Windows, there is an installer that can be downloaded from the Autopsy downloads section or in the Releases section on GitHub. Please make sure you have the prerequisites installed and have installed The Sleuth Kit. A script to perform these steps can be found here. Make sure the script is executable before running.
- Download the zip file from the Autopsy downloads section or in the Releases section on GitHub. You can also create a zip file from source using these directions.
- If you downloaded the zip file, you can verify the zip file with the The Sleuth Kit key and the related
.ascfile found in the Releases section on GitHub. For instance, you would useautopsy-4.18.0.zip.ascwithautopsy-4.18.0.zip. Here is an example where$ASC_FILEis the path to the.ascfile and$AUTOPSY_ZIP_PATHis the path to the autopsy zip file:mkdir -p ${VERIFY_DIR} && \ pushd ${VERIFY_DIR} && \ wget https://sleuthkit.org/carrier.asc && \ gpg --homedir "${VERIFY_DIR}" --import https://sleuthkit.org/carrier.asc && \ gpg --homedir "${VERIFY_DIR}" --keyring "${VERIFY_DIR}/pubring.kbx" ${ASC_FILE} ${AUTOPSY_ZIP_PATH} && \ rm -r ${VERIFY_DIR} popd - Extract the zip file to a location where you would like to have Autopsy installed.
- Set up java path. There are two ways to provide the path to java:
JAVA_HOMEcan be set as an environmental variable or theautopsy.conffile can define the home for java.- To update the
autopsy.conffile, navigate to where autopsy has been extracted and then openetc/autopsy.conf. Within that file, replace the commented line or add a new line specifying the java home like:jdkhome=<JAVA_PATH>. Another option is to provide an argument tounix_setup.shlike the followingunix_setup.sh -j <JAVA_PATH>when performing the next step.
- To update the
- With the extracted folder as the working directory, you can run the following commands to perform setup:
chown -R $(whoami) . && \ chmod u+x ./unix_setup.sh && \ ./unix_setup.sh - At this point, you should be able to run Autopsy with the command
./autopsyfrom within thebindirectory of the extracted folder.
A few features in Autopsy will only work (i.e. gstreamer) if the JNA paths are specified. If you installed the necessary dependencies through Homebrew, you will want to either run this script or manually add all the gstreamer lib and dependency lib paths to the env variable jre_flags with jre flag: -Djna.library.path.
-
If you see something like "Cannot create case: javafx/scene/paint/Color" it is an indication that Java FX is not being found. Confirm that the file
$JAVA_HOME/jre/lib/ext/jfxrt.jarexists. If it does not exist, return to the Java setup steps above. -
If you see something like "An illegal reflective access operation has occurred" it is an indication that the wrong version of Java is being used to run Autopsy. Check the version of Java reported in the
messages.logfile in the log directory. The log directory can be found by opening Autopsy, and, with no cases open, go to 'Help' > 'Open Log Folder'.messages.logshould contain lines that looks like:Java; VM; Vendor = 1.8.0_342; OpenJDK 64-Bit Server VM 25.342-b07; BellSoft Runtime = OpenJDK Runtime Environment 1.8.0_342-b07 Java Home = /usr/lib/jvm/bellsoft-java8-full-amd64/jreIf your
messages.logfile indicates that Java 8 is not being used:- Confirm that you have a version of Java 8 installed
- Confirm that your java path environment variable is set correctly. Autopsy first uses the value of
jdkhomein<autopsy_install_location>/etc/autopsy.conf, so look for an uncommented line (not starting with '#') that looks likejdkhome=<java path>. If that is not set, check your$JAVA_HOMEenvironment variable by runningecho $JAVA_HOME.
-
If you see something like "cannot be opened because the developer cannot be verified." it is an indication that Gatekeeper is running and is stopping a file from being executed. To fix this open a new terminal window and enter the following command
sudo spctl --master-disable, you will be required to enter your password. This will allow any program to be be downloaded from anywhere and executed. -
On initial run, Autopsy shows a window that can appear behind the splash screen. This looks like Autopsy has stalled during startup. The easiest way to get around this issue for the first run is to run autopsy with the
--nosplashflag, which will hide the splash screen on startup. There will be a lag where no window appears for a bit, so please be patient. -
If a script fails to run due to operation not permitted or something along those lines, you may need to run
chmod u+x <path to script>from the command line to allow the script to run. -
If you encounter an error like:
getcwd: cannot access parent directories: Operation not permittedon Mac, you can do the following:- Select System Preferences -> Security & Privacy -> Full Disk Access
- Click the lock to make changes
- Click '+'
- Press 'cmd' + 'shift' + '.' to show hidden files
- Select
/bin/shSource: Symscape
- Not all current features in Autopsy are functional in a Linux and Mac environment including but not limited to:
- Recent Activity
- The LEAPP processors
- HEIF processing
- Timeline does not work on OS X
- Video thumbnails
- VHD and VMDK files not supported on OS X