Autopsy 4.14.0 on kali Linux and Java 1.8.0_242-b07

Hello all: A newbie here.

I have been using Sleuthkit for some time but definitely wanted to try and work Autopsy and its modules.

I am running a VirtualBox 6.0 on a Mac laptop and working within the latest Kali Linux update.

I followed the clear steps outlined for Linux install but when I launch Autopsy a big window opens up with the menus and it is blank. I can see and pull down the menus but I never see the opening screen for creating new cases etc.

I am unable to do anything with this screen.

I have Autopsy 4.14.0 on Kali Linux and Java 1.8.0_242-b07

The only 2 ways I feel I have deviated from the install instructions are:

  1. Instead of java build 1.8.0_232-BellSoft-b10 I have the newer Java 1.8.0_242-b07
  2. Instead of installing sleuthkit-java_4.7.0-1_amd64.deb from Git, I elected to go with the newer Sleuth Kit 4.8.0

Can anyone tell me if by downloading a newer Java build and the newer Sleuth Kit 4.8 I have created a problem?

Do I somehow need to revert to the earlier version of Java and the Sleuth Kit version?

I would guess it’s your Java version. The newer version removed javafx from the standard installation. You can either use the older version or specify the full installation, which is now in the readme file.

sudo apt-get install bellsoft-java8-full
(make sure to update JAVA_HOME with the new folder)

apriestman: Many thanks for your reply and help.

I apologize in advance for my newbieness but when I try and install with your suggested “sudo apt-get install bellsoft-java8-full” command I get a response that “bellsoft-java8-full is already the newest version (1.8.0.242+7)” and that nothing is upgraded or installed or removed.

Might you be able to help me get around that and reinstall the full version of java 8?

Are there commands I can use to uninstall and then reinstall the full version this time?

Thank you again,

Emile

sudo apt-get remove bellsoft-java8-full or bellsoft-java8

Thanks to both apriestman and Mark McKinnon for your help. I hope you will bear with me just a little longer. I really appreciate it.

I really need help.

So:

I made sure to uninstall java8 (as shown by Mark_McKinnon) and then reinstall the full version as shown in the document apriestman linked in the reply. (Just FYI: I had originally used that exact document and had indeed done the full install as shown. But I did it again anyways.)

After a restart, I tried again and get the same situation as before:

  1. I can launch by ./autopsy in the bin folder. A basic UI comes up, as before. I went into the Plugins tab and tried to get the basic UI module Autopsy Core installed, but got repeated errors:

Activation Failed. Not all requested modules can be enabled. [StandardModule.org.sleuthkit.autopsy.core jarfile://root/autopsy-4.14.0/autopsy/modules/org-sleuthkit-autopsy-core.jar]

Back in the terminal I saw the following errors:

Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni
Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni
Using java binary path: java

Truth be told I was super glad to see any errors listed, I figured someone here will know what they mean.

Also, after I quit Autopsy and restarted it I saw a dialog box that either forces me to disable plugins or exit. I am including a screenshot in here: (The error dialog box did not allow me to copy and paste.)

Screen Shot 2020-04-13 at 3.06.21 PM

I sure hope someone here can help. I’m stuck. Thanks all for your input and time.

Emile Diaz

Is all OK when you do “sh unix_setup.sh” at the end of the installation?

Piere: Thanks for your post and help.

So, when I run “sh unix_setup.sh” inside the Autopsy folder I get the following error:

---------------------------------------------
Checking prerequisites and preparing Autopsy:
---------------------------------------------
Checking for PhotoRec...found in /usr/bin

Checking for Java...ERROR: JAVA_HOME environment variable must be defined.

So I check via echo JAVA_HOME and I get a return of
JAVA_HOME

Since I get no path I am guessing that means I do not have a home set for JAVA.

Even though I made sure earlier to set the JAVA_HOME via:
export JAVA_HOME=/usr/lib/jvm/bellsoft-java8-full-amd64

Does all that help at all in narrowing down the problem? Should I be setting the path to java home under bashrc or bashrc_profile? Or is the problem that the JAVA_HOME setting does not persist across reboots on Kali?

With your help, I have one guess: Did I create a problem by installing Autopsy under root (I always work under root and have no user set up) and the instructions in the GitHub doc (see above) ask to set up the JAVA_HOME under /usr/lib/jvm/bellsoft-java8-full-amd64.

As root, should I be setting up JAVA_HOME under /lib/jvm/bellsoft-java8-full-amd64?

But I am a newbie. You would know best.

Thank you again.

Emile

The export JAVA_HOME=/usr/lib/jvm/bellsoft-java8-full-amd64 command will only apply to the shell in which it was run. If you want it to be persistent across all shells then, yes, go ahead and add it to .bashrc.

Downey: Thanks so much for your help.

But I have a dumb newbie question:

So going on your logic, which makes perfect sense, I tested the idea by first setting JAVA_HOME in the shell (by the export JAVA_HOME=/usr/lib/jvm/bellsoft-java8-full-amd64 command) and then immediately within the same shell checked by echo JAVA_HOME. But then if it works within the same shell, why does the return not show the path I just set? And just returns JAVA_HOME? Should it not show the path I just set in the previous line?

I figured I’d ask before I go editing the .bashrc file.

You need a $ before the environment variable name. Try echo $JAVA_HOME.

Hey all:

I sincerely apologize for my repeated posts, but I am tearing my hair out trying to figure out this issue.

So here’s the latest update:

• I edited the .bashrc file with the export JAVA_HOME command to make it persist across shells and log ins.

• Then I went back inside the Autopsy folder and tried to build it with the “sh unix_setup.sh” command. I got the following (Happy!) output:

---------------------------------------------
Checking prerequisites and preparing Autopsy:
---------------------------------------------
Checking for PhotoRec...found in /usr/bin
Checking for Java...found in /usr/lib/jvm/bellsoft-java8-full-amd64
Checking for Sleuth Kit Java bindings...found in /usr/share/java
Copying sleuthkit-4.8.0.jar into the Autopsy directory...done

Autopsy is now configured. You can execute bin/autopsy to start it

OK. Great news. That was good.

(Oddly enough even now when I try echo JAVA_HOME the shell does not return a path and instead just returns JAVA_HOME. But hey it works!)

BUT:

I started Autopsy by going into the /bin folder and using ./autopsy.

It launches, much like before I came to this forum and begged for help.

Then I go into plugins and try and activate the Autopsy-Core. (I think I definitely need that to do anything at all with the Autopsy GUI.)

The Autopsy-Core plugin will not install. And yet again I run into the same error:

In the shell I see the error:

Library not found in jar (libtsk_jni)
SleuthkitJNI: failed to load libtsk_jni

And I get the same error popup in the Autopsy GUI. I am attaching the picture here:

My apologies again for bombing this forum with posts, but I feel like with all your help I am making progress and close to the solution.

Does anyone know what the libtsk_jni library is and why it is not loading into the jar?

Or what the heck the UnsatisfiedLink Error is that is being reported by the pop up?

Many thanks,

Emile

The libtsk_jni library provides the bindings that allow Autopsy Java code to call into native Sleuthkit code. When everything works correctly libtsk_jni is extracted from the sleuthkit-4.8.0.jar and dropped into your temp folder (e.g. /tmp).
The following is more of a shot in the dark but try deleting the “.autopsy” folder in your home directory (rm -rf ~/.autopsy) and starting Autopsy again.
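
A preflight sketch for the failure points raised in this thread (empty JAVA_HOME, a JDK without JavaFX, a JAVA_HOME that is not persisted in .bashrc, a Sleuth Kit jar that does not carry libtsk_jni), added here as an example and not part of any post or of Autopsy's unix_setup.sh. The jfxrt.jar location and all function names are assumptions; every path is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: a Java 8 "full" JDK keeps
# JavaFX in jre/lib/ext/jfxrt.jar. All paths are passed in by the caller.

# check_java_home DIR: 0 usable, 1 empty/unset, 2 no bin/java, 3 no JavaFX
check_java_home() {
    [ -n "$1" ] || return 1
    [ -f "$1/bin/java" ] || return 2
    [ -f "$1/jre/lib/ext/jfxrt.jar" ] || return 3
    return 0
}

# rc_exports RCFILE VAR: 0 if RCFILE has an uncommented "export VAR=" line,
# so the value reaches new shells instead of living in one terminal.
rc_exports() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*export[[:space:]]+$2=" "$1"
}

# jar_names_jni JAR: 0 if the string libtsk_jni occurs in the jar's raw bytes
# (zip entry names are stored uncompressed); a heuristic, not a full listing.
jar_names_jni() {
    [ -f "$1" ] && grep -aq 'libtsk_jni' "$1"
}

# preflight JAVA_HOME RCFILE JAR STATE_DIR: prints findings, returns problem count
preflight() {
    problems=0
    rc=0; check_java_home "$1" || rc=$?
    case $rc in
        0) echo "JAVA_HOME ok: $1" ;;
        1) echo "JAVA_HOME is empty (inspect it with: echo \$JAVA_HOME)" ;;
        2) echo "no bin/java under $1" ;;
        3) echo "no JavaFX under $1; the 'full' JDK is needed" ;;
    esac
    [ "$rc" -eq 0 ] || problems=$((problems + 1))
    if ! rc_exports "$2" JAVA_HOME; then
        echo "JAVA_HOME is not exported in $2"; problems=$((problems + 1))
    fi
    if ! jar_names_jni "$3"; then
        echo "libtsk_jni not found in $3"; problems=$((problems + 1))
    fi
    if [ -d "$4" ]; then
        echo "note: $4 exists (the directory removed in the fix above)"
    fi
    return "$problems"
}
# Usage: preflight "$JAVA_HOME" "$HOME/.bashrc" path/to/sleuthkit-4.8.0.jar "$HOME/.autopsy"
```
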

Forgive me for saying so, downey, BUT YOU ARE A F*CKING GENIUS!

IT WORKED!

Wowoo.

That was it! I have no clue what it was. But that WAS IT!

Thanks everyone for your help. Give downey a huge F*CKING raise.

Emile

Glad it worked.

I agree :grinning:

Downey:

While I have you in a flattered mood, I hope you won’t mind helping with a total noob question.

So, I plan on working with Autopsy quite a bit. Hence it is a little awkward to keep having to cd into the autopsy and then the bin folder and type ./autopsy.

I’d love to just type autopsy at the shell prompt to launch it.

In the shell I used the following line:

export PATH=$PATH:~/autopsy-4.14.0/bin

First I tested it by entering the line into the shell and then launching the app by just typing autopsy. That worked.

Of course once I close the shell I lose the path.

So I decided to edit the ~/.bashrc file to force the shell to look at the path.

After I enter the line and save it in ~/.bashrc using the vi editor for some reason it is not recognized on reboot, even though the line is there after reboot–and I have checked that it works in the shell.

This is total noob madness and I should be able to figure this out. But I cannot.

I thought maybe it needed:

export PATH=$PATH:/root/autopsy-4.14.0/bin

But that did not work either.

I am attaching a screenshot below of the ~/.bashrc file. I wanted to show you how part of the directory name is showing up in red and perhaps that has something to do with it. Does the red text mean the ~/.bashrc file is having trouble with the numbers in the directory name?

Screen Shot 2020-04-14 at 7.19.47 PM
Can you see what the heck I am doing wrong? If the line works in the shell, why does the ~/.bashrc file have an issue with the numbers in the directory name? Or at least that is my guess.

I promise not to bug you after this and yell again at the management to give you a raise.

Thanks,

Emile

Adding the following to .bashrc works for me. There should be no need to reboot, just open a new terminal or type ‘. ~/.bashrc’ in the current terminal to apply the change.

image

Thank you downey, very much. It helps to know it works on your end. On my end it still does not work, when I follow your steps.

Here’s a summary: (I feel like a total noob boob for not being able to figure this out)

  1. I made sure I have no mistake in the syntax by copying the line export PATH=$PATH:~/autopsy-4.14.0/bin from .bashrc and pasting it into a shell. If I do that I can invoke autopsy by just typing the name. So that works in the shell.

  2. I checked and rechecked inside of .bashrc file to make sure the line is there.

  3. I tried reloading by ‘. ~/.bashrc’ as well as opening a new terminal. It still does not work.

  4. Also when I check by echo $PATH I do not see the new path I just added into .bashrc.

I am mystified.

Ok. So I am a total noob boob from hell.

Emile

The .bashrc file is generally not executable. When you make changes there and want to apply them you can:

  1. Close and restart the shell
  2. Run “source .bashrc” from the directory in which it is stored. A synonym of source is the period, e.g., “. .bashrc”.

John_Lehr:

I’ve tried both your notes and none of them work. I have some weird issue.

See my note above describing the 4 points to see where I am at.

I try the line in shell and it works. I try the line in .bashrc file and it does not despite me reloading, restarting and sourcing the .bashrc file.

I am working as a root and the file permissions clearly show that I am the owner of the .bashrc file.

Very odd.

I am on Kali linux BTW.

Emile

I had a similar problem in Ubuntu and I was able to fix it writing directly in the file /etc/environment the JAVA_HOME variable with the path, because doing it in .bashrc didn’t work.