For Linux systems that support snapd, there is currently the option to install Autopsy from the snap package. Otherwise, when installing on Debian-based Linux or macOS systems, there are three general steps: installing prerequisites, installing The Sleuth Kit, and installing Autopsy itself. On macOS, you will also want to set up the JNA paths.
You can download the snap package from the releases section. For Autopsy to run properly, its snap connections need to be set up, which can be done by running this command: `snap connections autopsy | sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p' | xargs -I{} sudo snap connect {}`. The pipeline takes every plug listed for Autopsy that is not yet connected and connects it with `sudo snap connect`. See the snap README for more information.
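To review what that pipeline would connect before running it with sudo, the following added example (not part of the Autopsy scripts) applies the same sed expression to constructed `snap connections` output. The sample interface names and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: preview which plugs the sed filter from the command above selects.
# The sed expression is copied unchanged from the page.

# Print the Plug column of every row whose Slot and Notes columns are both "-",
# i.e. plugs the snap declares that are not connected yet.
unconnected_plugs() {
    sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p'
}

# Constructed sample of `snap connections autopsy` output (not captured from a
# real system). Columns: Interface, Plug, Slot, Notes.
sample_connections() {
    cat <<'EOF'
Interface        Plug                     Slot               Notes
desktop          autopsy:desktop          :desktop           -
home             autopsy:home             :home              -
network          autopsy:network          :network           -
removable-media  autopsy:removable-media  -                  -
mount-observe    autopsy:mount-observe    -                  -
system-observe   autopsy:system-observe   :system-observe    manual
EOF
}

# Review step: print the commands that xargs would run, without running them.
preview_connect() {
    unconnected_plugs | while read -r plug; do
        printf 'sudo snap connect %s\n' "$plug"
    done
}

sample_connections | preview_connect
# On a real system: snap connections autopsy | preview_connect
```

Rows that already have a slot, including manually connected ones, are skipped; only the two unconnected plugs in the sample are selected.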
- Linux: Run `linux_macos_install_scripts/install_prereqs_ubuntu.sh`.
- macOS: Run `linux_macos_install_scripts/install_prereqs_macos.sh`. This script requires the Homebrew package manager, which has installation steps on its site.

NOTE: The last output of the script is the path to the Java 17 installation. You will want to note that path when installing Autopsy.
- Linux: Download the .deb file for the release you want to install from the release section. Install The Sleuth Kit package from the repositories with the following command: `sudo apt update && sudo apt install /path/to/sleuthkit-version.deb`.
- macOS: Ensure that for this session, your `JAVA_HOME` variable is set to the Java 17 installation by running `export JAVA_HOME=$(/usr/libexec/java_home -v 17)`. Then, install The Sleuth Kit from source by running `linux_macos_install_scripts/install_tsk_from_src.sh`, which will download, build, and install The Sleuth Kit. It can be run as follows: `install_tsk_from_src.sh -p ~/src/sleuthkit -b sleuthkit-4.11.1`. Make sure that the path you download the source to ends with "sleuthkit" as the last directory, and that the release is the corresponding tag in the repository.
- Download the Autopsy zip file from repository releases. The file will be marked as "autopsy-<release>.zip" (e.g. "autopsy-4.19.2.zip").
- Run `install_application.sh` with the following parameters: `install_application.sh [-z zip_path] [-i install_directory] [-j java_home]`. An example would be `install_application.sh -z ~/Downloads/autopsy-4.19.2.zip -i ~/autopsy -j /usr/lib/jvm/java-1.17.0-openjdk-amd64`. The path to the Java 17 home is the last output from the prerequisites installation scripts, but typically, the path will be in the result of running `update-java-alternatives -l | grep java-1.17` on Debian-based Linux or the output of running `/usr/libexec/java_home -v 17` on macOS.
If you are on macOS, run `linux_macos_install_scripts/add_macos_jna.sh` to properly set up the JNA path to get things like gstreamer working. An example would be `add_macos_jna.sh -i ~/autopsy`.
- If you see something like "Cannot create case: javafx/scene/paint/Color", it is an indication that Java FX is not being found. Confirm that the file `$JAVA_HOME/jre/lib/ext/jfxrt.jar` exists. If it does not exist, return to the Java setup steps above.
- If you see something like "An illegal reflective access operation has occurred", it is an indication that the wrong version of Java is being used to run Autopsy. Check the version of Java reported in the `messages.log` file in the log directory. The log directory can be found by opening Autopsy and, with no cases open, going to 'Help' > 'Open Log Folder'. `messages.log` should contain lines that look like:

  ```
  Java; VM; Vendor = 17.0.7; OpenJDK 64-Bit Server VM 17.0.7+7-Ubuntu-0ubuntu122.04.2; Private Build
  Runtime = OpenJDK Runtime Environment 17.0.7+7-Ubuntu-0ubuntu122.04.2
  Java Home = /usr/lib/jvm/java-17-openjdk-amd64
  ```

  If your `messages.log` file indicates that Java 17 is not being used:
  - Confirm that you have a version of Java 17 installed.
  - Confirm that your Java path environment variable is set correctly. Autopsy first uses the value of `jdkhome` in `<autopsy_install_location>/etc/autopsy.conf`, so look for an uncommented line (not starting with '#') that looks like `jdkhome=<java path>`. If that is not set, check your `$JAVA_HOME` environment variable by running `echo $JAVA_HOME`.
- If you see something like "cannot be opened because the developer cannot be verified.", it is an indication that Gatekeeper is running and is stopping a file from being executed. To fix this, open a new terminal window and enter the command `sudo spctl --master-disable`; you will be required to enter your password. This turns Gatekeeper off system-wide, which will allow any program to be downloaded from anywhere and executed.
- On initial run, Autopsy shows a window that can appear behind the splash screen. This looks like Autopsy has stalled during startup. The easiest way to get around this issue for the first run is to run Autopsy with the `--nosplash` flag, which will hide the splash screen on startup. There will be a lag where no window appears for a bit, so please be patient.
- If a script fails to run due to "operation not permitted" or something along those lines, you may need to run `chmod u+x <path to script>` from the command line to allow the script to run.
- If you encounter an error like `getcwd: cannot access parent directories: Operation not permitted` on Mac, you can do the following:
  - Select System Preferences -> Security & Privacy -> Full Disk Access
  - Click the lock to make changes
  - Click '+'
  - Press 'cmd' + 'shift' + '.' to show hidden files
  - Select `/bin/sh`
Source: Symscape
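The Java lookup order from the troubleshooting steps above (an uncommented `jdkhome` line in `etc/autopsy.conf` first, then `$JAVA_HOME`) can be checked with the following added example, which is not part of the Autopsy scripts. The function names, the optional quotes around the `jdkhome` value, and the fixture directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of Autopsy): report which Java home Autopsy would use,
# in the order described above: jdkhome in etc/autopsy.conf, then $JAVA_HOME.

# Value of the last uncommented jdkhome= line; optional quotes are stripped.
conf_jdkhome() {
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*jdkhome[[:space:]]*=[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# resolve_java_home <autopsy_install_location> -> "<source> <path>", or status 1.
resolve_java_home() {
    jdk=$(conf_jdkhome "$1/etc/autopsy.conf")
    if [ -n "$jdk" ]; then
        printf 'autopsy.conf %s\n' "$jdk"
    elif [ -n "${JAVA_HOME:-}" ]; then
        printf 'JAVA_HOME %s\n' "$JAVA_HOME"
    else
        return 1
    fi
}

# Major Java version from the "Java; VM; Vendor" line of a messages.log file.
log_java_major() {
    sed -nE 's/^[[:space:]]*Java; VM; Vendor[[:space:]]*=[[:space:]]*([0-9]+)[.;].*$/\1/p' "$1" |
        tail -n 1
}

# Constructed fixture: an install directory whose only jdkhome line is commented
# out, plus a messages.log header in the format shown above.
make_demo_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/log"
    printf '%s\n' '# options used by the launcher' \
        '#jdkhome="/path/to/jdk"' > "$dir/etc/autopsy.conf"
    printf '%s\n' \
        'Java; VM; Vendor = 17.0.7; OpenJDK 64-Bit Server VM 17.0.7+7-Ubuntu-0ubuntu122.04.2; Private Build' \
        'Java Home = /usr/lib/jvm/java-17-openjdk-amd64' > "$dir/log/messages.log"
    printf '%s\n' "$dir"
}

demo=$(make_demo_install)
( JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64; resolve_java_home "$demo" )
echo "Java major version in log: $(log_java_major "$demo/log/messages.log")"
rm -rf "$demo"
```

On a real system, pass your own install directory to `resolve_java_home` and the `messages.log` path from 'Help' > 'Open Log Folder' to `log_java_major`.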
- Not all current features in Autopsy are functional in a Linux and Mac environment, including but not limited to:
  - Recent Activity
  - The LEAPP processors
  - HEIF processing
  - Video thumbnails
  - VHD and VMDK files not supported on OS X