Autopsy

Autopsy is a graphical front end to The Sleuth Kit, a collection of command-line forensic tools that allow for detailed exploration of forensically-relevant artifacts. Due to the fact that autopsy is a heavyweight, opinionated, graphical Java application, building it as a container is non-trivial. Another issue that has become relevant as of 16 April, 2019, is that Oracle has changed Java SE Licensing. This has resulted in the popular Ubuntu “WebUpd8” team PPA being discontinued due to licensing concerns.

Linux Installation

Autopsy is mostly developed on an for Windows systems, but it is possible to run Autopsy on Linux and OS X. Building and running Autopsy on Ubuntu 18.10 (Cosmic Cuttlefish), is not too difficult after a significant amount of trial and error. The same instructions with minor modifications, should probably work on Ubuntu 18.04.2 LTS (Bionic Beaver), but this has not yet been tested.

Prerequisites

It appears that Autopsy relies on JavaFX, and therefore will not successfully run when compiled against OpenJDK. Fortunately, there appears to be a functional alternative, which is not encumbered by the same Oracle licensing issues, and is theoretically binary-compatible with Oracle’s Java 8 SE implementation: Amazon Corretto 8. The official installation documentation includes instructions for both .rpm and .deb package formats, which Amazon provides. The below Dockerfile seems to create a working Autopsy 4.10.0 build on Ubuntu. However, some of the packages installed are probably not-necessary. Further testing can help eliminate trim dependencies.

FROM ubuntu:cosmic
LABEL maintainer "djds djds@ccs.neu.edu"

ENV DEBIAN_FRONTEND="noninteractive"

RUN apt-get update && apt-get dist-upgrade -y && apt-get install -y \
    ant ca-certificates g++ gcc gpg java-common libafflib-dev \
    libboost-dev libewf-dev libgl1-mesa-dri libgl1-mesa-glx \
    libsolr-java libsqlite3-dev libswt-gtk-4-java libtika-java \
    libtool libtsk-dev libvhdi-dev libvmdk-dev make openjfx postgresql \
    software-properties-common sqlite3 testdisk wget zip zlib1g-dev

WORKDIR /opt

RUN wget "https://d3pxv6yz143wms.cloudfront.net/8.212.04.1/ java-1.8.0-amazon-corretto-jdk_8.212.04-1_amd64.deb" \
    && apt-get install -y ./java-1.8.0-amazon-corretto-jdk_8.212.04-1_amd64.deb \
    && apt-get install -y --fix-missing

RUN wget "https://github.com/sleuthkit/autopsy/ releases/download/autopsy-4.10.0/autopsy-4.10.0.zip" \
    && wget "https://github.com/sleuthkit/autopsy/ releases/download/autopsy-4.10.0/autopsy-4.10.0.zip.asc" \
    && wget "https://github.com/sleuthkit/sleuthkit/ releases/download/sleuthkit-4.6.5/sleuthkit-4.6.5.tar.gz" \
    && wget "https://github.com/sleuthkit/sleuthkit/ releases/download/sleuthkit-4.6.5/sleuthkit-4.6.5.tar.gz.asc"

RUN gpg --recv-keys "0917A7EE58A9308B13D3963338AD602EC7454C8B" \
    && gpg --verify autopsy-4.10.0.zip.asc && gpg --verify sleuthkit-4.6.5.tar.gz.asc \
    && tar -xf sleuthkit-4.6.5.tar.gz && unzip autopsy-4.10.0.zip

WORKDIR /opt/sleuthkit-4.6.5

RUN export JAVA_HOME="/usr/lib/jvm/java-1.8.0-amazon-corretto/" \
    && ./configure && make && make install

WORKDIR /opt/autopsy-4.10.0

RUN chmod +x ./unix_setup.sh \
    && export JAVA_HOME="/usr/lib/jvm/java-1.8.0-amazon-corretto/" \
    && ./unix_setup.sh \
    && apt-get install -y --fix-broken \
    && chmod +x /opt/autopsy-4.10.0/bin/autopsy

ARG GID
ARG ID
ARG AUDIO

RUN groupadd -g "${GID}" autopsy \
    && groupmod -g "${AUDIO}" audio \
    && useradd -m -G audio,video -u "${ID}" -g "${GID}" autopsy \
    && mkdir -p /home/autopsy/data \
    && chown -R autopsy:autopsy /home/autopsy \
    && rm -rf /var/lib/apt/lists/* \
    && rm /opt/sleuthkit-4.6.5.tar.gz && rm /opt/autopsy-4.10.0.zip

WORKDIR /home/autopsy/data

# Run as non privileged user
USER autopsy

ENTRYPOINT ["/opt/autopsy-4.10.0/bin/autopsy"]

This Dockerfile is again base on Ubuntu. First, the required dependencies are fetched and installed, using the apt package manager. Next the Amazon Corretto 8 Java distribution is downloaded as a prepackeged .deb file and installed, and any additional dependicies are added. Then the correct version of The Sleuth Kit source code is downloaded, along with the binary for the latest version of Autopsy. After verifying that these archives are properly signed using GnuPG, the archives are unpacked.

Next, The Sleuth Kit is compiled from source, as this seemed to be the easiest way to get things to function when linked against Amazon Corretto. Once this completes the Autopsy unix_setup.sh script is made executable and run. Due to the fact that Autopsy is a large, complex piece of software that may be exposed to all sorts of nasty files present in a given ingest image, it is not adviseable to run Autopsy as root inside the container. To avoid this bad practice, the image is built to run as the user autopsy, in an attempt to follow best practices and the principle of least privilege.

To do this correctly, it is important for the user ID of the autopsy user inside the container to match the user ID of the user running the container on the host. On a single-user linux system, the first user typically has a ${UID} of 1000, but this may vary in specialized envrionments. To take care of this issue, it is useful to define a custom build script that can be run to create the autopsy:corretto image, in the event that pulling from the registry doesn’t work seemlessly.

#!/bin/bash

set -euo pipefail

REGISTRY="${REGISTRY:gitlab.com/bghost/docker-forensics/}"

user='djds'
repo='autopsy'
tag="${1:-corretto}"

# set environment vars
GID="${GID:-$(id -g)}"
AUDIO="${AUDIO:-$(getent group audio | cut -d ':' -f 3)}"
ID="${ID:-$(id -u)}"

# build the container:
docker build \
    --build-arg GID="${GID}" \
    --build-arg ID="${ID}" \
    --build-arg AUDIO="${AUDIO}" \
    -t "${REGISTRY}${user}/${repo}:${tag}" .

if [[ "${PUSH:-}" == "true" ]]; then
    docker push "${REGISTRY}${user}/${repo}:${tag}"
fi

# clean up our host environment
unset {GID,ID,AUDIO}

By passing the --build-arg flag with environment variables for the user and group IDs of the user invoking the script, these variables are passed to the dockerd daemon when it builds the image. This is just one of many ways to use variables to dynamically effect the Docker build process. It is also possible to use variables such as PUSH in this case to decide whether or not to push the newly built container to the registry.

Running Autopsy in a container also requires that certain environment variables are passed to the container from the host. For a graphical application, like Autopsy, the most important of these are the X11 Unix socket at /tmp/.X11-unix and the ${DISPlAY} enviroment variable. To simplify launching autopsy in the future, it is helpful to put the following function or similar into a file such as ~/.bashrc.

autopsy() {
    local tag;
    local repo;
    local DOCKER_REGISTRY;

    tag=${1:-corretto};
    repo='djds/autopsy';
    DOCKER_REGISTRY="registry.gitlab.com/bghost/docker-forensics/";

    docker run --rm -d \
        -c 4 \
        -m 8192M \
        -v /etc/localtime:/etc/localtime:ro \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        -e "DISPLAY=unix${DISPLAY}" \
        -v "/dev/shm:/dev/shm" \
        --device /dev/snd \
        --device /dev/dri \
        -v "${HOME}/.autopsy:/home/autopsy/.autopsy" \
        -v "${PWD}:/home/autopsy/data" \
        --name autopsy \
        "${DOCKER_REGISTRY}${repo}:${tag}"
}

Once autopsy is running in the container, it behaves as it would in any other context. Hyperlinks, however, need to be copied and pasted into a browser, as autopsy will not have access to one, which is a security feature of this setup, if a potentially a bit inconvenient. The only directories that the autopsy container will have access to on the host is the configuration directory at ${HOME}/.autopsy and the current working directory (${PWD}), mapped to /home/autopsy/data inside the container. A screenshot of a running instance of autopsy after running ingest on a 13GB .e01 image broken up into logical segments (which Autopsy detects automatically).

Autopsy

A built version of this image can be pulled from the GitLab container registry:

$ docker pull registry.gitlab.com/bghost/docker-forensics/djds/autopsy:corretto