1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
The Sleuth Kit
http://www.sleuthkit.org/sleuthkit
Installation Instructions
Last Modified: Oct 2012
REQUIREMENTS
=============================================================================
Tested Platform:
- FreeBSD 2-6.*
- Linux 2.*
- OpenBSD 2-3.*
- Mac OS X
- SunOS 4-5.*
- Windows
Build System (to compile from a source distribution):
- C/C++ compiler
- GNU Make
- Java compiler / JDK (if you want the java bindings)
Development System (to extend TSK or compile from the repository):
- GNU autoconf, automake, and libtool
- Plus the build system requirements
Optional Programs:
- Autopsy: Provides a graphical HTML-based interface to The
Sleuth Kit (which makes it much easier to use). Install this AFTER
installing The Sleuth Kit.
Available at: http://www.sleuthkit.org/autopsy
Optional Libraries:
There are optional features that TSK can use if you have installed
them before you build and install TSK.
- AFFLIB: Allows you to process disk images that are stored in the
AFF format. Version 3.3.6 has been tested to compile and work with this
release.
Available at: http://www.afflib.org
- LibEWF: Allows you to process disk images that are stored in the
Expert Witness format (EnCase Format). Version 20130128 has been
tested to compile and work with this release. It is the last
stable release of libewf and therefore the only one that we
currently support. You can download it from:
https://github.com/sleuthkit/libewf_64bit
The official repository is available here, but there is not
a package of the last stable release:
https://github.com/libyal/libewf
Available at: http://sourceforge.net/projects/libewf/
INSTALLATION
=============================================================================
Refer to the README_win32.txt file for details on Windows.
The Sleuth Kit uses the GNU autotools for building and installation.
There are a few steps to this process. First, run the 'configure'
script in the root TSK directory. See the CONFIGURE OPTIONS section
for useful arguments that can be given to 'configure.
$ ./configure
If there were no errors, then run 'make'. If you do not have a
'configure' script, then it is probably because you cloned the
source code repository. If so, you will need to have automake,
autoconf, and libtool installed and you can create the configure
script using the 'bootstrap' script in the root directory.
$ make
The 'make' process will take a while and will build the TSK tools.
When this process is complete, the libraries and executables will
be located in the TSK sub-directories. To install them, type
'make install'.
$ make install
By default, this will copy everything in to the /usr/local/ structure.
So, the executables will be in '/usr/local/bin'. This directory will
need to be in your PATH if you want to run the TSK commands without
specifying '/usr/local/bin' everytime.
If you get an error like:
libtool: Version mismatch error. This is libtool 2.2.10, but the
libtool: definition of this LT_INIT comes from libtool 2.2.4.
libtool: You should recreate aclocal.m4 with macros from libtool 2.2.10
libtool: and run autoconf again.
Run:
./bootstrap
and then go back to running configure and make. To run 'bootstrap',
you'll need to have the autotools installed (see the list at the
top of this page).
CONFIGURE OPTIONS
-----------------------------------------------------------------------------
There are some arguments to 'configure' that you can supply to
customize the setup. Currently, they focus on the optional disk
image format libraries.
--without-afflib: Supply this if you want TSK to ignore AFFLIB even
if it is installed.
--with-afflib=dir: Supply this if you want TSK to look in 'dir' for
the AFFLIB installation (the directory should have 'lib' and 'include'
directories in it).
--without-ewf: Supply this if you want TSK to ignore libewf even
if it is installed.
--with-libewf=dir: Supply this if you want TSK to look in 'dir' for
the libewf installation (the directory should have 'lib' and 'include'
directories in it).
-----------------------------------------------------------------------------
Brian Carrier
carrier <at> sleuthkit <dot> org
|
