--- autopsy-2.24.orig/debian/control
+++ autopsy-2.24/debian/control
@@ -0,0 +1,17 @@
+Source: autopsy
+Section: admin
+Priority: optional
+Maintainer: Lorenzo Martignoni
+Build-Depends: debhelper (>= 7.0.0), dpatch
+Build-Depends-Indep: sleuthkit (>= 3.0.0)
+Standards-Version: 3.8.4
+
+Package: autopsy
+Architecture: all
+Depends: ${misc:Depends}, sleuthkit (>= 3.0.0), perl, binutils
+Description: graphical interface to SleuthKit
+ The Autopsy Forensic Browser is a graphical interface to the command line
+ digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit
+ and Autopsy provide many of the same features as commercial digital forensics
+ tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS,
+ EXT2FS, and EXT3FS).
--- autopsy-2.24.orig/debian/README.source
+++ autopsy-2.24/debian/README.source
@@ -0,0 +1,2 @@
+This packages uses 'dpatch'. See /usr/share/doc/dpatch/README.source.gz for
+specific information about 'dpatch'.
--- autopsy-2.24.orig/debian/install
+++ autopsy-2.24/debian/install
@@ -0,0 +1,2 @@
+autopsy /usr/bin
+*.pl help pict base/autopsy.base lib /usr/share/autopsy
--- autopsy-2.24.orig/debian/dirs
+++ autopsy-2.24/debian/dirs
@@ -0,0 +1,6 @@
+usr/bin
+usr/share/autopsy
+usr/share/autopsy/pict
+usr/share/autopsy/help
+usr/share/doc/autopsy
+var/lib/autopsy
--- autopsy-2.24.orig/debian/copyright
+++ autopsy-2.24/debian/copyright
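Review bot: `Depends` in debian/control names perl, sleuthkit and binutils but not `file`, although the 02.sleuthkit.dpatch hunk in this same upload pipes every `icat-sleuthkit` viewer and hash path through `'$::FILE_EXE' -z -b -`; if the simulated configuration resolves `FILE_EXE` to /usr/bin/file (I cannot see that from the visible hunks), a minimal install will only fail when an investigator opens a file. Consider `Depends: ${misc:Depends}, sleuthkit (>= 3.0.0), perl, binutils, file`. binutils is presumably listed for `strings`; a short comment in debian/rules or README.Debian stating which executable each non-obvious dependency provides would make the list auditable when conf.pl changes.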
@@ -0,0 +1,24 @@
+This package was debianized by Mattia Monga on
+Thu, 17 Apr 2003 22:51:27 +0200.
+
+It was downloaded from http://www.sleuthkit.org/autopsy/
+
+Copyright (C) 2003-2008 Brian Carrier
+
+Copyright:
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, N: MA
+ 02110-1301, USA.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL-2'.
--- autopsy-2.24.orig/debian/rules
+++ autopsy-2.24/debian/rules
@@ -0,0 +1,43 @@
+#!/usr/bin/make -f
+
+include /usr/share/dpatch/dpatch.make
+
+build: build-stamp
+build-stamp: patch-stamp
+ dh_testdir
+ touch build-stamp
+
+clean: clean-unpatched unpatch
+clean-unpatched:
+ dh_testdir
+ dh_testroot
+ dh_clean build-stamp config.tmp config2.tmp
+
+install: build-stamp
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+ dh_install
+ find debian -type f -name ".perltidyrc" -exec rm {} \;
+
+# Build architecture-dependent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs CHANGES.txt
+ dh_installdocs README.txt TODO.txt
+ dh_installman man/man1/autopsy.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: binary clean binary-indep binary-arch build install patch unpatch \
+ clean1
--- autopsy-2.24.orig/debian/README.Debian
+++ autopsy-2.24/debian/README.Debian
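Review bot: The `install` target creates var/lib/autopsy via `dh_installdirs` (debian/dirs lists it, and README.Debian names it as the default evidence locker) and then `dh_fixperms` in `binary-indep` leaves it at the standard 0755 root:root, so case data, audit logs and the per-port authentication cookie that README.Debian says are written under the locker end up in a world-traversable directory once autopsy is run as root; whether the cookie file itself is readable depends on autopsy's umask, which I cannot see here. Tightening it right after `dh_fixperms` with `chmod 0750 debian/autopsy/var/lib/autopsy` keeps the locker to root (or to an admin group set in postinst), and the decision deserves a one-line comment in rules. Separately, `.PHONY` ends in `clean1`, which no rule defines — `clean-unpatched` looks intended — and `binary-arch` is listed in `.PHONY` with no rule, so an explicit empty `binary-arch:` rule would make the intent clear. `dh_strip` and `dh_shlibdeps` are no-ops for an `Architecture: all` Perl package and can be dropped.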
@@ -0,0 +1,38 @@
+The Debian autopsy uses the md5sum executable found in the dpkg package.
+
+Privileges
+------------------------------------------------------------------------------
+If you run autopsy as a normal user you may encounter some problems due to lack
+of privileges: you may not be able to use the default evidence directory
+(/var/lib/autopsy/) and you may not be able to mount physical devices.
+
+If you believe that what you're going to do would not require root privileges
+you can safely run autopsy using a custom evidence directory (using the '-d'
+command line argument). If problems related to permissions arise all the same
+then probably what you're doing requires root privileges.
+
+ -- Lorenzo Martignoni , Sat Jan 14 16:28:06 2006
+
+Customizations
+------------------------------------------------------------------------------
+There are a few settings in conf.pl that you may want to change.
+
+STIMEOUT: If USE_STIMEOUT is set to 1, then this the server will close
+after STIMEOUT seconds of no activity.
+
+CTIMEOUT: The number of seconds to wait before closing a socket.
+
+COOKIES: When USE_COOKIE is set to 1, then all URLs use a random cookie
+for authentication. It is stored in the file named "..cookie" in
+the Evidence Locker directory, where is the port number that is
+being used.
+
+LOGGING: When USE_LOG is set to 1, then audit logs are saved to the
+case and host directories. There are general logs for the case
+and host and then investigator specific ones that are saved in the
+'logs' directory of the host. When the USE_NOTES is set to 1, then
+the investigator can add comments to a given file, or other object.
+The notes are stored in a file in the host 'logs' directory.
+
+ -- Mattia Monga , Sun Apr 27 11:16:48 2003
+
--- autopsy-2.24.orig/debian/changelog
+++ autopsy-2.24/debian/changelog
@@ -0,0 +1,150 @@ +autopsy (2.24-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Sun, 20 Jun 2010 21:04:54 +0200 + +autopsy (2.23-2) unstable; urgency=low + + * Rebuilt package because prior version was improperly built (no diff file) + * Updated to standard 3.8.4 + * Package is lintian clean + + -- Lorenzo Martignoni Mon, 22 Feb 2010 14:59:13 +0100 + +autopsy (2.23-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Mon, 22 Feb 2010 12:15:58 +0100 + +autopsy (2.21-2) unstable; urgency=low + + * Rebuilt package for unstable (Closes: #540514) + * Updated to standard 3.8.3 + + -- Lorenzo Martignoni Tue, 08 Dec 2009 10:30:17 +0100 + +autopsy (2.21-1) experimental; urgency=low + + * New upstream release (Closes: #464868) + + -- Lorenzo Martignoni Tue, 16 Jun 2009 22:46:38 +0200 + +autopsy (2.10-1) unstable; urgency=low + + * New upstream release (Closes: #464868) + + -- Lorenzo Martignoni Sun, 26 Apr 2009 17:22:17 +0200 + +autopsy (2.08-2.1) unstable; urgency=low + + * NMU + * Applied patch to prevent broken Perl check, closes: #479935. + Thanks to Peter Green . + + -- Martin A. 
Godisch Sat, 19 Jul 2008 08:25:23 +0200 + +autopsy (2.08-2) unstable; urgency=low + + * Patched the code to point directly to ils-sleuthkit, icat-sleuthkit + and mactime-sleuthkit instead of using original filenames (without + -sleuthkit) which, due to the alternative system, could point to + incompatible executables (Closes: #407011) + + -- Lorenzo Martignoni Sat, 20 Jan 2007 05:13:15 +0100 + +autopsy (2.08-1) unstable; urgency=low + + * New upstream release (Closes: #386412) + + -- Lorenzo Martignoni Tue, 17 Oct 2006 05:13:55 +0200 + +autopsy (2.06-2) unstable; urgency=low + + * Patched autopsy executable to add warning when it is not run as root + (Closes: #344965) + + -- Lorenzo Martignoni Sat, 14 Jan 2006 15:42:09 +0100 + +autopsy (2.06-1) unstable; urgency=low + + * New upstream release + * Updated package description + + -- Lorenzo Martignoni Sun, 23 Oct 2005 23:59:40 +0200 + +autopsy (2.05-1) unstable; urgency=high + + * New upstream release (Closes: #308990) + + -- Lorenzo Martignoni Thu, 19 May 2005 23:11:55 +0200 + +autopsy (2.04-3) unstable; urgency=low + + * Applied patch from Kenny Duffus to refles sstring executable Debian + name (Closes: #304675) + + -- Lorenzo Martignoni Fri, 1 Apr 2005 00:00:33 +0200 + +autopsy (2.04-2) unstable; urgency=low + + * Applied patch from Kenny Duffus to fix sorter executable path + + -- Lorenzo Martignoni Wed, 30 Mar 2005 20:13:37 +0200 + +autopsy (2.04-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Sun, 27 Mar 2005 14:23:09 +0200 + +autopsy (2.03-2) unstable; urgency=low + + * Patched the code to call 'datastat' instead 'dstat' to reflect changes + introduced in the latest version of the Sleuthkit Debian package + (patch provided by Kenny Duffus) (Closes: #291548) + * Patched the code to use 'md5sum' and 'sha1sum'. 
Previous version of + the patch was buggy (the new patch is provided by Kenny Duffus) + (Closes: #291550) + + -- Lorenzo Martignoni Tue, 25 Jan 2005 23:27:03 +0100 + +autopsy (2.03-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Fri, 17 Sep 2004 00:04:18 +0200 + +autopsy (2.02-1) unstable; urgency=low + + * New upstream release + * Package is now built using dpatch + + -- Lorenzo Martignoni Tue, 03 Aug 2004 14:06:42 +0200 + +autopsy (1.75-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Fri, 28 Nov 2003 19:32:15 +0100 + +autopsy (1.71-2) unstable; urgency=low + + * Package taken while Lorenzo is waiting to become an official Debian + mantainer + + -- Mattia Monga Thu, 17 Apr 2003 22:33:36 +0200 + +autopsy (1.71-1) unstable; urgency=low + + * New upstream release + + -- Lorenzo Martignoni Tue, 15 Apr 2003 19:09:34 +0200 + +autopsy (1.70-1) unstable; urgency=low + + * Initial Release. + + -- Lorenzo Martignoni Tue, 1 Apr 2003 18:01:22 +0200 + --- autopsy-2.24.orig/debian/compat +++ autopsy-2.24/debian/compat @@ -0,0 +1 @@ +7 --- autopsy-2.24.orig/debian/patches/04.man.dpatch +++ autopsy-2.24/debian/patches/04.man.dpatch 
@@ -0,0 +1,86 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04.man.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: replace - with \- + +@DPATCH@ +diff -urNad autopsy-2.10~/man/man1/autopsy.1 autopsy-2.10/man/man1/autopsy.1 +--- autopsy-2.10~/man/man1/autopsy.1 2009-04-26 23:21:24.000000000 +0200 ++++ autopsy-2.10/man/man1/autopsy.1 2009-04-26 23:22:28.000000000 +0200 +@@ -2,11 +2,11 @@ + .SH NAME + autopsy \- Autopsy Forensic Browser + .SH SYNOPSIS +-.B autopsy [-c] [-C] [-d ++.B autopsy [\-c] [\-C] [\-d + .I evid_locker +-.B ] [-i ++.B ] [\-i + device filesystem mnt +-.B ] [-p ++.B ] [\-p + .I port + .B ] + .I [addr] +@@ -15,27 +15,27 @@ + .B autopsy + starts the Autopsy Forensic Browser server on port 9999 and and accepts + connections from the localhost. If +-.I -p port ++.I \-p port + is given, then the server opens on that port and if + .I addr + is given, then connections are only accepted from that host. + When the +-.I -i ++.I \-i + argument is given, then autopsy goes into live analysis mode. + + The arguments are as follows: +-.IP "-c" ++.IP "\-c" + Force the program to use cookies even for localhost. +-.IP "-C" ++.IP "\-C" + Force the program to not use cookies even for remote hosts. +-.IP "-d evid_locker" ++.IP "\-d evid_locker" + Directory where cases and hosts are stored. + This overrides the + .B LOCKDIR + value in + .I conf.pl. + The path must be a full path (i.e. start with /). +-.IP "-i device filesystem mnt" ++.IP "\-i device filesystem mnt" + Specify the information for the live analysis mode. This can be specified + as many times as needed. The + .I device +@@ -44,7 +44,7 @@ + field is for the file system type, and the + .I mnt + field is for the mounting point of the file system. +-.IP "-p port" ++.IP "\-p port" + TCP port for server to listen on. + .IP addr + IP address or host name of where investigator is located. +@@ -75,7 +75,7 @@ + .RS + Directory where cases and forensic images are located. 
+ The images must have simple +-names with only letters, numbers, '_', '-', and '.'. (See FILES). ++names with only letters, numbers, '_', '\-', and '.'. (See FILES). + .RE + .I TSKDIR + .RS +@@ -137,7 +137,7 @@ + integrity of images. + + .SH EXAMPLE +-# ./autopsy -p 8888 10.1.34.19 ++# autopsy \-p 8888 10.1.34.19 + .SH "SEE ALSO" + .BR dd (1), + .BR fls (1), --- autopsy-2.24.orig/debian/patches/02.sleuthkit.dpatch +++ autopsy-2.24/debian/patches/02.sleuthkit.dpatch 
@@ -0,0 +1,353 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02.sleuthkit.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Update the name of the following Sleuthkit executables: ils, icat, and mactime + +@DPATCH@ +diff -urNad autopsy-2.21~/lib/Appview.pm autopsy-2.21/lib/Appview.pm +--- autopsy-2.21~/lib/Appview.pm 2008-09-29 04:42:46.000000000 +0200 ++++ autopsy-2.21/lib/Appview.pm 2009-06-16 22:41:19.000000000 +0200 +@@ -196,7 +196,7 @@ + # identify what type it is + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + my $file_type = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -231,7 +231,7 @@ + + local *OUT; + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++ "'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + + while ($_ = Exec::read_pipe_line(*OUT)) { +diff -urNad autopsy-2.21~/lib/File.pm autopsy-2.21/lib/File.pm +--- autopsy-2.21~/lib/File.pm 2009-02-03 05:26:21.000000000 +0100 ++++ autopsy-2.21/lib/File.pm 2009-06-16 22:41:19.000000000 +0200 +@@ -1095,7 +1095,7 @@ + my $recmode = $File::REC_NO; + local *OUT; + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/ils' -f $ftype -e -o $offset -i $imgtype $img $meta_int"); ++ "'$::TSKDIR/ils-sleuthkit' -f $ftype -e -o $offset -i $imgtype $img $meta_int"); + while ($_ = Exec::read_pipe_line(*OUT)) { + chop; + next unless ($_ =~ /^$meta/); +@@ -1705,7 +1705,7 @@ + + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/ils' -f $ftype -e -o $offset -i $imgtype $img $meta_int" ++"'$::TSKDIR/ils-sleuthkit' -f $ftype -e -o $offset -i $imgtype $img $meta_int" + ); + while ($_ = Exec::read_pipe_line(*OUT)) { + chop; +@@ -1726,12 +1726,12 @@ + # Get the file type so we can show the thumb nails automatically + if 
($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + +@@ -1785,12 +1785,12 @@ + # Get the file type + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + +@@ -1893,7 +1893,7 @@ + "$Caseman::vol2sname{$vol}: Viewing $fname ($meta) as ASCII"); + + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + + print "Contents Of File: $fname\n\n\n"; +@@ -1905,7 +1905,7 @@ + "$Caseman::vol2sname{$vol}: Viewing $fname ($meta) as Hex"); + + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + + print "Hex Contents Of File: $fname\n\n\n"; +@@ -1921,7 +1921,7 @@ + "$Caseman::vol2sname{$vol}: Viewing $fname ($meta) as strings"); + + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | 
'$::TSKDIR/srch_strings' -a" + ); + + print "ASCII String Contents Of File: $fname\n\n\n\n"; +@@ -1989,7 +1989,7 @@ + + local *OUT; + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++ "'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + + # We can't trust the mnt and dir values (since there +@@ -2077,7 +2077,7 @@ + # Calculate the MD5 value + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" + ); + my $md5 = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -2095,7 +2095,7 @@ + + if ($::SHA1_EXE ne "") { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" + ); + my $sha1 = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -2114,7 +2114,7 @@ + + if ($sort == $FIL_SORT_STR) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a | '$::MD5_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a | '$::MD5_EXE'" + ); + $md5 = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -2127,7 +2127,7 @@ + + if ($::SHA1_EXE ne "") { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a | '$::SHA1_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a | '$::SHA1_EXE'" + ); + $sha1 = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -2167,7 +2167,7 @@ + + # File Type + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' 
-f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + my $apptype = Exec::read_pipe_line(*OUT); + close(OUT); +@@ -2187,14 +2187,14 @@ + + if ($sort == $FIL_SORT_ASC) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + Print::print_output($_) while ($_ = Exec::read_pipe_data(*OUT, 1024)); + close(OUT); + } + elsif ($sort == $FIL_SORT_HEX) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta" + ); + my $offset = 0; + while ($_ = Exec::read_pipe_data(*OUT, 1024)) { +@@ -2205,7 +2205,7 @@ + } + elsif ($sort == $FIL_SORT_STR) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype $recflag -o $offset -i $imgtype $img $meta | '$::TSKDIR/srch_strings' -a" + ); + Print::print_output($_) while ($_ = Exec::read_pipe_line(*OUT)); + close(OUT); +@@ -2267,7 +2267,7 @@ + + local *OUT_MD5; + Exec::exec_pipe(*OUT_MD5, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $in | '$::MD5_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $in | '$::MD5_EXE'" + ); + my $md5out = Exec::read_pipe_line(*OUT_MD5); + +diff -urNad autopsy-2.21~/lib/Meta.pm autopsy-2.21/lib/Meta.pm +--- autopsy-2.21~/lib/Meta.pm 2008-09-29 04:42:46.000000000 +0200 ++++ autopsy-2.21/lib/Meta.pm 2009-06-16 22:41:19.000000000 +0200 +@@ -185,7 +185,7 @@ + my $recmode = $File::REC_NO; + local *OUT; + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/ils' -f $ftype -e -o $offset -i $imgtype $img $meta_int"); ++ "'$::TSKDIR/ils-sleuthkit' -f $ftype -e -o $offset -i $imgtype $img $meta_int"); + while ($_ = Exec::read_pipe_line(*OUT)) { + chop; + next unless ($_ =~ /^$meta_int/); +@@ -289,12 
+289,12 @@ + + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + my $file_type = Exec::read_pipe_line(*OUT); +@@ -313,12 +313,12 @@ + # MD5 Value + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::MD5_EXE'" + ); + } + +@@ -379,12 +379,12 @@ + if ($::SHA1_EXE ne "") { + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::SHA1_EXE'" + ); + } + +@@ -546,11 +546,11 @@ + local *OUT; + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta"); ++ "'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta"); + } + else { + Exec::exec_pipe(*OUT, +- "'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta"); ++ "'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta"); + } + 
+ print "$_" while ($_ = Exec::read_pipe_data(*OUT, 512)); +@@ -658,12 +658,12 @@ + + if ($recmode == $File::REC_YES) { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -r -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + else { + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $meta | '$::FILE_EXE' -z -b -" + ); + } + +@@ -734,7 +734,7 @@ + # The list + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/ils' -e -s $Caseman::ts -f $ftype -o $offset -i $imgtype $img $fmin-$max" ++"'$::TSKDIR/ils-sleuthkit' -e -s $Caseman::ts -f $ftype -o $offset -i $imgtype $img $fmin-$max" + ); + while ($_ = Exec::read_pipe_line(*OUT)) { + if (/^($::REG_META)\|([af])\|\d+\|\d+\|\d+\|\d+\|\d+\|/o) { +diff -urNad autopsy-2.21~/lib/Notes.pm autopsy-2.21/lib/Notes.pm +--- autopsy-2.21~/lib/Notes.pm 2008-09-29 04:42:46.000000000 +0200 ++++ autopsy-2.21/lib/Notes.pm 2009-06-16 22:41:19.000000000 +0200 +@@ -144,7 +144,7 @@ + $meta_int = $1 if ($meta_int =~ /^(\d+)-\d+(-\d+)?$/); + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/ils' -s $Caseman::ts -f $ftype -e -o $offset -i $imgtype $img $meta_int" ++"'$::TSKDIR/ils-sleuthkit' -s $Caseman::ts -f $ftype -e -o $offset -i $imgtype $img $meta_int" + ); + + # Get the fourth line +@@ -322,7 +322,7 @@ + $meta_int = $1 if ($meta_int =~ /^(\d+)-\d+(-\d+)?$/); + local *OUT; + Exec::exec_pipe(*OUT, +-"'$::TSKDIR/ils' -s $Caseman::ts -f $ftype -e -o $offset -i $imgtype $img $meta_int" ++"'$::TSKDIR/ils-sleuthkit' -s $Caseman::ts -f $ftype -e -o $offset -i $imgtype $img $meta_int" + ); + + # Skip to the fourth line +diff -urNad autopsy-2.21~/lib/Timeline.pm autopsy-2.21/lib/Timeline.pm +--- autopsy-2.21~/lib/Timeline.pm 2008-09-29 04:42:46.000000000 +0200 ++++ autopsy-2.21/lib/Timeline.pm 
2009-06-16 22:41:19.000000000 +0200 +@@ -930,7 +930,7 @@ + } + + Exec::exec_sys( +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $pwi > '$pw_tmp'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $pwi > '$pw_tmp'" + ); + $mac_args .= " -p \'$pw_tmp\' "; + +@@ -969,7 +969,7 @@ + } + } + Exec::exec_sys( +-"'$::TSKDIR/icat' -f $ftype -o $offset -i $imgtype $img $gri > '$gr_tmp'" ++"'$::TSKDIR/icat-sleuthkit' -f $ftype -o $offset -i $imgtype $img $gri > '$gr_tmp'" + ); + $mac_args .= " -g \'$gr_tmp\' "; + } +@@ -1005,17 +1005,17 @@ + local *OUT; + if ($otype == $OTYPE_NORM) { + Exec::exec_pipe(*OUT, +-"LANG=C LC_ALL=C '$::TSKDIR/mactime' -b $Caseman::vol2path{$body} $tz -i day '${fname}.sum' $mac_args $date > '$fname'" ++"LANG=C LC_ALL=C '$::TSKDIR/mactime-sleuthkit' -b $Caseman::vol2path{$body} $tz -i day '${fname}.sum' $mac_args $date > '$fname'" + ); + } + elsif ($otype == $OTYPE_HOURLY) { + Exec::exec_pipe(*OUT, +-"LANG=C LC_ALL=C '$::TSKDIR/mactime' -b $Caseman::vol2path{$body} $tz -d -i hour '${fname}.sum' $mac_args $date > '$fname'" ++"LANG=C LC_ALL=C '$::TSKDIR/mactime-sleuthkit' -b $Caseman::vol2path{$body} $tz -d -i hour '${fname}.sum' $mac_args $date > '$fname'" + ); + } + elsif ($otype == $OTYPE_DAILY) { + Exec::exec_pipe(*OUT, +-"LANG=C LC_ALL=C '$::TSKDIR/mactime' -b $Caseman::vol2path{$body} $tz -d -i day '${fname}.sum' $mac_args $date > '$fname'" ++"LANG=C LC_ALL=C '$::TSKDIR/mactime-sleuthkit' -b $Caseman::vol2path{$body} $tz -d -i day '${fname}.sum' $mac_args $date > '$fname'" + ); + } + else { --- autopsy-2.24.orig/debian/patches/01.configure.dpatch +++ autopsy-2.24/debian/patches/01.configure.dpatch 
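Review bot: The `-sleuthkit` suffix is spliced by hand into dozens of separate `Exec::exec_pipe`/`Exec::exec_sys` command strings across Appview.pm, File.pm, Meta.pm, Notes.pm and Timeline.pm, so any upstream call site this patch misses (or a future one) silently falls back to the bare `icat`/`ils`/`mactime` name that, per the 2.08-2 changelog entry, may resolve through the alternatives system to an incompatible executable. One definition per tool next to where `TSKDIR` is set — for example (constructed) `$::ICAT_EXE = "$::TSKDIR/icat-sleuthkit";` used as `'$::ICAT_EXE' -f $ftype $recflag -o $offset -i $imgtype $img $meta` — would shrink the Debian-specific rename to a few lines and leave a single place to grep and to quote arguments consistently. `srch_strings` stays unsuffixed in the same pipelines; if it is also alternatives-managed on Debian it needs the same treatment, otherwise a `## DP:` line stating why it is exempt. The renames in the hunks I can see are consistent with each other.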
@@ -0,0 +1,1049 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 01.debianization.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Simualte configuration (which is useless on Debian) + +@DPATCH@ +diff -urNad autopsy-2.21~/autopsy autopsy-2.21/autopsy +--- autopsy-2.21~/autopsy 1970-01-01 01:00:00.000000000 +0100 ++++ autopsy-2.21/autopsy 2009-06-16 22:26:29.000000000 +0200 +@@ -0,0 +1,856 @@ ++#!/usr/bin/perl -wT ++use lib '/usr/share/autopsy/'; ++use lib '/usr/share/autopsy/lib/'; ++# ++# autopsy gui server ++# Autopsy Forensic Browser ++# ++# ++# This file requires The Sleuth Kit ++# www.sleuthkit.org ++# ++# ++# Brian Carrier [carrier@sleuthkit.org] ++# Copyright (c) 2001-2005 by Brian Carrier. All rights reserved ++# ++# ++# This file is part of the Autopsy Forensic Browser (Autopsy) ++# ++# Autopsy is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# Autopsy is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with Autopsy; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++# ++# ++# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED ++# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF ++# MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE. 
++# IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, ++# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++# (INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, DATA, OR PROFITS OR ++# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ++# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR ++# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ++# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++# ++ ++# ++# refer to Security Considerations in README for a description of the ++# cookie authentication ++# ++ ++require 5.008; ++ ++use strict; ++use Socket; ++ ++use Main; ++use Print; ++require Fs; ++require Caseman; ++ ++require 'conf.pl'; ++require 'lib/define.pl'; ++ ++# Import variables from conf.pl ++use vars '$LOCKDIR', '$INSTALLDIR', '$PICTDIR'; ++use vars '$SANITIZE_TAG', '$SANITIZE_PICT'; ++use vars '$USE_STIMEOUT', '$STIMEOUT', '$CTIMEOUT'; ++use vars '$SAVE_COOKIE', '$GREP_EXE', '$FILE_EXE'; ++use vars '$NSRLDB'; ++ ++# Default port ++my $port = 9999; ++ ++# Default 'remote' host ++my $rema = 'localhost'; ++ ++$| = 1; ++ ++$::LIVE = 0; ++$::USE_NOTES = 1; ++$::USE_LOG = 1; ++ ++sub usage { ++ print ++"\n\nusage: $0 [-c] [-C] [-d evid_locker] [-i device filesystem mnt] [-p port] [remoteaddr]\n"; ++ print " -c: force a cookie in the URL\n"; ++ print " -C: force NO cookie in the URL\n"; ++ print " -d dir: specify the evidence locker directory\n"; ++ print " -i device filesystem mnt: Specify info for live analysis\n"; ++ print " -p port: specify the server port (default: $port)\n"; ++ print " remoteaddr: specify the host with the browser (default: $rema)\n"; ++ exit 1; ++} ++ ++my $cook_force = 0; ++ ++my $vol_cnt = 0; ++ ++# Were options given? 
++while ((scalar(@ARGV) > 0) && ($ARGV[0] =~ /^-/)) { ++ my $f = shift; ++ ++ # Evidence Locker ++ if ($f eq '-d') { ++ if (scalar(@ARGV) == 0) { ++ print "Missing Directory\n"; ++ usage(); ++ } ++ ++ my $d = shift; ++ ++ # We need to do this for the tainting ++ # We don't need to check for special characters in this case because ++ # all commands will be run with the same permissions as the ++ # original user. We will check for the obvious ';' though ++ if ($d =~ /;/) { ++ print "Illegal argument\n"; ++ exit(1); ++ } ++ ++ # If the path is relative, autopsyfunc will get screwed up when ++ # this is run from a directory other than where autopsyfunc is ++ # so force full paths ++ elsif ($d !~ /^\//) { ++ print "The evidence locker must be full path (i.e. begin with /)\n"; ++ exit(1); ++ } ++ elsif ($d =~ /(.*)/) { ++ $LOCKDIR = $1; ++ } ++ } ++ ++ # Force no cookie ++ elsif ($f eq '-C') { ++ $::USE_COOKIE = 0; ++ $cook_force = 1; ++ } ++ ++ # force a cookie ++ elsif ($f eq '-c') { ++ $::USE_COOKIE = 1; ++ $cook_force = 1; ++ } ++ ++ elsif ($f eq '-i') { ++ $::LIVE = 1; ++ $::USE_LOG = 0; ++ $::USE_NOTES = 0; ++ $::SAVE_COOKIE = 0; ++ ++ if (scalar(@ARGV) < 3) { ++ print "Missing device, file system, and mount point arguments\n"; ++ usage(); ++ } ++ ++ my $vol = "vol" . 
$vol_cnt; ++ $vol_cnt++; ++ ++ my $dev = shift; ++ if ($dev =~ /($::REG_IMG_PATH)/) { ++ $dev = $1; ++ } ++ else { ++ print "invalid device: $dev\n"; ++ usage(); ++ } ++ ++ unless ((-e "$dev") || (-l "$dev")) { ++ print "Device ($dev) not found\n"; ++ usage(); ++ } ++ ++ my $fs = shift; ++ if ($fs =~ /($::REG_FTYPE)/) { ++ $fs = $1; ++ } ++ else { ++ print "invalid file system: $fs\n"; ++ usage(); ++ } ++ unless ((exists $Fs::root_meta{$fs}) ++ && (defined $Fs::root_meta{$fs})) ++ { ++ print "File system not supported: $fs\n"; ++ usage(); ++ } ++ $Caseman::vol2ftype{$vol} = "$fs"; ++ ++ my $mnt = shift; ++ if ($mnt =~ /($::REG_MNT)/) { ++ $mnt = $1; ++ } ++ else { ++ print "invalid mount point: $mnt\n"; ++ usage(); ++ } ++ $Caseman::vol2mnt{$vol} = "$mnt"; ++ $Caseman::vol2cat{$vol} = "part"; ++ $Caseman::vol2itype{$vol} = "raw"; ++ $Caseman::vol2start{$vol} = 0; ++ $Caseman::vol2end{$vol} = 0; ++ ++ # This makes me nervous ... ++ $Caseman::vol2par{$vol} = $vol; ++ $Caseman::vol2path{$vol} = "$dev"; ++ $Caseman::vol2sname{$vol} = "$dev"; ++ } ++ ++ # Specify a different port ++ elsif ($f eq '-p') { ++ if (scalar(@ARGV) == 0) { ++ print "Missing port argument\n"; ++ usage(); ++ } ++ ++ my $p = shift; ++ if ($p =~ /(\d+)/) { ++ $p = $1; ++ } ++ else { ++ print "invalid port: $p\n"; ++ usage(); ++ } ++ if (($p < 1) || ($p > 65535)) { ++ print "invalid port: $port\n"; ++ usage(); ++ } ++ $port = $p; ++ } ++ ++ else { ++ print "Invalid flag: $f\n"; ++ usage(); ++ } ++} ++ ++# remote address ++if (scalar(@ARGV) > 0) { ++ $rema = shift; ++} ++ ++# Get remote address ++my @acl_addr; # Array of host addresses ++my $hn; # Host name ++my $tmp; ++if ($rema =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/) { ++ $acl_addr[0] = pack('C4', ($1, $2, $3, $4)); ++ $hn = $rema; ++} ++else { ++ ($hn, $tmp, $tmp, $tmp, @acl_addr) = gethostbyname($rema); ++ unless (defined $tmp) { ++ print "Host not found: $rema\n"; ++ usage(); ++ } ++} ++ ++# Determine the address that will be used to 
access this server ++my $lclhost; ++my @ta = unpack('C4', $acl_addr[0]); ++ ++my $bindaddr; ++ ++# If we are being accessed by localhost, we need that and not the hostname ++if ( ($ta[0] == 127) ++ && ($ta[1] == 0) ++ && ($ta[2] == 0) ++ && ($ta[3] == 1)) ++{ ++ $lclhost = "localhost"; ++ $bindaddr = $acl_addr[0]; ++ ++ # Force no cookie to be used unless we already set this value ++ # with arguments ++ $::USE_COOKIE = 0 unless ($cook_force == 1); ++} ++else { ++ $lclhost = `/bin/hostname`; ++ chop $lclhost; ++ ++ $bindaddr = INADDR_ANY; ++ ++ # Force a cookie to be used unless we already set this value ++ # with arguments ++ $::USE_COOKIE = 1 unless ($cook_force == 1); ++} ++ ++# Verify the variables defined in the configuration files ++check_vars(); ++ ++# Remove the final '/' from TSKDIR if it exists ++$::TSKDIR = $1 ++ if ($::TSKDIR =~ /(.*?)\/$/); ++ ++# ++# Verify that all of the required executables exist ++# ++check_tools(); ++ ++ ++ ++# Currently, HFS is in beta and not enabled by default. ++# Autopsy has been configured for it though, so disable it if ++# the user has not compiled support into TSK. remove this when ++# HFS support is standard. 
++# This redirects stderr to stdout so we can easily capture it ++my $out = `\'$::TSKDIR/fls\' -f list 2>&1`; ++unless ($out =~ /hfs/) { ++ for (my $i = 0; $i < @Fs::types; $i++) { ++ if ($Fs::types[$i] eq "hfs") { ++ $Fs::types[$i] = ""; ++ last; ++ } ++ } ++} ++ ++ ++ ++# remove environment stuff that we don't need and that could be insecure ++# We allow basic bin directories for CYGWIN though, since they are ++# required for the CYGWIN dlls ++my $UNAME = ""; ++if (-e "/bin/uname") { ++ $UNAME = "/bin/uname"; ++} ++elsif (-e "/usr/bin/uname") { ++ $UNAME = "/usr/bin/uname"; ++} ++ ++my $ispathclear = 1; ++if (($UNAME ne "") && (`$UNAME` =~ /^CYGWIN/)) { ++ $ENV{PATH} = '/bin:/usr/bin:/usr/local/bin'; ++ $ispathclear = 0; ++} ++else { ++ $ENV{PATH} = ''; ++} ++delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; ++ ++my $date = localtime; ++ ++if ($::LIVE == 0) { ++ ++ # Remove the final '/' if it exists ++ $LOCKDIR = $1 ++ if ($LOCKDIR =~ /(.*?)\/$/); ++} ++ ++# Setup socket ++my $proto = getprotobyname('tcp'); ++socket(Server, PF_INET, SOCK_STREAM, $proto) ++ or die "Error creating network socket: $!"; ++ ++setsockopt(Server, SOL_SOCKET, SO_REUSEADDR, 1) ++ or die "Error setting network socket options (reuse): $!"; ++ ++setsockopt(Server, SOL_SOCKET, SO_KEEPALIVE, 1) ++ or die "Error setting network socket options (keep alive): $!"; ++ ++bind(Server, sockaddr_in($port, $bindaddr)) ++ or die "Error binding to port $port (is Autopsy already running?): $!"; ++ ++listen(Server, SOMAXCONN) ++ or die "Error listening to socket for connections: $!"; ++ ++my $magic; # magic authentication cookie ++my $cook_file; ++my $cookie_url = ""; ++ ++if ($::USE_COOKIE == 1) { ++ ++ # Try for a real random device, or use rand if all else fails ++ if (-e "/dev/urandom") { ++ my $r; ++ open RAND, "$cook_file") { ++ chmod 0600, "$cook_file"; ++ print COOK "$magic\n"; ++ close COOK; ++ } ++ else { ++ print "WARNING: Cannot open file to save cookie in ($cook_file)"; ++ } ++ } ++} ++ ++print 
< to exit ++EOF2 ++ ++Print::log_session_info("Starting session on port $port and $hn\n"); ++ ++# Set the server alarm ++$SIG{ALRM} = \&SIG_ALARM_SERVER; ++$SIG{INT} = \&SIG_CLOSE; ++ ++# setting this to ignore will automatically wait for children ++$SIG{CHLD} = 'IGNORE'; ++ ++# Wait for Connections ++while (1) { ++ ++ alarm($STIMEOUT) if ($USE_STIMEOUT == 1); ++ ++ my $raddr = accept(CLIENT, Server); ++ next unless ($raddr); ++ my ($rport, $riaddr) = sockaddr_in($raddr); ++ ++ die "Error creating child" unless (defined(my $pid = fork())); ++ ++ if (0 == $pid) { ++ open(STDOUT, ">&CLIENT") or die "Can't dup client to stdout"; ++ ++ # open(STDERR, ">&CLIENT") or die "Can't dup client to stdout"; ++ open(STDIN, "<&CLIENT") or die "Can't dup client to stdin"; ++ $| = 1; ++ ++ my @rip = unpack('C4', $riaddr); ++ ++ # Check ACL ++ foreach $tmp (@acl_addr) { ++ if ($tmp eq $riaddr) { ++ spawn_cli($riaddr); ++ close CLIENT; ++ exit 0; ++ } ++ } ++ ++ forbid("$rip[0].$rip[1].$rip[2].$rip[3]"); ++ Print::log_session_info("ERROR: Unauthorized Connection from: " ++ . "$rip[0].$rip[1].$rip[2].$rip[3]\n"); ++ ++ close CLIENT; ++ exit 1; ++ } ++ else { ++ close CLIENT; ++ } ++} ++ ++# Error messages ++sub forbid { ++ my $ip = shift; ++ ++ print "HTTP/1.0 403 Forbidden$::HTTP_NL" ++ . "Content-type: text/html$::HTTP_NL$::HTTP_NL" ++ . "
\n" ++ . "

Access Denied

\n" ++ . "

Your connection from: $ip has been logged

\n" ++ . "
$::HTTP_NL$::HTTP_NL$::HTTP_NL"; ++ ++ return; ++} ++ ++sub bad_req { ++ print "HTTP/1.0 404 Bad Request$::HTTP_NL" ++ . "Content-type: text/html$::HTTP_NL$::HTTP_NL" ++ . "
\n" ++ . "

Invalid URL
" ++ . shift() ++ . "

\n" ++ . "
" ++ . "$::HTTP_NL$::HTTP_NL$::HTTP_NL"; ++ ++ return; ++} ++ ++# Alarm Functions ++sub SIG_ALARM_CLIENT { ++ Print::log_session_info("Connection timed out\n"); ++ close CLIENT; ++ exit 1; ++} ++ ++sub SIG_ALARM_SERVER { ++ print "Server Timeout ($STIMEOUT seconds), Exiting\n"; ++ Print::log_session_info("Server Timeout ($STIMEOUT seconds), Exiting\n"); ++ exit 0; ++} ++ ++# Close the system down when Control-C is given ++sub SIG_CLOSE { ++ ++ # delete the cookie file ++ if (($::USE_COOKIE == 1) && ($SAVE_COOKIE == 1)) { ++ unlink "$cook_file"; ++ } ++ ++ print "End Time: " . localtime() . "\n"; ++ Print::log_session_info("Ending session on port $port and $hn\n"); ++ exit 0; ++} ++ ++# Pass the remote IP address as the argument for logging ++sub spawn_cli { ++ ++ # Set timeout for 10 seconds if we dont get any input ++ alarm($CTIMEOUT); ++ $SIG{ALRM} = \&SIG_ALARM_CLIENT; ++ ++ while () { ++ ++ if (/^GET \/+(\S*)\s?HTTP/) { ++ my $url = $1; ++ my $script; ++ my $args; ++ ++ if (/\x0d\x0a$/) { ++ $::HTTP_NL = "\x0d\x0a"; ++ } ++ else { ++ $::HTTP_NL = "\x0a"; ++ } ++ ++ # Magic Cookie ++ # If we are using cookies, then the url should be: ++ # cookie/autopsy?var=val ... ++ if ($::USE_COOKIE == 1) { ++ ++ if ( ($url =~ /^(\d+)\/+([\w\.\/]+)(?:\?(.*))?$/) ++ && ($1 == $magic)) ++ { ++ $script = $2; ++ $args = $3; ++ } ++ else { ++ my @rip = unpack('C4', shift()); ++ Print::log_session_info("ERROR: Incorrect Cookie from: " ++ . "$rip[0].$rip[1].$rip[2].$rip[3]\n"); ++ forbid("$rip[0].$rip[1].$rip[2].$rip[3]"); ++ return 1; ++ } ++ } ++ ++ # if we aren't using cookies, then it should be: ++ # autopsy?var=val ... 
++ else { ++ if ($url =~ /^\/?([\w\.\/]+)(?:\?(.*))?$/) { ++ $script = $1; ++ $args = $2; ++ } ++ else { ++ bad_req($url); ++ return 1; ++ } ++ } ++ ++ if ($script eq $::PROGNAME) { ++ $args = "" unless (defined $args); ++ ++ # Turn timer off ++ alarm(0); ++ ++ # Print status ++ print "HTTP/1.0 200 OK$::HTTP_NL"; ++ ::main($args); ++ } ++ elsif ($script eq "global.css") { ++ show_file($script); ++ } ++ ++ # Display the sanitized picture or reference error ++ elsif ($script eq $::SANITIZE_TAG) { ++ Appview::sanitize_pict($args); ++ return 1; ++ } ++ ++ # Display a picture or help file ++ elsif (($script =~ /^(pict\/[\w\.\/]+)/) ++ || ($script =~ /^(help\/[\w\.\/]+)/)) ++ { ++ show_file($1); ++ } ++ elsif ($script eq 'about') { ++ about(); ++ } ++ ++ # I'm not sure why this is needed, but there are reqs for it ++ elsif ($script eq 'favicon.ico') { ++ show_file("pict/favicon.ico"); ++ } ++ else { ++ bad_req($url); ++ Print::log_session_info("Unknown function: $script\n"); ++ return 1; ++ } ++ return 0; ++ } ++ } # end of while (<>) ++ ++} # end of spawn_cli ++ ++# Print the contents of a local picture or help file ++sub show_file { ++ my $file = "$INSTALLDIR/" . shift; ++ ++ if (-e "$file") { ++ print "HTTP/1.0 200 OK$::HTTP_NL"; ++ ++ open FILE, "<$file" ++ or die "can not open $file"; ++ ++ if ($file =~ /\.css$/i) { ++ print "Content-type: text/css$::HTTP_NL$::HTTP_NL"; ++ } ++ elsif ($file =~ /\.jpg$/i) { ++ print "Content-type: image/jpeg$::HTTP_NL$::HTTP_NL"; ++ } ++ elsif ($file =~ /\.gif$/i) { ++ print "Content-type: image/gif$::HTTP_NL$::HTTP_NL"; ++ } ++ elsif ($file =~ /\.ico$/i) { ++ print "Content-type: image/ico$::HTTP_NL$::HTTP_NL"; ++ } ++ elsif ($file =~ /\.html$/i) { ++ print "Content-type: text/html$::HTTP_NL$::HTTP_NL"; ++ } ++ else { ++ print "HTTP/1.0 404 Bad Request$::HTTP_NL" ++ . "Content-type: text/html$::HTTP_NL$::HTTP_NL" ++ . "\n" ++ . "Error\n" ++ . "

Unknown Extension

\n" ++ . "$::HTTP_NL$::HTTP_NL$::HTTP_NL"; ++ exit(1); ++ } ++ ++ while () { ++ print "$_"; ++ } ++ close(FILE); ++ ++ print "$::HTTP_NL$::HTTP_NL"; ++ } ++ else { ++ print "HTTP/1.0 404 Bad Request$::HTTP_NL" ++ . "Content-type: text/html$::HTTP_NL$::HTTP_NL" ++ . "\n" ++ . "Error\n" ++ . "

File Not Found

" ++ . "$::HTTP_NL$::HTTP_NL$::HTTP_NL"; ++ exit(1); ++ } ++ ++ return; ++} ++ ++sub about { ++ ++ print "HTTP/1.0 200 OK$::HTTP_NL" ++ . "Content-type: text/html$::HTTP_NL$::HTTP_NL"; ++ ++ my $tskver = ::get_tskver(); ++ ++ print < ++About Autopsy ++ ++ ++ ++

About Autopsy

++
++ \"Logo\" ++

++ Version: $::VER ++
++ http://www.sleuthkit.org/autopsy/ ++
++ http://www.sleuthkit.org/informer/ ++
++ ++ ++

Credits

++
    ++
  • Code Development: Brian Carrier (carrier at sleuthkit dot org) ++
  • Interface Assistance: Samir Kapuria ++
  • Mascot: Hash the Hound ++
++ ++

Configuration

++The Sleuth Kit:
++  URL: ++ http://www.sleuthkit.org/sleuthkit/
++  Installation Location: $::TSKDIR
++  Version: $tskver
++Evidence Locker: $LOCKDIR
++grep: $GREP_EXE
++file: $FILE_EXE
++NIST NSRL: $NSRLDB
++ ++ ++ ++EOF ++ return 0; ++} ++ ++### Check that the required tools are there ++sub check_tools { ++ ++ # Sleuth Kit execs ++ unless (-x $::TSKDIR . "/icat") { ++ print "ERROR: Sleuth Kit icat executable missing: $::TSKDIR\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/istat") { ++ print "ERROR: Sleuth Kit istat executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/ifind") { ++ print "ERROR: Sleuth Kit ifind executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/ils") { ++ print "ERROR: Sleuth Kit ils executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/fls") { ++ print "ERROR: Sleuth Kit fls executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/ffind") { ++ print "ERROR: Sleuth Kit ffind executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/blkcat") { ++ print "ERROR: Sleuth Kit blkcat executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/blkcalc") { ++ print "ERROR: Sleuth Kit blkcalc executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/blkls") { ++ print "ERROR: Sleuth Kit blkls executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/img_stat") { ++ print "ERROR: Sleuth Kit img_stat executable missing\n"; ++ exit(1); ++ } ++ unless (-x "$::FILE_EXE") { ++ print "ERROR: Sleuth Kit (or local) file executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . "/fsstat") { ++ print "ERROR: Sleuth Kit fsstat executable missing\n"; ++ exit(1); ++ } ++ unless (-x "$::MD5_EXE") { ++ print "ERROR: md5 executable missing\n"; ++ exit(1); ++ } ++ if ($::SHA1_EXE ne "") { ++ unless (-x "$::SHA1_EXE") { ++ print "ERROR: sha1 executable missing\n"; ++ exit(1); ++ } ++ } ++ unless (-x $::TSKDIR . "/srch_strings") { ++ print "ERROR: Sleuth Kit srch_strings executable missing\n"; ++ exit(1); ++ } ++ ++ if ($::LIVE == 0) { ++ unless (-x $::TSKDIR . "/sorter") { ++ print "ERROR: Sleuth Kit sorter executable missing\n"; ++ exit(1); ++ } ++ unless (-x $::TSKDIR . 
"/hfind") { ++ print "ERROR: Sleuth Kit hfind executable missing\n"; ++ print ++ " You likely have an old version of The Sleuth Kit or TASK\n"; ++ exit(1); ++ } ++ } ++ ++ unless (-x "$GREP_EXE") { ++ print "ERROR: grep executable missing\n"; ++ exit(1); ++ } ++} ++ ++# check values that should be defined in the configuration files ++# This will show incomplete installations ++sub check_vars { ++ unless ((defined $::TSKDIR) && ($::TSKDIR ne "")) { ++ print "ERROR: TSKDIR variable not set in configuration file\n"; ++ print " This could been caused by an incomplete installation\n"; ++ exit(1); ++ } ++ ++ unless (-d "$::TSKDIR") { ++ print "Invalid Sleuth Kit binary directory: $::TSKDIR\n"; ++ exit(1); ++ } ++ ++ return if ($::LIVE == 1); ++ ++ # Verify The evidence locker directory ++ unless ((defined $LOCKDIR) && ($LOCKDIR ne "")) { ++ print "ERROR: LOCKDIR variable not set in configuration file\n"; ++ print " This could been caused by an incomplete installation\n"; ++ exit(1); ++ } ++ ++ unless (-d "$LOCKDIR") { ++ print "Invalid evidence locker directory: $LOCKDIR\n"; ++ exit(1); ++ } ++} +diff -urNad autopsy-2.21~/conf.pl autopsy-2.21/conf.pl +--- autopsy-2.21~/conf.pl 1970-01-01 01:00:00.000000000 +0100 ++++ autopsy-2.21/conf.pl 2009-06-16 22:26:29.000000000 +0200 +@@ -0,0 +1,27 @@ ++# Autopsy configuration settings ++ ++# when set to 1, the server will stop after it receives no ++# connections for STIMEOUT seconds. 
++$USE_STIMEOUT = 0;
++$STIMEOUT = 3600;
++
++# number of seconds that child waits for input from client
++$CTIMEOUT = 15;
++
++# set to 1 to save the cookie value in a file (for scripting)
++$SAVE_COOKIE = 1;
++
++$INSTALLDIR = '/usr/share/autopsy/';
++
++
++# System Utilities
++$GREP_EXE = '/bin/grep';
++$FILE_EXE = '/usr/bin/file';
++$MD5_EXE = '/usr/bin/md5sum';
++$SHA1_EXE = '/usr/bin/sha1sum';
++
++
++# Directories
++$TSKDIR = '/usr/bin/';
++$NSRLDB = '';
++$LOCKDIR = '/var/lib/autopsy/';
+diff -urNad autopsy-2.21~/make-live-cd autopsy-2.21/make-live-cd
+--- autopsy-2.21~/make-live-cd 1970-01-01 01:00:00.000000000 +0100
++++ autopsy-2.21/make-live-cd 2009-06-16 22:26:29.000000000 +0200
+@@ -0,0 +1,147 @@
++#!/usr/bin/perl
++#
++# This makes a directory ($CD) with the needed files to burn to
++# a CD for live analysis
++#
++# Current limitations are that Perl needs to be on the suspect system and
++# that it uses the untrusted Perl files.
++
++require 'conf.pl';
++use vars '$USE_STIMEOUT', '$STIMEOUT', '$CTIMEOUT', '$SAVE_COOKIE';
++use vars '$GREP_EXE', '$TSKDIR';
++
++
++my $CD = "./live-cd/";
++
++# Make the directories
++if (-d "$CD") {
++ print "Live CD directory already exists ($CD)\n";
++ print "Plese delete and run this again\n";
++ exit (1);
++}
++
++print "Making base directory ($CD)\n";
++die "Error making Live CD directory ($CD)"
++ unless (mkdir "$CD", 0775);
++
++die "Error making Live CD binaries directory ($CD)"
++ unless (mkdir "$CD/bin/", 0775);
++
++
++print "Copying executables\n";
++
++# Copy the executables
++die "Missing grep executable ($GREP_EXE)"
++ unless (-x "$GREP_EXE");
++`cp '$GREP_EXE' '$CD/bin/grep'`;
++die "Error copying grep executable"
++ unless (-x "$CD/bin/grep");
++
++
++# Sleuth Kit Binaries
++die "Missing Sleuth Kit Directory ($TSKDIR)"
++ unless (-d "$TSKDIR");
++
++foreach my $exec ("blkcalc", "blkcat", "blkls", "blkstat", "ffind", "fls", "fsstat",
++ "icat", "ifind", "ils", "istat", "md5", "sha1", "srch_strings", 
"img_stat", "mmls") {
++
++ die "Missing Sleuth Kit executable ($exec)"
++ unless (-x "$TSKDIR/$exec");
++
++ `cp '$TSKDIR/$exec' '$CD/bin/$exec'`;
++
++ die "Error copying Sleuth Kit executable ($exec)"
++ unless (-x "$CD/bin/$exec");
++}
++
++
++# Make a fake file
++open FILE, ">$CD/bin/file" or die ("Error creating Live CD file exec");
++print FILE "#!./bin/perl\n";
++print FILE "print STDOUT \"File Type Not Supported During Live Analysis\n\";\n";
++close FILE;
++`chmod +x "$CD/bin/file"`;
++
++
++# Copy the autopsy directories
++print "Copying autopsy files\n";
++`cp -r help "$CD"`;
++`cp -r lib "$CD"`;
++`cp -r pict "$CD"`;
++
++
++# Get the path for Perl from the current autopsy
++open AUT, "<./autopsy" or die ("Error opening normal autopsy exec");
++my $perl;
++while () {
++ $perl = $_;
++ last;
++}
++close AUT;
++
++if ($perl =~ /^#!(\S+)/) {
++ $perl = $1;
++} else {
++ die "Error parsing Perl location from autopsy"
++}
++
++
++# Copy the perl exec
++# @@@ I'm not sure if just copying the bin is enough ... 
++die "Missing Perl executable ($perl)"
++ unless (-x "$perl");
++
++`cp '$perl' '$CD/bin/perl'`;
++
++die "Error copying perl executable"
++ unless (-x "$CD/bin/perl");
++
++
++# Make a new autopsy
++open AUT, ">$CD/autopsy" or die ("Error opening Live CD autopsy exec");
++
++print AUT "#!./bin/perl -wT\n";
++print AUT "use lib '.';\n";
++print AUT "use lib './lib/';\n";
++
++
++open BASE, "<./base/autopsy.base" or die ("Error opening base autopsy");
++
++print AUT $_
++ while ();
++
++close (AUT);
++close (BASE);
++
++`chmod +x "$CD/autopsy"`;
++
++
++print "Creating configuration file using existing settings\n";
++
++# Make the configuration file
++open CONF, ">$CD/conf.pl" or die ("Error opening Live CD Config file");
++
++print CONF "# Configuration file for Live CD version of Autopsy\n";
++print CONF "# http://www.sleuthkit.org/autopsy\n";
++print CONF "# Created on ".localtime()."\n\n";
++
++# Variables
++print CONF "\$USE_STIMEOUT = $USE_STIMEOUT;\n";
++print CONF "\$STIMEOUT = $STIMEOUT;\n";
++print CONF "\$CTIMEOUT = $CTIMEOUT;\n";
++print CONF "\$SAVE_COOKIE = $SAVE_COOKIE;\n";
++
++print CONF "\n";
++print CONF "\$INSTALLDIR = './';\n";
++print CONF "\$NSRLDB = '';\n";
++print CONF "\$LOCKDIR = './read-only-live-version/';\n";
++
++print CONF "\n";
++print CONF "# System Utilities\n";
++print CONF "\$GREP_EXE = './bin/grep';\n";
++print CONF "\$FILE_EXE = './bin/file';\n";
++print CONF "\$TSKDIR = './bin/';\n";
++
++close CONF;
++
++print "\n";
--- autopsy-2.24.orig/debian/patches/00list
+++ autopsy-2.24/debian/patches/00list
@@ -0,0 +1,4 @@
+01.configure.dpatch
+02.sleuthkit.dpatch
+03.warn_when_not_root.dpatch
+04.man.dpatch
--- autopsy-2.24.orig/debian/patches/03.warn_when_not_root.dpatch
+++ autopsy-2.24/debian/patches/03.warn_when_not_root.dpatch
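Review bot: `show_file` in the added `autopsy` script opens `"$INSTALLDIR/" . shift` where the argument was only validated against `^(pict\/[\w\.\/]+)` or `^(help\/[\w\.\/]+)`, and that character class accepts `.` and `/` in any order, so a `..` path component reaches `open FILE, "<$file"` unrejected. Unless a check outside this view normalizes the path, the handler can serve files outside `/usr/share/autopsy`, and when cookies are off (the localhost default, or `-C`) only the source-address ACL stands in front of it; a guard before the `-e` test, `if ($file =~ m{(^|/)\.\.(/|$)}) { bad_req("invalid path"); exit(1); }`, closes it. Separately, `check_tools` still probes `$::TSKDIR . "/icat"` and `"/ils"`, whereas the library calls patched earlier on this page invoke `icat-sleuthkit` and `ils-sleuthkit`; with `$TSKDIR = '/usr/bin/'` from the new conf.pl the startup check and the runtime invocations name different binaries, so either check_tools aborts on a working install or it passes without proving the suffixed tools exist. The cookie-generation block between `open RAND` and `chmod 0600` is garbled in this rendering and was not reviewed.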
@@ -0,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02.warn_when_not_root.dpatch by Lorenzo Martignoni
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Warn users when autopsy is run as non-root.
+
+@DPATCH@
+diff -urNad autopsy-2.06~/base/autopsy.base autopsy-2.06/base/autopsy.base
+--- autopsy-2.06~/base/autopsy.base 2006-01-14 15:54:34.000000000 +0100
++++ autopsy-2.06/base/autopsy.base 2006-01-14 15:54:44.000000000 +0100
+@@ -385,6 +385,21 @@
+ Keep this process running and use to exit
+ EOF2
+
++if (POSIX::getuid() != 0) {
++
++ print "\n----------------- WARNING: you\'re not running Autopsy as root -----------------\n";
++ print "You may encounter some problems due to lack of privileges: you may not be able\n";
++ print "to use the default evidence directory (/var/lib/autopsy/) and you may not be\n";
++ print "able to mount physical devices.\n\n";
++
++ print "If you believe that what you\'re going to do would not require root privileges\n";
++ print "you can safely run autopsy using a custom evidence directory (using the \'-d\'\n";
++ print "command line argument). If you are already doing that forgot this last message\n";
++ print "but keep in mind that if problems related to permissions arise then probably\n";
++ print "what you\'re doing requires root privileges.\n";
++ print "-------------------------------------------------------------------------------\n\n";
++}
++
+ Print::log_session_info("Starting session on port $port and $hn\n");
+
+ # Set the server alarm
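Review bot: `POSIX::getuid()` is called in the new block without a `use POSIX` anywhere in sight; the imports of the derived `autopsy` script shown in the 01 patch are Socket, Main, Print, Fs and Caseman, so unless one of those happens to load POSIX the condition dies with an undefined-subroutine error, and since it is evaluated on every start that would hit root as well as non-root users. Perl exposes the real uid without any module as `$<`, so `if ($< != 0) {` removes the dependency and keeps the behaviour. Two wording nits in the printed text: "forgot this last message" should read "forget", and the header comment names the file `02.warn_when_not_root.dpatch` while 00list lists it as `03.warn_when_not_root.dpatch`.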