Getting started with Autopsy multi-user cluster

The purpose of this blog post is to provide multiple methods to install/set up an Autopsy multi-user cluster. The work behind it produced infrastructure-as-code in the form of an Ansible playbook and a Docker-compose stack, plus manual instructions for building a cluster by hand. In addition, this blog post demonstrates how to set up the Autopsy client to connect to the cluster and how to ingest disk images.

Background

What is Autopsy?

Autopsy is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.

What is an Autopsy cluster?

Autopsy can be setup to work in an environment where multiple users on different computers can have the same case open at the same time. To set up this type of environment, you will need to configure additional (free and open source) network-based services.

Install Autopsy cluster with Docker-compose v2.x

WARNING

The Docker-compose v2.x setup is for development use ONLY. It contains hard-coded credentials in configs and environment variables, so anyone with read access to the repository checkout or to the container environment gets the Postgres and ActiveMQ passwords. For a more secure Docker deployment use Docker Swarm, which stores credentials as Docker secrets (not covered in this post).

Spin up stack

  1. git clone https://github.com/CptOfEvilMinions/Autopsy-Automation.git
  2. cd Autopsy-Automation
  3. vim .env
    1. ACTIVEMQ_VERSION – Set the version of ActiveMQ to use
    2. POSTGRES_VERSION – Set the version of Postgres to use
    3. SOLR_VERSION – Set the version of Solr to use
    4. ZOOKEEPER_VERSION – Set the version of Zookeeper to use
    5. AUTOPSY_USERNAME – Set the username
    6. AUTOPSY_PASSWORD – Set the password
  4. docker-compose build
  5. docker-compose up -d
  6. SOLR_VERSION=$(grep '^SOLR_VERSION=' .env | cut -d= -f2)
    1. Create an environment variable holding the Solr version set in .env
  7. docker exec -it autopsy-solr bin/solr create_collection -c autopsy -d /tmp/SOLR_${SOLR_VERSION}_AutopsyService/solr-${SOLR_VERSION}/server/solr/configsets/AutopsyConfig/conf
    1. Create a Solr collection for Autopsy using the Autopsy-provided configset for that Solr version

Install Autopsy cluster with Ansible

Setup Ansible playbook

  1. git clone https://github.com/CptOfEvilMinions/Autopsy-Automation.git
  2. cd Autopsy-Automation
  3. vim hosts.ini and set the IP address of the server under [autopsy]
  4. vim group_vars/all.yml and set:
    1. base_domain – Set the domain of the network
    2. timezone – Set the machine to a timezone – default UTC +0
    3. hostname – Set hostname of the server
    4. cert_country – Set the country this server resides in for the self-signed cert
    5. cert_state – Set the state this server resides in for the self-signed cert
    6. cert_local – Set the city this server resides in for the self-signed cert
    7. cert_org – Set the organization this server resides in for the self-signed cert
    8. cert_ou – Set the organization unit this server resides in for the self-signed cert
    9. cert_common_name – Set the common name for the self-signed cert
    10. Save and exit
  5. vim group_vars/autopsy.yml and set:
    1. Zookeeper
      1. zookeeper_version – Set the version of Zookeeper to install
    2. ActiveMQ
      1. activemq_version – Set the version of ActiveMQ to install
      2. activemq_autopsy_username – Set username for remote access
      3. activemq_autopsy_password – Set password for remote access
    3. Samba
      1. samba_path – Set path to store Autopsy cases
      2. samba_user – Linux user to create for SAMBA auth and file permissions
      3. samba_group – Linux group to create for SAMBA auth and file permissions
      4. samba_password – Password for user
    4. Solr
      1. solr_version – Set the version of Solr to install – DO NOT CHANGE unless an Autopsy-provided Solr configset (SOLR_<version>_AutopsyService.zip) exists for that exact version
    5. Postgres
      1. pg_user – Set username for remote access
      2. pg_password – Set password for remote access
      3. pg_max_conns – A rule of thumb is add 100 connections for each Automated Ingest Node and 100 connections for each Reviewer node you plan to have in the network
      4. pg_version – Set the version of Postgres to install
    6. Save and exit

Run playbook

  1. ansible-playbook -i hosts.ini deploy_autopsy_cluster.yml -u superadmin -K

Manual install of Autopsy cluster on Ubuntu 20.04

Install/Setup Zookeeper v3.5.7

  1. sudo su
  2. apt update -y && apt upgrade -y && reboot
  3. apt-get install default-jdk zip -y
    1. Install Java
  4. useradd --system -s /usr/sbin/nologin zookeeper
    1. Create a system user for zookeeper
  5. mkdir -p /var/lib/zookeeper
    1. Create directory for Zookeeper data
  6. chown -R zookeeper:zookeeper /var/lib/zookeeper
    1. Set owner of the data directory
  7. cd /opt && curl https://archive.apache.org/dist/zookeeper/zookeeper-3.5.7/apache-zookeeper-3.5.7-bin.tar.gz --output apache-zookeeper-3.5.7-bin.tar.gz
    1. Download Zookeeper
  8. mkdir /opt/zookeeper && tar -xvzf apache-zookeeper-3.5.7-bin.tar.gz -C /opt/zookeeper --strip-components 1
    1. Create directory for zookeeper and UNtar to it
  9. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/zookeeper/zoo.cfg --output /opt/zookeeper/conf/zoo.cfg
    1. Download Zookeeper config
  10. sed -i "s#{{ zookeeper_data_dir }}#/var/lib/zookeeper#g" /opt/zookeeper/conf/zoo.cfg
    1. Set Zookeeper data directory
  11. chown zookeeper:zookeeper -R /opt/zookeeper
    1. Set permissions
  12. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/zookeeper/zookeeper.service --output /etc/systemd/system/zookeeper.service
    1. Download Zookeeper service file
  13. systemctl start zookeeper
  14. systemctl enable zookeeper

Install/Setup Solr v8.6.3

  1. cd /tmp && curl https://archive.apache.org/dist/lucene/solr/8.6.3/solr-8.6.3.tgz --output solr-8.6.3.tgz
    1. Download Solr v8.6.3
  2. tar -xvzf solr-8.6.3.tgz
    1. UNtar Solr
  3. bash solr-8.6.3/bin/install_solr_service.sh solr-8.6.3.tgz
    1. Install Apache Solr
  4. sed -i 's/^#ZK_HOST=""/ZK_HOST="127.0.0.1:2181"/' /etc/default/solr.in.sh
    1. Enable SolrCloud mode by pointing Solr at the Zookeeper started above (port 2181)
  5. chown solr:solr -R /opt/solr
    1. Set permissions of Solr directory
  6. systemctl restart solr
  7. systemctl enable solr
  8. cd /tmp && curl -L https://sourceforge.net/projects/autopsy/files/CollaborativeServices/Solr/SOLR_8.6.3_AutopsyService.zip/download --output SOLR_8.6.3_AutopsyService.zip
    1. Download Solr v8.6.3 configured by Autopsy
  9. unzip SOLR_8.6.3_AutopsyService.zip
    1. UNzip Solr v8.6.3 configured by Autopsy
  10. su solr
    1. Switch to the solr user so the configset upload is not done as root
  11. /opt/solr/bin/solr create_collection -c autopsy -d /tmp/SOLR_8.6.3_AutopsyService/solr-8.6.3/server/solr/configsets/AutopsyConfig/conf
    1. Create/setup Autopsy collection on Solr
  12. exit
    1. Return to the root shell; the remaining sections need root
  13. Open web browser to http://<IP addr>:8983/solr/#/~cloud?view=tree and confirm the autopsy collection is listed
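
The collection step above, like the matching docker exec ... bin/solr create_collection step in the Docker-compose section, is where a mismatch between the Autopsy-provided configset and the installed Solr bites. The script below is an added example, not code from this post or from the Autopsy-Automation repository: it reads SOLR_VERSION from a dotenv-style file the way the Docker step intends (commented-out lines ignored, quotes stripped), derives the configset path from the SOLR_<version>_AutopsyService.zip layout used above, checks that the configset is actually there, and refuses to create the collection unless bin/solr version reports the same release. Assumptions, all mine: the zip is unpacked under /tmp, the launcher is /opt/solr/bin/solr, bin/solr version prints only the version string, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Autopsy-Automation repo): create the "autopsy"
# Solr collection only after confirming the configset matches the installed Solr.
# Assumed layout: <base>/SOLR_<ver>_AutopsyService/solr-<ver>/server/solr/configsets/AutopsyConfig/conf

# Print the value of KEY ($2) in a dotenv-style file ($1).
# Commented-out lines are skipped, the last assignment wins, surrounding
# single or double quotes and trailing whitespace are stripped.
env_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 |
    sed -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' \
        -e "s/^'\(.*\)'\$/\1/"
}

# Configset directory for Solr version $1 unpacked under $2 (default /tmp).
autopsy_configset_dir() {
  printf '%s/SOLR_%s_AutopsyService/solr-%s/server/solr/configsets/AutopsyConfig/conf\n' \
    "${2:-/tmp}" "$1" "$1"
}

# Succeed only if $1 holds what Solr needs from a configset: solrconfig.xml and
# either managed-schema or schema.xml.
check_configset() {
  [ -f "$1/solrconfig.xml" ] ||
    { echo "no solrconfig.xml in $1" >&2; return 1; }
  [ -f "$1/managed-schema" ] || [ -f "$1/schema.xml" ] ||
    { echo "no managed-schema or schema.xml in $1" >&2; return 1; }
}

# Succeed only if the requested version ($1) equals what "bin/solr version"
# printed ($2), ignoring whitespace; Autopsy's configset is release-specific.
solr_version_matches() {
  [ "$(printf '%s' "$2" | tr -d '[:space:]')" = "$1" ]
}

# Create the collection: $1 version, $2 solr launcher (default /opt/solr/bin/solr),
# $3 directory the zip was unpacked into (default /tmp). Refuses to run when the
# configset is missing or the installed Solr is a different release.
create_autopsy_collection() {
  ver="$1"; solr="${2:-/opt/solr/bin/solr}"; base="${3:-/tmp}"
  dir=$(autopsy_configset_dir "$ver" "$base")
  check_configset "$dir" || return 1
  solr_version_matches "$ver" "$("$solr" version)" ||
    { echo "installed Solr is not $ver; refusing to load a $ver configset" >&2; return 1; }
  "$solr" create_collection -c autopsy -d "$dir"
}

# Typical use on the Solr host, as the solr user:
#   create_autopsy_collection "$(env_value /path/to/.env SOLR_VERSION)"
```

For the compose stack the same check applies inside the container, where the page's docker exec -it autopsy-solr bin/solr ... command runs; the version read from .env is the one to pass in.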

Install/Setup ActiveMQ v5.14.0

  1. useradd --system -s /usr/sbin/nologin activemq
    1. Create ActiveMQ user
  2. curl https://archive.apache.org/dist/activemq/5.14.0/apache-activemq-5.14.0-bin.tar.gz --output apache-activemq-5.14.0-bin.tar.gz
    1. Download ActiveMQ
  3. mkdir /opt/activemq && tar -xvzf apache-activemq-5.14.0-bin.tar.gz -C /opt/activemq --strip-components 1
    1. Create directory for ActiveMQ install
  4. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/activemq/activemq.xml --output /opt/activemq/conf/activemq.xml
  5. sed -i "s#{{ activemq_autopsy_username }}#<autopsy username>#g" /opt/activemq/conf/activemq.xml
  6. sed -i "s#{{ activemq_autopsy_password }}#<autopsy password>#g" /opt/activemq/conf/activemq.xml
    1. Download the activemq.xml config and set the username and password Autopsy will use
  7. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/activemq/groups.properties --output /opt/activemq/conf/groups.properties
    1. Download groups.properties
  8. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/activemq/users.properties --output /opt/activemq/conf/users.properties
  9. sed -i "s#^sslclient=.*#sslclient=CN=<cert_common_name>, OU=<cert_ou>, O=<cert_org>, L=<cert_local>, ST=<cert_state>, C=<cert_country>#g" /opt/activemq/conf/users.properties
    1. Download users.properties and map the self-signed certificate's subject DN to the sslclient user. The sslclient= key must stay on the line: ActiveMQ's certificate login module looks users up by that DN, so a rule that only writes the DN leaves no user to match
  10. chown activemq:activemq -R /opt/activemq
    1. Set perms of install dir
  11. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/activemq/activemq.service --output /etc/systemd/system/activemq.service
    1. Download ActiveMQ service
  12. systemctl restart activemq
  13. systemctl enable activemq

Install/Setup Postgres v9.5.3

  1. sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
    1. Add postgres repo
  2. wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
    1. Add Postgres GPG key
  3. apt update -y && apt install postgresql-9.5 python3-pip libpq-dev -y
    1. Install PostgreSQL (the client library package is libpq-dev)
  4. sed -i "s/#fsync =.*/fsync = off/g" /etc/postgresql/9.5/main/postgresql.conf
    1. Disable fsync
  5. sed -i "s/#synchronous_commit =.*/synchronous_commit = off/g" /etc/postgresql/9.5/main/postgresql.conf
    1. Disable synchronous_commit
  6. sed -i "s/#full_page_writes =.*/full_page_writes = off/g" /etc/postgresql/9.5/main/postgresql.conf
    1. Disable full_page_writes
    2. Steps 4 to 6 trade durability for ingest speed: with fsync and full_page_writes off, an OS crash or power loss can leave the case database corrupt rather than merely missing the last transactions. Keep them on unless the host has reliable power and the cases are backed up elsewhere
  7. sed -i "s/max_connections =.*/max_connections = <connections>/g" /etc/postgresql/9.5/main/postgresql.conf
    1. Set max connections
  8. sed -i "s/#listen_addresses = 'localhost'/listen_addresses = '0.0.0.0'/g" /etc/postgresql/9.5/main/postgresql.conf
    1. Set Postgres to listen on all interfaces
  9. echo "host all all 0.0.0.0/0 md5" >> /etc/postgresql/9.5/main/pg_hba.conf
    1. Enable MD5 password authentication from any address. The stock pg_hba.conf separates its columns with tabs and runs of spaces, so a sed pattern written with single spaces (host all all 127.0.0.1/32 md5) matches nothing; appending the rule is reliable
    2. 0.0.0.0/0 is lab-only: any host that can reach TCP 5432 may try passwords against the autopsy role. On a shared network replace it with the analyst subnet (for example 10.10.0.0/24) and tighten the UFW rule below the same way
  10. systemctl enable postgresql
  11. systemctl restart postgresql
    1. Restart Postgres
  12. sudo -u postgres psql
    1. Enter postgres
  13. create user autopsy with encrypted password '<password>';
    1. Create postgres user
  14. ALTER USER autopsy CREATEDB;
    1. Allow user to create databases
  15. \q
    1. Exit postgres

Install/Setup Samba file share server

  1. apt install samba cifs-utils smbclient libpam-winbind -y
    1. Install Samba
  2. groupadd forensicanalysts
    1. Create forensicanalysts group
  3. useradd --no-create-home autopsy -G forensicanalysts
    1. Create autopsy user and add them to newly created group
  4. passwd autopsy
    1. Set password for user
  5. smbpasswd -a autopsy
    1. Set Samba password for autopsy user
  6. mkdir -p /var/samba/autopsy
    1. Create directory to store Autopsy cases
  7. chown autopsy:forensicanalysts -R /var/samba/autopsy
    1. Set owner and group of the case directory
  8. curl https://raw.githubusercontent.com/CptOfEvilMinions/Autopsy-Automation/main/conf/ansible/samba/smb.conf --output /etc/samba/smb.conf
  9. sed -i "s#{{ samba_path }}#/var/samba/autopsy#g" /etc/samba/smb.conf
  10. sed -i "s#{{ samba_user }}#autopsy#g" /etc/samba/smb.conf
  11. sed -i "s#{{ samba_group }}#forensicanalysts#g" /etc/samba/smb.conf
    1. Download Samba config and set settings
  12. systemctl enable smbd nmbd
  13. systemctl restart smbd nmbd
    1. Enable and restart Samba

Setup UFW

  1. ufw allow 'OpenSSH'
  2. ufw allow 5432/tcp
    1. Allow PostgresSQL
  3. ufw allow 2181/tcp
    1. Allow Zookeeper
  4. ufw allow 8983/tcp
    1. Allow Solr
  5. ufw allow 61616/tcp
    1. Allow ActiveMQ
  6. ufw allow samba
    1. Allow the Samba application profile (137,138/udp and 139,445/tcp)
  7. ufw enable
    1. The rules above accept connections from any source address; on a shared network scope them with ufw allow from <analyst subnet CIDR> to any port <port> proto tcp instead. Keep the OpenSSH rule in place before enabling so you are not locked out
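
The Postgres steps above listen on every interface and accept MD5 password logins from 0.0.0.0/0, and the UFW rules admit any source address. Outside an isolated lab both belong scoped to the analyst subnet. The script below is an added example, not code from this post or from the Autopsy-Automation repository: it validates a CIDR, rewrites pg_hba.conf in a whitespace-tolerant way (the stock file separates columns with tabs, which is why a single-space sed pattern silently matches nothing), pins listen_addresses to one address, and prints the equivalent scoped ufw commands as a dry run. Assumptions, all mine: the PostgreSQL 9.5 file paths used above (hence md5, since scram-sha-256 needs PostgreSQL 10+), the ufw Samba and OpenSSH application profiles, the example addresses 10.10.0.0/24 and 10.10.0.5, and the function names.

```shell
#!/bin/sh
# Added example (not from the Autopsy-Automation repo): scope the cluster's
# network exposure to the analyst subnet instead of 0.0.0.0/0 / any source.
# Assumes the PostgreSQL 9.5 config paths used in this post (md5 auth; scram needs 10+).

# Accept only a dotted-quad IPv4 CIDR such as 10.10.0.0/24 (octets 0-255, prefix 0-32).
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  for o in $(printf '%s' "${1%/*}" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Restrict remote password logins in pg_hba.conf ($1) to role $3 (default autopsy)
# from subnet $2. Removes any "host all all 0.0.0.0/0 ... md5" rule regardless of
# how its columns are spaced, then appends the scoped rule.
pg_hba_restrict() {
  f="$1"; cidr="$2"; role="${3:-autopsy}"
  valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  sed -i -E '/^host[[:space:]]+all[[:space:]]+all[[:space:]]+0\.0\.0\.0\/0[[:space:]]+md5/d' "$f"
  printf 'host\tall\t%s\t%s\tmd5\n' "$role" "$cidr" >> "$f"
}

# Bind PostgreSQL ($1 = postgresql.conf) to one address ($2) instead of 0.0.0.0.
pg_listen_on() {
  sed -i -E "s/^#?listen_addresses = .*/listen_addresses = '$2'/" "$1"
}

# Print ufw rules that admit the cluster ports only from $1 (dry run; pipe into
# sh to apply). Ports: PostgreSQL 5432, Zookeeper 2181, Solr 8983, ActiveMQ 61616,
# plus the OpenSSH and Samba (137,138/udp 139,445/tcp) application profiles.
ufw_rules_for() {
  cidr="$1"
  valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  echo "ufw allow from $cidr to any app OpenSSH"
  for p in 5432 2181 8983 61616; do
    echo "ufw allow from $cidr to any port $p proto tcp"
  done
  echo "ufw allow from $cidr to any app Samba"
}

# Typical use on the cluster host (addresses are examples):
#   pg_hba_restrict /etc/postgresql/9.5/main/pg_hba.conf 10.10.0.0/24
#   pg_listen_on /etc/postgresql/9.5/main/postgresql.conf 10.10.0.5
#   systemctl restart postgresql
#   ufw_rules_for 10.10.0.0/24 | sh && ufw enable
```

The Autopsy client only ever connects as the autopsy role, so the pg_hba rule names that role rather than all; the local 127.0.0.1/32 rule the package ships is left alone so psql on the host keeps working.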

Install/Setup Autopsy on Windows 10

  1. Open Windows File Explorer
  2. Select “This PC” on the left
  3. Select “Computer” tab at the top
  4. Select “Map network drive”
    1. Select Z: for Drive letter
    2. Enter \\<IP addr of Samba server>\Autopsy for folder
    3. Enter credentials for the autopsy user
  5. Open Powershell as Administrator
  6. cd $ENV:TEMP
  7. $ProgressPreference = 'SilentlyContinue'
    1. Disable progress bar
    2. StackOverFlow – Powershell – Why is Using Invoke-WebRequest Much Slower Than a Browser Download?
  8. Invoke-WebRequest -Uri https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.18.0/autopsy-4.18.0-64bit.msi -OutFile autopsy-4.18.0-64bit.msi
    1. Download Autopsy v4.18.0
  9. msiexec.exe /i .\autopsy-4.18.0-64bit.msi /quiet /qn
    1. Install Autopsy
  10. Double-click the Autopsy icon on the Desktop
  11. Tools (toolbar at the top) > Options > Multi-user
    1. Check “Enable multi-user cases”
      1. <cluster host IP addr> below is the server the playbook or the manual steps targeted, or the Docker host when using the compose stack
    2. Database
      1. Enter <cluster host IP addr> into hostname/IP addr
      2. Enter 5432 into port number
      3. Enter autopsy into username
      4. Enter <Autopsy password> into password
      5. Select “Test connection”
    3. ActiveMQ
      1. Enter <cluster host IP addr> into hostname/IP addr
      2. Enter 61616 into port number
      3. Enter autopsy into username
      4. Enter <Autopsy password> into password
      5. Select “Test connection”
    4. Solr 8
      1. Enter <cluster host IP addr> into hostname/IP addr
      2. Enter 8983 into port number
      3. Select “Test connection”
    5. Leave the Solr 4 section blank
    6. Zookeeper
      1. Enter <cluster host IP addr> into hostname/IP addr
      2. Enter 2181 into port number
      3. Select “Test connection”
    7. Select “Yes” to create a Central Repository Database
    8. Select “Apply” then “OK”

Create a new case and add data source

Create a new case

  1. Case (top right) > New Case
    1. Case information
      1. Enter test-case into case name
      2. Select Z:\ for Base Directory
      3. Select Multi-user for case type
      4. Next
    2. Optional information
      1. Enter optional information
    3. Select “Finish”

Add data source

  1. Download Hacking Case – Disk Image
  2. Copy the disk image to Z:\<case name>\<disk image>
  3. Back to Autopsy
  4. Select Type of Data Source To Add
    1. Select “Disk image or VM File”
  5. Select Data Source
    1. Select the disk image on the Samba share (Z:)
  6. Configure Ingest Modules
    1. Leave all ingest modules set to default
  7. Add data source

Lessons learned

I am currently reading a book called “Cracking the Coding Interview” and it is a great book. One interesting part of the book is their matrix to describe projects you worked on and the matrix contains the following sections which are: challenges, mistakes/failures, enjoyed, leadership, conflicts, and what would you do differently. I am going to try and use this model at the end of my blog posts to summarize and reflect on the things I learn. I don’t blog to post things that I know, I blog to learn new things and to share the knowledge of my security research.

New skills/knowledge

  • Learned about servlet containers (Tomcat and Jetty)
  • Configured Jetty to serve Solr
  • Learned how to setup and configure Solr v4 and v8
  • Learned how to setup and configure Zookeeper
  • Learned how to setup and configure ActiveMQ

References