Compiling it all

This page describes how to compile all of the software tools on this website. Please let us know if this doesn’t work for you.

If you are compiling on a Linux system, first download, compile and install the following packages in the following order:

  • If you do not have the zlib development libraries and #include files, install them. You can usually get them by installing zlib-dev or something similar.
  • If you do not have the OpenSSL development libraries and #include files, install them. You can usually get them by installing openssl-dev or something similar.
  • libewf, so that you will be able to read EnCase E01 files. Note that the current version of SleuthKit will not work with the Alpha version of libewf. That’s because the SleuthKit author refuses to support “alpha” APIs. So you will need to download and install the most recent version of libewf, and NOT libewf2 or libewf-alpha. You can find it at http://sourceforge.net/projects/libewf/files/libewf/
  • SleuthKit. Go with version 3.2.1 or later. Get it from http://www.sleuthkit.org/sleuthkit/download.php
  • Exiv2, the best open source library for JPEG EXIF support. Although this library is included in many Linux distributions, you’ll have better luck if you download and install the latest version. Get it from http://www.exiv2.org/
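A preflight check for the prerequisites listed above, as an added example that is not part of the original page or of any of these projects. The header paths, the INCLUDE_DIRS variable, and reading the SleuthKit version from the output of `fls -V` are assumptions about a default install.

```shell
#!/bin/sh
# Added example: report which prerequisites from the list above are missing,
# in the page's install order. Not code from the original page.

# Assumption: the directories your compiler searches for #include files.
INCLUDE_DIRS="${INCLUDE_DIRS:-/usr/include /usr/local/include}"

# have_header FILE: succeed if FILE exists under any directory in INCLUDE_DIRS.
have_header() {
    for dir in $INCLUDE_DIRS; do
        [ -f "$dir/$1" ] && return 0
    done
    return 1
}

# version_ge A B: succeed if dotted numeric version A is >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# tsk_version: installed SleuthKit version, empty if none is on PATH.
# Assumption: `fls -V` prints a line of the form "The Sleuth Kit ver X.Y.Z".
tsk_version() {
    fls -V 2>/dev/null | sed -n 's/.*ver \([0-9][0-9.]*\).*/\1/p'
}

# missing_deps: print one line per prerequisite that still needs installing.
missing_deps() {
    have_header zlib.h          || echo zlib
    have_header openssl/evp.h   || echo openssl
    have_header libewf.h        || echo libewf
    v=$(tsk_version)
    { [ -n "$v" ] && version_ge "$v" 3.2.1; } || echo "sleuthkit>=3.2.1"
    have_header exiv2/image.hpp || echo exiv2
}

missing_deps
```

The header test cannot tell the stable libewf from libewf2 or libewf-alpha, so confirm which libewf release you installed separately.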

If you want AFF support, next download and install AFFLIB. Please note that this will only get you support for AFF version 1, and not for AFF version 4. AFF version 4 is currently not in production, so you aren’t missing anything.

Now you can download, compile and install any of the following:

  • fiwalk — A tool that uses SleuthKit to create Digital Forensics XML files for disk images.
  • bloom — The NPS Bloom Filter package, which includes frag_find for hash-based carving.
  • bulk_extractor — The bulk data analysis tool.

 


