-
Notifications
You must be signed in to change notification settings - Fork 24
Building
The pytsk source code can be build with different compilers:
- Using GNU Compiler Collection (GCC)
- Using Cygwin
- Using Minimalist GNU for Windows (MinGW)
- Using Microsoft Visual Studio
Or directly packaged with different package managers:
- Using Debian package tools (DEB)
- Using RedHat package tools (RPM)
- Using Mac OS X pkgbuild
Note: that there are issues with using SleuthKit 4.1.3 in combination with pytsk. See Building SleuthKit for more information.
Check Troubleshooting if you run into issues building pytsk.
To get the source package go to the downloads page and download the file named:
pytsk-<version>.tgz
The source package can be extracted by running:
tar xfv pytsk-<version>.tgz
This will create the source directory:
pytsk
To retrieve the source from the repository make sure to install: git
On a Debian-based system it can be installed by running:
sudo apt-get install git
On Windows download git from: http://git-scm.com/download/win
To get the source using git run:
git clone https://github.com/py4n6/pytsk
Before you build pytsk and tools using GNU Compiler Collection (GCC) you'll need to have the necessary compilation and build tools installed. Make sure that on
- a Linux machine, you have build-essential (Debian-based) or the Development Tools (RedHat-based) installed.
- a Mac OS X machine, you have XCode (with command line tools) or MacPorts (or equivalent)
Also make sure to have the following dependencies including source headers installed:
- libtalloc (http://www.samba.org/ftp/talloc/)
- libtsk (http://www.sleuthkit.org/sleuthkit/download.php)
When you're using a prebuilt version of libtsk make sure it is up to date. To build the SleuthKit from source see: Building SleuthKit
Change into the source directory and run the following commands to build pytsk:
python setup.py build
Note that setup.py is fragile and sometimes it will fail to detect the SleuthKit header files. By default is will look for the SleuthKit headers in:
/usr/include/tsk*
/usr/local/include/tsk*
../sleuthkit-*/tsk*
setup.py will fail if it detects more than one SleuthKit header directory. The TSK_HEADERS_PATH variable in setup.py can be manually set if necessary.
Also make sure that for setup.py it is only possible to link against one version of the SleuthKit library.
Note setup.py will auto generate the c file for the binding as pytsk3.c. If you hack on the code you can manually run generate_bindings.py or remove pytsk3.c which forces setup.py to regenerate it.
You can install pytsk by running:
python setup.py install
ld: warning: ignoring file /usr/lib/libtsk.dylib, file was built for x86_64 which is not the architecture being linked (i386): /usr/lib/libtsk.dylib
On Mac OS X it can be necessary that you explicitly need to define you want to build a 64-bit version of pytsk.
ARCHFLAGS='-arch x86_64' python setup.py build
Not recommended.
To build pytsk with Microsoft Visual Studio you'll need to install Microsoft Visual Studio 2008 (or later). The express version is sufficient. Note that if you want to build 64-bit version of pytsk with the express version you'll need at least 2010.
You'll also need to install the Python Windows installation (http://python.org/download/). In the example below we use version 2.7.
First generate the source code of the bindings by running the generate_bindings.py script from withing the pytsk source directory, e.g. for SleuthKit 4.1.2:
C:\Python27\python.exe generate_bindings.py ..\sleuthkit-4.1.2
This will create the file pytsk3.c.
Next open the Microsoft Visual Studio 2008 solution file:
pytsk\msvscpp\pytsk3.sln
Build the solution.
For this to work with Visual Studio 2010 change the "pytsk3" project properties:
"Configuration Properties" -> "Linker" -> "General" -> "Additional Library Directories"
Make sure the location to libtsk.lib is correct e.g."
..\sleuthkit-4.1.2\win32\Release;...
To manually install copy the following files:
copy pytsk\msvscpp\Release\pytsk3.pyd C:\Python27\lib\site-packages\
If you want to be able to manage the installation via "Programs and Features" in Windows you can create a MSI-based installer by running:
C:\Python27\python.exe setup.py bdist_msi
This will create a file equivalent to:
dist\pytsk-4.1.2.win32-py2.7.msi
For this to work with Visual Studio 2010 we need to run the previous command from either the "Visual Studio Command Prompt (2010)" or "Windows SDK 7.1 Command Prompt" (or equivalent). Check if the VS100COMNTOOLS environment variable is set:
echo %VS100COMNTOOLS%
Set the VS90COMNTOOLS to match VS100COMNTOOLS:
set VS90COMNTOOLS=%VS100COMNTOOLS%
Enabling 64-bit compilation support on the express version of Microsoft Visual Studio 2010 can be a tedious process. Below are some relevant links:
- http://msdn.microsoft.com/en-us/library/vstudio/9yb4317s(v=vs.100).aspx
- http://www.microsoft.com/en-us/download/details.aspx?id=8279
- http://support.microsoft.com/kb/2519277
If you have set it up correctly the following should work:
Go to:
Configuration manager -> Active solution platform
Select "<New>"
- Type or select the new platform: "x64"
- Copy settings from: "Win32"
- Create new project platforms: enabled
Additionally for every project change:
Configuration Properties -> General -> Platform Toolset
Into "Windows7.1SDK"
This option is available after you've installed the Windows 7 SDK
To build pytsk using the Debian package tools make sure you have the following packages installed:
sudo apt-get install build-essential debhelper fakeroot libtalloc2 libtalloc-dev uuid-dev python2.7-dev
Prepare the Debian packing files:
cp -rf dpkg debian
Check if the version information is correct in the file:
debian/changelog
Note: by default this will is set to version "4.1.2".
To build the Debian package change into the source directory and run:
dpkg-buildpackage -rfakeroot
This will create the following files in the parent directory:
pytsk3_4.1.2-1_amd64.deb
To install the pytsk Debian package run:
sudo dpkg -i pytsk3_4.1.2-1_amd64.deb
To build pytsk using the RedHat package tools make sure you have the following packages installed:
yum install rpm-build python-devel libtalloc-devel
To build:
python setup.py bdist_rpm
This will create several files in the dist sub directory including:
pytsk3-4.1.2-1.x86_64.rpm
To install the pytsk RedHat package run:
sudo rpm -ivh dist/pytsk3-4.1.2-1.x86_64.rpm
Download the latest source package from: http://www.samba.org/ftp/talloc/
To build pkg files run the following command from the build root directory:
tar xfvz talloc-2.1.1.tar.gz
cd talloc-2.1.1
./configure --without-gettext --disable-python --disable-rpath --prefix=/usr
make install DESTDIR=$PWD/osx-pkg
install_name_tool -id "/usr/lib/libtalloc.dylib" osx-pkg/usr/lib/libtalloc.2.1.1.dylib
There is one issue with the talloc library. The shared libraries inside the dylib/so files point to the build directory instead of their respective library files. This needs to be fixed using install_tool_name.
The instructions above should take of this but in case you run into issues.
First identify all the files that need to be examined:
find osx-pkg -type f | grep -E "(dylib|so)$"
An example:
osx-pkg/usr/lib/libpytalloc-util.2.1.1.dylib
osx-pkg/usr/lib/libtalloc.2.1.1.dylib
osx-pkg/usr/lib/python2.7/site-packages/talloc.so
Each of these files needs to be inspected using "otool -LT", eg:
otool -LT osx-pkg/usr/lib/python2.7/site-packages/talloc.so
What we are looking for here are signs that the so|dylib file is trying to load shared libraries from the build path instead of the final library path, eg:
/build/dependencies/talloc-2.1.1/bin/default/libtalloc.dylib
To fix that use the install_name_tool like this:
install_name_tool -change "/build/dependencies/talloc-2.1.1/bin/default/libtalloc.dylib" "/usr/lib/libtalloc.dylib" osx-pkg/usr/lib/libpytalloc-util.2.1.1.dylib
Once all shared library paths have been fixed we can move on to finish the installation (n.b. there are typically wrong library paths in every dylib|so file, and they all need to be fixed).
pkgbuild --root osx-pkg --identifier org.samba.talloc --version 2.1.1 --ownership recommended ../talloc-2.1.1.pkg
To install the required pkg files run:
sudo installer -target / -pkg talloc-2.1.1.pkg