Linux

Below are the instructions on how to set up a build environment on Linux:

  • Ubuntu 12.04 and Linux Mint.
  • Fedora Core 20
Note that if sections are marked as WIP it means they are work in progress.

To check if you have all the dependencies installed you can run:
python utils/check_dependencies.py

Ubuntu 12.04/Linux Mint - Prepackaged

SIFT repo

The SIFT apt repo contains all the packages needed to build the tool, and the tool itself. To add the SIFT repo, use the command:
sudo add-apt-repository ppa:sift/stable

Or to use the dev (or development) branch:
sudo add-apt-repository ppa:sift/dev

The difference between these two is that "stable" contains the last release of the code and should therefore be more stable while the dev branch contains the latest trunk, or at least close to it.

An alternative repository if you do not want all the additional packages that SIFT provides you with while still following the trunk:

sudo add-apt-repository ppa:kristinn-l/plaso-dev

Then to install plaso do:

sudo apt-get update
sudo apt-get install python-plaso

For development purposes use the dev branch of the SIFT repo or the alternative repo and, instead of installing the "python-plaso" package, use:
apt-cache show python-plaso

Install the packages listed in the "Depends" field and then use git to fetch the latest code.

Download

Prebuilt Debian packages of the dependencies can be downloaded from:

Or to use the plaso update dependency script, which is part of the plaso source:
sudo python ./utils/update_dependencies.py

Note that the update dependencies script is currently still work in progress.

Ubuntu 14.04 - Batch build of dependencies

Below are the instructions on how to set up a build environment on Ubuntu 14.04 using the build_dependencies script.

First of all make sure your installation is up to date:
sudo apt-get update
sudo apt-get upgrade

Install git
sudo apt-get install git

Get a copy of the plaso source:
git clone https://github.com/log2timeline/plaso.git

Make sure the necessary building tools and development packages are installed on the system:
sudo aptitude install build-essential autotools-dev automake zlib1g-dev libbz2-dev libfuse-dev libsqlite3-dev libssl-dev python-dev python-setuptools debhelper fakeroot quilt

To build most of the dependencies automatically run the build dependency script:
./utils/build_dependencies.py dpkg

Note that the build dependencies script is currently still work in progress, but it will build most of the dependencies.

TODO

sudo ./utils/update_dependencies.py

Ubuntu 12.04/Linux Mint - Manual build of dependencies

Below are the instructions on how to manually set up a build environment on Ubuntu 12.04/Linux Mint.

First of all make sure your installation is up to date:
sudo apt-get update
sudo apt-get upgrade

Or to use the plaso build dependency script, which is part of the plaso source and requires the build essentials to be present:
python ./utils/build_dependencies.py dpkg

Note that the build dependencies script is currently still work in progress.

Build essentials

Make sure the necessary building tools and development packages are installed on the system:
sudo apt-get install build-essential autotools-dev libsqlite3-dev python-dev debhelper fakeroot quilt git mercurial python-dateutil python-setuptools libtool automake

For some of the dependent packages you also require:
sudo apt-get install libfuse-dev

For ease of maintenance we create/use as many package files as possible.

First create a build root directory:
mkdir plaso-build/

Bencode

To install bencode run:
sudo apt-get install python-bencode

Binplist

To install Binplist acquire the source package from the Downloads section of: https://code.google.com/p/binplist/

tar xvf binplist-0.1.4.tar.gz

cd binplist-0.1.4/

cp -rf config/dpkg debian


dpkg-buildpackage -rfakeroot

This will create the following files in the plaso-build directory:

binplist_0.1.4-1_all.deb


For plaso you'll need to install the Python library:

sudo dpkg -i binplist_0.1.4-1_all.deb


Construct

Install the six dependency:
sudo apt-get install python-six

Download the 2.5.2 version from http://construct.readthedocs.org/en/latest/ and the Debian packaging files.

tar zxfv construct-2.5.2.tar.gz
cd construct-2.5.2/
tar zxfv ../python-construct-2.5.2-dpkg.tar.gz
cp -rf dpkg debian

To build the Debian package:
dpkg-buildpackage -rfakeroot

This will create the following files in the plaso-build directory:
python-construct_2.5.2-1_all.deb

For plaso you'll need to install the Python module:
sudo dpkg -i python-construct_2.5.2-1_all.deb

dfVFS

The dfVFS build instructions can be found here. Note that for dfVFS to function correctly several dependencies, like pytsk, mentioned later in the plaso Ubuntu 12.04 build instructions, are required.


To install dfVFS download the source package from the downloads page.

tar xvf dfvfs-20140219.tar.gz

cd dfvfs-20140219/

cp -rf dpkg debian


dpkg-buildpackage -rfakeroot

This will create the following files in the plaso-build directory:

python-dfvfs_20140219-1_all.deb


For plaso you'll need to install the Python library:

sudo dpkg -i python-dfvfs_20140219-1_all.deb


DPKT

To install dpkt run:
sudo apt-get install python-dpkt

Hachoir

To install hachoir run:
sudo apt-get install python-hachoir-core python-hachoir-metadata python-hachoir-parser

Libprotobuf and Python-bindings

To install libprotobuf and Python-bindings run:
sudo apt-get install libprotobuf7 python-protobuf

Libyal and Python-bindings

The following instructions apply to:

Note that libewf, libqcow and libvmdk have zlib as a dependency.

Since the building process for the libyal libraries is very similar, building libevt in the following paragraph is provided as an example.
More detailed instructions can be found on the Building wiki site of the individual projects.

Example: libevt and Python-bindings

Grab the latest libevt source package from the Downloads section of: https://github.com/libyal/libevt

E.g. libevt-alpha-20130923.tar.gz

tar xfv libevt-alpha-20130923.tar.gz
cd libevt-20130923
cp -rf dpkg debian
dpkg-buildpackage -rfakeroot

This will create the following files in the plaso-build directory:
libevt_20130923-1_amd64.deb
libevt-dev_20130923-1_amd64.deb
libevt-python_20130923-1_amd64.deb
libevt-tools_20130923-1_amd64.deb

For plaso you'll need to install the library and the Python-bindings:
sudo dpkg -i libevt_20130923-1_amd64.deb libevt-python_20130923-1_amd64.deb

Batch build

Note that the libyal libraries and Python-bindings can also be built in batch.

Though you have to make sure you've set up your build system correctly first.

Get libyal-build.py from the libyal git repository:
git clone https://github.com/libyal/libyal.git

Make sure the required libraries are in LIBYAL_LIBRARIES in libyal-build.py.

Then run libyal-build e.g. to build with dpkg-buildpackage and create deb files:
cd plaso-build/
python libyal-build.py dpkg

You should end up with multiple deb files inside the plaso-build directory.

More information regarding libyal-build can be found here.

Libyaml and Python-bindings

To install libyaml and Python-bindings run:

sudo apt-get install libyaml-0-2 python-yaml

Sleuthkit and Pytsk



TODO describe

PyParsing

By default Ubuntu 12.04 comes with python-pyparsing 1.5.2. Plaso requires version 1.5.6 or later.


tar zxfv pyparsing-2.0.2.tar.gz
cd pyparsing-2.0.2/
tar zxfv ../python-pyparsing-2.0.2-dpkg.tar.gz
cp -rf dpkg debian

To build the Debian package:
dpkg-buildpackage -rfakeroot

This will create the following files in the plaso-build directory:
python-pyparsing_2.0.2-1_all.deb

For plaso you'll need to install the Python module:
sudo dpkg -i python-pyparsing_2.0.2-1_all.deb

PySQLite

To install the SQLite development files:
sudo apt-get install libsqlite3-dev


TODO describe


Python modules

To install the necessary Python-modules run:
sudo apt-get install python-tz

IPython

By default Ubuntu 12.04 comes with IPython 0.12. Plaso requires version 1.2.1 or later.

To install IPython run:

sudo apt-get install ipython

TODO describe


Ubuntu 12.04/Linux Mint

Plaso

Grab a copy of the latest version of plaso.
git clone https://github.com/log2timeline/plaso.git

PyLint

If you intend to do development on plaso you'll also need to install PyLint.
By default Ubuntu 12.04 comes with PyLint 0.25. Plaso requires version 0.26 or later but we recommend updating to version 1.0.0 or later.
To update to version 1.0.0 follow the steps mentioned below.

Remove any older version of PyLint.
sudo apt-get remove pylint

Install the necessary dependencies for building PyLint:
sudo aptitude install python-epydoc graphviz python-unittest2

Download and build the python-logilab-common Debian package:
hg clone http://hg.logilab.org/logilab/common
cd common
dpkg-buildpackage -rfakeroot
cd ..

Since you're building from the development branch, you may need to disable any failing tests.
Either report these as bugs to the PyLint project or fix them yourself.

Download and build the python-astroid Debian package:
hg clone https://bitbucket.org/logilab/astroid
cd astroid
dpkg-buildpackage -rfakeroot
cd ..


Download and build the pylint Debian package:
hg clone https://bitbucket.org/logilab/pylint
cd pylint
dpkg-buildpackage -rfakeroot
cd ..


Install the python-logilab-common, python-astroid and pylint Debian packages:
sudo dpkg -i python-logilab-common_0.60.0-1_all.deb python-astroid_1.0.1-1_all.deb pylint_1.0.0-1_all.deb
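
The sections above state three version floors (pyparsing 1.5.6, IPython 1.2.1, PyLint 0.26) that the stock Ubuntu 12.04 packages do not meet. The following is an added example, not plaso's own utils/check_dependencies.py, that checks installed modules against those floors. It assumes the import names shown and that each module exposes `__version__`.

```python
import importlib
import re

# Minimums as stated on this page; the import names are assumptions.
MINIMUM_VERSIONS = {'pyparsing': '1.5.6', 'IPython': '1.2.1', 'pylint': '0.26'}


def parse_version(text):
  """Turns '1.10.0-dev' into (1, 10, 0), keeping only the numeric prefix."""
  match = re.match(r'\d+(?:\.\d+)*', text.strip())
  return tuple(int(part) for part in match.group().split('.')) if match else ()


def meets_minimum(installed, minimum):
  """Compares numerically, padding so that '1.0' equals '1.0.0'."""
  have, need = parse_version(installed), parse_version(minimum)
  width = max(len(have), len(need))
  pad = lambda version: version + (0,) * (width - len(version))
  return pad(have) >= pad(need)


def installed_version(name):
  """Returns __version__, '' if the module has none, None if not importable."""
  try:
    module = importlib.import_module(name)
  except ImportError:
    return None
  return str(getattr(module, '__version__', ''))


def check(minimums, lookup=installed_version):
  """Maps each name to 'ok', 'missing', 'unknown' or 'too old (x < y)'."""
  report = {}
  for name, minimum in minimums.items():
    version = lookup(name)
    if version is None:
      report[name] = 'missing'
    elif not parse_version(version):
      report[name] = 'unknown'
    elif meets_minimum(version, minimum):
      report[name] = 'ok'
    else:
      report[name] = 'too old ({0:s} < {1:s})'.format(version, minimum)
  return report


if __name__ == '__main__':
  for name, status in sorted(check(MINIMUM_VERSIONS).items()):
    print('{0:s}: {1:s}'.format(name, status))
```

Versions are compared as integer tuples because a plain string comparison would rank 1.10.0 below 1.2.1.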

Fedora Core 20 - Manual build

Below are the instructions on how to manually set up a build environment on Fedora Core 20.

First of all make sure your installation is up to date:
sudo yum update

Or to use the plaso build dependency script, which is part of the plaso source and requires the build essentials to be present:
python ./utils/build_dependencies.py rpm

Note that the build dependencies script is currently still work in progress.

Build essentials

Make sure the necessary building tools and development packages are installed on the system:
sudo yum groupinstall "Development Tools"
sudo yum install gcc-c++ flex byacc rpm-build python-devel git mercurial python-dateutil python-setuptools

For some of the dependent packages you also require:
sudo yum install zlib-devel bzip2-devel openssl-devel fuse-devel

For ease of maintenance we create/use as many package files as possible.

First create a build root directory:
mkdir plaso-build/

Bencode

To install bencode acquire the source package from: https://pypi.python.org/pypi/bencode
tar xvf bencode-1.0.tar.gz 
cd bencode-1.0/

python setup.py bdist_rpm
sudo rpm -ivh dist/bencode-1.0-1.noarch.rpm

Binplist

To install binplist acquire the source package from the Downloads section of: https://code.google.com/p/binplist/

tar xvf binplist-0.1.4.tar.gz

cd binplist-0.1.4/


python setup.py bdist_rpm

sudo rpm -ivh dist/binplist-0.1.4-1.noarch.rpm


Construct

Using easy_install

To install construct, the binary parsing library, use easy_install:
sudo easy_install construct

From source

To install the distributed version of construct run:

sudo yum install python-six


To install the latest version of construct download the 2.5.2 version from: http://construct.readthedocs.org/en/latest

tar xvf construct-2.5.2.tar.gz

cd construct-2.5.2/


python setup.py bdist_rpm

sudo rpm -ivh dist/construct-2.5.2-1.noarch.rpm

Note that this package could conflict with the distributed package.

dfVFS

The dfVFS build instructions can be found here. Note that for dfVFS to function correctly several dependencies, like pytsk, mentioned later in the plaso Ubuntu 12.04 build instructions, are required.


To install dfVFS download the source package from the downloads page.

tar xvf dfvfs-20140219.tar.gz

cd dfvfs-20140219/

python setup.py bdist_rpm


This will create the following files in the dist sub directory:

dfvfs-20140219-1.noarch.rpm


For plaso you'll need to install the Python library:

sudo rpm -ivh dist/dfvfs-20140219-1.noarch.rpm

DPKT

Get the latest dpkt version from: https://code.google.com/p/dpkt/

Currently there are multiple issues with dpkt, one of which is: https://code.google.com/p/dpkt/issues/detail?id=34

tar xvf dpkt-1.8.tar.gz 
cd dpkt-1.8/

Edit the file:
dpkt/ip.py

On line 252 change:
mod = __import__(name, g)

into:
mod = __import__('dpkt.{}'.format(name), g)

python setup.py bdist_rpm
sudo rpm -ivh dist/dpkt-1.8-1.noarch.rpm

Hachoir

To install hachoir download the core, parser and metadata package from: https://bitbucket.org/haypo/hachoir/wiki/Install/source, e.g.
  • hachoir-core-1.3.3.tar.gz
  • hachoir-parser-1.3.4.tar.gz
  • hachoir-metadata-1.3.3.tar.gz

hachoir-core

To install hachoir-core run:
python setup.py build bdist_rpm

This will create several files in the dist sub directory.

For plaso you'll need to install the noarch package:
sudo rpm -ivh dist/hachoir-core-1.3.3-1.noarch.rpm

hachoir-parser

To install hachoir-parser run:
python setup.py build bdist_rpm

This will create several files in the dist sub directory.

For plaso you'll need to install the noarch package:
sudo rpm -ivh dist/hachoir-parser-1.3.4-1.noarch.rpm

Note that hachoir-parser is dependent on hachoir-core.

hachoir-metadata

To install hachoir-metadata run:
python setup.py build bdist_rpm

This will create several files in the dist sub directory.

For plaso you'll need to install the noarch package:
sudo rpm -ivh dist/hachoir-metadata-1.3.3-1.noarch.rpm

Note that hachoir-metadata is dependent on hachoir-core and hachoir-parser.

Libprotobuf and Python-bindings

To install libprotobuf and Python-bindings run:
sudo yum install protobuf-python

If you intend to do development on plaso and change the protobuf definitions, you'll also need to install the protobuf compiler (protoc).
sudo yum install protobuf-compiler

Libyal and Python-bindings

The following instructions apply to:

Note that libewf, libqcow and libvmdk have zlib as a dependency.

Since the building process for the libyal libraries is very similar, building libevt in the following paragraph is provided as an example.
More detailed instructions can be found on the Building wiki site of the individual projects.

Example: libevt and Python-bindings

Grab the latest libevt source package from the Downloads section of: https://github.com/libyal/libevt

E.g. libevt-alpha-20130923.tar.gz

mv libevt-alpha-20130923.tar.gz libevt-20130923.tar.gz
rpmbuild -ta libevt-20130923.tar.gz

On a 64-bit version of Fedora 18 this will create the rpm files in the directory:
~/rpmbuild/RPMS/x86_64/

For plaso you'll need to install the library and the Python-bindings:
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/libevt-20130923-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/libevt-python-20130923-1.x86_64.rpm

Batch build

Note that the libyal libraries and Python-bindings can also be built in batch.

Though you have to make sure you've set up your build system correctly first.

Get libyal-build.py from the libyal git repository:
git clone https://github.com/libyal/libyal.git

Make sure the required libraries are in LIBYAL_LIBRARIES in libyal-build.py.

Then run libyal-build e.g. to build with rpmbuild and create rpm files:
cd plaso-build/
python libyal-build.py rpm

You should end up with multiple rpm files inside the current directory.

More information regarding libyal-build can be found here.

Libyaml and Python-bindings

To install libyaml and Python-bindings run:

sudo yum install libyaml PyYAML

Sleuthkit and pytsk


Psutil

To install psutil download version 1.2.1 from: https://pypi.python.org/packages/source/p/psutil/psutil-1.2.1.tar.gz

tar xvf psutil-1.2.1.tar.gz

cd psutil-1.2.1/

python setup.py bdist_rpm


This will create the following files in the dist sub directory:

psutil-1.2.1-1.x86_64.rpm


For plaso you'll need to install the Python library:

sudo rpm -ivh dist/psutil-1.2.1-1.x86_64.rpm


PyElasticsearch (optional)


To use the Elasticsearch output module, install pyelasticsearch. This is not needed for the tool to function, but it is required for Elasticsearch support.


TODO: FIX THIS SECTION

Download the latest release from: https://github.com/rhec/pyelasticsearch/releases

PyParsing

To install the necessary Python-modules run:
sudo yum install pyparsing

Python modules

To install the necessary Python-modules run:
sudo yum install pytz

IPython

By default Fedora 20 comes with IPython TODO. Plaso requires version 1.2.1 or later.

To install IPython run:

sudo yum install ipython

Plaso

Grab a copy of the latest version of plaso.
git clone https://github.com/log2timeline/plaso.git

PyLint

If you intend to do development on plaso you'll also need to install PyLint:
sudo yum install pylint
