Autopsy 4.8 crashes on Mac osx

[xeen3d]

Hi
i have downloaded and install autopsy on my Mac (10.13.6) but have heavy problems.
hole Install was not a Problem I use other Tools like Cuckoo sandbox and many other Forensic Tools too
on my Mac also brew since it was viable for Mac.
The Problem start after I start autopsy, if I create a case then mostly at that time App crash.
In terminal I see some Errors like that:

MacBook-Pro:~ lauzona$ ./autopsy
-bash: ./autopsy: No such file or directory
MacBook-Pro:~ lauzona$ /Users/lauzona/Desktop/autopsy
-bash: /Users/lauzona/Desktop/autopsy: Permission denied
MacBook-Pro:~ lauzona$ /Applications/Forensics/autopsy/bin/autopsy
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.netbeans.ProxyURLStreamHandlerFactory (file:/Applications/Forensics/autopsy/platform/lib/boot.jar) to field java.net.URL.handler
WARNING: Please consider reporting this to the maintainers of org.netbeans.ProxyURLStreamHandlerFactory
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Temp Folder for Libraries: /var/folders/4r/ps891tv14wv0h6578drjn7g40000gr/T
SleuthkitJNI: loaded libtsk_jni
log4j: reset attribute= "false".
log4j: Threshold ="null".
log4j: Retreiving an instance of org.apache.log4j.Logger.
log4j: Setting [ProgressAppender] additivity to [false].
log4j: Level value for ProgressAppender is [INFO].
log4j: ProgressAppender level set to INFO
log4j: Class name: [org.apache.log4j.ConsoleAppender]
log4j: Parsing layout of class: "org.apache.log4j.PatternLayout"
log4j: Setting property [conversionPattern] to [%m].
log4j: Adding appender named [noEolAppender] to category [ProgressAppender].
log4j: Retreiving an instance of org.apache.log4j.Logger.
log4j: Setting [ProgressDone] additivity to [false].
log4j: Level value for ProgressDone is [INFO].
log4j: ProgressDone level set to INFO
log4j: Class name: [org.apache.log4j.ConsoleAppender]
log4j: Parsing layout of class: "org.apache.log4j.PatternLayout"
log4j: Setting property [conversionPattern] to [%m%n].
log4j: Adding appender named [eolAppender] to category [ProgressDone].
log4j: Level value for root is [INFO].
log4j: root level set to INFO
log4j: Class name: [org.apache.log4j.ConsoleAppender]
log4j: Parsing layout of class: "org.apache.log4j.PatternLayout"
log4j: Setting property [conversionPattern] to [%d{dd MMM yyyy HH:mm:ss} %5p %c{1} - %m%n].
log4j: Adding appender named [consoleAppender] to category [root].
Using java binary path: java
Exception getting images: Cannot get the current case; there is no case open!
Exception getting images: Cannot get the current case; there is no case open!
^CMacBook-Pro:~ lauzona$

And the Crash Dump told me that:

Process: java [6187]
Path: /Library/Java/JavaVirtualMachines/jdk-10.0.2.jdk/Contents/Home/bin/java
Identifier: net.java.openjdk.cmd
Version: 1.0 (1.0)
Code Type: X86-64 (Native)
Parent Process: sh [6022]
Responsible: java [6187]
User ID: 504

Date/Time: 2018-08-25 14:40:35.066 +0200
OS Version: Mac OS X 10.13.6 (17G65)
Report Version: 12
Bridge OS Version: 3.0 (14Y664)
Anonymous UUID: F1B4FAD2-C04C-AFB4-080F-DB9EA19C2665

Time Awake Since Boot: 4500 seconds

System Integrity Protection: disabled

Crashed Thread: 73 Java: C3P0PooledConnectionPoolManager[identityToken->1hgf2vq9xv

Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

External Modification Warnings:
Process used task_for_pid().

VM Regions Near 0:
-->
__TEXT 00000001030d0000-00000001030dd000 [ 52K] r-x/rwx SM=COW {� [/Library/Java/JavaVirtualMachines/jdk-10.0.2.jdk/Contents/Home/bin/java]

Application Specific Information:
abort() called

Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff5edfa20a mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff5edf9724 mach_msg + 60
2 com.apple.CoreFoundation 0x00007fff36e80785 __CFRunLoopServiceMachPort + 341
3 com.apple.CoreFoundation 0x00007fff36e7fad7 __CFRunLoopRun + 1783
4 com.apple.CoreFoundation 0x00007fff36e7f153 CFRunLoopRunSpecific + 483
5 com.apple.HIToolbox 0x00007fff36169d96 RunCurrentEventLoopInMode + 286
6 com.apple.HIToolbox 0x00007fff36169b06 ReceiveNextEventCommon + 613
7 com.apple.HIToolbox 0x00007fff36169884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
8 com.apple.AppKit 0x00007fff3441aa73 _DPSNextEvent + 2085
9 com.apple.AppKit 0x00007fff34bb0e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
10 libosxapp.dylib 0x00000001372f5dbf -[NSApplicationAWT nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
11 com.apple.AppKit 0x00007fff3440f885 -[NSApplication run] + 764
12 libosxapp.dylib 0x00000001372f5bbc +[NSApplicationAWT runAWTLoopWithApp:] + 157
13 libawt_lwawt.dylib 0x000000013726d344 +[AWTStarter starter:headless:] + 834
14 JavaNativeFoundation 0x00007fff3abbbf4a +[JNFRunLoop _performCopiedBlock:] + 17
15 com.apple.Foundation 0x00007fff38fc32b5 __NSThreadPerformPerform + 334
16 com.apple.CoreFoundation 0x00007fff36e9da11 CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION + 17
17 com.apple.CoreFoundation 0x00007fff36f5742c __CFRunLoopDoSource0 + 108
18 com.apple.CoreFoundation 0x00007fff36e80470 __CFRunLoopDoSources0 + 208
19 com.apple.CoreFoundation 0x00007fff36e7f8ed __CFRunLoopRun + 1293
20 com.apple.CoreFoundation 0x00007fff36e7f153 CFRunLoopRunSpecific + 483
21 java 0x00000001030d6bc3 CreateExecutionEnvironment + 401
22 java 0x00000001030d2ebc JLI_Launch + 1568
23 java 0x00000001030d1d4c main + 384
24 java 0x00000001030d1bc4 start + 52

Thread 1:
0 libsystem_kernel.dylib 0x00007fff5ee03d82 __semwait_signal + 10
1 libsystem_pthread.dylib 0x00007fff5efcf824 _pthread_join + 626
2 java 0x00000001030d72ba ContinueInNewThread0 + 142
3 java 0x00000001030d5f91 ContinueInNewThread + 164
4 java 0x00000001030d4092 JLI_Launch + 6134
5 java 0x00000001030d1d4c main + 384
6 java 0x00000001030d7856 apple_main + 84
7 libsystem_pthread.dylib 0x00007fff5efcb661 _pthread_body + 340
8 libsystem_pthread.dylib 0x00007fff5efcb50d _pthread_start + 377
9 libsystem_pthread.dylib 0x00007fff5efcabf9 thread_start + 13

I put now not hole Crash Dump in the Post I attach one that is better.
It looks that I not can create working Cases I try out different path and some other tests but all with same Issue at end, autopsy crashes.

I remobve hole Java hole sleuth Kit hole Autopsy clean all Rasches of the Mac, do a clean reinstall of all packages but same Issue, maybe a developer (I am not a developer I do investifgations) can see much more in the Crash Dump File that I can see there.

I put a Zip with two Dump files here:

https://www.dropbox.com/s/w9g6kw4yl3jlmak/autopsy_crash_dumps.zip?dl=0

Thanks for Help

Andre

[millmanorama]

I don't know much about running Autopsy on Mac osx, but from the logs it looks like it is trying to use Java 10. We do our development on Java 8 still, and there were some significant changes between 8 and 10. I am not surprised that Autopsy does not run correctly. It also looks like the error is coming out of the Netbeans Rich Client Platform that Autopsy is built on top of, so we may not be able to fix the underlying problem directly. I can make two suggestions. Search the Neatbeans support sites for information about the errors and running on Java 10. Feel free to share anything useful you discover. Also, if possible, install Java 8 (maybe uninstalling Java 10) and try again. Obviously, in the long run we must update Autopsy to be compatible with Java 10. I hope this is helpful.

…

On Sat, Aug 25, 2018 at 3:03 PM xeen3d ***@***.***> wrote: Hi i have downloaded and install autopsy on my Mac (10.13.6) but have heavy problems. hole Install was not a Problem I use other Tools like Cuckoo sandbox and many other Forensic Tools too on my Mac also brew since it was viable for Mac. The Problem start after I start autopsy, if I create a case then mostly at that time App crash. In terminal I see some Errors like that: MacBook-Pro:~ lauzona$ ./autopsy -bash: ./autopsy: No such file or directory MacBook-Pro:~ lauzona$ /Users/lauzona/Desktop/autopsy -bash: /Users/lauzona/Desktop/autopsy: Permission denied MacBook-Pro:~ lauzona$ /Applications/Forensics/autopsy/bin/autopsy WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.netbeans.ProxyURLStreamHandlerFactory (file:/Applications/Forensics/autopsy/platform/lib/boot.jar) to field java.net.URL.handler WARNING: Please consider reporting this to the maintainers of org.netbeans.ProxyURLStreamHandlerFactory WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Temp Folder for Libraries: /var/folders/4r/ps891tv14wv0h6578drjn7g40000gr/T SleuthkitJNI: loaded libtsk_jni log4j: reset attribute= "false". log4j: Threshold ="null". log4j: Retreiving an instance of org.apache.log4j.Logger. log4j: Setting [ProgressAppender] additivity to [false]. log4j: Level value for ProgressAppender is [INFO]. log4j: ProgressAppender level set to INFO log4j: Class name: [org.apache.log4j.ConsoleAppender] log4j: Parsing layout of class: "org.apache.log4j.PatternLayout" log4j: Setting property [conversionPattern] to [%m]. log4j: Adding appender named [noEolAppender] to category [ProgressAppender]. log4j: Retreiving an instance of org.apache.log4j.Logger. log4j: Setting [ProgressDone] additivity to [false]. log4j: Level value for ProgressDone is [INFO]. log4j: ProgressDone level set to INFO log4j: Class name: [org.apache.log4j.ConsoleAppender] log4j: Parsing layout of class: "org.apache.log4j.PatternLayout" log4j: Setting property [conversionPattern] to [%m%n]. log4j: Adding appender named [eolAppender] to category [ProgressDone]. log4j: Level value for root is [INFO]. log4j: root level set to INFO log4j: Class name: [org.apache.log4j.ConsoleAppender] log4j: Parsing layout of class: "org.apache.log4j.PatternLayout" log4j: Setting property [conversionPattern] to [%d{dd MMM yyyy HH:mm:ss} %5p %c{1} - %m%n]. log4j: Adding appender named [consoleAppender] to category [root]. Using java binary path: java Exception getting images: Cannot get the current case; there is no case open! Exception getting images: Cannot get the current case; there is no case open! ^CMacBook-Pro:~ lauzona$ And the Crash Dump told me that: Process: java [6187] Path: /Library/Java/JavaVirtualMachines/jdk-10.0.2.jdk/Contents/Home/bin/java Identifier: net.java.openjdk.cmd Version: 1.0 (1.0) Code Type: X86-64 (Native) Parent Process: sh [6022] Responsible: java [6187] User ID: 504 Date/Time: 2018-08-25 14:40:35.066 +0200 OS Version: Mac OS X 10.13.6 (17G65) Report Version: 12 Bridge OS Version: 3.0 (14Y664) Anonymous UUID: F1B4FAD2-C04C-AFB4-080F-DB9EA19C2665 Time Awake Since Boot: 4500 seconds System Integrity Protection: disabled Crashed Thread: 73 Java: C3P0PooledConnectionPoolManager[identityToken->1hgf2vq9xv Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY External Modification Warnings: Process used task_for_pid(). VM Regions Near 0: --> __TEXT 00000001030d0000-00000001030dd000 [ 52K] r-x/rwx SM=COW {� [/Library/Java/JavaVirtualMachines/jdk-10.0.2.jdk/Contents/Home/bin/java] Application Specific Information: abort() called Thread 0:: Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x00007fff5edfa20a mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fff5edf9724 mach_msg + 60 2 com.apple.CoreFoundation 0x00007fff36e80785 __CFRunLoopServiceMachPort + 341 3 com.apple.CoreFoundation 0x00007fff36e7fad7 __CFRunLoopRun + 1783 4 com.apple.CoreFoundation 0x00007fff36e7f153 CFRunLoopRunSpecific + 483 5 com.apple.HIToolbox 0x00007fff36169d96 RunCurrentEventLoopInMode + 286 6 com.apple.HIToolbox 0x00007fff36169b06 ReceiveNextEventCommon + 613 7 com.apple.HIToolbox 0x00007fff36169884 _BlockUntilNextEventMatchingListInModeWithFilter + 64 8 com.apple.AppKit 0x00007fff3441aa73 _DPSNextEvent + 2085 9 com.apple.AppKit 0x00007fff34bb0e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044 10 libosxapp.dylib 0x00000001372f5dbf -[NSApplicationAWT nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 11 com.apple.AppKit 0x00007fff3440f885 -[NSApplication run] + 764 12 libosxapp.dylib 0x00000001372f5bbc +[NSApplicationAWT runAWTLoopWithApp:] + 157 13 libawt_lwawt.dylib 0x000000013726d344 +[AWTStarter starter:headless:] + 834 14 JavaNativeFoundation 0x00007fff3abbbf4a +[JNFRunLoop _performCopiedBlock:] + 17 15 com.apple.Foundation 0x00007fff38fc32b5 __NSThreadPerformPerform + 334 16 com.apple.CoreFoundation 0x00007fff36e9da11 *CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION* + 17 17 com.apple.CoreFoundation 0x00007fff36f5742c __CFRunLoopDoSource0 + 108 18 com.apple.CoreFoundation 0x00007fff36e80470 __CFRunLoopDoSources0 + 208 19 com.apple.CoreFoundation 0x00007fff36e7f8ed __CFRunLoopRun + 1293 20 com.apple.CoreFoundation 0x00007fff36e7f153 CFRunLoopRunSpecific + 483 21 java 0x00000001030d6bc3 CreateExecutionEnvironment + 401 22 java 0x00000001030d2ebc JLI_Launch + 1568 23 java 0x00000001030d1d4c main + 384 24 java 0x00000001030d1bc4 start + 52 Thread 1: 0 libsystem_kernel.dylib 0x00007fff5ee03d82 __semwait_signal + 10 1 libsystem_pthread.dylib 0x00007fff5efcf824 _pthread_join + 626 2 java 0x00000001030d72ba ContinueInNewThread0 + 142 3 java 0x00000001030d5f91 ContinueInNewThread + 164 4 java 0x00000001030d4092 JLI_Launch + 6134 5 java 0x00000001030d1d4c main + 384 6 java 0x00000001030d7856 apple_main + 84 7 libsystem_pthread.dylib 0x00007fff5efcb661 _pthread_body + 340 8 libsystem_pthread.dylib 0x00007fff5efcb50d _pthread_start + 377 9 libsystem_pthread.dylib 0x00007fff5efcabf9 thread_start + 13 I put now not hole Crash Dump in the Post I attach one that is better. It looks that I not can create working Cases I try out different path and some other tests but all with same Issue at end, autopsy crashes. I remobve hole Java hole sleuth Kit hole Autopsy clean all Rasches of the Mac, do a clean reinstall of all packages but same Issue, maybe a developer (I am not a developer I do investifgations) can see much more in the Crash Dump File that I can see there. I put a Zip with two Dump files here: https://www.dropbox.com/s/w9g6kw4yl3jlmak/autopsy_crash_dumps.zip?dl=0 Thanks for Help Andre — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#4067>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABHTY07eJeQ6XwDMx0zH4pCm7EiJs1vsks5uUUsXgaJpZM4WMYGT> .

[xeen3d]

Hi
I try that and remove hole Jak Files and reinstall V 8u181 now I get directly at start of autopsy this error

org.netbeans.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: /Applications/Forensics/autopsy/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsupportedClassVersionError: org/sleuthkit/datamodel/SleuthkitJNI has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0

I try remove and reinstall sleuth kit with brew but same issue now I can't start autopsy anymore ;-) before that with Jak 10 I can start and get crashes, now sleuthkit core will not start about a like I understand old class File
Did you have a idea what I can do now ?

Many thanks for Help

Andre

[xeen3d]

Hi
it seems that not only Java 8 was the Main Problem, looks like sleuthkit core was compiled with a other Netbeans or Java Version after disable Core Plugin (sleuth Kit) autopsy start (a very small autopsy) and run without a problem but if I try activate Loire Plugin I get:

Activation failed: StandardModule:org.sleuthkit.autopsy.core jarFile: /Applications/Forensics/autopsy/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsupportedClassVersionError: org/sleuthkit/datamodel/SleuthkitJNI has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 53.0

For Mac Ost latest Java 8 was 8u181 the V9 sdk was out of Live and can't be downloaded at oracles web site.
The next higher one is 10 and if I install 10 I get the Problems with creating Cases.
I try install a fresh Ost to a VM and install only Java 8 and Authopsy with sleuth Kit to see if I have a chance get autopsy running or not.

best

Andre

[sergiisinelnychenko]

Same problem to me, but:
-- Autopsy version is 4.9
-- when trying to run it against JDK 8 - it complains about class version 55, not 54 - so some parts compiled with JDK 11
-- Running against JDK 11 causes the same behavior - same error message, all UI disabled

[xeen3d]

Hi
yes me too it looks not that someone of the developers have every time tested that Autopsy will run on a Mac

org.netbeans.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: /Applications/Forensics/autopsy/autopsy/modules/org-sleuthkit-autopsy-core.jar: java.lang.UnsatisfiedLinkError: org.sleuthkit.datamodel.SleuthkitJNI.getVersionNat()Ljava/lang/String;

I use now payed Software I cannot use Autopsy on a Windows Computer for analyze Windows images with malware or other bad apps.

I will take from time to time a new View to next versions but like now Autopsy is a nice Playground but not a real Forensic App for working in production pipelines maybe in a windows os but not on a Mac.

Best

Andre