Jammy Support

[ekristen]

Replaces #72

Requires the installation of cast on the system first.

sudo cast install --variable PPAVersion=dev --pre-release --mode desktop teamdfir/sift-saltstack

[digitalsleuth]

This one is still testing against 18.04. We can reconfigure / update it to ignore bionic?

[ekristen]

This one is still testing against 18.04. We can reconfigure / update it to ignore bionic?

So adjusted

[digitalsleuth]

Some of the failures are based on fixes that are already applied in the "bionic_purge" PR. Once merged, those should be resolved (ie: the config/user/terminal".

[ekristen]

@digitalsleuth this works on Jammy, haven't tested back on Focal yet. There are a couple of packages not supported yet, xmount, etc.

wget https://github.com/ekristen/cast/releases/download/v0.13.0-rc2/cast_v0.13.0-rc2_linux_amd64.deb
sudo dpkg -i cast_v0.13.0-rc2_linux_amd64.deb
sudo cast install --variable PPAVersion=dev teamdfir/sift-saltstack@v2023.01.27-rc1

[digitalsleuth]

So far, working on Focal, however we need to update the repo management for Jammy. It's causing a crash when adding the gift repo: ProcCmdline: /usr/bin/python3 /usr/bin/apt-add-repository -y ppa:gift/dev

Looking into it now.

[ekristen]

Works just fine for me

[digitalsleuth]

Failed on 3 runs for me, just worked this last run. Could have actually been a PPA issue and not cast / the states.

[digitalsleuth]

@digitalsleuth this works on Jammy, haven't tested back on Focal yet. There are a couple of packages not supported yet, xmount, etc.

wget https://github.com/ekristen/cast/releases/download/v0.13.0-rc2/cast_v0.13.0-rc2_linux_amd64.deb
sudo dpkg -i cast_v0.13.0-rc2_linux_amd64.deb
sudo cast install --variable PPAVersion=dev teamdfir/sift-saltstack@v2023.01.27-rc1

This "installed" on Focal, but did not install any desktop components or theme config. I'm assuming that was the intent as no mode was specified. Install on Jammy isn't complete yet (after the 4th run), but will keep you posted.

[ekristen]

Haven't tested focal. Only Jammy. Server mode only works. Desktop doesn't due to terminal config issues.

[digitalsleuth]

I can work on those.

[ekristen]

I'm doing a fresh test right now on Jammy.

[ekristen]

You can always use cast against a local directory, if you checkout the repository you can then run the following ...

From the jammy branch.

cast install .

If you have the latest RC version of cast you can add --variable PPAVersion=dev to switch the PPA over to dev

[ekristen]

Ok I am seeing bulk-extractor and vshot failing, everything else looks good at the moment. I'll take a look at those.

[digitalsleuth]

Making some updates to terminal, theme, docker repo, and powershell. Testing now, should be able to submit them within an hour.

[digitalsleuth]

Okay I've made the changes and attempted a push, but it's not working for some reason. I got everything working and looking exactly as it should, but now GitHub doesn't like me. I'll need a few to get this sorted.

[digitalsleuth]

Well, pretty sure something broke, because now my PR is a new one instead of this one (it's #81).

[digitalsleuth]

Noticed that bulk-extractor fails because it's not in the GIFT DEV PPA, only in the STABLE. And vshot has a requirement of bulk-extractor, and that's why it's not downloading.

So bulk-extractor is our only remaining issue now. Since it exists in STABLE, can we move the recent packages you added to SIFT dev into SIFT stable? That way the stable release for both PPA's will contain all the necessary packages.

[ekristen]

v2023.01.31-rc1 has been cut, doing testing now.

[ekristen]

@digitalsleuth vshot isn't working for me. I need to look into that more. Everything else is looking solid.

[digitalsleuth]

What's the error with vshot?

[ekristen]

@digitalsleuth disregard, it was because bulk-extractor is a dependency of it. Looks like I'm green across the board right now.

So the only thing left I think is xmount and maybe one other package that hasn't been built for jammy, so let me look into those.

[digitalsleuth]

Gotcha. Looks like xmount is actually in Jammy now, perhaps there might not be a need to rebuild?

[ekristen]

Maybe. I don't recall why we were building it but I think it's because it wasn't compiled with libafflib, libfuse and libewf.

[ekristen]

Looks like exfat-utils is now exfatprogs in jammy, commit incoming to support both base on distro.

[ekristen]

xmount just published. v2023.01.31-rc2 just cut, doing another test on jammy, then I'll do a test on focal, if they both pass, it'll be a merge and off to the races!

[digitalsleuth]

I'll run focal now! Are you still using PPAVersion=dev ?

[ekristen]

sudo cast install --variable PPAVersion=dev --mode desktop teamdfir/sift-saltstack@v2023.01.31-rc2

[digitalsleuth]

Focal works perfectly, with the exception of xmount (as you mentioned) not being bundled with libewf etc (ERROR: LoadLibs@2371 : Unable to load input library '/usr/lib/xmount/libxmount_input_ewf.so': libewf.so.2: cannot open shared object file: No such file or directory!)

Other than that, everything works perfectly! Now the next step will be to update the stable repo? Either that, or force dev to be the default until stable is ready.

[ekristen]

Which version of xmount is installed on focal? apt-cache showpkg I think will do the trick to show you.

[digitalsleuth]

Looks like 0.7.6, but looks like it comes from sift dev and not ubuntu universe.

0.7.6-3sift1~focal (/var/lib/apt/lists/ppa.launchpad.net_sift_dev_ubuntu_dists_focal_main_binary-amd64_Packages) (/var/lib/dpkg/status)
 Description Language: 
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_focal_universe_binary-amd64_Packages
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9
 Description Language: en
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_focal_universe_i18n_Translation-en
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9
 Description Language: 
                 File: /var/lib/apt/lists/ppa.launchpad.net_sift_dev_ubuntu_dists_focal_main_binary-amd64_Packages
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9

0.7.6-2 (/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_focal_universe_binary-amd64_Packages) (/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_universe_binary-amd64_Packages)
 Description Language: 
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_focal_universe_binary-amd64_Packages
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9
 Description Language: en
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_focal_universe_i18n_Translation-en
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9
 Description Language: 
                 File: /var/lib/apt/lists/ppa.launchpad.net_sift_dev_ubuntu_dists_focal_main_binary-amd64_Packages
                  MD5: 44c11fa4c04f7ce2ce1b88d2f97b76c9

Reverse Depends: 
  afflib-tools,xmount
  forensics-all,xmount
Dependencies: 
0.7.6-3sift1~focal - libafflib0v5 (2 3.7.6) libc6 (2 2.14) libewf (0 (null)) libfuse2 (2 2.7.1-2~bpo40+1) zlib1g (2 1:1.1.4) 
0.7.6-2 - libafflib0v5 (2 3.7.6) libc6 (2 2.14) libewf2 (2 20121209) libfuse2 (2 2.7.1-2~bpo40+1) zlib1g (2 1:1.1.4) 
Provides: 
0.7.6-3sift1~focal - 
0.7.6-2 - 
Reverse Provides: 

[digitalsleuth]

As I was typing the above version, I just got the usr_lib_notifier crash related to python3-debian again. I might try changing the order of the install to see if it will fix near the end.

[ekristen]

I haven't copied packages to the non-dev repo yet, will do that after I finish testing. I've run into some issues getting the full automation to work, but I think I've worked through it a bit.

[ekristen]

All builds passing now! I've got a couple more housekeeping items to take care of but we are close!

[digitalsleuth]

There are a couple more things to tidy up with this. The SIFT repo in init, and sleuthkit for Jammy. I'll get them this afternoon with the 4n6 scripts.

[ekristen]

Missed that in review, just fixed in master. All good. I'll do another build test to make sure they are working.