Runs The Sleuth Kit's Autopsy in a Docker container.

Tested on MacOS Catalina. Should work on Linux. Not tested yet under Windows.

The resulting image is big (3.3G uncompressed, 1.6GB compressed/HUB), but it contains many integrated tools like TSK, EWF Tools, gstreamer, Jython (for extensions), Java/FX (for extensions), photorec, plaso, SolR, Volatility, Tesseract OCR, xmount. The extracted Autopsy ZIP package alone is nearly 2 GB.

• 1.0-4.15.0, 05.2020, Autopsy 4.15.0, Basis Autopsy runtime.
• 1.1-4.18.0, 04.2021, Autopsy 4.18.0, Basis Autopsy runtime.

• This project/Docker file is licensed under GNU GENERAL PUBLIC LICENSE 3.0
• TSK Autopsy is Apache License 2.0, see https://github.com/sleuthkit/autopsy
• TSK has various licenses, see https://github.com/sleuthkit/sleuthkit

• Checkout https://github.com/imifos/autopsy-docker
• Enter directory
• Add autopsy-4.18.0.zip from https://www.autopsy.com/download/
• Add sleuthkit-java_4.10.2-1_amd64.deb from https://www.autopsy.com/download/
• docker build -t autopsy .

The multi-stage build creates an intermediary image that should be removed, for instance with docker image prune. Building with the experimental '--squash' flag saves additional 300MB.

The image is also on Docker Hub: https://hub.docker.com/repository/docker/imifos/autopsy

In order to display a GUI on the host system, we need to run a X11 server and mount the IPC connection points into the container.

For MacOS, a good description on how to do this can be found here: https://medium.com/@dimitris.kapanidis/running-gui-apps-in-docker-containers-3bd25efa862a

Quick-start version for MacOS:

• Download and install XQuartz from https://www.xquartz.org or via brew cask install xquartz.
• Logout-login or reboot.
• Determine your host IP address (<your IP>).
• Open terminal.
• Start XQuartz: open -a Xquartz. This HAS to be done from the terminal, otherwise the process will not run with the correct rights.
• (Do Once) In the XQuartz X11 Preferences, Security, Allow connections from network clients.
• (Do Once) Open a new terminal window to make sure the new $DISPLAY environment variable value is set in our shell. Close the previous one.
• Whitelist the host IP to allow X11 connections from host to host via the network interface: /opt/X11/bin/xhost + <your IP>. This has to be done with $DISPLAY on default or operational value as xhost connects to the X11 server using the currently configured way. We do NOT set the local $DISPLAY environment variable. Do not run "xhost +" without IP.
• Start a test container to verify the Autopsy GUI pops-up: docker run --rm -ti -e DISPLAY=<your IP>:0 -v /tmp/.X11-unix:/tmp/.X11-unix autopsy
• In case of error (Catalina), you need to give your shell (/bin/bash, /bin/zsh or both) 'Full Disk Access' in Preferences, Security & Privacy, Privacy. Re-open a new terminal window and retry. Ref: XQuartz/XQuartz#6

Replace 192.168.1.xxx below with <your IP>. Do NOT run the container as privileged.

Displays this README:

• docker run --rm -ti autopsy

Start AUTOPSY, mounting a case volume:

• docker run --rm -ti -e DISPLAY=192.168.1.xxx:0 -v /tmp/.X11-unix:/tmp/.X11-unix -v /myhost_case_files:/container_case_files autopsy

Start AUTOPSY, mounting current directory as case volume:

• docker run --rm -ti -e DISPLAY=192.168.1.xxx:0 -v /tmp/.X11-unix:/tmp/.X11-unix -v `pwd`:/container_case_files autopsy

docker build -t imifos/autopsy .
docker tag imifos/autopsy:latest imifos/autopsy:1.1-4.18.0
docker login
docker push imifos/autopsy:1.1-4.18.0

Test if this works on windows: microsoft/WSL#4106 (comment)