pt.2 OCFA Installation - Prep and Building

Now that we have a working Debian install, we can get it ready for OCFA.

Again, this is a supplement to the 'HOWTO-INSTALL-debian-etch.txt' found in /ocfa/doc/usage/

After pt.1 we have a basic Debian install with file (Samba) and DNS (BIND) services.

If your server is on a trusted network you might consider creating a temporary share for packages you will need to download manually (like OCFA). To set this up please refer to the post 'OCFA Installation - temporary Share'.

Updating Apt Sources
Edit /etc/apt/sources.list and comment out (put a # before) any line that starts with 'deb cdrom:'
This makes sure 1) you get the newest software versions from apt, and 2) you don't need to mess with the install CD anymore.
Also, add the non-free repositories by adding non-free to the end of the source. For example:
deb etch main non-free
deb-src etch main non-free

Save the updated sources.list file, and run 'apt-get update'
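
The two edits described above, written as a filter so the result can be reviewed before it replaces the real file. This is an added example, not part of the OCFA HOWTO; the function names are hypothetical and the sample lines (including the mirror.example URL) are constructed placeholders.

```shell
#!/bin/sh
# fix_sources [FILE] reads FILE (or stdin) and prints the edited list.
# It never writes to its input. To preview the change on a real system:
#   fix_sources /etc/apt/sources.list | diff -u /etc/apt/sources.list -
#
# First sed command: comment out every entry starting with 'deb cdrom:'.
# Second sed block: on the remaining deb / deb-src entries, append
# 'non-free' unless the line already lists it (so a second run is a no-op).
fix_sources() {
    sed -E '
        s/^([[:space:]]*)deb cdrom:/\1# deb cdrom:/
        /^[[:space:]]*deb(-src)?[[:space:]]/ {
            /[[:space:]]non-free([[:space:]]|$)/!s/[[:space:]]*$/ non-free/
        }
    ' "$@"
}

# Constructed sample input; mirror.example is a placeholder, not a real mirror.
sample_sources() {
    cat <<'EOF'
deb cdrom:[Debian GNU/Linux 4.0 r0 _Etch_]/ etch contrib main
deb http://mirror.example/debian/ etch main
deb-src http://mirror.example/debian/ etch main non-free
EOF
}

# Print the edited sample so the effect of both rules is visible.
sample_sources | fix_sources
```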

OCFA-Required Packages 4.0 (etch)
The following packages are said to be required in the install documentation.
Checked: Feb 19, 2009
apt-get install bzip2 libxerces27-dev libtool libboost-dev \
  libboost-serialization-dev libssl-dev postgresql-dev \
  libboost-regex-dev libdb4.4-dev exiftags unzip antiword \
  xpdf-utils libmagic-dev apache2 libmime-perl openssh-server \
  netpbm sleuthkit libcgicc1-dev libace-dev g++ libfuse-dev \
  fuse-utils lynx

*Note* As of the time of this writing the only difference is 'cgicc-dev' is now 'libcgicc1-dev'

*Debian 5.0 has several packages that are different.*
OCFA-Required Packages 5.0 (lenny)
Updated: Feb 19, 2009
apt-get install bzip2 libxerces-c2-dev libtool libboost-dev \
  libboost-serialization-dev libssl-dev postgresql \
  libboost-regex-dev libdb4.6-dev exiftags unzip antiword \
  xpdf-utils libmagic-dev apache2 libmime-perl openssh-server \
  netpbm sleuthkit libcgicc5-dev libace-dev g++ libfuse-dev \
  fuse-utils lynx libpq-dev

If apt does not find the package in question you can try to search for it with the following command:
apt-cache search (packageName)
You can also use '| more' or '| grep (searchString)' if there are a lot of hits in the cache.

I am also installing the 'Suggested Optional Packages'
apt-get install libextractor-dev extract mdbtools nrg2iso
If your database will be hosted on the same server then you need:
apt-get install postgresql-8.1
lenny - should already be installed
apt-get install postgresql-8.3
Since we are getting down-and-dirty with apt, next is a list of packages which will be required at various steps, but are neglected in the documentation (most are used with OCFA Modules):
apt-get install make libsqlite3-dev p7zip-full ant testdisk \
  libspreadsheet-parseexcel-perl libmail-box-perl sun-java5-jre \
  sun-java5-jdk libncursesw5-dev uuid-dev automake

Edit (or create) the file /etc/ and make sure it contains a line
with the string '/usr/local/lib/'.
Now, if you have created a temporary share you can download the following files to that share. Direct links can be found below:
clucene 0.9.16 (tar.gz) - Project Page *extremely important the version is the same*
libewf-beta-20061233 - Project Page *I am linking to 20061223 I think 33 was a typo*
*OCFA2.2+ needs the newest libewf: libewf-20080501
libcarvpath-0.1.4 - OCFA Project Page *updated to 0.2.0*
carvfs-0.2.1 - OCFA *updated to 0.4.1*

Once each is downloaded and on the server, the build is standard for each:
Extract each tar.gz by using the command 'tar -xvf (fileName).tar.gz'
Navigate into the newly decompressed folder, and run:
make install

*I am not sure if the order matters, but just in case install in this order - clucene, libewf, libcarvpath, carvfs (as in the documentation)
After installing a library run 'ldconfig' to make sure the loader can find your libraries.

Although I think this is old, I am going to install scalpel and the older version of sleuthkit:
*lenny has scalpel as a package: apt-get install scalpel*
scalpel 1.60
They both install by just typing 'make' in their directory.

OCFA Install
Now it is finally time to start installing OCFA! Are you excited? I know I am.
Download OCFA - Project Page *currently 2.2.0

These MUST be installed in order - OCFALib, OCFAArch, OCFAModules
Navigate to OCFALib, and run './configure'
You should not receive any errors, and all items in the list should be 'found'. If there are no errors, run 'make install'.
If there are errors attempt to find the package that is associated with the error using the apt-cache search method described above.
If you are really really really stuck, try the OCFA Mailing List.

While it's building you should get some tea. mmMMmm.

Eventually it will finish (hopefully with no errors). You can navigate directly to OCFAArch and start building it.
Again in OcfaArch run './configure' - it should 'find' everything. If not, look for the packages before continuing.

As of OCFA 2.2.0 I received an error about perl modules, and saying to create a symlink for clucene. Creating the symlink did not work for me, but installing the new clucene package in Lenny did. Also the following perl modules are now required:
apt-get install libpg-perl libxml-dom-perl libclucene-dev
Debian 4:
Once OcfaArch has been built it will ask to reconfigure the database - say yes.
A user 'ocfa' is created. I allow the ocfa user to create new roles.
yes - Allow the script to overwrite the apache config.
Choose (t)est or (p)roduction server.
The difference between these is that a testing system will allow you
to edit and tune your configuration without administrator privileges.

Debian 5: (this issue seems to be fixed in ocfa 2.2)
In lenny the install failed to create a database user. If you are not prompted to reconfigure the database, the ocfa user was not created. To create the user manually see 'Creating and Modifying a User in PSQL'. (must be done before pt. 3)

Now restart the database:
/etc/init.d/postgresql-8.x restart
The documentation suggests you change the ocfa user's password: 'passwd ocfa'

Now you have a working OcfaArch, which you can test - by following the instructions in 'ocfa/doc/usage/install/HOWTO-INSTALL-TEST.txt' HOWEVER, when accessing the interface you will receive the web error: 500 because permissions are not set correctly.

At this point you can either continue installing the OcfaModules, or continue testing by going directly to the post 'pt.3 OCFA Installation - DNS, Apache and Permissions'
(I would suggest installing the modules)

Okie dokie:
Navigate to the 'OcfaModules' directory. Run './configure | more' and check for errors. If everything went well you should only get one warning about 'dissector/photorec'. To remedy this error:
(part 1) Since we have installed testdisk using apt, navigate to '/usr/local/sbin/'. If you have an executable called 'photorec', skip to (part 3). If you do not see photorec in sbin go to (part 2).

(part 2) Building photorec from source. Download photorec/testdisk - Project Page. I am using testdisk 6.11-WIP.
  • Extract the contents to your OCFA server and navigate to /testdisk-(versionNum)/
  • Run the command './configure --without-ncurses'
  • Then the normal 'make' and 'make install'
  • Navigate back to '/usr/local/sbin' and check for the existence of 'photorec'
  • If it is there continue to (part 3), if not attempt to build again.
(part 3) Create a symbolic link from photorec - In version 2.1.1 OCFA searches for 'photorec_cli' rather than just 'photorec' in sbin.
  • Navigate to '/usr/local/sbin/'
  • (as root) type: 'ln -s photorec photorec_cli'
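
Parts 1 and 3 above as a repeatable check, for use before re-running './configure'. This is an added example, not part of OCFA or its documentation; the function name and return codes are hypothetical, and the demo runs against a constructed stand-in directory rather than /usr/local/sbin.

```shell
#!/bin/sh
# ensure_photorec_cli [DIR]: make DIR/photorec_cli a symlink to DIR/photorec.
# Returns 0 if the link is in place (created now or already correct),
#         1 if DIR has no executable 'photorec' (go to part 2 and build it),
#         2 if 'photorec_cli' exists but is something else (left untouched).
ensure_photorec_cli() {
    dir=${1:-/usr/local/sbin}
    if ! { [ -f "$dir/photorec" ] && [ -x "$dir/photorec" ]; }; then
        echo "no executable photorec in $dir: build it first (part 2)" >&2
        return 1
    fi
    # Test -L before -e so a dangling link is still recognised as a link.
    if [ -L "$dir/photorec_cli" ]; then
        target=$(readlink "$dir/photorec_cli")
        [ "$target" = photorec ] && return 0
        echo "photorec_cli points at '$target', not photorec" >&2
        return 2
    fi
    if [ -e "$dir/photorec_cli" ]; then
        echo "photorec_cli exists and is not a symlink; leaving it alone" >&2
        return 2
    fi
    # Relative target, same result as 'ln -s photorec photorec_cli' run in DIR.
    ( cd "$dir" && ln -s photorec photorec_cli )
}

# Demo on a constructed directory with a stand-in 'photorec' script.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/photorec" && chmod +x "$demo/photorec"
ensure_photorec_cli "$demo" && ls -l "$demo/photorec_cli"
rm -rf "$demo"
```

Because it refuses to replace an existing file or a link with a different target, it can be run as root repeatedly without clobbering anything already in sbin.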

Thanks to Jochen for a prompt response on this issue!

*In OCFA 2.2.0 I received an error about a Transport::Dmx perl module. There is not a Debian package for it, so you need to install it manually. It can be downloaded from here. To install: extract, navigate into the created directory, run 'perl', make, make install. That should be it.
I also received an error about my java version telling me I would not be able to run jlucene. To fix this, edit the 'configure' file for OcfaModules, and in the function 'javaok' change the 'javac' line to 'javac -source 5.0'.

Build OcfaModules:
After fixing these issues, navigate back to OcfaModules, and run './configure'
With all the errors fixed, now run 'make'

*On all the installs I have tried I receive an error dealing with 'Lucene'.
On Debian 5 it will complain about your java version and say "jlucene will not be build". If you get this as well, install the following package (*installing this package did not fix the issue in OCFA 2.2.0*, see above):
Do not uninstall the 'clucene' package you built earlier!
apt-get install libclucene-dev
Also make sure you have 'ant' installed in lenny.

Run './configure' again, then 'make'.
If you receive no errors, run 'make install'

If it completes without error, you have a mostly-working OCFA install with Modules.

Now before you go on to test you need to create the hash sets.
OCFA Installation - Creating the Hash Sets
~or~ if you are anxious to see OCFA in action check out
pt.3 OCFA Installation - DNS, Apache and Permissions


