FRED README FILE REVISION 1 Table of contents 0.0 Author and license stuff 1.0 What is fred? - A short description 2.0 Installation instructions 2.1 Prerequisits 2.1.1 Linux 2.1.2 Mac OSX 2.1.3 Windows 2.2 Installing a prebuild binary package 2.3 Installing from source 2.3.1 Shared vs static libhivex 2.3.2 Linux 2.3.2.1 Prerequisites 2.3.2.2 Compiling 2.3.2.3 Packaging 2.3.3 Mac OSX 2.3.3.1 Prerequisites 2.3.3.2 Compiling 2.3.3.3 Packaging 2.3.4 Windows 2.3.5 Crosscompiling for Windows 2.3.5.1 Prerequisites 2.3.5.1.1 Compiler 2.3.5.1.2 Qt 2.3.5.2 Compiling 2.3.5.3 Packaging 0.0 Author and license stuff fred Copyright (c) 2011-2020 by Gillen Daniel This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 1.0 What is fred? - A short description Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor. This project was born out of the need for a reasonably good registry hive viewer for Linux to conduct forensic analysis. Therefore it includes some functions not found in normal "free" registry editors like a hex viewer with data interpreter and a reporting function that can easily be extended with custom ECMAScript report templates. 2.0 Installation instructions 2.1 Prerequisits If you are not going to use my prebuild packages, in addition to the prerequisits below you probably will also need Richard W.M. Jones's libhivex available from https://github.com/libguestfs/hivex. 2.1.1 Linux Any Linux with Qt v4.x libraries. 2.1.2 Mac OSX OSX v10.5 or above with Qt v4.x libraries. 2.1.3 Windows Windows XP or newer with Qt v4.x libraries. 2.2 Installing a prebuild binary package Chances are I provide prebuild binary packages for your OS (generally Debian/Ubuntu, Mac OSX and Windows). If so, you can simply download them from https://www.pinguin.lu. ForDebian/Ubuntu, add my repository and execute the following command: $ sudo apt-get install fred fred-reports For Mac OSX and Windows, execute the installer and follow the on-screen instructions. If I have no prebuild binary packages for your OS, you will have to compile fred by yourself. In this case, read the instructions under "Installing from source". 2.3 Installing from source Start by getting the source code from https://www.pinguin.lu and unpacking it to some temporary directory. Under Linux and Mac OSX, use: $ cd /some/temp/dir/ $ tar xfvz fred-x.x.x.tar.gz Under Windows, use 7zip or alike to decompress the tar.gz file. 2.3.1 Shared vs static libhivex When compiling fred from source, you have two possibilities how to include libhivex. When using Linux, chances are your distribution has a package for it available. In this case, you may install the binary and developper version of it and go ahead to build fred. If your distribution has no libhivex package available (Mac OSX and Windows definitely haven't), or you want to use the latest version of it available that might fix some bugs, make sure you use the "--static-hivex" command line option when running my bootstrap.sh script. This will checkout, compile and statically link the latest libhivex compatible with fred while building. 2.3.2 Linux 2.3.2.1 Prerequisites TODO 2.3.2.2 Compiling Compiling under Linux for Linux should be very simple. Just execute the following commands: $ cd /path/to/fred/source/ $ ./autogen.sh --platform=linux Or, if you want to use the static libhivex: $ cd /path/to/fred/source/ $ ./autogen.sh --static-hivex --platform=linux 2.3.2.3 Packaging TODO 2.3.3 Mac OSX 2.3.3.1 Prerequisites In order to compile fred under Mac OSX, you need to install the following software: - XCode from Apple - Git from http://code.google.com/p/git-osx-installer/ - MacPorts from http://www.macports.org - Qt 4.8.x library from http://qt-project.org Aditionally, after installing MacPorts, install the following packages: $ sudo port install ocaml libxml2 pkgconfig autoconf gettext 2.3.3.2 Compiling Compilation should be straight forward executing the following command: $ cd /path/to/fred/source/ $ ./autogen.sh --static-hivex --platform=mac 2.3.3.3 Packaging TODO 2.3.4 Windows Until beta5, fred for Windows was build under Windows. But it was a pain in the bud to do so. Therefore I switched to crosscompiling under Linux which works very well. If you want to build fred under Windows, good luck and please, don't contact me if you have any problems! My only answer will be: Crosscompile under Linux! 2.3.5 Crosscompiling for Windows 2.3.5.1 Prerequisites The following instructions are for Debian / Ubuntu like distros. If you are using another distro, you will need to get the compiler and Qt on your own. 2.3.5.1.1 Compiler You need the mingw-w64 gcc and g++ compiler. When using Debian/Ubuntu install the following packages: $ sudo apt-get install mingw-w64 mingw-w64-tools g++-mingw-w64 \ gcc-mingw-w64 mingw-ocaml autopoint 2.3.5.1.2 Qt After you have a compiler, you will need to crosscompile Qt as it is currently not available as package. Start by getting the source: $ cd /some/temp/dir/ $ QTU="http://download.qt-project.org/archive/qt/4.8/4.8.4" $ QTP="qt-everywhere-opensource-src-4.8.4" $ wget $QTU/$QTP.tar.gz $ tar xfvz $QTP.tar.gz $ cd $QTP Unfortunately, Qt won't build until you apply three small patches: $ SRC="/path/to/fred/source/qt_patches" $ patch -p1 <"$SRC/mingw32-qt-4.8.0-no-webkit-tests.patch" $ patch -p1 <"$SRC/qt-4.8.4-fix-sse-suppport-build-regression.patch" $ patch -p1 <"$SRC/qt-4.8.0-fix-include-windows-h.patch" Now configure, compile and install Qt (I compiled it on my dual Xeon machine with 40 cores (using make -j40) in 09:27 minutes. It might take a bit longer on your machine :-p): $ sudo ./configure -prefix /opt/qt-4.8.4-mingw -opensource \ -no-qt3support -no-multimedia -no-audio-backend \ -no-phonon -no-phonon-backend -no-javascript-jit \ -nomake examples -nomake demos -nomake docs \ -xplatform win32-g++-4.6 \ -device-option CROSS_COMPILE=i686-w64-mingw32- $ sudo make $ sudo make install If you are asking you why the heck I used sudo to run configure, well, Qt likes to copy some files to the prefix dir in that step which will fail if you aren't root. 2.3.5.3 LIBXML2 $ wget ftp://xmlsoft.org/libxml2/libxml2-2.9.1.tar.gz $ tar xfvz libxml2-2.9.1.tar.gz $ cd libxml2-2.9.1/ $ ./configure --prefix /opt/libxml2-2.9.1-mingw --host i686-w64-mingw32 --without-python $ make $ sudo make install TODO 2.3.5.3 Compiling If all the above worked, you are ready to crosscompile fred: $ cd /path/to/fred/source/ $ cd hivex/gnulib; patch -p1 <../../hivex_patches/gnulib.patch; cd - $ ./autogen.sh --static-hivex --platform=win32 The build process of hivex will probably complain and might even fail with an error but normally the lib gets build before that without errors, so just ignore it. 2.3.5.4 Packaging TODO