Re: [sleuthkit-users] Unable to import ignore hash db into Autopsy
From: Brian C. <ca...@sl...> - 2003-10-22 21:09:59
On Wednesday, October 22, 2003, at 01:26 PM, Baskin, Brian wrote:

> I am a new member of the mailing list, so forgive me if this is a topic that's been previously covered.

Nope, it hasn't been covered before.

> When running Autopsy, I create my case, and proceed to add a host to it. I give the host a directory name, description, time zone, and the path to the ignore hash file (/data/nsrlfile). The NSRL file is a comma-delimited ASCII database. When I click to add the host, everything starts fine.

The NSRL is configured at installation time because it is not platform specific. You should have been prompted for its location when you installed Autopsy (unless you did it from one of the RPMs maybe). The host-based databases are for platform specific hashes or case-specific hashes. So, this includes the hashes from the system before it was deployed, child porn pictures, or Solaris rootkits etc.

The error is because the host-based databases must be in the md5sum format of 'HASH name'. Although, the Perl error of the uninitialized value needs to be fixed (I'll get on that and make it more pretty).

On this topic though (and it was covered in one of the recent Sleuth Kit Informers), the NSRL is no longer used in the file type sorting as a 'known good' database. The NSRL includes both known good and known bad files and there is not an easy way to distinguish between the two. So, I have removed the NSRL functionality from file type sorting until a solution is identified.

brian

> It creates the host directory, then gives the following output:
>
> Exclude Database has not been indexed - it will be as an md5sum file
> -------------------------------------------------------
> Use of uninitialized value in concatenation (.) on string at /tools/autopsy-1.74/autopsyfunc.pm line 9304, line 1. Invalid md5sum format in file.
> "SHA-1", "Filename", "FileSize", "ProductCode", "OpSystemCode", "MD4", "CRC32", "SpecialCode"
> Extracting Data from Database (/data/nsrlfile)
>
> Now, even though that message appears, the host is added, and I can continue on with the case. But, I'm under the impression that the ignore hash database is not being used. Is this something that has been seen before, and could someone give guidance on how to use these hash databases.
>
> Brian Baskin
> DCITP
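The 'HASH name' md5sum format the reply refers to, as an added example that is not part of the thread or of Autopsy's own code: a small loader that accepts a host-based hash database in md5sum format and, when handed a comma-delimited NSRL file instead, reports the format mismatch once rather than failing on an uninitialized value. The sample inputs are constructed, and the NSRL column names are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# One md5sum output line: 32 hex digits, whitespace, optional '*' (binary mode), then the name.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")

# Column names from the NSRL header quoted in the thread; used only to recognise
# the wrong file format and say so clearly, not to convert it.
NSRL_HEADER_FIELDS = {"SHA-1", "Filename", "FileSize", "ProductCode",
                      "OpSystemCode", "MD4", "CRC32", "SpecialCode"}


def looks_like_nsrl_header(line: str) -> bool:
    """True if a line is a comma-delimited header carrying NSRL column names."""
    fields = {f.strip().strip('"') for f in line.split(",")}
    return len(fields & NSRL_HEADER_FIELDS) >= 3


def load_md5sum_db(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a host-based ignore database in 'HASH name' (md5sum) format.

    Returns (hash -> name, diagnostics). Hashes are lower-cased so lookups
    against md5sum output in either case work."""
    db: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = MD5SUM_LINE.match(line)
        if m:
            db[m.group(1).lower()] = m.group(2)
            continue
        if lineno == 1 and looks_like_nsrl_header(line):
            errors.append("line 1: comma-delimited NSRL header, not md5sum "
                          "'HASH name' format; use an md5sum-format file here")
            break  # the rest is CSV rows; stop instead of one error per row
        errors.append(f"line {lineno}: invalid md5sum format: {line[:40]!r}")
    return db, errors


# Constructed sample inputs (not from the thread). The first hash is MD5("a").
GOOD_DB = ("0cc175b9c0f1b6a831c399e269772661  /tmp/a.txt\n"
           "0CC175B9C0F1B6A831C399E269772661 *a.bin\n")
NSRL_CSV = ('"SHA-1","Filename","FileSize","ProductCode","OpSystemCode",'
            '"MD4","CRC32","SpecialCode"\n'
            '"0000000000000000000000000000000000000000","x.dll","1","1","1","0","0",""\n')
```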