Re: [sleuthkit-users] Unable to import ignore hash db into Autopsy

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Wednesday, October 22, 2003, at 01:26  PM, Baskin, Brian wrote:

> I am a new member of the mailing list, so forgive me if this is a=20
> topic that's been previously covered.
>

Nope, it hasn't been covered before.

> When running Autopsy, I create my case, and proceed to add a host to=20=

> it.=A0 I give the host a directory name, description, time zone, and =
the=20
> path to the ignore hash file (/data/nsrlfile).=A0 The NSRL file is a=20=

> comma-delimited ASCII database.=A0 When I click to add the host,=20
> everything starts fine.

The NSRL is configured at installation time because it is not platform=20=

specific.  You should have been prompted for its location when you=20
installed Autopsy (unless you did it from one of the RPMs maybe).  The=20=

host-based databases are for platform specific hashes or case-specific=20=

hashes.  So, this includes the hashes from the system before it was=20
deployed, child porn pictures, or Solaris rootkits etc.

The error is because the host-based databases must be in the md5sum=20
format of 'HASH    name'.  Although, the Perl error of the unitialized=20=

value needs to be fixed (i'll get on that and make it more pretty).

On this topic though (and it was covered in one of the recent Sleuth=20
Kit Informers), the NSRL is no longer used in the file type sorting as=20=

a 'known good' database.  The NSRL includes both known good and known=20
bad files and there is not an easy way to distinguish between the two. =20=

So, I have removed the NSRL functionality from file type sorting until=20=

a solution is identified.

brian

>
> It creates the host directory, the gives the following output:
>
> Exclude Database has not been indexed - it will be as an md5sum file
> -------------------------------------------------------
> Use of uninitialized value in concatenation (.) on string at=20
> /tools/autopsy-1.74/autopsyfunc.pm line 9304, line 1.=A0 Invalid =
md5sum=20
> format in file.
>
> "SHA-1", "Filename", "FileSize", "ProductCode", "OpSystemCode", "MD4",=20=

> "CRC32", "SpecialCode" Extracting Data from Database (/data/nsrlfile)
>
> Now, eventhough that message appears, the host is added, and I can=20
> continue on with the case.=A0 But, I'm under the impression that the=20=

> ignore has database is not being used.=A0 Is this something that has=20=

> seen before, and could someone give guidance on how to use these hash=20=

> databases.
>
>
> Brian Baskin
> DCITP
>