RE: [sleuthkit-users] Unable to import ignore hash db into Autops y
From: Baskin, B. <ba...@dc...> - 2003-10-23 15:12:25
Thank you for the quick reply. The mistake was mine, in which I did not have the NSRL files present at the time of install. Since it was over a week between install and putting a case in, the fact escaped my mind. I re'make'd Autopsy with the NSRL files in place, the indexing commenced, and I was able to add a host with the NSRL file.

I have taken your comments on the validity of NSRL under consideration. I'm working with Mary Shriner, teaching Autopsy/Solaris investigations, so that may be a point that we may bring up within the class. We won't be teaching the NSRL as a known good, but I will be on the lookout for whatever changes you have coming.

Thank you
Brian Baskin

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Wednesday, October 22, 2003 4:21 PM
To: Baskin, Brian
Cc: 'sle...@li...'
Subject: Re: [sleuthkit-users] Unable to import ignore hash db into Autopsy

On Wednesday, October 22, 2003, at 01:26 PM, Baskin, Brian wrote:

> I am a new member of the mailing list, so forgive me if this is a
> topic that's been previously covered.
>

Nope, it hasn't been covered before.

> When running Autopsy, I create my case, and proceed to add a host to
> it. I give the host a directory name, description, time zone, and the
> path to the ignore hash file (/data/nsrlfile). The NSRL file is a
> comma-delimited ASCII database. When I click to add the host,
> everything starts fine.

The NSRL is configured at installation time because it is not platform specific. You should have been prompted for its location when you installed Autopsy (unless you did it from one of the RPMs maybe). The host-based databases are for platform specific hashes or case-specific hashes. So, this includes the hashes from the system before it was deployed, child porn pictures, or Solaris rootkits etc.

The error is because the host-based databases must be in the md5sum format of 'HASH name'. Although, the Perl error of the uninitialized value needs to be fixed (i'll get on that and make it more pretty).

On this topic though (and it was covered in one of the recent Sleuth Kit Informers), the NSRL is no longer used in the file type sorting as a 'known good' database. The NSRL includes both known good and known bad files and there is not an easy way to distinguish between the two. So, I have removed the NSRL functionality from file type sorting until a solution is identified.

brian

>
> It creates the host directory, then gives the following output:
>
> Exclude Database has not been indexed - it will be as an md5sum file
> -------------------------------------------------------
> Use of uninitialized value in concatenation (.) on string at
> /tools/autopsy-1.74/autopsyfunc.pm line 9304, line 1. Invalid md5sum
> format in file.
>
> "SHA-1", "Filename", "FileSize", "ProductCode", "OpSystemCode", "MD4",
> "CRC32", "SpecialCode" Extracting Data from Database (/data/nsrlfile)
>
> Now, even though that message appears, the host is added, and I can
> continue on with the case. But, I'm under the impression that the
> ignore hash database is not being used. Is this something that has been
> seen before, and could someone give guidance on how to use these hash
> databases.
>
>
> Brian Baskin
> DCITP
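The thread turns on a format mismatch: Autopsy's host-based ignore/alert databases must be md5sum output ('HASH name' per line), while the NSRL file that was handed to it is the comma-delimited database whose header is quoted above. The following checker, added here as an illustration and not code from Autopsy or the Sleuth Kit, tells the two apart before a host is created, so that the "Invalid md5sum format in file" condition is caught up front. The function names, the regular expression and the sample entries are constructed for this example; the NSRL header is the one quoted in the thread.

```python
import csv
import io
import re

# One md5sum-style line: 32 hex digits, whitespace, an optional '*' (md5sum
# binary mode) and then the file name. Constructed for this example.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")

# The NSRL comma-delimited header exactly as it appears in the thread.
NSRL_HEADER = ["SHA-1", "Filename", "FileSize", "ProductCode",
               "OpSystemCode", "MD4", "CRC32", "SpecialCode"]


def looks_like_nsrl(first_line):
    """True if the first line of the file is the NSRL CSV header."""
    row = next(csv.reader(io.StringIO(first_line), skipinitialspace=True))
    return [field.strip() for field in row] == NSRL_HEADER


def parse_md5sum_db(text):
    """Parse an md5sum-format database.

    Returns (entries, error): entries is a list of (md5_lowercase, name);
    error is None on success or a message naming the first bad line,
    mirroring Autopsy's "Invalid md5sum format in file" complaint.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are harmless
        match = MD5SUM_LINE.match(line)
        if match is None:
            return entries, "Invalid md5sum format in file at line %d" % lineno
        entries.append((match.group(1).lower(), match.group(2)))
    return entries, None


def classify_hash_db(text):
    """Classify a candidate database for the two Autopsy inputs.

    'nsrl'    -> belongs to the install-time NSRL prompt, not a host database
    'md5sum'  -> usable as a host-based ignore/alert database
    'invalid' -> neither; the message names the offending line
    """
    lines = text.splitlines()
    if lines and looks_like_nsrl(lines[0]):
        return ("nsrl", "install-time NSRL input, not a host database")
    entries, error = parse_md5sum_db(text)
    if error:
        return ("invalid", error)
    return ("md5sum", "%d hashes, usable as a host database" % len(entries))


# Constructed sample inputs (hashes of the empty string and of the
# "quick brown fox" sentence; file names are made up).
SAMPLE_MD5SUM_DB = (
    "d41d8cd98f00b204e9800998ecf8427e  empty.txt\n"
    "9e107d9d372bb6826bd81d3542a419d6 *quick.bin\n"
)
SAMPLE_NSRL_HEAD = ('"SHA-1","Filename","FileSize","ProductCode",'
                    '"OpSystemCode","MD4","CRC32","SpecialCode"\n')

if __name__ == "__main__":
    for label, sample in (("md5sum db", SAMPLE_MD5SUM_DB),
                          ("nsrl file", SAMPLE_NSRL_HEAD),
                          ("garbage", "not a hash line\n")):
        print(label, "->", classify_hash_db(sample))
```

Run against the path you intend to give the "add host" form; a result of 'nsrl' means the file belongs at the installation prompt Brian Carrier describes, and 'invalid' points at the first line that md5sum would not have produced.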