Re: [sleuthkit-users] Using Autopsy and the Sleuthkit
From: Brian C. <ca...@sl...> - 2004-01-18 02:36:49
On Friday, January 16, 2004, at 09:53 AM, Horner, Jonathan J (JH8) wrote:

> Where can I find a good intro to using these packages?

The website has the most documents, including the Sleuth Kit Informer. There are a couple of books in production that include the basics as well, but they are not available yet.

> I've got them installed, installed the NSRL hash sets, and I've got an image loaded
> to examine. I can generally find most things, but I am unsure how to exclude
> from my file listings any file that appears to be normal (a.k.a. matches the
> hash for a known good OS file).

That option doesn't exist. There is the file type sorting feature which ignores the known-good files and organizes the rest by type (not directory).

The NSRL is actually not used much in Autopsy anymore. The NSRL contains hashes of both good and bad files and there is no easy way to make an index of what hashes are good and what hashes are bad. So until such a system exists, the NSRL is just there as a database that can be used for lookups in the "Meta Data" mode.

If anyone wants to volunteer to maintain such an NSRL index, let me know :)

brian
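The two ideas in the reply above (a known-good hash set used to drop stock files from a listing, and sorting whatever remains by file type rather than by directory) are illustrated by the following added example. It is not code from Autopsy, The Sleuth Kit, or the thread's authors: the sample "image contents", the known-good hash set, and the tiny magic-byte sniffer are all constructed here for the demonstration. Note the caveat Brian raises: a set like this only helps if it comes from a curated source of known-good hashes; the raw NSRL mixes good and bad files, so it cannot be used directly as the exclusion set.

```python
"""Hash-based known-file filtering followed by type sorting.

Added example, not part of Autopsy or The Sleuth Kit. The file contents
and the known-good hash set below are constructed for the demo."""
import hashlib
from collections import defaultdict

# Constructed sample "image contents": path -> file bytes.
SAMPLE_FILES = {
    "/bin/ls": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"fake-ls",
    "/etc/motd": b"Welcome to the host\n",
    "/home/user/notes.txt": b"meeting at 10\n",
    "/home/user/report.pdf": b"%PDF-1.4\n%fake pdf body\n",
    "/tmp/.hidden": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"unknown-binary",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the file content, the hash type a known-file set would be keyed on."""
    return hashlib.sha1(data).hexdigest()


# Constructed known-good set: we pretend these two are untouched stock OS files.
# In practice this must come from a curated known-good source, not the raw NSRL.
KNOWN_GOOD = {
    sha1_hex(SAMPLE_FILES["/bin/ls"]),
    sha1_hex(SAMPLE_FILES["/etc/motd"]),
}


def sniff_type(data: bytes) -> str:
    """Minimal magic-byte sniffer standing in for a real file-type sorter."""
    if data.startswith(b"\x7fELF"):
        return "executable"
    if data.startswith(b"%PDF-"):
        return "document"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def filter_unknown(files, known_good):
    """Keep only entries whose hash is NOT in known_good, i.e. files still worth review."""
    return {path: data for path, data in files.items() if sha1_hex(data) not in known_good}


def sort_by_type(files):
    """Group paths by sniffed type instead of by directory."""
    groups = defaultdict(list)
    for path, data in files.items():
        groups[sniff_type(data)].append(path)
    return {ftype: sorted(paths) for ftype, paths in groups.items()}


def review_set(files=SAMPLE_FILES, known_good=KNOWN_GOOD):
    """Files left after dropping known-good hashes, organised by type."""
    return sort_by_type(filter_unknown(files, known_good))


if __name__ == "__main__":
    for ftype, paths in sorted(review_set().items()):
        print(f"{ftype:>10}: {', '.join(paths)}")
```

Running it drops /bin/ls and /etc/motd and leaves three files grouped as text, document and executable; the ELF in /tmp stays in the review set precisely because its hash is not in the known-good set, which is the whole point of the exclusion step.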