Re: [sleuthkit-users] Newbie question on autopsy3
From: Brian C. <ca...@sl...> - 2013-09-04 13:00:20
On Sep 3, 2013, at 5:12 PM, Netexpress <Net...@ti...> wrote:

> Hi,
> I am new to Autopsy. I am using Autopsy 3.0.6 on Windows 2003 and on Win 7.

Sounds good. For future reference for everyone, there is a quick start guide on the web:
http://sleuthkit.org/autopsy/docs/quick/

> I create a case, insert a keyword to search and run ingest modules on the data source. And now the problems:
>
> 1- I get a message at the bottom "no known bad database set"; where and how do I set it?

2 ways.

- If you are adding a disk image / data source, choose the Hash Lookup module when you get the list of ingest modules and then choose "Advanced". It will allow you to import NSRL databases (which you can download from https://sourceforge.net/projects/autopsy/files/NSRL/) of 'known' files that will be ignored by other ingest modules, or you can add a database of 'known bad'. We don't distribute 'known bad' databases. We support EnCase, Hashkeeper, and md5sum formats.

- From within the tool, you can choose the Tools menu and then Options -> Hash Database and get to the same panel.

> 2- If I use the keyword search at the top right I get this message: "No files are indexed, please index an image before searching". What can I do?

Was the Keyword Search ingest module enabled when you added the disk image? It is responsible for adding files to the index. If it was enabled, you may need to wait (I'll review that message to see if it can be made more clear). The currently released version of Autopsy "commits" its index every 10 minutes while ingest is occurring. The faster you commit, the longer the ingest takes. The next version changes that value to 5 minutes. That means that for 10 minutes, new files will not be visible to you in the index. I think we updated the message to be more clear about why there are no results, but I'll double check.

> 3- If I go to the view tree and select deleted files, all seems to freeze, and even though I know that many deleted files are present I do not find any of them.

Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?

> Perhaps I am a newbie at Autopsy, and my question could seem stupid, but for many days I have tried and tried to understand and solve it.
>
> Last question, can someone suggest a good tutorial for realistic use of Autopsy 3?

We haven't built one yet besides the other docs. Sorry. Perhaps someone else can ... :)

thanks,
brian
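The reply above says Autopsy's Hash Lookup module accepts hash sets in md5sum format and treats 'known' files as ignorable and 'known bad' files as flagged. The script below is an added example, not code from Autopsy or The Sleuth Kit: it builds a small md5sum-format hash set from constructed sample files, parses such a set back (one `<32 hex chars>  <name>` line per entry, the layout the md5sum tool writes), and classifies files against a 'known' and a 'known bad' set. The sample file names and contents are made up for the demo, and checking 'known bad' before 'known' is this example's own choice, not a statement about Autopsy's precedence rules.

```python
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk-image extracts do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_md5sum_set(paths, out_path):
    """Write an md5sum-format hash set: '<digest>  <file name>' per line."""
    with open(out_path, "w") as out:
        for p in paths:
            out.write(f"{md5_of_file(p)}  {os.path.basename(p)}\n")


def parse_md5sum_line(line):
    """Return the lowercase digest from one md5sum-format line, or None for
    blank / comment lines. Raises ValueError on malformed lines so a corrupt
    hash set is rejected instead of silently matching nothing."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    digest = line.split(None, 1)[0].lower()
    if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"not an MD5 digest: {digest!r}")
    return digest


def load_md5sum_set(path):
    """Load all digests from an md5sum-format file into a set for O(1) lookup."""
    hashes = set()
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            try:
                digest = parse_md5sum_line(line)
            except ValueError as e:
                raise ValueError(f"{path}:{lineno}: {e}") from None
            if digest is not None:
                hashes.add(digest)
    return hashes


def classify(path, known, known_bad):
    """'known bad' wins over 'known' if a digest is in both (example's choice)."""
    digest = md5_of_file(path)
    if digest in known_bad:
        return "known bad"
    if digest in known:
        return "known"
    return "unknown"


def demo():
    """Constructed sample: one NSRL-style known file, one flagged file, one
    user file. Returns {name: classification}."""
    samples = {
        "notepad.exe": b"constructed stand-in for a known OS binary",
        "evil.exe": b"constructed stand-in for a flagged binary",
        "notes.txt": b"constructed user document, in neither set",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        known_file = os.path.join(d, "known.md5")
        bad_file = os.path.join(d, "known_bad.md5")
        write_md5sum_set([os.path.join(d, "notepad.exe")], known_file)
        write_md5sum_set([os.path.join(d, "evil.exe")], bad_file)
        known = load_md5sum_set(known_file)
        known_bad = load_md5sum_set(bad_file)
        return {name: classify(os.path.join(d, name), known, known_bad)
                for name in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The parser takes the first whitespace-separated token, so it also accepts the `<digest> *<name>` form md5sum writes in binary mode. Keep the case normalisation: Autopsy and other tools may emit upper- or lowercase hex, and a case-sensitive set would silently miss matches.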