Re: [sleuthkit-users] Autopsy 3.1.0 - hash db
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy 3.1.0 - hash db
|
From: Brian S. <bhs...@ya...> - 2014-09-10 13:11:19
|
I eventually discovered the hash databases listed on the "Add Data Source" -> "Configure Ingest Modules wizard" -> "Hash Lookup" side-panel, but none were selected by default. In another setup I tested, they must have been automatically selected. Once I manually selected the lists, everything worked well. We'll chalk this one up to user error... Thanks for your time, -Brian On Tuesday, September 9, 2014 9:51 PM, Brian Carrier <ca...@sl...> wrote: Hi Brian, When you added the image, you should have then gotten a list of modules to run and it sounds like the hash database module was enabled (otherwise you would not have seen those messages). Did you see the hash databases listed in the panel on the right when you selected the hash database module? Were they selected? thanks, brian On Sep 3, 2014, at 3:02 PM, Brian S. <bhs...@ya...> wrote: > Using hfind, I created two hash db indexes (1 custom, 1 based on NSRL) and added them to Autopsy 3.1.0. Command line searching using hfind works as expected, so I know the indexes are good. When I go to ingest new media, I get the messages listed below. I'd expect the "No known bad..." entry to appear, but not the second. Is this a result of user error or a bug? I've found the wiki documentation on the hash db "import" process to be pretty weak, so it easily could be user error. Thanks for your time. -Brian > > Module Subject > Hash lookup "No known bad hash database set" > Hash lookup "No known hash database set" > > > ------------------------------------------------------------------------------ > Slashdot TV. > Video for Nerds. Stuff that matters. > http://tv.slashdot.org/_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
