Hash Database Management Window

The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'.

Autopsy allows a single known bad hash database and the NIST NSRL to be set. Before either can be used, an index of it must exist. The index can be copied in directly or created from within Autopsy. When you select a database in this window, it will tell you whether the index still needs to be created. Autopsy uses the hash database management system from The Sleuth Kit, so you can also create an index manually with the 'hfind' command line tool.

Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation, and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad.

To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.

The 'known bad' hash database can be in the hashkeeper, md5sum, or NSRL format.

Autopsy uses hash databases when the image is added to the case. Each file is hashed and looked up in the configured databases. If the file is found in the NSRL, then it will be marked as 'known' in the case database. If it is found in the known bad hash database, it will be marked as 'known bad' in the case database.
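The lookup described above, together with the two database formats mentioned earlier (NSRL CSV and md5sum lists) and the effect of concatenating several NSRLFile.txt files, as an added example in Python. This is illustration code written for this page, not Autopsy's or The Sleuth Kit's own implementation: the sample database contents, file names and the rule that a 'known bad' match is reported ahead of an NSRL match are constructed assumptions for the example.

```python
import csv
import hashlib
import io

# Constructed fragment in the NSRLFile.txt CSV layout (NIST's header row followed
# by one record). The record is the zero-length file; its SHA-1 and MD5 were
# computed for this example, it is not a real NSRL entry.
NSRL_SAMPLE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E",'
    '"00000000","empty.txt","0","1","1",""\n'
)

# Constructed known-bad list in md5sum format: hex digest, two spaces, file name.
# The digest is MD5("hello\n"); the file name is made up.
KNOWN_BAD_SAMPLE = "b1946ac92492d2347c6235b4d2611184  dropper.bin\n"


def load_nsrl(text):
    """Return the set of upper-case MD5 digests in NSRL-format CSV text.

    When several NSRLFile.txt pieces are joined with 'cat', each piece brings
    its own header line; a repeated header parses as a row whose MD5 column
    is the literal word 'MD5', so such rows are skipped here.
    """
    digests = set()
    for row in csv.DictReader(io.StringIO(text)):
        md5 = (row.get("MD5") or "").strip().upper()
        if md5 and md5 != "MD5":
            digests.add(md5)
    return digests


def load_md5sum(text):
    """Return the set of upper-case MD5 digests in md5sum-format text."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digests.add(line.split()[0].upper())
    return digests


def classify(data, nsrl_md5, bad_md5):
    """Hash file contents and report 'known bad', 'known', or 'unknown'.

    Reporting a known-bad hit before an NSRL hit is this example's own choice
    (assumption), so that a file listed in both sets is not hidden as 'known'.
    """
    digest = hashlib.md5(data).hexdigest().upper()
    if digest in bad_md5:
        return "known bad"
    if digest in nsrl_md5:
        return "known"
    return "unknown"


def classify_files(files, nsrl_text=NSRL_SAMPLE, bad_text=KNOWN_BAD_SAMPLE):
    """Classify a {name: bytes} mapping against the two databases."""
    nsrl = load_nsrl(nsrl_text)
    bad = load_md5sum(bad_text)
    return {name: classify(data, nsrl, bad) for name, data in files.items()}


if __name__ == "__main__":
    # Constructed file contents standing in for files carved from an image.
    sample_files = {
        "empty.txt": b"",          # in the NSRL sample -> 'known'
        "dropper.bin": b"hello\n", # in the known-bad sample -> 'known bad'
        "notes.txt": b"unseen",    # in neither -> 'unknown'
    }
    for name, status in classify_files(sample_files).items():
        print(f"{name}: {status}")
```

The 'unknown' result is the interesting one for an investigator: it is the set left over once NSRL matches are ignored, which is what the File Search 'known status' filter lets you do in Autopsy.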

You can see the lookup results in a couple of places. In the File Search data explorer, there is an option to choose the 'known status': you can search for all 'known bad' files, or choose to ignore all 'known' files that were found in the NSRL. The status of a file is also shown in a column wherever the file is listed.

Currently, you cannot reprocess a disk image with a new hash database after it has been added to a case.