mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/hash_database_management_window.dox
sidheshenator 31d24a5756 Generated Doxygen pages corresponding to JavaHelp
2015-02-04 17:17:57 -05:00

27 lines
3.3 KiB
Plaintext
Raw Blame History

/*! \page hash_database_management_window Hash Database Management Window
The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'.
\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
\li Known bad (also called notable) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware.
\section notable_known_bad_hashsets Notable / Known Bad Hashsets
Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:
\li EnCase: An EnCase hashset file.
\li MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.
\li NSRL: The format of the NSRL database.
\li HashKeeper: Hashset file conforming to the HashKeeper standard.
<b>NIST_NSRL:</b>
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.
\section adding_hashsets Adding Hashsets
Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window.
\section using_hashsets Using Hashsets
There is an \ref ingest "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref directory_tree "Data Explorer".
Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.
\image html hash-database-configuration.PNG
*/
Reference in New Issue View Git Blame Copy Permalink