autopsy-flatpak/docs/doxygen-user/hashdb_lookup.dox
apriestman d07ef89d1a Updated CVT summary to include personas.
Added note that SHA-256 hash is now calculated.
Added that ileapp now supports disk images.
Updated copyright dates.
2021-01-07 11:21:25 -05:00


/*! \page hash_db_page Hash Lookup Module
[TOC]
What Does It Do
========
The Hash Lookup Module calculates MD5 hash values for files and looks up hash values in a database to determine if the file is notable, known (in general), included in a specific set of files, or unknown. SHA-256 hashes are also calculated, though these will not be used in hash set lookups.
Configuration
=======
The Hash Sets tab on the Options panel is where you can set and update your hash set information. Hash sets are used to identify files that are 'known', 'notable', or 'no change'.
\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such files, which are of no interest to the investigator, can greatly reduce image analysis time.
\li Notable (or known bad) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware.
\li No change files are files that can reveal information about the system but are not notable. For example, knowing an image contains many files known to be maps of London could be interesting to an investigator, but the maps themselves are not notable.
\section adding_hashsets Importing Hash Sets
To import an existing hash set, use the "Import Database" button on the Hash Sets options panel. This will bring up a dialog to import the file.
\image html hash_import.png
<b>Database Path</b> - The path to the hash set you are importing. Autopsy supports the following formats:
\li Text: One hash starting each line. For example, the output from running the md5, md5sum, or md5deep program on a set of files (*.txt)
\li Index only: Generated by Sleuth Kit/Autopsy. The NSRL is available in this format for use with Autopsy (\ref using_hashsets "see below") (*.idx)
\li Sleuth Kit/Autopsy format database: SQLite hash sets created by Autopsy (*.kdb)
\li EnCase: An EnCase hash set file (*.hash)
\li HashKeeper: Hash set file conforming to the HashKeeper standard (*.hsh)
<b>Destination</b> - The Destination field refers to where the hash set will be stored.
\li Local: The hash set file will be used from its original location on disk
\li Remote: The hash set will be copied into the \ref central_repo_page "central repository". When using a PostgreSQL central repository, this allows multiple users to easily share the same hash sets.
<b>Name</b> - Display name of the hash set. One will be suggested based on the file name, but this can be changed.
<b>Version</b> - The version of the hash set can only be entered when importing the hash set into the central repository. Additionally, no version can be entered if the hash set is not read-only.
<b>Source Organization</b> - The organization can only be entered when importing the hash set into the central repository. See the section on \ref cr_manage_orgs "managing organizations" for more information.
<b>Type of database</b> - All entries in the hash set should either be "known" (can be safely ignored), "notable" (could be indicators of suspicious behavior), or "no change" (known to be a certain type of file).
<b>Make database read-only</b> - The read-only setting is only active when importing the hash set into the central repository. A read-only database cannot have new hashes added to it through either the Hash Sets options panel or the context menu. For locally imported hash sets, whether they can be written to depends on the type of hash set. Autopsy format databases (*.kdb) can be edited, but all other types will be read-only.
<b>Send ingest inbox message for each hit</b> - Determines whether a message is sent for each matching file. This cannot be enabled for a "known" hash set.
<b>Copy hash set into user configuration folder</b> - Makes a copy of the hash set instead of using the existing one. This is intended to be used with a \ref live_triage_page drive.
\subsection hashset_indexing Indexing
After importing the hash set, you may have to index it before it can be used. For most hash set types, Autopsy needs an index of the hash set before it can use it; if you import only the hash set, Autopsy can create the index for you. Any hash sets that require an index will be displayed in red, and their "Index Status" will indicate that an index needs to be created. This is done simply by using the Index button.
\image html hash_indexing.png
Autopsy uses the hash set management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt to proceed without indexing a hash set, Autopsy will offer to automatically produce an index for you.
You can also specify only the index file and not use the full hash set - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Sets option panel.
\section creating_hashsets Creating Hash Sets
New hash sets can be created using the "New Hash Set" button. The fields are mostly the same as the \ref adding_hashsets "import dialog" described above.
\image html hash_new_db.png
In this case, the Database Path is where the new database will be stored. If the central repository is being used then this field is not needed.
\section hash_adding_hashes Adding Hashes to a Hash Set
Once you've created a hash set you'll need to add hashes to it. The first way to do this is using the "Add Hashes to Hash Set" button on the options panel. Each hash should be on its own line, and can optionally be followed by a comma and then a comment about the file that hash corresponds to. Here we are creating a "no change" hash set corresponding to cat images:
\image html hash_add.png
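As an added example (not Autopsy's own code), the script below parses hash sets in the text format described above and in the Text import format (one MD5 starting each line, as in md5sum output, optionally followed by a comma and a comment), hashes constructed sample files with MD5 and SHA-256 as the module does, and reports a notable / known / no change / unknown verdict. The precedence used when a file is in several sets is this example's assumption, not something the page states.

```python
import hashlib

HEX = set("0123456789abcdef")

def parse_hash_set(text):
    """Parse a text hash set: one MD5 per line, optionally followed by
    ",comment". Trailing filenames from md5sum output are ignored.
    Returns {md5: comment}; raises on anything that is not a 32-hex MD5."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                                   # blank lines are harmless
        hash_part, _, comment = line.partition(",")    # optional ",comment"
        md5 = hash_part.split()[0].lower()             # md5sum: "<hash>  <file>"
        if len(md5) != 32 or not set(md5) <= HEX:
            raise ValueError("not an MD5 hash: %r" % hash_part)
        entries[md5] = comment.strip()
    return entries

def hash_file(data):
    """Like the module: MD5 is used for lookups, SHA-256 is only recorded."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

# Assumption of this example: a notable hit outranks known, which outranks
# no change, when one file appears in several sets.
RANK = {"notable": 0, "known": 1, "no change": 2}

def lookup(md5, hash_sets):
    """hash_sets: list of (name, type, entries). Returns (status, hits)."""
    hits = [(n, t, e[md5]) for n, t, e in hash_sets if md5 in e]
    if not hits:
        return "unknown", []
    hits.sort(key=lambda h: RANK[h[1]])
    return hits[0][1], hits

def demo():
    # Constructed sample files and sets; hashes are computed, not hard-coded.
    files = {"cat.jpg": b"constructed cat picture",
             "notepad.exe": b"constructed OS binary",
             "diary.txt": b"constructed file in no set"}
    cat_md5 = hash_file(files["cat.jpg"])[0]
    os_md5 = hash_file(files["notepad.exe"])[0]
    sets = [
        ("Cats", "no change", parse_hash_set(cat_md5 + ", picture of a cat\n")),
        ("OS files", "known", parse_hash_set(os_md5 + "  notepad.exe\n")),
        ("Flagged", "notable", parse_hash_set(cat_md5 + ", reported image\n")),
    ]
    return {n: lookup(hash_file(d)[0], sets)[0] for n, d in files.items()}
```

Running demo() shows the cat image reported as notable even though it is also in the "no change" set, which is the kind of overlap worth knowing about before trusting a "known" verdict to skip files.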
The other way to add an entry to a hash set is through the context menu. Highlight the file you want to add to a hash set in the result viewer and right-click, then select "Add file to hash set" and finally the set you want to add it to. Note that this does not automatically add the file to the list of hash set hits for the current case - you will have to re-run the Hash Lookup ingest module to see it appear there.
\image html hash_add_context.png
\section using_hashsets Using Hash Sets
There is an \ref ingest_page "ingest module" that will hash the files and look them up in the hash sets. It will flag files that were in the notable hash set and those results will be shown in the Results tree of the \ref tree_viewer_page.
Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can search for all 'notable' files, or choose to ignore all 'known' files that were found in the NSRL. The status of a file is also shown in a column when the file is listed.
<br>
NIST NSRL
------
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. The NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
To use the NSRL, you may download a pre-made index from <A HREF="http://sourceforge.net/projects/autopsy/files/NSRL/">http://sourceforge.net/projects/autopsy/files/NSRL</A>. Download the <b>NSRL-XYZm-autopsy.zip</b> (where 'XYZ' is the version number; as of this writing, it is 247) and unzip the file. Use the "Tools", "Options" menu and select the "Hash Sets" tab. Click "Import Database" and browse to the location of the unzipped NSRL file. You can change the Hash Set Name if desired. Select the type of database desired, choosing "Send ingest inbox message for each hit" if desired, and then click "OK".
<br>
\image html nsrl_import_process.PNG
<br>
Using the Module
======
Ingest Settings
------
When hash sets are configured, the user can select the hash sets to use during the ingest process.
\image html hash-lookup.PNG
Seeing Results
------
Results show up in the tree as "Hashset Hits", grouped by the name of the hash set. If the hash set hits had associated comments, you will see them in the "Comment" column in the result viewer along with the file hash.
\image html hashset-hits.PNG
You can also view the comments on the "Annotation" tab of the content viewer.
*/