The different databases are:
- NIST NSRL
- Ignore
- Alert
The Ignore and Alert databases have to be created by the investigator. The NSRL database, by contrast, already contains a collection of files found in operating systems and from software distributors. Therefore I will use the NIST NSRL database.
Although it does not need to be created, I still have to attach the downloaded database and index it before it can be used.
Following the instructions from the Autopsy page1 and page2, I first downloaded the NSRL database file from the Sourceforge page. For more configuration, see here.
Once the file is downloaded, extract its contents. You should see 2 index files plus a Word document with instructions.
After extracting the files, open Autopsy (I have now updated to 4.3.0) and go to Tools > Options > Hash Databases. Select the Import database option and then browse to the path used when you extracted the files.
In that path, select the idx file and then click Open. Under Type of database, select the Known (NSRL or other) option. The NSRL database will then appear in the list. Click Apply and OK to complete.
Now, go to Case and select a new case... then proceed as with any new case.
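
What the three hash database types do to files in a case, as an added example that is not from the original post and not Autopsy's own code: it reads MD5 values from text in the NSRL RDS 2.x `NSRLFile.txt` column layout and classifies files as known, alert or unknown. The sample data, the function names and the rule that Alert is checked before the known sets are assumptions made for this sketch.

```python
import csv
import hashlib
import io

def md5_hex(data: bytes) -> str:
    # NSRL lists hashes as upper-case hex, so normalise to that form.
    return hashlib.md5(data).hexdigest().upper()

def load_nsrl_md5(text: str) -> set:
    """Collect the MD5 column from NSRLFile.txt-style CSV text."""
    return {row["MD5"].strip().upper() for row in csv.DictReader(io.StringIO(text))}

def classify(files: dict, nsrl: set, ignore: set, alert: set) -> dict:
    """Map each file name to 'alert', 'known' or 'unknown'.

    Assumption: Alert is checked first, so a flagged hash is never
    hidden because it also appears in NSRL or the Ignore set.
    """
    verdicts = {}
    for name, data in files.items():
        digest = md5_hex(data)
        if digest in alert:
            verdicts[name] = "alert"
        elif digest in nsrl or digest in ignore:
            verdicts[name] = "known"
        else:
            verdicts[name] = "unknown"
    return verdicts

# Constructed sample data: stand-in file contents, not real NSRL entries.
EVIDENCE = {
    "notepad.exe": b"constructed stand-in for an OS file",
    "tool.bin": b"constructed stand-in for a flagged file",
    "report.docx": b"constructed stand-in for a user document",
}
_os = EVIDENCE["notepad.exe"]
NSRL_SAMPLE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{hashlib.sha1(_os).hexdigest().upper()}","{md5_hex(_os)}","00000000",'
    f'"notepad.exe",{len(_os)},1,"WIN",""\n'
)
ALERT = {md5_hex(EVIDENCE["tool.bin"])}  # investigator-built Alert set

def run_demo() -> dict:
    return classify(EVIDENCE, load_nsrl_md5(NSRL_SAMPLE), set(), ALERT)

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8} {name}")
```

Files that come back as "known" are the ones an examiner can set aside, which leaves the alert and unknown files for review.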