I downloaded and installed Autopsy on a Windows 7 virtual machine running under VMware. Please see my earlier post on how to configure VMware under Kali Linux.
Once the evidence is in a dd image, you can go to the menu and create a new case in Autopsy. After creating the case, you add the data source. As explained earlier, my VM is linked to the Kali download folder, so the dd images are recognised from my main machine.
I have 10 images that I collected and am analysing one by one. The expected time per analysis is about 1 day. Once the results are complete, I will create a new post.
Sunday, April 23, 2017
Hash Database Help
As per the Sleuthkit.org page, there are hash databases that can be used to identify known good and known bad files by their MD5 or SHA-1 checksum values.
The different databases are:
- NIST NSRL
- Ignore
- Alert
The Ignore and Alert databases have to be created by the investigator. The NSRL one, by contrast, already contains the hashes of files found in operating systems and software distributions, so I will use the NIST NSRL database.
Although it does not need to be created, the downloaded database still has to be imported into Autopsy and indexed before it can be used.
Following the instructions from the Autopsy page1 and page2, I first downloaded the NSRL database file from the SourceForge page. For more configuration details see here.
Once downloaded, extract the archive. You should see 2 index files plus a Word document with instructions.
After extracting the files, open Autopsy (I have now updated to 4.3.0) and go to Tools > Options > Hash Databases. Click Import Database and browse to the path where you extracted the files.
Select the .idx file and click Open. Under Type of database, select the Known (NSRL or other) option. The NSRL database should now appear in the list. Click Apply and then OK to complete.
Now go to Case, create a new case, and proceed as with any new case; the Hash Lookup ingest module will mark files whose hashes match the NSRL set as known.
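As an added example (not part of the original post, and not Autopsy's own code), the Python script below does by hand what Autopsy's hash lookup does with the three database types listed above: it parses hash lists, hashes every file under a directory, and classifies each file as notable (Alert set), known (NSRL or Ignore set) or unknown. The hash lists, the sample files, and the rule that an Alert hit takes precedence over a known hit are constructed assumptions for this example; the list format is one hash per line (optionally `hash|filename`), not Autopsy's `.idx` format.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample hash lists standing in for the three Autopsy database
# types. The values are the MD5s of the sample files created in demo_run();
# they are NOT real NSRL entries. Lines may be a bare hash or "hash|filename".
NSRL_LIKE_TXT = """
# known good: files that ship with the OS / software distributions
5d41402abc4b2a76b9719d911017c592|hello.txt
D41D8CD98F00B204E9800998ECF8427E|empty.dat
"""
IGNORE_TXT = """
# known good: investigator-created, e.g. the organisation's own installers
"""
ALERT_TXT = """
# known bad: investigator-created, e.g. hashes taken from a malware report
900150983cd24fb0d6963f7d28e17f72
"""

HEX_LENGTHS = {32, 40}  # MD5 and SHA-1, the digests the NSRL publishes


def parse_hash_list(text: str) -> set[str]:
    """Return the lowercase hashes in a list; skip blank and '#' lines and
    reject any field that is not an MD5/SHA-1 hex digest."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field = line.split("|", 1)[0].split()[0].lower()
        if len(field) in HEX_LENGTHS and all(c in "0123456789abcdef" for c in field):
            hashes.add(field)
        else:
            raise ValueError(f"malformed hash list entry: {line!r}")
    return hashes


def file_md5(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large files from an image fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, known: set[str], notable: set[str]) -> str:
    """Notable wins over known: a hash present in both sets is still an alert
    (precedence chosen for this example, an assumption)."""
    if digest in notable:
        return "notable"
    if digest in known:
        return "known"
    return "unknown"


def triage(root: Path, known: set[str], notable: set[str]) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its verdict."""
    return {
        p.relative_to(root).as_posix(): classify(file_md5(p), known, notable)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def demo_run() -> dict[str, str]:
    """Build a constructed evidence tree in a temp dir and triage it."""
    known = parse_hash_list(NSRL_LIKE_TXT) | parse_hash_list(IGNORE_TXT)
    notable = parse_hash_list(ALERT_TXT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "hello.txt").write_bytes(b"hello")       # NSRL-like set
        (root / "empty.dat").write_bytes(b"")                        # NSRL-like set
        (root / "dropper.bin").write_bytes(b"abc")                   # Alert set
        (root / "notes.txt").write_bytes(b"The quick brown fox")     # in no set
        return triage(root, known, notable)


if __name__ == "__main__":
    for name, verdict in demo_run().items():
        print(f"{verdict:8} {name}")
```

The "unknown" bucket is the investigator's review queue; everything NSRL already accounts for drops out of it, which is the point of importing the database. Because NSRL and most Alert lists are keyed on MD5, a match only says the bytes hash to that value: treat a known-good hit as triage that saves time, not as proof, and confirm a notable hit with a stronger digest or a second indicator before reporting it.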