±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35984
New Yesterday: 7 Visitors: 206

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Autopsy 4.4.0 and NSRL 2.56

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

mrpumba
Senior Member
 

Autopsy 4.4.0 and NSRL 2.56

Post Posted: Jun 06, 17 14:38

I'm using Autopsy Forensics 4.4.0 and tried to load NSRL 2.56 Modern March 2017. I downloaded the NSRL file, unzipped the hash set which totaled around 13G and using windows 10 default and also 7zip to unzip the zip file. I was able to point to the reference hash set but when I tried to index the file, I immediately received an error and it ended after selecting "ok" in the error message. I then used 7zip to unzip the file and again was able to point to the reference but this time about 5 minutes into the Indexing, received the same error. I did this several times and received the a consistent error.........I know insanity........ or as I look at it, persistence Smile

I then downloaded the legacy hash set, 2.56 March 2017, unzipped it with 7zip, pointed to the hash set and Indexed it.......no problems....SUCCESS!

Just wondering if anyone using Autopsy Forensics 4.4.0 had the same results between the Legacy vs Modern hash set?  
 
  

athulin
Senior Member
 

Re: Autopsy 4.4.0 and NSRL 2.56

Post Posted: Jun 06, 17 17:38

- mrpumba
I was able to point to the reference hash set but when I tried to index the file, I immediately received an error and it ended after selecting "ok" in the error message.


And what error message did you receive?

(Added: 'Error indexing NSRLFile hash database'? Totally useless message ... but if you really want to know why 4.4.0 fails to import NSRL 2.56 you probably have to ask the autopsy people for support.)

(Added more: Looks like Sleuthkit hfind -- I'm testing TSK 4.4.1 -- keeps at the job a bit longer, as in:

hfind -i nsrl_md5 .../NSRLFile.txt

and you'll get a NSRLFile.txt-md5-ns.idx as result. Once you have that, try to import the NSRLFile.txt again.)  
 
  

mrpumba
Senior Member
 

Re: Autopsy 4.4.0 and NSRL 2.56

Post Posted: Jun 07, 17 01:25

Athulin, About it being "Totally useless message ... " Yep....yep..... it is. The message says "Error indexing NSRLFile hash database." I'll try your suggestion and see if that works. Thanks  
 
  

pcstopper18
Senior Member
 

Re: Autopsy 4.4.0 and NSRL 2.56

Post Posted: Jun 07, 17 20:37

I have had trouble in the past with a couple of Autopsy versions. I have not been able to determine the cause. If you do, please pass on what you find out.

In the meantime, use TSK hfind as athulin suggested. That will create the index file needed and point autopsy to that file. That has always worked for me in the past.
_________________
Preston Coleman, MFS, GCFE, EnCE

"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke 
 

Page 1 of 1