Join Us!

Autopsy 4.4.0 and N...
 
Notifications
Clear all

Autopsy 4.4.0 and NSRL 2.56  

  RSS
mrpumba
(@mrpumba)
Active Member

I'm using Autopsy Forensics 4.4.0 and tried to load NSRL 2.56 Modern March 2017. I downloaded the NSRL file, unzipped the hash set which totaled around 13G and using windows 10 default and also 7zip to unzip the zip file. I was able to point to the reference hash set but when I tried to index the file, I immediately received an error and it ended after selecting "ok" in the error message. I then used 7zip to unzip the file and again was able to point to the reference but this time about 5 minutes into the Indexing, received the same error. I did this several times and received the a consistent error………I know insanity…….. or as I look at it, persistence )

I then downloaded the legacy hash set, 2.56 March 2017, unzipped it with 7zip, pointed to the hash set and Indexed it…….no problems….SUCCESS!

Just wondering if anyone using Autopsy Forensics 4.4.0 had the same results between the Legacy vs Modern hash set?

Quote
Posted : 06/06/2017 3:38 pm
athulin
(@athulin)
Community Legend

I was able to point to the reference hash set but when I tried to index the file, I immediately received an error and it ended after selecting "ok" in the error message.

And what error message did you receive?

(Added 'Error indexing NSRLFile hash database'? Totally useless message … but if you really want to know why 4.4.0 fails to import NSRL 2.56 you probably have to ask the autopsy people for support.)

(Added more Looks like Sleuthkit hfind – I'm testing TSK 4.4.1 – keeps at the job a bit longer, as in

hfind -i nsrl_md5 …/NSRLFile.txt

and you'll get a NSRLFile.txt-md5-ns.idx as result. Once you have that, try to import the NSRLFile.txt again.)

ReplyQuote
Posted : 06/06/2017 6:38 pm
mrpumba
(@mrpumba)
Active Member

Athulin, About it being "Totally useless message … " Yep….yep….. it is. The message says "Error indexing NSRLFile hash database." I'll try your suggestion and see if that works. Thanks

ReplyQuote
Posted : 07/06/2017 2:25 am
pcstopper18
(@pcstopper18)
Member

I have had trouble in the past with a couple of Autopsy versions. I have not been able to determine the cause. If you do, please pass on what you find out.

In the meantime, use TSK hfind as athulin suggested. That will create the index file needed and point autopsy to that file. That has always worked for me in the past.

ReplyQuote
Posted : 07/06/2017 9:37 pm
Share: