Good day,
I am running Autopsy 2.24-1 and TSK 3.1.3-1 with the associated libraries on Linux Mint (32) ver 11. I also have the minimal NSRL files and my conf.pl pointed to the correct directory. My exam machine is only connected to the network when I update files / software, so maybe once a week if that.
Here is my conundrum.
I have examined dozens of images against the NSRL hash set with this set-up with no problem at all. Last week I finished a 500 GB Win 7 (64-bit) image with no problems. This would involve sorting the files, mostly images, against the NSRL sets, as well as searches.
Today, I attempted to sort a 120 GB drive (Vista 64-bit), primarily images, and received the following errors.
Error running 'hfind'
Cannot determine hash database type (hdb_open Error determining DB type)
I have created a DB reference using the following.
hfind -i nsrl-md5 /media/DATA/nsrl/NSRLFile.txt
and
hfind -i nsrl-sha1 /media/DATA/nsrl/NSRLFile.txt
It is curious how it was working fine, then stopped being recognized. Nothing has changed on the machine software wise. The only difference is the image type.
I usually create images in Encase format with FTK Imager, but this one was created with dcfldd. I have created dd images with FTK Imager, and they all worked fine, so I am not 100% sure it is the image type. Just in case, I am making a second image in EWF to check against.
The only other thing I have noticed is the NSRL files have my username as the owner, and the permission set as 500.
Even though this has worked in the past, I attempted to chown/chmod the NSRL files as root. For whatever reason, the system will not allow that to happen.
I have no problems viewing the file structure of the image in the autopsy browser.
Thanks in advance.
Curt
Error running 'hfind'
Cannot determine hash database type (hdb_open Error determining DB type)
That's where to start looking. Has the database in question been changed since last time you used it? Or has software been updated? (Note I don't ask if *you* changed or updated anything, but if anything has been changed or updated. Might be a system patch or an updated system library.) What about the database itself?
It is curious how it was working fine, then stopped being recognized. Nothing has changed on the machine software wise. The only difference is the image type.
But the error message you cited concerns the hash database. hfind builds a hash database or searches for entries in the hash database. The lookup file is a simple text file. The image file is not involved at all.
And as the error message says that it doesn't recognize the database, it seems likely that something went wrong when it was created, or perhaps that the file it has been given isn't a hfind database at all. Or possibly that the hash database has somehow got clobbered since you last used it successfully.
I'd probably look at the source code of hfind to see how it recognizes a database file, and then check if that magic number or whatever is present in the file. (If the code emits the same error message for multiple errors, I'd try to narrow it down to a specific condition, and concentrate on that.)
Anyhow I'd try to build a small test database just to see that hfind will recognize a database that it has created.
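The two checks suggested above (does the file carry the header hfind looks for, and does hfind recognise a small database it built itself) can be scripted. The following is an added example, not code from the thread or from The Sleuth Kit: it reads the first line of a candidate database, guesses the type from the signatures I believe TSK 3.x hfind auto-detection uses (the NSRL CSV header, the hashkeeper header, or an md5sum-style line), and reports whether the file is readable by the current user and whether the `-md5.idx` sidecar that `hfind -i` writes is present. The header strings and the index file name are assumptions from my reading of the hashdb source; compare them with the copy of hfind actually installed. The sample files it builds are constructed for the demo and are not real NSRL data.

```python
import os
import re
import sys
import tempfile

# First-line signatures that, as I read the TSK 3.x hash-database code, the
# hfind auto-detection uses to decide the database type. These are assumptions;
# check them against the hdb source of the hfind you have installed.
NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName"'
HASHKEEPER_HEADER = '"file_id","hashset_id"'
MD5SUM_LINE = re.compile(r'^[0-9a-fA-F]{32} [ *]\S.*$')


def classify_first_line(line):
    """Guess the hash-database type from its first text line, or return None."""
    line = line.rstrip('\r\n')
    if line.startswith(NSRL_HEADER):
        return 'nsrl'
    if line.startswith(HASHKEEPER_HEADER):
        return 'hashkeeper'
    if MD5SUM_LINE.match(line):
        return 'md5sum'
    return None


def index_path(db_path, hash_type):
    """Sidecar index written by `hfind -i <type>` (assumed name: <db>-<hash>.idx)."""
    return '%s-%s.idx' % (db_path, hash_type)


def check_hash_db(db_path, hash_type='md5'):
    """Collect what hfind needs: file exists, is readable by this user,
    starts with a recognisable line, and has its index sidecar."""
    report = {'path': db_path, 'exists': os.path.isfile(db_path), 'readable': False,
              'db_type': None, 'index_present': False, 'problems': []}
    if not report['exists']:
        report['problems'].append('database file missing')
        return report
    report['readable'] = os.access(db_path, os.R_OK)
    if not report['readable']:
        report['problems'].append('not readable by uid %d' % os.getuid())
        return report
    with open(db_path, 'rb') as f:
        raw = f.readline(4096)          # only the first line matters for detection
    if not raw:
        report['problems'].append('file is empty')
        return report
    if b'\x00' in raw:
        report['problems'].append('first line contains NUL bytes; not a text database')
        return report
    report['db_type'] = classify_first_line(raw.decode('ascii', 'replace'))
    if report['db_type'] is None:
        report['problems'].append('first line matches no known header: %r' % raw[:60])
    idx = index_path(db_path, hash_type)
    report['index_present'] = os.path.isfile(idx) and os.access(idx, os.R_OK)
    if not report['index_present']:
        report['problems'].append('index %s missing or unreadable; rerun hfind -i' % idx)
    return report


# Constructed sample content for a self-contained run (not real NSRL rows).
SAMPLE_NSRL = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\r\n'
    '"000000206738748EDD92C4E3D2E823896700F849","392126E756571EBF112CB1C1CDEDF926",'
    '"EBD105A0","I05002T2.PFB",98865,3095,"WIN",""\r\n'
)
SAMPLE_MD5SUM = 'd41d8cd98f00b204e9800998ecf8427e  empty.bin\n'


def make_sample_dir():
    """Write a good NSRL file (with an index), an md5sum file and a junk file."""
    d = tempfile.mkdtemp(prefix='hfind-check-')
    good = os.path.join(d, 'NSRLFile.txt')
    with open(good, 'w') as f:
        f.write(SAMPLE_NSRL)
    with open(index_path(good, 'md5'), 'w') as f:
        f.write('')                     # placeholder; hfind writes the real index
    sums = os.path.join(d, 'sums.txt')
    with open(sums, 'w') as f:
        f.write(SAMPLE_MD5SUM)
    junk = os.path.join(d, 'image.dd')
    with open(junk, 'wb') as f:
        f.write(b'\xeb\x52\x90NTFS    \x00\x02')   # boot-sector-like bytes, not a hash DB
    return d, good, sums, junk


if __name__ == '__main__':
    paths = sys.argv[1:] or list(make_sample_dir()[1:])
    for p in paths:
        r = check_hash_db(p)
        print('%s: type=%s readable=%s index=%s' % (p, r['db_type'], r['readable'],
                                                    r['index_present']))
        for problem in r['problems']:
            print('  - ' + problem)
```

Run it as the same account Autopsy runs under (`python check.py /media/DATA/nsrl/NSRLFile.txt`), since the readability result reflects that user's permissions; a file owned by another user with mode 500 on a mount that refuses chown will show up here as unreadable rather than as a format problem.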
Thanks for the reply. I am going back and seeing what updates might have influenced the NSRL file. I currently have autopsy/TSK running on my laptop using Cygwin & the NSRL hash set with no problems at all on my .dd image.
When I get some more time in the next day or two, I will go through the Mint install and try to track down exactly what happened. Before I go home, I will build a test DB and give it a try as well.
Obviously I am relatively new to working with images. But rather than being given an absolute solution, I much prefer being pointed in the right direction and working it out from there. For me, it is the best way to learn. Again thanks for the pointer Athulin.