TSK / Autopsy 2.24 working with NSRL hashes.

5 Posts
3 Users
0 Reactions
1,880 Views
 ptyo
(@ptyo)
Active Member
Joined: 12 years ago
Posts: 13
Topic starter  

I'm very new to all this, so please be aware my knowledge is very small on Linux and forensics currently. OK, so I'm currently working on a child porn case using Autopsy 2.24. I already know these images exist in the pagefile.sys and unallocated space thanks to an old version of EnCase 4.0. Naturally, when I ran EnCase I didn't know about the NSRL file hashes and what they did to reduce the number of files I had to review, and believe me, I reviewed way more than I wanted to.

So currently I'm learning Autopsy 2.24 to try and get more information for this case. I have finally imported my expert witness file thanks to some help from the forum members. Now I want to sort the files but use the NSRL hashes so I hopefully have a lot less to review. The problem I now face is how do I set all this up so it actually works.

Here is what I currently have done and know.
Found this article, which is very similar to what I want to do, on the forums after I conducted a search:
NSRL no Longer recognised by TSK / Autopsy. It led me to a few things.

First, my conf.pl file looks like this.
# Autopsy configuration settings

# when set to 1, the server will stop after it receives no
# connections for STIMEOUT seconds.
$USE_STIMEOUT = 0;
$STIMEOUT = 3600;

# number of seconds that child waits for input from client
$CTIMEOUT = 15;

# set to 1 to save the cookie value in a file (for scripting)
$SAVE_COOKIE = 1;

$INSTALLDIR = '/usr/share/autopsy/';

# System Utilities
$GREP_EXE = '/bin/grep';
$FILE_EXE = '/usr/bin/file';
$MD5_EXE = '/usr/bin/md5sum';
$SHA1_EXE = '/usr/bin/sha1sum';

# Directories
$TSKDIR = '/usr/bin/';
$NSRLDB = '';
$LOCKDIR = '/var/lib/autopsy/';

I'm under the impression I need to add the path to wherever I put the NSRL hashes, something like
$NSRLDB = '/var/lib/NSRLhashes/NSRLFile.txt';
instead of the current
$NSRLDB = '';
Which leads me to my next issue. What do I have to download from NSRL Downloads?
Hashes of the zip files
Encase
Hashkeeper
Vogon
AccessData Known File Filter (KFF) tool for FTK updates

I'm under the impression whichever one I download there will be four CD sets: A, B, C, D.
The article I found on the forums here made a reference to a couple commands.

hfind -i nsrl-md5 /media/DATA/nsrl/NSRLFile.txt
and
hfind -i nsrl-sha1 /media/DATA/nsrl/NSRLFile.txt

So do I do the same thing but put the correct location I declared in my conf.pl, /var/lib/NSRLhashes?

And when going through the www.sleuthkit.org/informer/ I saw where Brian Carrier stated the list from NSRL contains all files, even, say, trojan horses or rootkits, which shouldn't matter in what I'm currently doing, I don't think. Just curious as to whether you can go through the hashes and, say, separate them so you have a hash set of files like hacking tools etc.

Well, any direction on all this would be appreciated. I'm getting a headache from all this and apparently need to suck down a Mountain Dew… LOL

Thanks,

Pete


   
Quote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

And when going through the www.sleuthkit.org/informer/ I saw where Brian Carrier stated the list from NSRL contains all files, even, say, trojan horses or rootkits, which shouldn't matter in what I'm currently doing, I don't think. Just curious as to whether you can go through the hashes and, say, separate them so you have a hash set of files like hacking tools etc.

No, not really. The NSRL files are just 'known' files, i.e. files that a user hasn't edited or modified, but there's no way to say from the data if one particular hash identifies a known-good or a known-bad file.

The hashes are classified, so you can find 'hacking tools' in there, but that typically only means that everything on a CD or equivalent package was identified as such, usually from the CD sleeve or label. If there was a copy of the GNU Public License on a 'hacking tools' CD, it would also have been classified as 'hacking tool'. And if there was a Microsoft runtime redistributable package on it, it would also have been identified as a 'hacking tool' – which obviously isn't correct.

There are instructions on how to create a 'known-bad' list from the NSRL hashes on the net (in some SANS blog, I believe), but I wouldn't recommend anyone trusting them without doing a careful analysis of the hashes on their own.


   
ReplyQuote
 ptyo
(@ptyo)
Active Member
Joined: 12 years ago
Posts: 13
Topic starter  

athulin, thanks for clarifying that; it makes sense the more I think about it. I did come across the information about using the hash sets from NSRL that answers some of my questions. Here is the link: TSK introduction paper, page 14 of the PDF. Below is a small excerpt from the page on what I need to do.

Hash Databases
Now, let's take a step back and learn more about the utility that creates the hash databases sorter can use, hfind. hfind basically allows the user to look up hashes for NIST NSRL, Hashkeeper, as well as MD5sum hash databases. Prior to any lookups being performed, the database must be indexed by running hfind with the index flag (-i), followed by the index type. The type may be nsrl-md5 (NSRL database indexed with MD5 values), nsrl-sha1 (NSRL database indexed with SHA-1 values), md5sum (a database created by the md5sum tool), or hk (HashKeeper database indexed with MD5 values).

For example, to index an MD5 NSRL database, the following command may be used:
# hfind -i nsrl-md5 /usr/local/nsrl/NSRLFile.txt
I also came across some other literature, so I know that I need the MD5 hashes. So now the confusion comes into play. According to the NSRL site, the res_2.39 contains

12-01-2012 - RDS Version 2.39

Version 2.39 of the RDS is contained on a single DVD

–Disc Contents

NSRLFile.txt.zip
NSRLMfg.txt
NSRLOS.txt
NSRLProd.txt
read_me.txt

NSRLFile.txt.zip contains a single, unified NSRLFile.txt. When
decompressed, NSRLFile.txt contains a hash set with a total of
95,909,479 files, 29,311,203 of which are unique SHA-1 values.

Which would lead me to believe that there are no md5 hashes in this particular list. The site also has this

NIST has also converted the RDS format data into data files for some commercial products

Hashes of the zip files
Encase
Hashkeeper
Vogon
AccessData Known File Filter (KFF) tool for FTK updates

Then I was researching in FAQ's on the NIST site and came across this Data Formats of the NSRL Reference List which would lead me to believe that md5 hashes are included.

So what do I need to download from the NSRL site to get the NSRL list in MD5 format?

Thanks,

pete
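The two points raised in this thread, that NSRLFile.txt carries an MD5 column alongside the SHA-1 (so an nsrl-md5 index can be built from it) and athulin's point that an NSRL "classification" is attached to a whole product rather than to an individual file, can be seen directly in the data layout. The script below is an added example and is not code from the thread, from The Sleuth Kit or from NIST. It assumes the RDS 2.x CSV column headers for NSRLFile.txt and NSRLProd.txt as I know them; every row is constructed here, with hashes computed from made-up file contents so the rows stay consistent. It builds an MD5 index in memory (the same idea hfind -i nsrl-md5 implements on disk) and looks up file contents against it.

```python
"""Parse an NSRLFile.txt-style hash set, index it by MD5 and look files up.

Added example; assumed RDS 2.x column layout, constructed rows.
"""
import csv
import hashlib
import io
import zlib

# Assumed RDS 2.x headers (not taken from the thread).
FILE_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'
PROD_HEADER = '"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"'

# Constructed products: an ordinary OS and a CD whose label says "hacking tools".
NSRL_PROD_SAMPLE = PROD_HEADER + "\n" + "\n".join([
    '1,"Example OS","1.0","WIN","EX","English","Operating System"',
    '2,"Example Tools CD","2.0","WIN","EX","English","Hacking Tool"',
]) + "\n"

# Constructed files: (file name, file contents, product code). The licence text
# ships on the tools CD, so it inherits that product's classification.
SAMPLE_FILES = [
    ("notepad.exe", b"constructed notepad bytes", 1),
    ("COPYING", b"GNU GENERAL PUBLIC LICENSE (constructed excerpt)", 2),
    ("scanner.exe", b"constructed scanner bytes", 2),
]


def build_sample_nsrlfile(files=SAMPLE_FILES):
    """Render the constructed files as NSRLFile.txt rows (SHA-1, MD5, CRC32...)."""
    lines = [FILE_HEADER]
    for name, data, product in files:
        lines.append('"%s","%s","%08X","%s",%d,%d,"WIN",""' % (
            hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            zlib.crc32(data) & 0xFFFFFFFF,
            name, len(data), product))
    return "\n".join(lines) + "\n"


def load_md5_index(nsrl_text):
    """Index rows by MD5. One hash can appear under several names and
    products, so every row is kept: {MD5: [(FileName, ProductCode), ...]}."""
    index = {}
    for row in csv.DictReader(io.StringIO(nsrl_text)):
        index.setdefault(row["MD5"].upper(), []).append(
            (row["FileName"], int(row["ProductCode"])))
    return index


def load_product_types(prod_text):
    """Map ProductCode -> ApplicationType from NSRLProd.txt."""
    return {int(r["ProductCode"]): r["ApplicationType"]
            for r in csv.DictReader(io.StringIO(prod_text))}


def lookup(md5_index, product_types, data):
    """Return ("known", [(FileName, ApplicationType), ...]) for hashes present
    in the set, or ("unknown", []). "known" only means "seen on a product NIST
    hashed"; the type comes from the product, not from the file itself."""
    digest = hashlib.md5(data).hexdigest().upper()
    hits = md5_index.get(digest, [])
    return ("known" if hits else "unknown",
            [(name, product_types.get(code, "?")) for name, code in hits])


if __name__ == "__main__":
    index = load_md5_index(build_sample_nsrlfile())
    types = load_product_types(NSRL_PROD_SAMPLE)
    for name, data, _ in SAMPLE_FILES + [("unknown.bin", b"never seen", 0)]:
        print(name, lookup(index, types, data))
```

Running it shows the "known" hit for COPYING tagged "Hacking Tool" purely because that product was labelled that way, which is exactly why a known-bad list derived from the product type needs hash-by-hash review.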


   
ReplyQuote
 ptyo
(@ptyo)
Active Member
Joined: 12 years ago
Posts: 13
Topic starter  

Okay, got things working. Basically, what I explained above is what I did…

Downloaded RDS_239.iso from NSRL, about 2.5 gig. Extracted it, which contained the actual NSRLFile.txt, and moved it where I wanted it.

Then indexed it with the hfind command…

Thanks,

Pete


   
ReplyQuote
(@nistnsrl)
New Member
Joined: 12 years ago
Posts: 1
 

Pete,

It sounds like you solved your questions, but you pointed out some shortfalls in our documentation. We will work to make that clearer.

If you have questions about the NSRL in the future, you can email us at nsrl at nist dot gov.

Doug


   
ReplyQuote
Share: