Autopsy includes a Hash Database Lookup Module that uses MD5 hash values to determine whether a file is known. This quick write-up takes you through the steps to add the NIST National Software Reference Library (NSRL) so that known good files can be excluded from your investigation.
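To make the mechanism concrete, here is an added example (not code from Autopsy or from this post) of the lookup the module performs: hash every file under an evidence tree with MD5 and split the files into "known" (excludable) and "unknown" (needs review) by checking each digest against a hashset. The hashset format, the directory layout and the file contents are all constructed for the example; Autopsy's real NSRL `.idx` file is a different, indexed format and is not parsed here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a "known" hashset (hypothetical, not the NSRL and
# not Autopsy's .idx format): a set of lowercase hex MD5 digests.
KNOWN_GOOD_MD5 = {
    hashlib.md5(b"hello world\n").hexdigest(),            # pretend catalogued OS file
    hashlib.md5(b"GNU General Public License").hexdigest(),  # pretend catalogued license text
}


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hashset(path):
    """Load a one-digest-per-line text hashset (constructed format).

    Blank lines and '#' comments are skipped, a trailing '|extra' column is
    tolerated, and digests are lowercased so lookups are case-insensitive.
    """
    hashes = set()
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            hashes.add(line.split("|", 1)[0].lower())
    return hashes


def triage(root, known):
    """Walk a directory tree and return (known_files, unknown_files).

    This mirrors what the Hash Lookup module does per data source: a digest
    that matches the known set is filtered out, everything else stays in scope.
    """
    root = Path(root)
    known_files, unknown_files = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            (known_files if md5_file(p) in known else unknown_files).append(rel)
    return sorted(known_files), sorted(unknown_files)


def demo():
    """Build a constructed evidence tree plus hashset in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        (ev / "Windows").mkdir(parents=True)
        (ev / "Users").mkdir()
        (ev / "Windows" / "readme.txt").write_bytes(b"hello world\n")
        (ev / "Windows" / "LICENSE").write_bytes(b"GNU General Public License")
        (ev / "Users" / "notes.txt").write_bytes(b"meeting at 9, bring the USB key\n")

        hashset = Path(tmp) / "known.txt"
        rows = "\n".join(f"{h.upper()}|demo" for h in sorted(KNOWN_GOOD_MD5))
        hashset.write_text("# constructed hashset\n" + rows + "\n")

        return triage(ev, load_hashset(hashset))


if __name__ == "__main__":
    known, unknown = demo()
    print("known (excluded from review):", known)
    print("unknown (still in scope):    ", unknown)
```

A match here means only "this digest appears in the catalogue", which is why Autopsy files NSRL matches under Known rather than Notable: the value of the lookup is shrinking the pile of files an examiner has to look at, not passing judgement on the rest.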
Step 1 – Obtain the Hash Database
The creators of Autopsy release a version of the NSRL database indexed in a form that Autopsy imports directly; this is the easiest way to incorporate the NSRL into your Autopsy setup. Head on over to https://sourceforge.net/projects/autopsy/files/NSRL/ to obtain the latest version. They have also recently added versions for Android and iOS known files. Using your favorite compression software, unzip the downloaded archive (at ArrogantGeek we will be using 7zip).
Step 2 – Add the NSRL Hashset into Autopsy
- Launch Autopsy
- Navigate to the Tools > Options menu.
- From the top ribbon select Hash Database.
- Select Import Database.
- Select Open.
- Navigate to the .idx file located within the extracted content from step 1.
- Ensure Known (NSRL or other) is selected, and click OK.
The NSRL database has now been added to Autopsy and you are ready to use it in your next investigation.
Step 3 – Using the NSRL
Now that we have added the NSRL hashset, it will be available to the Hash Lookup ingest module, which can be run when adding a new data source or by selecting Tools > Run Ingest Module.
Once on the Configure Ingest Modules dialog, be sure to select the Hash Lookup module; your newly added hashset should be listed under the Select known hash database to use option. Ensure its checkbox is selected and continue the ingest module process.
Step 4 – Review Results
Once results are available they will be displayed in the Hashset Hits group in the results tree.
This is the easiest way to incorporate the NIST NSRL hashset into your next Autopsy project. Enjoy.