File Extension Mismatch setup

I started an ingest yesterday on my local Documents directory. It has a lot of images in it, and the total size is 123 GB (90,752 files). I started it around 2pm, and it was only 45% done at 8am this morning… Does this sound normal?

Anyway, I cancelled it, as it had already collected a lot of information.

I looked at the “Extension Mismatch Detected”, and I saw one was ‘thm’. I looked it up and it is a thumbnail, and should really be (as Autopsy reported) MIME type ‘jpeg’. Another one was a Canon Raw file with extension ‘CR2’.

I figured since Autopsy knows about these files, there should be a way to configure it to not report these as a mismatch.

It looks like one way to do this would be to simply add extension ‘thm’ as another “known” type for image/jpeg. Is this the correct way to prevent ‘thm’ from showing up as a mismatch?

Also, online I read that CR2 is really a type of image/tiff. I thought about doing the same thing, but then I read that there is a mime type called ‘image/x-canon-cr2’. I also have the older Canon CR raw files.

What is the recommended way to have these not be detected as mismatches?

Thanks,

Mitch

That can be normal, but it depends entirely on the ingest modules you selected. The keyword module is lengthy, so don’t run it if you don’t need it. You can also create a file filter in the Options | Ingest tab to focus keyword indexing (and/or other ingest modules) on a subset of data, e.g., in the ‘/Users/’ and ‘/$Recycle.Bin/’ directories.

Also bear in mind that eliminating known files through the NSRL hash sets can shorten ingest time.

If you wanted to stop thm files that have jpeg signatures from appearing as mismatches, then add the ‘thm’ extension to Options | File Extension Mismatch. Select ‘image/jpeg’ in the File Types pane and then add ‘thm’ as a new extension.

Repeat the process above for any file that you don’t want reported as a mismatch. Find the MIME type in the Options | File Extension Mismatch tab and enter the file extension you don’t want reported for that MIME type.

Remember the purpose of the analysis category: to alert the examiner of potentially disguised files.
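A simplified model of the check discussed in the answer above, added here as an illustration; it is not part of the original posts and not Autopsy's own code. The signature checks, the default extension map, the sample files and all function names are constructed assumptions. It shows how adding an extension under one MIME type silences that pairing only, while a file with image content under an unrelated extension is still reported.

```python
import os

def sniff_mime(header: bytes):
    """Guess a MIME type from leading bytes (tiny constructed signature set)."""
    if header[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if header[:4] in (b"II*\x00", b"MM\x00*"):      # TIFF container
        # CR2 is TIFF-based and carries a "CR" marker at offset 8
        return "image/x-canon-cr2" if header[8:10] == b"CR" else "image/tiff"
    return None  # unknown type: nothing to compare against

# Constructed stand-in for the per-MIME extension list edited in the Options tab
DEFAULT_KNOWN = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/tiff": {"tif", "tiff"},
    "image/x-canon-cr2": set(),
}

def with_extension(known, mime, ext):
    """Return a copy of the map with ext accepted for mime."""
    updated = {m: set(exts) for m, exts in known.items()}
    updated.setdefault(mime, set()).add(ext.lower())
    return updated

def find_mismatches(files, known):
    """Return (name, detected MIME) for files whose extension is not listed."""
    hits = []
    for name, header in files:
        mime = sniff_mime(header)
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if mime is not None and ext not in known.get(mime, set()):
            hits.append((name, mime))
    return hits

# Constructed sample input: file name plus first bytes of content
SAMPLE_FILES = [
    ("IMG_0001.THM", b"\xff\xd8\xff\xe1\x00\x10Exif"),
    ("IMG_0001.CR2", b"II*\x00\x10\x00\x00\x00CR\x02\x00"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.pdf", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # JPEG content, wrong extension
]

if __name__ == "__main__":
    print("default:", find_mismatches(SAMPLE_FILES, DEFAULT_KNOWN))
    tuned = with_extension(DEFAULT_KNOWN, "image/jpeg", "thm")
    tuned = with_extension(tuned, "image/x-canon-cr2", "cr2")
    print("tuned:  ", find_mismatches(SAMPLE_FILES, tuned))
```

Because the list is keyed by MIME type, accepting 'thm' for image/jpeg in this model does not hide a 'thm' file whose content is some other type.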

John,

Thanks for your reply!

Mitch