Hashsets - reverting known files

Hi There,

I have question/problem I have case with a lot of sources. To limit duplication of files to analyse - I made
filters for every of source - every next source hash lookup is whitelisted by unique md5’s of previous ones. And it worked, but when I accidentally selected wrong filter (hashset of known files) a lot of files
disappeared from results - what is correct. But problem is that when i re-run hash verification with disabled previously selected filter - Autopsy remembered that those files are known and they don’t appear on the list anymore.

Is there any way to “undo” hashlist verification process by specific hashlist ?

I’m using Autopsy 4.19 on Linux
Best,
btr

If you want completely undo running the known files hash set, you’ll need to update your case database (autopsy.db) manually. The known status is stored in the “known” column of the “tsk_files” table. It’s this enum: Sleuth Kit Java Bindings (JNI): org.sleuthkit.datamodel.TskData.FileKnown Enum Reference

Here I have one known file and one notable file:

knownCol992×457 22.1 KB

If you reset all “1” values to “0” in your case database you’ll erase the known status.

If your issue is just that you’d like to continue seeing known files in the UI, there’s a setting for that - “Hide known files”
http://sleuthkit.org/autopsy/docs/user-docs/4.19.0/view_options_page.html

I think that trick with database is the one I’m looking for. I was thinking about creating plug-in that would allow to show only the file with earliest MACB, to allow analyst to determine automatically primary/original location of file in case of multiple data sources.

Autopsy have build-in option “other occurrences of file” but for every file you have to click on file to obtain it - showing it as a column in table I think would be useful.

Thanks