I have been working my way through the course and most functionality has worked normally; however, I have run into a problem with Section 10. When I run ingest modules on the SD card no interesting items are returned (which I presume I need to complete the questions).
I have tried running the scan several times on both the laptop and SD card - this has not worked. I have also tried deleting the central repository and starting a new case from scratch, firstly running ingest modules on the laptop and then the SD card - this also did not work.
There are not many results for the SD card image, but I suspect what you are experiencing has more to do with your Global view settings. By default, the ingest results are merged.
If you want to see them separately, click the gear wheel at the top of the left pane, and check Group by Data Source. Now, each device will have its own Data Source Files, Views, Results, and Tags sections.
Thank you very much for taking the time to reply, it's greatly appreciated.
I tried applying your suggestion with a new case file and new central repository database - the laptop and SD card are segregated into their own areas now (a handy tip regardless!), however, I did not return any 'Interesting Items' as I expected to. Just in case I'm missing something else, I've also attached a screenshot of my Autopsy after doing so.
The hash I am using in that file is 07c94320f4e41291f855d450f68c8c5b which shows up as a hit on the laptop, but not on the SD card.
I've also tagged the photo of Renzik in the restaurant as notable on the laptop, but Autopsy does not seem to be marking the same photo as interesting on the SD card.
You pictured the Ingest modules run, but not the configuration of your Ransom Case hash set. You can find that in Tools --> Options --> Hash Sets or by clicking the Global Settings button on the Ingest Modules configuration screen. Can you post a screen shot of that with your Ransom Case hash set selected?
It looks to me that you are set up correctly and ran the correct ingest modules. I cannot tell if you ran the ingest modules against the correct device.
If you navigate to Views | File Types | By MIME Type | Image | jpeg (or any file view for that matter), do the files have hash values in the MD5 Hash column of the file listing?
Though I have not seen a report for the Interesting Items results category, many users have reported results not appearing after ingest until Autopsy has restarted, in particular the USB Device Attach results section.
We haven't discussed how you set up your Central Repository, but beyond creating one in SQLite and saving to a reachable location, there isn't much more to do. I'm going to review mine and tell you how to check yours…
It looks like Autopsy builds results on the fly, which probably explains why restarting refreshes the results for many users. The central_repository.db, while interesting, doesn't explicitly store tables related to the results categories (which makes sense, it's just an information collection tool to be queried on a case by case basis).
Nonetheless, here are the results of my case analysis related to the file in question:
You can see the two data source ids corresponding to the two devices and the matching hashes. You can check yours with a sqlite viewer to ensure your repository captured the necessary information.
Otherwise, I'd check the logs in the case folder to see if you can determine where the failure occurred and make a bug report. Just be sure to list your steps carefully to allow the developers to reproduce the error, if possible.
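To make the repository check above concrete, here is an added example (not code from the thread or from Autopsy itself) that builds a small, constructed stand-in for the central repository in SQLite and runs the two queries a practitioner would want: which files in one data source carry a hash that was tagged notable in another data source (the logic behind the 'Previously Tagged As Notable (Central Repository)' interesting-items category that the correlation engine populates), and which file names occur more than once in a data source. The table layout, the `known_status` encoding, the file paths and the hash values are all assumptions or placeholders chosen for illustration; the real central_repository.db has a richer schema.

```python
import posixpath
import sqlite3
from typing import List, Tuple

# Simplified stand-in for an Autopsy central repository. This is an assumption for
# illustration only: the real central_repository.db has more tables and columns; only
# the pieces needed for the "previously tagged as notable" correlation are modelled.
SCHEMA = """
CREATE TABLE data_sources (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE file_instances (
    id             INTEGER PRIMARY KEY,
    data_source_id INTEGER NOT NULL REFERENCES data_sources(id),
    value          TEXT    NOT NULL,   -- MD5 hash of the file
    file_path      TEXT    NOT NULL,
    known_status   INTEGER NOT NULL    -- assumed encoding: 0 unknown, 1 known, 2 notable
);
"""

NOTABLE = 2

# Constructed sample rows (hash values are placeholders, not real hashes from the course).
# Data source 1 stands in for the laptop image and carries two files with the same name,
# one of them tagged notable; data source 2 stands in for the media card with a copy of
# the tagged file.
SAMPLE_DATA_SOURCES = [(1, "laptop.e01"), (2, "device2_mediacard.e01")]
SAMPLE_FILES = [
    (1, "11111111111111111111111111111111", "/Users/renzik/Pictures/IMG_20191024_155744.jpg", NOTABLE),
    (1, "22222222222222222222222222222222", "/$Recycle.Bin/S-1-5-21-0000/IMG_20191024_155744.jpg", 0),
    (1, "33333333333333333333333333333333", "/Users/renzik/Documents/notes.txt", 0),
    (2, "11111111111111111111111111111111", "/DCIM/Camera/IMG_20191024_155744.jpg", 0),
    (2, "44444444444444444444444444444444", "/DCIM/Camera/IMG_20191024_160102.jpg", 0),
]


def build_sample_repo() -> sqlite3.Connection:
    """Create an in-memory repository populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO data_sources (id, name) VALUES (?, ?)", SAMPLE_DATA_SOURCES)
    conn.executemany(
        "INSERT INTO file_instances (data_source_id, value, file_path, known_status) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_FILES,
    )
    conn.commit()
    return conn


def previously_notable(conn: sqlite3.Connection, data_source_id: int) -> List[Tuple[str, str]]:
    """Files in the given data source whose hash was tagged notable in a *different* data source.

    This mirrors the check that produces the 'Previously Tagged As Notable
    (Central Repository)' interesting-items category: same hash, other data source,
    status notable.
    """
    rows = conn.execute(
        """
        SELECT f.value, f.file_path
        FROM file_instances AS f
        WHERE f.data_source_id = ?
          AND EXISTS (
              SELECT 1 FROM file_instances AS o
              WHERE o.value = f.value
                AND o.known_status = ?
                AND o.data_source_id <> f.data_source_id
          )
        ORDER BY f.file_path
        """,
        (data_source_id, NOTABLE),
    ).fetchall()
    return [(value, path) for value, path in rows]


def duplicate_names(conn: sqlite3.Connection, data_source_id: int) -> List[Tuple[str, List[str]]]:
    """File names that occur more than once in a data source, with their (differing) hashes.

    Tagging only one of two same-named files leaves the other untagged, so listing them
    explains why a tag may not propagate the way the file name suggests it should.
    """
    by_name = {}
    for value, path in conn.execute(
        "SELECT value, file_path FROM file_instances WHERE data_source_id = ?", (data_source_id,)
    ):
        by_name.setdefault(posixpath.basename(path), []).append(value)
    return sorted((name, sorted(hashes)) for name, hashes in by_name.items() if len(hashes) > 1)


if __name__ == "__main__":
    repo = build_sample_repo()
    print("Notable in another source:", previously_notable(repo, 2))
    print("Duplicate names in source 1:", duplicate_names(repo, 1))
```

Running the script reports the media-card copy of the tagged image as notable-elsewhere, and shows that data source 1 holds two distinct files (different hashes) under the same name. Against a real central_repository.db the same idea applies with the actual table and column names, which you can read off in any sqlite viewer before adapting the query.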
I have created a new case from scratch, using only the mediacard.e01 data source and imported and created the hash sets indicated in lab 6. Same result, nothing marked as 'notable' in 'Interesting Items' … but … after reviewing LAB6, point 8 says:
While reviewing the images in that folder, it is noticed that 'IMG_20191024_155744.jpg' shows health violations by bringing the dog into a restaurant. We want to tag this as Notable:
Right click on it
Select 'Add File Tag' and choose 'Notable Item'
After doing it and running ingest modules again in 'device2_mediacard.e01', I get one interesting file (Previously Tagged As Notable - Central Repository).
I had the same issue some days ago, and finally I've just got the answer. In the first data source there are 2 image files that are named the same. Maybe later I will understand why there are 2 different files with the same name (it could be due to the folder where the file was - Recycle bin); anyway, once I noticed this, I just tagged both files and re-ran the correlation engine, and I got my new NOTABLE ITEM. I hope it helps you too.
Best regards,
ABS
Image 1: 2 files with the same name in the Data Source 1
Image 2: New Interesting File (2 Occurrences)
(*) As a new user, I wasn't able to upload 2 images.
@ABS22: I'm not seeing the 2nd version of the file (which looks like it has all 0s for its time stamps). If you select it and view the 'File Metadata' tab on the bottom, can you post it here?
I have the same problem. There are also yellow triangle signs beside the three ingest modules. It seems to be lacking the SQLite database. I have tried to reinstall Autopsy and it doesn't prompt me to configure the database engine in the installation. And I cannot find a way to configure it after the installation process. I am using 4.14.0 64 bit version on Windows 10.
Lab 6 had you tag an IMG file.
Lab 7 had you create interesting file rules. This caused Autopsy to populate its 'Interesting Items' tree for the first time.
Lab 10's correlation module caused Autopsy to create a 'Previously tagged as notable (Central Repository)' within the 'Interesting Items' tree item, due to the media card also containing the IMG file that was tagged in Lab 6.
I believe I've discovered what the issue is. On lab 6, we were asked to add the md5 hash 07c94320f4e41291f855d450f68c8c5b to our hash set and configure it to mark any files that match that as notable. However, the quiz for lab 9 expects the file with md5 hash d8753a49ebca177ae227c1566fb4ee9f to be marked as interesting.
If you do a 'File Search by Attributes' for the md5 hash 'd8753a49ebca177ae227c1566fb4ee9f', then you can manually mark it as notable (and add it to your ransom hash set). From there, you can rerun the 'Correlation Engine' ingest module for the second data set to have it correctly identify the interesting files.