Section 6 Lab issue

Online Training
1

When I apply the following step:

  1. Use “Add Hashes to Hash Set” button to copy and paste the following MD5 value into the “Ransom Case” hash set. This is the hash of the ransom note.
    07c94320f4e41291f855d450f68c8c5b

The issue is “Add Hashes to Hash Set” button is inactivated, how to activate it?

2

Have you created a hash set using the “New Hash Set” button and then selected it?

hashSet
hashSet1264×764 105 KB

1 Like
3

Yes, but still inactive, maybe due to running ingest

4

Ah yeah I don’t think you can edit the hash sets while ingest is running.

2 Likes
5

Sir, ADD HASHES TO HASHSET BUTTON IS DISABLED .WHAT TO DO ?

6

Don’t run the Ingest module and add the hash at the same time, some features won’t work while the ingest module is running

Sincerely.
Abdulghani Alkhateeb
https://about.me/abdulghani

7

THANK YOU,

  1. Configure the Hash Lookup module with two hash sets:
  2. Import the NSRL File (NSRLComplete.txt-md5.idx) that you previously downloaded in Section 1.
    1. You may need to unzip the file you downloaded.
    2. You can use the default values (i.e. Type: Known).
  3. Create a New Hash Set:
    * Destination: Local
    * Name: Ransom Case
    * Hash Set Path: [Any folder on your computer]
    * Type: Notable
  4. Use “Add Hashes to Hash Set” button to copy and paste the following MD5 value into the “Ransom Case” hash set. This is the hash of the ransom note.
    07c94320f4e41291f855d450f68c8c5b

I ve done upto here.

now next step, how to Start the Ingest Module? please advice?

please help in

Observe:

  1. Use Ingest Inbox as an indicator when ‘Known Bad’ hash hits are found.
  2. Use “Go To Result” to go to tree area of hash hits.
  3. View the hash hit.
  4. Question : Let ingest get at least 15% through the drive. How many total hits are found under the “Hashset Hits” results after running the Hash Lookup Ingest Module?
  5. Question : What are the filenames of the hash hits?
  6. One of the hits is in a folder named “Pictures”. Right click on the file to “View” there.
  7. Question : How many total “.jpg” files are in the folder “Pictures” where the notable hash hit was found?
  8. While reviewing the images in that folder, it is noticed that “IMG_20191024_155744.jpg” shows health violations by bringing the dog into a restaurant. We want to tag this as Notable:
  9. Right click on it
  10. Select “Add File Tag” and choose “Notable Item”

With regards

8

At this point you need to make a case, add a data source, and then run ingest. On the ingest panel, make sure you enable the Hash Lookup module along with the hash sets you created earlier.

http://sleuthkit.org/autopsy/docs/user-docs/4.15.0/ds_page.html

1 Like
9

Good evening!

How can I import the NSRL file (NSRLComplete.txt-md5.idx)? Did anyone succeed?

10

Here are instructions on importing hash sets. Note that you’ve already got an index file so you won’t have to index it.

http://sleuthkit.org/autopsy/docs/user-docs/4.15.0/hash_db_page.html

1 Like
11

Thank you very much!

12

Where can be found file NSRLFile-266m-computer.txt-md5.idx ? After unzipping file downloaded from https://sourceforge.net/projects/autopsy/files/NSRL/NSRL-266m-computer-Autopsy.zip/download there is no file (NSRLComplete.txt-md5.idx). Only file named NSRLFile-266m-computer.txt-md5.idx

13

I AM struck up at section 6 - Hash Look Up Module - Lab Steps. While I run the ingest as per instructions provided, it takes hours together but not able to run. I have wasted two days in trying this step but in vain. Can u please provide me solution as I am not able to complete the course because of this hurdle.

2 Likes
14

Hello,

You have copied and pasted this message from the support ticket that you have opened, and we are working through it there. Please do not post the exact same thing, that we are providing you assistance on, in multiple places, as it creates more work trying to sort through tickets and support.

Thank you

15

Sir

Thanks

Problem solved.

Sorry for bothering

Regards

16

Did you find a solution? I am having the same issue. Thanks!

17

I actually did not, wanted to see again Section 6 video, maybe I missed something

19

The injest activity in section 6 Lab is running very slow. How long does it normally take to finish if we follow the instructions as given? For me it is taking a lot of time.
-Regards, Rahul

20

I tried this even after cancelling the ingest, but still disabled for me. Do I need to run a full ingest, add the hash after completion, and do it again?

21

Did ingest fully cancel? Sometimes it takes a while. If you close and restart Autopsy is everything still disabled on the Hash Database options panel?