Section 6 - NSRL File NSRLComplete.txt-md5

In section 6, there is a step to import NSRL File NSRLComplete.txt-md5.idx that you previously downloaded in Section 1.

But I couldn't find that file even in the list I downloaded in Section 1. In Section 1, I only see these 2 links (mentioned below) along with the link to download & install Autopsy.

Can you assist me, please?

The first download you list contains the file you need to import:

% unzip -l NSRL-266m-computer-Autopsy.zip 
Archive:  NSRL-266m-computer-Autopsy.zip
   Length      Date    Time    Name
 ---------  ---------- -----   ----
         0  10-11-2019 23:10   NSRL-266m-computer-Autopsy/
      6148  10-11-2019 23:10   NSRL-266m-computer-Autopsy/.DS_Store
2802909816  10-10-2019 13:22   NSRL-266m-computer-Autopsy/NSRLFile-266m-computer.txt-md5.idx
     32768  10-10-2019 13:22   NSRL-266m-computer-Autopsy/NSRLFile-266m-computer.txt-md5.idx2
      1121  10-11-2019 20:46   NSRL-266m-computer-Autopsy/README.rtf
 ---------                     -------
2802949853                     5 files

You unzip the file, point at the NSRLFile-266m-computer.txt-md5.idx file, and it will add the second one automatically.

Thank you for your reply, John. I already imported the whole file as you mentioned. But where can I find NSRL File NSRLComplete.txt-md5.id?

As I couldn't find 8 - While reviewing the images in that folder, it is noticed that “IMG_20191024_155744.jpg” shows health violations by bringing the dog into a restaurant.

I also see “Add Hashes to Hash Set” is grayed out (screenshot attached).

Does anyone have any other feedback or suggestions?

Does this help you answer your question? You also cannot add hashes while ingest is running.

Have you updated to the latest version of Autopsy, and, if so, did that fix your problem?

Also, to be clear, we generically refer to the file by its nomenclature, not the exact name, because each time there is an updated version of the NSRL file(s) available, we did not want to have to rewrite the course content. In the example above that John posted, the file you want is “NSRLFile-266m-computer.txt-md5.idx”.

Thank you for that feedback. Here are steps I did -

I updated to latest version of Autopsy.
Also reopened the case that I created.
Imported Laptop Image device1_laptop.e01

I still could see that “Add hashes to Hash set” is grayed out (before I started to ingest modules)

But when I created “New Hash Set” from “Global Hash Lookup Settings” manually, I am able to select “Add Hashes to Hash Set”

If you have any other suggestions to add hashes to hash set in the lab image “Device1_Laptop.e01”, please let me know.

You have to import the hash set. It doesn’t sound like you did that.

Importing Hash Sets

To import an existing hash set, use the “Import Database” button on the Hash Sets options panel. This will bring up a dialog to import the file.


I did before for sure. I also deleted the imported file & re-imported it.

It's still grayed out.

Okay, it looks like you have two separate issues here.

From your first screenshot, the NSRL is a known type of hash set (it states “NSRL or other” right next to the box).

Secondly, the hash set that you currently have highlighted is read only, which means that you cannot add hashes to that hash set.

You need to create a new hash set that you can actually edit, following the instructions listed in the video and in the lab steps. Please note that importing the NSRL, and creating an entirely new hash set, are two completely separate things.

STEP 1:

  1. Import the NSRL File (NSRLComplete.txt-md5.idx) that you previously downloaded in Section 1.
  2. You may need to unzip the file you downloaded.
  3. You can use the default values (i.e. Type: Known).

STEP 2:

  1. Create a New Hash Set:
  • Destination: Local
  • Name: Ransom Case
  • Hash Set Path: [Any folder on your computer]
  • Type: Notable
  2. Use “Add Hashes to Hash Set” button to copy and paste the following MD5 value into the “Ransom Case” hash set. This is the hash of the ransom note.

Thanks @BrianMoran & @John_Lehr, appreciate your assistance.


Thank you for taking the time to ask the question(s) and post the screenshots as requested. We all are genuinely trying to help, and while sometimes it takes a little back and forth, eventually we will get there!


You are welcome @BrianMoran

I ran into the same problem as @mgroms. BrianMoran’s instruction is helpful.
In step 3 of BrianMoran’s instructions it says, ‘paste the FOLLOWING MD5…’. Could you help me find the ‘following MD5 value’? The video has screenshots of that but does not say (at least the slides) where the MD5 values came from.

They are not my instructions, they are the copied and pasted instructions from the “Lab Steps” portion of Section 6 “Hash Lookup Module”. We will not post any of the answers or important artifacts directly to this forum.

Please review that section (and subsequent section(s)) in the course.

Thank you

Hello Brian: It was my mistake. I did not notice there was a scroll bar to go up/down (vertical) in the lab instruction of section 6. After your message, I checked / discovered it. Thanks.


Installation and configuration was somehow cool, but I want to suggest that, in case a question is referring to a previously analyzed case, the image file name should be mentioned again. In Section 4, the image name was not mentioned.