Welcome back everyone. Today I'm going to show you how to add a known good hash database to Autopsy. I'm currently running Autopsy in Windows. It's Autopsy 4.2.0, the latest version at the time of this video. Once you open up Autopsy (you don't have to have processed a case or anything), go to Tools and then Options, and you'll probably start on the Autopsy tab. Go over to the tab that says Hash Databases and you'll notice that Autopsy by default does not ship with a hash database. We are going to be including the NSRL list from NIST. Basically, the NSRL is a set of known good hashes that we can more or less safely ignore. So we're going to be adding the NSRL hash database, but I also use this quite often to create my own hash database of interesting or just known bad files. If we were working on child exploitation cases or maybe malware investigations, we might have hashes of known bad files. For child exploitation it's usually images, videos, things like that. Hashes are a very fast way to do filtering in your cases, so they're really powerful and pretty easy to manage once you get used to it. But for some reason a lot of people don't really use hash databases very much. So I strongly recommend using them; they're a very useful tool to help us. From the options menu (Tools, Options), click on Hash Databases. I've already downloaded the NSRL database. Right now it's three gigabytes, a very large database. I'll go find it here: NSRL. Basically this folder has all the information related to the NSRL, and I've already verified it and extracted the database. The database file is actually here: NSRLFile.txt. Let me open it up.
If we run head on NSRLFile.txt, you can see the structure: first a SHA-1 hash, then an MD5 hash, then a CRC32, then the name of the file that was hashed, then the file size, the product code (which we would need to look up to find what the product actually is, if we were interested in that), the operating system code, and the special code, which is empty at least in the head output. So we would need to look up exactly what the op system code and product code relate to, but file size, file name, CRC32, MD5 and SHA-1 I think are all pretty self-explanatory. What we're really interested in here are the SHA-1 hash and the MD5 hash. So that's what it looks like. In Windows here I have this NSRL file. It is, I think, about 13 gigabytes unpacked, so it is quite large. That's just hash values, so it's a lot of hashes, which means it can filter out a lot of potentially uninteresting files. In the Hash Databases tab we could create a new database, but we won't do that now. You might want to create a new database if you want to add things that you find with Autopsy into it, so you can save them inside your own database. Instead I'm going to import the database. I click on Import Database, and the first thing it asks for is the database path. I'll open it up; for me it's on my E drive, NSRLFile.txt. For the hash set name I'm just going to call it NSRL, and then the type of database: known (NSRL or other). The NSRL is so popular that they even just refer to it as NSRL. If this was a list of, let's say, known child exploitation images, we would click on Known Bad. But instead this is a known file list, kind of known good, or something we can filter out, so I'm going to click on Known instead of Known Bad. Click OK. Now you see that it added it, and it's in red right now. We now have the option to index or delete.
We can delete it, but we don't want to. What we haven't done yet is indexing. In a prior video I showed you how to make an index from the command line; if you made an index from the command line, the index should be detected automatically. But we haven't indexed this yet, so we just need to click on Index before we can use it. We have to create an index before we can use this database; that's very important, and that's why it's currently showing up in red. I'm going to let that index. It will take a while, and I'll come back when it's finished. Okay, now the index for the NSRL database has been created. We can see the index path (the index has been created in the same directory) and we can see that it's an MD5 index; by default, Sleuth Kit indexing uses the MD5 value. Then we have the index status: indexed. We could re-index it, but we just indexed it, so we don't need to. Sometimes, especially if you add new hashes to the database, you'll need to re-index it, but right now we don't need to. Okay, so you can just click Apply. If you select the database again, we have Add Hashes to Database, but it's grayed out, and I think it's because of the type of database. So if we create a new database, for example, and just call it test, with the database path hash databases\test.kdb, Save, and let's say it's Known Bad, then click OK. Because we've created a new test database and it's kdb type, whereas NSRL is just .txt type, with kdb we can add hashes to the database. So if we had a list of hashes, for example, let me go back; imagine that I have these hashes in a file. Let's just do that: head on the NSRL file, piped into awk. Awk is used to filter out text in Linux. We want to print, let's say, field two: dollar sign two.
So this awk -F basically says to make the comma the field delimiter, and then print $2: go find the second thing after the comma, which is the MD5 hash value. So we can just print that out. But now that I look at it, I realize that all of these are the same hash anyway, so I'm just going to copy one of them, go back, paste from clipboard to paste that hash in, and then Add Hashes to Database. One hash added successfully. I'm going to delete this database. So there are a couple of different ways we can create databases. There are a lot of hash databases that already exist that we want to import: for example the NSRL, the known hash databases. There are also a lot of, let's say, child exploitation hash databases, or peer-to-peer file sharing hash databases, or virus hash databases. We could get those hash databases, import them, index them, and then use them to automatically process our case. We can also keep our own hash databases locally. The problem with that is that no one else can, let's say, share our hash databases directly. Now, what you might notice (I don't know if you noticed or not) is that whenever you click Save As, I actually have these on a VirtualBox server; basically this E drive is a network share. So what you could potentially do is share this database on a network drive. I'm not sure how it would work with multiple users trying to access the database at the same time, but it's possible. Autopsy also has a multi-user mode, and I'll be talking more later about how to set up multi-user mode. But anyway, we're talking about hash databases now, and this is how you can set up some of them. So we've already added NSRL. We can click Apply, then OK. I've already processed this case, but now I want to rerun, because the hash database was not included when I processed this disk.
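To tie together the NSRLFile.txt column layout described earlier and the awk "print field two" extraction just shown, here is an added example (not Autopsy code and not from the video) that parses NSRL-format text with a real CSV parser, collects the distinct MD5 values, and uses the resulting set to filter a batch of files the way a known/known bad hash lookup does. The rows in SAMPLE_NSRL are constructed sample data in the NSRL column order (the SHA-1/MD5 values for the empty file are genuine; the others are made up), and the rule that a known bad match outranks a known match is this example's choice. Unlike a plain awk -F',' split, the CSV parser copes with file names that contain commas, and the set de-duplicates the repeated hashes you see when the same file ships in several products.

```python
"""Parse NSRL-style hash set text and use it to filter file hashes.
Added example, not Autopsy's own code. Column order follows NSRLFile.txt:
SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode.
"""
import csv
import hashlib
import io

# Constructed sample in NSRLFile.txt layout. The same file often appears under
# several product codes, so hashes repeat; file names may contain commas,
# which is why the text fields are quoted. Only the empty-file hashes are real.
SAMPLE_NSRL = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"da39a3ee5e6b4b0d3255bfef95601890afd80709","d41d8cd98f00b204e9800998ecf8427e","00000000","empty.txt",0,1001,"WIN",""
"0123456789abcdef0123456789abcdef01234567","0123456789abcdef0123456789abcdef","1A2B3C4D","readme, notes.txt",512,1001,"WIN",""
"0123456789abcdef0123456789abcdef01234567","0123456789abcdef0123456789abcdef","1A2B3C4D","readme, notes.txt",512,2002,"WIN",""
"fedcba9876543210fedcba9876543210fedcba98","fedcba9876543210fedcba9876543210","9F8E7D6C","setup.exe",204800,2002,"WIN",""
'''


def parse_nsrl(text):
    """Yield one dict per data row, keyed by the header names (comma-safe)."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        yield row


def hash_set(text, column="MD5"):
    """Distinct hashes from one column, lowercased.

    Same idea as awk -F',' '{print $2}', but quoted fields are handled and
    duplicates (one file in many products) collapse into a single entry.
    """
    return {row[column].lower() for row in parse_nsrl(text)}


def hash_bytes(data):
    """MD5 and SHA-1 of a file's content, the two NSRL columns we care about."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def classify(md5_hex, known, notable):
    """Mirror the known / known bad split: a known bad hit wins over known."""
    h = md5_hex.lower()
    if h in notable:
        return "known bad"
    if h in known:
        return "known"
    return "unknown"


def filter_known(files, known, notable):
    """Drop files whose MD5 is in the known set; keep the rest with a verdict.

    files: {name: bytes}. Returns {name: "unknown" | "known bad"}.
    """
    remaining = {}
    for name, data in files.items():
        verdict = classify(hash_bytes(data)["md5"], known, notable)
        if verdict != "known":
            remaining[name] = verdict
    return remaining


if __name__ == "__main__":
    known = hash_set(SAMPLE_NSRL)
    # Constructed "known bad" set, standing in for a test.kdb style database.
    notable = {"fedcba9876543210fedcba9876543210"}
    print(len(known), "distinct MD5 values in the sample")
    print(filter_known({"empty.txt": b"", "note.txt": b"hello"}, known, notable))
```

Swap SAMPLE_NSRL for the contents of the real NSRLFile.txt (read it in chunks or line by line; at roughly 13 GB it will not fit comfortably in a single string) and the same functions produce the filter an index-backed lookup gives you inside Autopsy.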
So I want to rerun the hash comparison module. I can go to Tools and Run Ingest Modules, select the disk again, and then Recent Activity. Oh, I'm not sure if I'll be able to do this. I'm just going to deselect everything except hash type identification. Let's see if I can actually start this or not. I'm not sure if I can. Yeah, okay. So now it's running the ingest module again, just for hash databases; I have deselected everything else. You can see that it's accessing not only the disk, but also probably the hash database. So that's it for adding known good and known bad hashes to Autopsy, making the index, and then rerunning any modules. Whenever we start a new case in Autopsy, if we select the hash database module as an ingest module, it will automatically run. So that's it for hashing. Thank you very much.