sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Error indexing NSRLFile hash set #4738

Closed firehawk12 closed 5 years ago

firehawk12 commented 5 years ago

Hi, I am trying to import the latest NSRL hash set into Autopsy and index it, but when I do I get the error message above. (Error indexing NSRLFile hash set)

I know that there is the pre-indexed file on Sourceforge, but is there an alternate way to import the latest hash set into Autopsy if I can't do it via Autopsy itself?

Thanks.

bcarrier commented 5 years ago

Yea, it fails on Windows. We make the pre-indexed one on Linux or OS X using 'hfind' from The Sleuth Kit. They do better with memory management than Windows.

HectorCuchilla commented 5 years ago

Hi, The Sleuth Kit for Windows also comes with the HFIND.EXE tool; download it and install it. Then you can use the following command to index your NSRLFile hash set (the same command used on Linux):

c:\\hfind.exe -i nsrl-md5 NSRLFile.txt

After a few minutes (depending on your machine's resources) hfind will create the following files: "NSRLFile.txt-md5.idx" and "NSRLFile.txt-md5.idx2".

Now, just import your NSRL hash set in Autopsy as usual and you will be ready to go.

Here is a user manual for the hfind tool: http://www.sleuthkit.org/sleuthkit/man/hfind.html
You can download The Sleuth Kit from here: https://www.sleuthkit.org/sleuthkit/download.php

Hope this info can solve your problem.

Best Regards | Atentamente, Hector Cuchilla