sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Hashsets seemingly cannot be removed. #973

Open BitSniffing opened 9 years ago

BitSniffing commented 9 years ago

Release: 3.1.0

Details: When working within an image, I added a found file to "Add file to hash database" and created a hash database. I attempted to remove the hashset but was unable to find one. I then deleted the database, closed the case, closed the app, and then re-opened the app, re-ran ingest modules, and the hashset was still present.

Am I missing something in order to remove a hashset?

rcordovano commented 9 years ago

To remove a hashset:

  1. From the main menu, select Tools, then Options to bring up the Options window.
  2. Click on "Hash Database" to show the hash databases panel.
  3. Select the hash database you want to delete in the list on the left hand side of the panel.
  4. Click the Delete Database button.
  5. Click the OK button to dismiss the Options window.

The hash databases panel can also be reached from the Add Data Source wizard and the Run Ingest Modules dialog by selecting the "Hash Lookup" module to show its settings panel, and then clicking the Advanced button.

The problem with manually deleting the database is that there is a configuration file (XML) that stores data about the hashset the database implements. Deleting the database without editing the XML file will make Autopsy think the hashset still exists, but with the database missing.

Richard Cordovano Basis Technology

https://github.com/sleuthkit/autopsy/issues/973

BitSniffing commented 9 years ago

Hi Richard. It isn't the hash database, but the hashset that I was attempting to delete. The hashset I was attempting to remove is located in the "Hashset Hits" of the "Results" category after ingesting an image. I attempted to ingest the image again without using a hash database, but the previously displayed "Hashset Hits" result was still present, even after deleting the hash database. Maybe I am missing how to remove a "Hashset Hits" hashset.

Thank you for your help.

rcordovano commented 9 years ago

Ah, yes, now I get it. Craig, I am sorry to say that there currently is no way to delete an analysis result (an artifact) short of opening up the case database and executing SQL statements to remove the corresponding records from several tables. There is also no provision for avoiding creating hashset hits - if you analyze the data source multiple times with the same hashset enabled, each run will record another hashset hit.

It may be that the most expedient solution for you at present would be to create a new case and redo the analysis with only the desired hashsets enabled. Sorry about that.

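As an added, read-only check for the repeated hashset hits described in the reply above (this is example code, not part of the thread or of Autopsy itself): it queries the TSK_HASHSET_HIT artifacts in a case database and reports every file/hashset pair recorded more than once, which is what repeated ingest runs with the same hashset produce. It assumes the Sleuth Kit blackboard table and column names shown, embedded here as a constructed minimal schema with constructed sample rows so it runs offline.

```python
import sqlite3

# Constructed minimal subset of the Sleuth Kit blackboard schema (assumption: a real
# case database has more tables and columns; only those the query touches are kept).
SCHEMA = """
CREATE TABLE blackboard_artifact_types (artifact_type_id INTEGER PRIMARY KEY, type_name TEXT);
CREATE TABLE blackboard_attribute_types (attribute_type_id INTEGER PRIMARY KEY, type_name TEXT);
CREATE TABLE blackboard_artifacts (artifact_id INTEGER PRIMARY KEY, obj_id INTEGER, artifact_type_id INTEGER);
CREATE TABLE blackboard_attributes (artifact_id INTEGER, attribute_type_id INTEGER, value_text TEXT);
"""

# Constructed sample hits: file 101 was ingested twice against "suspect-photos",
# file 102 once, and file 101 once against "known-good". Type ids are arbitrary.
HITS = [
    (1, 101, "suspect-photos"),
    (2, 102, "suspect-photos"),
    (3, 101, "suspect-photos"),  # second ingest run records the same hit again
    (4, 101, "known-good"),
]

def build_sample_case():
    """Return an in-memory case database populated with the constructed hits."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO blackboard_artifact_types VALUES (10, 'TSK_HASHSET_HIT')")
    con.execute("INSERT INTO blackboard_attribute_types VALUES (11, 'TSK_SET_NAME')")
    for artifact_id, obj_id, set_name in HITS:
        con.execute("INSERT INTO blackboard_artifacts VALUES (?, ?, 10)", (artifact_id, obj_id))
        con.execute("INSERT INTO blackboard_attributes VALUES (?, 11, ?)", (artifact_id, set_name))
    con.commit()
    return con

def duplicate_hashset_hits(con):
    """Map (obj_id, set_name) -> hit count for every file that has more than one
    TSK_HASHSET_HIT artifact for the same hashset, i.e. hits from repeated ingest runs."""
    rows = con.execute("""
        SELECT a.obj_id, attr.value_text, COUNT(*)
        FROM blackboard_artifacts a
        JOIN blackboard_artifact_types art_t ON art_t.artifact_type_id = a.artifact_type_id
        JOIN blackboard_attributes attr ON attr.artifact_id = a.artifact_id
        JOIN blackboard_attribute_types attr_t ON attr_t.attribute_type_id = attr.attribute_type_id
        WHERE art_t.type_name = 'TSK_HASHSET_HIT' AND attr_t.type_name = 'TSK_SET_NAME'
        GROUP BY a.obj_id, attr.value_text
        HAVING COUNT(*) > 1
    """).fetchall()
    return {(obj_id, set_name): count for obj_id, set_name, count in rows}

if __name__ == "__main__":
    for (obj_id, set_name), count in duplicate_hashset_hits(build_sample_case()).items():
        print(f"obj_id {obj_id}: {count} hits recorded for hashset '{set_name}'")
```

Against a real case, pass a connection to a copy of the case's SQLite database instead of `build_sample_case()`; the query only reads, so it is safe to run before deciding whether to recreate the case.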

rcordovano commented 9 years ago

Sorry, "...avoiding creating hashset hits..." should have been "...avoiding creating duplicate hashset hits..."


BitSniffing commented 9 years ago

Thanks so much for your help.

I did wind up creating a new case and re-running.