Basis Technology Autopsy Ingestion Modules Configuration

Autopsy Ingestion Modules Configuration Guide

Now that you have finished the OptimizationCore Autopsy and Plugins Installation Guide, it is time to configure the Autopsy Ingestion Modules. When you finish the configuration, continue to the OptimizationCore Autopsy Usage Guide.

Hash Lookup Ingestion Module – Installing Hash sets

Autopsy uses known hash sets to check whether the data source you are analyzing contains files with those hashes. Example: the files in the Windows system folder are well known, so there is no need to reanalyze them because they are already in the known hash set for Windows files. There can also be a hash set of known malware, so you will want to see whether the files you are analyzing contain any of those malware hashes. Autopsy works with these formats:

Text - one hash per line (*.txt)
Index - NSRL - Generated by Autopsy / Sleuth Kit (*.idx)
SQLite hash sets created by Autopsy (*.kdb)
EnCase (*.hash)
HashKeeper (*.hsh)

Autopsy distinguishes between “Known” files (potentially “good”, for example Windows system files) and “Notable” files (potentially “bad”, for example malware). More information is on the Autopsy Hash Lookup Module page.

We will be installing the NIST NSRL hash set (more information can be found on the NSRL site). This is the first hash set that Autopsy recommends adding.

1. Download the latest NIST NSRL files for Autopsy. There are three variants:

NSRL-###m-Autopsy.zip
NSRL-###-ios-Autopsy.zip
NSRL-###-Android-Autopsy.zip

From the NSRL readme file:

For each quarterly release, there are three hash sets:
- 'm' or 'computer' contains hashes of known Windows / PC files
- Android contains hashes of known Android files
- ios contains hashes of known iOS files

2. Extract the NSRL hash sets and store them somewhere Autopsy can read them from.
3. Import each hash set as follows:

Tools => Options => [Hash Sets]
     [Import Hash Set]
        Hash Set Path: [Open]
        Destination: (*) Local
        *** Since we will be using a local database
        Name: <You can leave the name as is, or choose any other>
        Type of hash set: (*) Known (NSRL or other)
        *** Since it is NSRL we set it as "Known". For any other hash set you need to decide whether it holds good hashes (Known) or bad ones (Notable).
        [ ] Copy hash set into user configuration folder
        *** No need to copy since you already placed the files where you want them; alternatively, check it if you want the hash set to live in the user configuration folder.

Known hashes will not appear in the right pane (“Tree => Views”) by default, but will appear in the left pane (Data Sources area) under:

Results \ Keyword Hits \ Hashset Hits

You can change that behavior so they also show in the right pane viewer:

[Tools] => [Options] => [View]
    "Global settings"
        Hide known files (i.e, those in the NIST NSRL) in the:
            [ ] Data Sources area (the directory hierarchy)
            [ ] Views area
    [OK]

After you import a hash set you need to [Index] it by clicking on the hash set. This is not needed for NSRL, since it is an IDX file that is already indexed.

Imported hash sets will be available in the “Hash Lookup” ingestion module.

Interesting Files – Autopsy Ingestion Module Configuration

You can configure this module to scan for a set of files defined by a rule set. Example: if you configure a rule set to search for “vmplayer.exe” (VMware Workstation Player), the results will be shown in the left pane.
Example: configuring an Interesting Files rule set for VMware Player:

[Tools] => [Options] => [Interesting Files]
    [New Set]
        "Interesting Files Set Rule"
        Set Name: VMware Workstation Player
        Description: VMware Workstation Player main executable and VMDK extension files.
        [ ] Ignore Known Files
        *** Known files are the ones that appear in the "Known" hash sets you imported earlier. If a file matching this rule appears in one of those hash sets, it will not be shown / analyzed.
        [OK]

You will return to [Interesting Files].
Create Rule 1 for this rule set:

    Select the "Rule Set" that was just created
    On the right pane => [New Rule]
        Type: (*) Files
        [V] Name: vmplayer.exe
        (*) Full Name
        [OK]

Create Rule 2 for this rule set:

    On the right pane => [New Rule]
        Type: (*) Files
        [V] Name: vmdk
        (*) Extension Only
        [OK]
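To make the Known / Notable distinction from the Hash Lookup section and the "Ignore Known Files" option above concrete, here is an added Python example (not part of the original guide and not Autopsy's own code) that parses a hash set in the Text format, classifies a constructed set of files, and applies the two rules just created. The sample files, their hashes, the Notable-over-Known precedence and the case-insensitive name matching are assumptions of the example.

```python
import hashlib

# Constructed sample "data source": path -> content bytes (not from the page).
FILES = {
    "Windows/System32/notepad.exe": b"constructed notepad bytes",
    "Users/bob/vmplayer.exe": b"constructed vmplayer bytes",
    "Users/bob/disk01.vmdk": b"constructed vmdk bytes",
    "Users/bob/dropper.exe": b"constructed dropper bytes",
}

def md5_hex(data):
    # Autopsy's Hash Lookup module matches files on their MD5 hash.
    return hashlib.md5(data).hexdigest()

def parse_text_hash_set(text):
    """Parse the 'Text' hash set format: one hash per line, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

# Constructed hash sets in Text format: one "Known" (like NSRL), one "Notable".
KNOWN = parse_text_hash_set(md5_hex(FILES["Windows/System32/notepad.exe"]) + "\n")
NOTABLE = parse_text_hash_set(md5_hex(FILES["Users/bob/dropper.exe"]).upper() + "\n\n")

def hash_lookup(files, known, notable):
    """Hash Lookup module: classify each file as 'notable', 'known' or 'unknown'."""
    status = {}
    for path, data in files.items():
        h = md5_hex(data)
        # Assumption: a Notable hit wins over a Known hit, so a bad file is never hidden.
        status[path] = "notable" if h in notable else "known" if h in known else "unknown"
    return status

def rule_matches(path, rule):
    """One Interesting Files rule: ('full', 'vmplayer.exe') or ('ext', 'vmdk').
    Assumption: name matching is case-insensitive, as in Autopsy's file name rules."""
    kind, value = rule
    name = path.rsplit("/", 1)[-1].lower()
    if kind == "full":
        return name == value.lower()
    return name.endswith("." + value.lower())

def interesting_files(files, rules, status, ignore_known):
    """Return paths hit by any rule; with ignore_known set, skip files marked 'known'."""
    hits = []
    for path in files:
        if ignore_known and status.get(path) == "known":
            continue
        if any(rule_matches(path, rule) for rule in rules):
            hits.append(path)
    return hits

VMWARE_RULES = [("full", "vmplayer.exe"), ("ext", "vmdk")]  # the guide's two rules
```

Running the rule set with "Ignore Known Files" checked drops anything that the Known set already covers, which is why a broad rule such as an "exe" extension rule stays useful once NSRL is imported.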

Keyword Search – Autopsy Ingestion Module Configuration

You can search for keywords in your data source. “Known” files (based on the NSRL hash set) will be ignored. If you want, you can apply the “Hash Lookup” ingestion module after the “Keyword Search” module.
Follow these steps to build a keyword list:

[Tools] => [Options] => [Keyword Search]
    [Lists]
        [New List]
            New keyword list name: <Put the list name>
            [OK]

        On the right pane [New Keywords]
            Enter keywords (one per line) below: <Input the keywords of interest>
            Select type for keywords: (*) Exact Match
            *** You can also use Regex and Substrings
            [OK]

YARA Analyzer – Autopsy Ingestion Module Configuration

Initially the YARA Analyzer module comes without any rules. If you want to use it, you need to add some under:

[Tools] => [Options] => [Yara Rule Sets]

File Type Identification – Ingestion Module

You can add MIME file types for the “File Type Identification” ingestion module under:

[Tools] => [Options] => [File Types]

Autopsy Usage Guide

After you have finished configuring the ingestion modules, you can continue to the OptimizationCore Autopsy Usage Guide.
