Autopsy User Documentation  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Data Source Integrity Module

Overview

The Data Source Integrity module has two purposes:

Running the module

If you wish to verify hashes, the first step is to enter hashes for your disk image (unless you have an E01 file - the hash is included in the data source). You can do this in the Add Data Source wizard where you select your disk image.

data_source_integrity_add_ds.png

You can enter any combination of hashes to be verified.

You'll next need to configure the ingest module.

data_source_integrity_ingest_settings.png

Note that this is simply enabling one or both behaviors, not choosing which one to run (compute vs. verify). That is determined solely by whether the data source has associated hashes. Unchecking both boxes but leaving the module enabled will lead to an ingest module startup error

Viewing results

Hash verification

When verifying, if the check succeeds you'll see an inbox message confirming it. If you open the message you'll see the stored and computed hash values.

data_source_integrity_pass1.png


data_source_integrity_pass2.png

If the verification fails, you'll see an inbox message in yellow and the same message in a pop-up warning bubble.

data_source_integrity_failed_inbox.png

The inbox messages will disappear after the case is closed, so the module also adds a "Verification Failed" artifact added to the case.

data_source_integrity_failed_artifact.png

Hash computation

To view the calculated hashes, select "Data Sources" in the tree, select your data source in the result viewer, and then open the "File Metadata" tab. If you're in "Group by data source" mode (see View Options), select "Data Source Files" under the data source you want to examine.

data_source_integrity_metadata.png

Copyright © 2012-2019 Basis Technology. Generated on Thu Nov 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.