Autopsy

A large number of tools that can ingest threat intelligence are available to incident response analysts. For example, the disk forensics platforms discussed in Chapter 8, Analyzing System Memory, can ingest hashes from threat intelligence feeds and search an image for matching IOCs. In addition to commercial disk forensics tools, the open-source Autopsy platform can search against a hash set. Returning to the export formats in MISP, the indicators of an event can be downloaded as a .csv file. For event 711, download the CSV file, then filter the data on the type column so that only the hash-type attributes (md5, sha1, sha256) remain. This produces the following list:

From here, the hash values can be loaded into Autopsy:

  1. First, in Autopsy, click on Tools and then Options. Then, click on Hash Sets and then New Hash Set. The following window will appear:

  2. Enter a name for the hash set. A suggestion is to use a title and the MISP event number, 711. Click on Save As... and navigate to where the database will be saved. Leave the default settings in place, so that the set is treated as a notable (known bad) set and any file in the image whose hash matches an entry is flagged as a hit. Click on OK.
  3. In the next window, click on Add Hashes to Database. Copy the hash values from the filtered CSV file to the clipboard, then right-click on the blank space and select Paste.
  4. The hashes are now listed in the window. Click on Add Hashes to Database to commit them to the hash set.
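The filtering step above can be done by hand in a spreadsheet, but on a large event it is easier to script it. The following is an added example, not code from the book, MISP or Autopsy. It assumes the MISP CSV export carries the column names uuid, event_id, category, type, value, comment, to_ids and date (a real export has further columns, which are ignored), and it uses constructed sample rows whose hash values are those of the harmless EICAR test file and of an empty file, not indicators from any real incident. It handles two things a manual filter tends to miss: composite attributes such as filename|sha1, whose value column holds "name|hash", and values that are not well-formed hashes and would otherwise be pasted into Autopsy as dead entries.

```python
import csv
import io
import re

# Constructed sample of a MISP CSV export covering two events. The column
# layout (uuid,event_id,category,type,value,comment,to_ids,date) is assumed;
# a real export carries extra columns, which DictReader simply ignores.
# Hash values are those of the EICAR test file and of an empty file.
SAMPLE_MISP_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
u-1,711,Payload delivery,md5,44d88612fea8a8f36de82e1278abb02f,dropper,1,2018-01-02
u-2,711,Payload delivery,sha256,275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f,dropper,1,2018-01-02
u-3,711,Payload delivery,filename|sha1,update.exe|3395856ce81f2b7382dee72602f798b642f14140,renamed copy,1,2018-01-02
u-4,711,Payload delivery,md5,44D88612FEA8A8F36DE82E1278ABB02F,same file reported upper-case,1,2018-01-03
u-5,711,Network activity,ip-dst,203.0.113.10,C2 address (not a hash),1,2018-01-02
u-6,711,Payload delivery,md5,not-a-hash,analyst typo,1,2018-01-02
u-7,712,Payload delivery,md5,d41d8cd98f00b204e9800998ecf8427e,different event,1,2018-01-05
"""

# Expected hex length of each hash type Autopsy can look up.
HASH_TYPES = {"md5": 32, "sha1": 40, "sha256": 64}


def extract_hashes(csv_text, event_id=None, only_to_ids=False):
    """Collect hash values from a MISP CSV export.

    Returns {"md5": set(), "sha1": set(), "sha256": set()}. Composite types
    such as filename|md5 store "name|hash" in the value column, so the hash
    is taken from after the last '|'. Values are lower-cased, and anything
    that is not hex of the right length for its type is dropped rather than
    loaded into the hash set.
    """
    found = {t: set() for t in HASH_TYPES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if event_id is not None and row.get("event_id") != str(event_id):
            continue
        if only_to_ids and row.get("to_ids") != "1":
            continue
        attr_type = row["type"].strip().lower()
        value = row["value"].strip()
        if "|" in attr_type:                 # composite attribute, e.g. filename|sha1
            attr_type = attr_type.rsplit("|", 1)[-1]
            value = value.rsplit("|", 1)[-1]
        length = HASH_TYPES.get(attr_type)
        if length is None:
            continue                         # ip-dst, domain, url, ... are not hashes
        value = value.lower()
        if re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            found[attr_type].add(value)
    return found


def to_lines(hashes):
    """Flatten the per-type sets into one sorted, de-duplicated list of
    hashes, one per line, as pasted into Autopsy's Add Hashes to Database."""
    return sorted(set().union(*hashes.values()))


def write_hash_list(hashes, path):
    """Write the hash list to a text file; returns the number of lines written."""
    lines = to_lines(hashes)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_MISP_CSV, event_id=711)
    for line in to_lines(hashes):
        print(line)
```

On the sample above, event 711 yields three hashes: the upper-case duplicate collapses into the lower-case MD5, the filename|sha1 row contributes only its hash part, and the ip-dst and "not-a-hash" rows are skipped. The resulting one-hash-per-line text can be pasted straight into the Add Hashes to Database window. Passing only_to_ids=True restricts the list to attributes the MISP contributor flagged for detection use, which is usually what you want when the set is going to raise hits during ingest.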

This capability allows analysts to search a disk image for any file whose hash matches an indicator, which is far more efficient than trying to locate the files by name, path or timestamp. Autopsy also supports multiple hash sets, so a separate database can be kept per incident or per MISP event. Because a hash set can be updated as new intelligence arrives, an analyst can re-run the lookup against an image from an event a week or two old and find evidence of a compromise that traditional searching would have missed.
