GENERAL INFORMATION
TECHNICAL INFORMATION
Privacy Policy/Security Notice
NIST is an agency of the Date
created: 8/20/2003 Technical comments: nsrl@nist.gov Website comments: web897@nist.gov
|
PROJECT OVERVIEW
Overview: The National Software Reference Library (NSRL) provides a repository of known software, file profiles, and file signatures for use by law enforcement and other organizations in computer forensics investigations. Industry Need Addressed: Investigation of computer files requires a tremendous effort to review individual files. A typical desktop computer contains between 10,000 and 100,000 files, each of which may need to be reviewed. Investigators need to eliminate as many known files as possible from having to be reviewed. An automated filter program can screen these files for specific profiles and signatures. If a specific file’s profile and signature match the database of known files, then the file can be eliminated from review as a known file. Only those files that do not match would be subject to further investigation. In addition, investigators can search for files that are not what they claim to be (e.g., the file has the same name, size, and date of a common file, but not the same contents) or files that match a profile (e.g., hacking tools). The NSRL contains both benign and malicious software and is intended to be used as a filter of "known" file signatures, NOT "known good." The law enforcement
community came to NIST requesting help with a software library and signature
database that meets four criteria: NIST/ITL Approach: Original software is either purchased or donated by individual software manufacturers and other organizations, including older versions. This software includes virtually any type available, such as operating systems, database management systems, utilities, graphics images, component libraries, etc., in all their different versions. Each file in each piece of software is recorded and four file signatures are created for each file. The resulting signatures and identifying information, called the Reference Data Set, is distributed through NIST’s Standard Reference Data Group as NIST Special Database 28.
Impact: The first release of Special Database 28 was in October 2001 and it has been released quarterly since then. Subscriptions are available from NIST. Policy and procedures are in place to support free re-distribution. The September 2011 release has over 69 million file signatures. The NSRL is being used by many law enforcement and computer forensics organizations and can be imported into computer forensic tools available to state and local law enforcement. |