NIST is an agency of the
U.S. Commerce Department

Date created: 8/20/2003
Last updated:

Technical comments: nsrl@nist.gov

Website comments: web897@nist.gov

PROJECT OVERVIEW

Overview: The National Software Reference Library (NSRL) provides a repository of known software, file profiles, and file signatures for use by law enforcement and other organizations in computer forensics investigations.

Industry Need Addressed: Investigating the files on a computer requires a tremendous effort, because files must be reviewed individually. A typical desktop computer contains between 10,000 and 100,000 files, each of which may need to be reviewed. Investigators need to exclude as many known files as possible from review. An automated filter program can screen these files for specific profiles and signatures. If a specific file’s profile and signature match the database of known files, then the file can be eliminated from review as a known file. Only those files that do not match would be subject to further investigation. In addition, investigators can search for files that are not what they claim to be (e.g., the file has the same name, size, and date as a common file, but not the same contents) or files that match a profile (e.g., hacking tools).

The NSRL contains both benign and malicious software and is intended to be used as a filter of "known" file signatures, NOT "known good."
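The filtering described above, sketched as an added example that is not NIST code: files are labelled "known" (signature match), "profile-mismatch" (same name and size as a reference file but different contents), or "unknown". The record layout, the sample data, and the use of SHA-1 as the signature are assumptions; the page does not name the signature algorithms or the Reference Data Set file format.

```python
import hashlib
from collections import namedtuple

# Hypothetical in-memory record; this is not the Reference Data Set file layout.
RefEntry = namedtuple("RefEntry", "name size sha1")

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def build_index(entries):
    """Index reference entries by signature and by (name, size) profile."""
    by_hash = {e.sha1 for e in entries}
    by_profile = {(e.name.lower(), e.size) for e in entries}
    return by_hash, by_profile

def classify(path, data, by_hash, by_profile):
    """Return 'known', 'profile-mismatch' or 'unknown' for one file."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if sha1_hex(data) in by_hash:
        return "known"             # contents match; known, not "known good"
    if (name, len(data)) in by_profile:
        return "profile-mismatch"  # claims a known name and size, contents differ
    return "unknown"               # no match: stays in the review queue

def triage(files, entries):
    by_hash, by_profile = build_index(entries)
    return [(p, classify(p, d, by_hash, by_profile)) for p, d in files]

# Constructed sample data.
REF_CONTENT = b"constructed stand-in for a vendor binary\n"
ALTERED = b"constructed stand-in for a vendor BINARY\n"  # same length
REFERENCE = [RefEntry("editor.exe", len(REF_CONTENT), sha1_hex(REF_CONTENT))]
EVIDENCE = [
    ("C:/Program Files/editor.exe", REF_CONTENT),
    ("C:/Temp/editor.exe", ALTERED),
    ("C:/Temp/renamed.dat", REF_CONTENT),
    ("C:/Users/a/notes.txt", b"case notes\n"),
]

if __name__ == "__main__":
    for path, label in triage(EVIDENCE, REFERENCE):
        print(f"{label:17} {path}")
```

A "known" label only removes the file from the unknown set; because the library holds both benign and malicious software, a tool built this way still needs a separate source to decide whether a known file is of interest.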

The law enforcement community came to NIST requesting help with a software library and signature database that meets four criteria:
1) The organizations involved in the implementation of the filter must be unbiased and neutral.
2) Control over the quality of data provided by the database must be maintained.
3) A repository of original software must be made available from which data can be reproduced.
4) The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.

NIST/ITL Approach: Original software, including older versions, is either purchased or donated by individual software manufacturers and other organizations. This software includes virtually any type available, such as operating systems, database management systems, utilities, graphics images, component libraries, etc., in all their different versions. Each file in each piece of software is recorded, and four file signatures are created for each file. The resulting signatures and identifying information, called the Reference Data Set, are distributed through NIST’s Standard Reference Data Group as NIST Special Database 28.

Impact: The first release of Special Database 28 was in October 2001 and it has been released quarterly since then. Subscriptions are available from NIST. Policy and procedures are in place to support free re-distribution. The September 2011 release has over 69 million file signatures. The NSRL is being used by many law enforcement and computer forensics organizations and can be imported into computer forensic tools available to state and local law enforcement.