Overview: The National Software Reference Library (NSRL)
provides a repository of known software, file profiles, and file
signatures for use by law enforcement and other organizations in
computer forensics investigations.
Industry Need Addressed: Investigation of computer files
requires a tremendous effort to review individual files. A typical
desktop computer contains between 10,000 and 100,000 files, each
of which may need to be reviewed. Investigators need to exclude
as many known files as possible from review. An automated
filter program can screen these files for specific profiles and
signatures. If a specific file's profile and signature match the
database of known files, then the file can be eliminated from review
as a known file. Only those files that do not match would be subject
to further investigation. In addition, investigators can search
for files that are not what they claim to be (e.g., the file has
the same name, size, and date of a common file, but not the same
contents) or files that match a profile (e.g., hacking tools).
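
A minimal sketch of the filter described above, added here as an illustration and not NIST's or the NSRL's own code. It assumes SHA-1 as the file signature and a name-plus-size profile (the date is left out); the reference entries and evidence files are constructed samples.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_reference(known_files):
    """Index known files by signature and by (name, size) profile."""
    signatures, profiles = set(), set()
    for name, data in known_files.items():
        signatures.add(sha1_hex(data))
        profiles.add((name.lower(), len(data)))
    return signatures, profiles

def classify(path, data, signatures, profiles):
    """Return 'known', 'mismatch' or 'unknown' for one evidence file."""
    if sha1_hex(data) in signatures:
        return "known"      # contents match a reference file: skip review
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if (name, len(data)) in profiles:
        return "mismatch"   # claims a known name and size, other contents
    return "unknown"        # nothing matches: left for the investigator

def triage(evidence, signatures, profiles):
    """Sort every evidence file into one of the three verdict lists."""
    result = {"known": [], "mismatch": [], "unknown": []}
    for path, data in evidence.items():
        result[classify(path, data, signatures, profiles)].append(path)
    return result

# Constructed reference entries (assumption: stands in for the real data set).
KNOWN_FILES = {
    "notepad.exe": b"constructed notepad bytes v1",
    "readme.txt": b"constructed readme\n",
}
# Constructed evidence: one genuine copy, one same-name same-size file with
# different contents, one renamed copy of a known file, one user document.
EVIDENCE = {
    "C:/Windows/notepad.exe": b"constructed notepad bytes v1",
    "C:/Temp/notepad.exe": b"constructed notepad bytes v2",
    "C:/Temp/copy_of_readme.txt": b"constructed readme\n",
    "C:/Users/a/notes.doc": b"constructed user document",
}

if __name__ == "__main__":
    sigs, profs = build_reference(KNOWN_FILES)
    for verdict, paths in triage(EVIDENCE, sigs, profs).items():
        print(verdict, paths)
```

The renamed copy is still filtered out as known because the match is on contents, while the same-name, same-size file with different contents is the one surfaced as a mismatch.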
The law enforcement community came to NIST requesting help with
a software library and signature database that meets four criteria:
1) The organizations involved in the implementation of the filter
must be unbiased and neutral. 2) Control over the quality of data
provided by the database must be maintained. 3) A repository of
original software must be made available from which data can be
reproduced. 4) The database must provide a wide range of capabilities
with respect to the information that can be obtained from file systems
under investigation.
NIST/ITL Approach: Individual manufacturers of software,
law enforcement, and other organizations are being asked to donate
software, including older versions, to the repository. This software
includes virtually any type available, such as operating systems,
database management systems, utilities, graphics images, component
libraries, etc., in all their different versions. Each file in each
piece of software is recorded and four file signatures are created
for each file. The resulting signatures and identifying information,
called the Reference Data Set, are distributed through NIST's Standard
Reference Data Group as NIST Special Database 28.
Impact: The first release of Special Database 28 was in
October 2001, and it has been released quarterly since then. Subscriptions
are available from http://www.nist.gov/srd/nistsd28.htm.
Policy and procedures are in place to support free redistribution.
The December 2006 release has over 38 million file signatures. The
NSRL is being used by several federal law enforcement organizations
and can be imported into computer forensic tools available to state
and local law enforcement. Additionally, the National Archives and
Records Administration is working with us to research using the
NSRL to analyze federal electronic records.