Overview: The National Software Reference Library (NSRL) provides a repository of known software, file profiles, and file signatures for use by law enforcement and other organizations in computer forensics investigations.

Industry Need Addressed: Investigation of computer files requires a tremendous effort to review individual files. A typical desktop computer contains between 10,000 and 100,000 files, each of which may need to be reviewed. Investigators need to eliminate as many known files as possible from having to be reviewed. An automated filter program can screen these files for specific profiles and signatures. If a specific file's profile and signature match the database of known files, then the file can be eliminated from review as a known file. Only those files that do not match would be subject to further investigation. In addition, investigators can search for files that are not what they claim to be (e.g., the file has the same name, size, and date of a common file, but not the same contents) or files that match a profile (e.g., hacking tools).

The law enforcement community came to NIST requesting help with a software library and signature database that meets four criteria: 1) The organizations involved in the implementation of the filter must be unbiased and neutral. 2) Control over the quality of data provided by the database must be maintained. 3) A repository of original software must be made available from which data can be reproduced. 4) The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.

NIST/ITL Approach: Individual manufacturers of software, law enforcement, and other organizations are being asked to donate software, including older versions, to the repository. This software includes virtually any type available, such as operating systems, database management systems, utilities, graphics images, component libraries, etc., in all their different versions. Each file in each piece of software is recorded and four file signatures are created for each file. The resulting signatures and identifying information, called the Reference Data Set, is distributed through NIST's Standard Reference Data Group as NIST Special Database 28.

Impact: The first release of Special Database 28 was in October 2001, and it has been released quarterly since then. Subscriptions are available from http://www.nist.gov/srd/nistsd28.htm. Policy and procedures are in place to support free redistribution. The December 2006 release has over 38 million file signatures. The NSRL is being used by several federal law enforcement organizations and can be imported into computer forensic tools available to state and local law enforcement. Additionally, the National Archives and Records Administration is working with us to research using the NSRL to analyze federal electronic records.