Difference between pages "National Software Reference Library" and "Windows Registry XML"

From ForensicsWiki

= Windows Registry XML =

Latest revision as of 18:14, 15 June 2013

Microsoft's .reg format for representing MS Registry entries has many limitations, such as the inability to represent where registry information physically resides on the disk and the difficulty in representing Unicode. As a result, a variety of approaches have been implemented. Currently DFXML uses the [[RegXML]] standard to represent Registry entries.

==See Also==

There are several open source programs that use XML to represent the Windows Registry:

* [[registryasxml]] is a Windows GUI program that exports and imports sections of the Windows Registry as XML-formatted files.
* [[RegXML]] is also a Windows command-line utility that exports sections of the Windows Registry as XML-formatted files.
* [[hivexml]] is a command-line utility that is part of Red Hat's [http://libguestfs.org/ libguestfs] that converts Registry hives to XML.
* [http://www.nsrl.nist.gov/Documents/aafs2008/dw-1-AAFS-2008-wired.pdf Tracking Computer Use with the Windows® Registry Dataset], Doug White, NIST.
* [http://www.nsrl.nist.gov/WIRED/WIRED-060511.iso The complete set of code and a WiReD XML difference set for steganographic applications].

There is one commercial program that we have found:

* [http://www.componentsource.com/products/componentspace-registry-toolkit-component/prices.html ComponentSource] has a $195 .NET tool that allows management, importing and exporting of the registry via XML.

[[Category:Digital Forensics XML]]

= National Software Reference Library =

The '''National Software Reference Library''' (NSRL) is a reference collection of software maintained by the National Institute of Standards and Technology (NIST). The NSRL is a physical resource located in Gaithersburg, Maryland. The NSRL consists of more than 21,000 individual software packages. NIST has the original packaging and distribution media for 15,000 packages, and archived digital distributions for the remainder.

The RDS is the Reference Data Set. The RDS consists of the metadata describing software package titles, manufacturers, operating systems, file metadata and hash codes of the files in the NSRL. Originally (ca. 2000-2002) it was created by installing the software on systems and then generating a list of the hash codes. During 2003-2012 it was created by processing only the distributed media and extracting the installation files from the Microsoft .CAB, .MSI and .ZIP files, Unix/Linux .RPM and .DEB files, Apple .DMG files, and generic archive files. As of 2013, operating systems and packages are installed in virtual machines to facilitate collection of metadata and hashes from those installations.

The RDS is typically used for [[Data Reduction|data reduction]]. That is, the set of hash codes is used as a filter to eliminate or highlight files from examination. Most frequently the RDS is used as a list of ''known goods'' that can be safely suppressed. ''This is an incorrect usage of the RDS and should be discouraged,'' because the RDS does not indicate whether a file is known good or known bad, only that it is known. Indeed, the RDS has many files that were once thought to be good but are now thought to be bad, for example versions of Adobe Flash with known security vulnerabilities. Categories such as "Steganography" or "Keylogger" are assigned to allow filtering by need.

The NSRL is distributed online and can be downloaded from the [http://www.nsrl.nist.gov/Downloads.htm NSRL website]. The most recent release was version 2.40 in March 2013.

== RDS File Format ==

Each RDS consists of several files, but the hashes are stored in <tt>NSRLFile.txt</tt>. These files have a header followed by many hash records. The header denotes the columns in each file. (See the External Links for the complete specification.) RDS files can be used directly with programs like [[md5deep]], [[Forensic Toolkit|FTK]], and [[EnCase]].

The file format has changed slightly over time. Releases occur four times per year. The latest version was dated 1 Mar 2013:

=== Version 2.0 ===

Starting in version 2.0, the NSRL moved the hashes to the start of each line and dropped the [[MD4]] hash. The file header:

<pre>"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"</pre>

=== Version 1.5 ===

Information on the older header version is kept here so that programs can read older files. The file header:

<pre>"SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode"</pre>

<tt>OpSystemCode</tt> refers to the operating system code. The <tt>SpecialCode</tt> is a single character that can be used to mark records. A normal file has a blank value here. An <tt>M</tt> in this field denotes a malicious file.

== External Links ==

* [http://www.nsrl.nist.gov/ NSRL website]
* [http://www.nsrl.nist.gov/documents/Data-Formats-of-the-NSRL-Reference-Data-Set-14.pdf NSRL RDS Data File Format] - Describes the format of the hash files

[[Category:Hashing]]
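The following Python example, added here and not part of the wiki page or of any NIST tool, reads an <tt>NSRLFile.txt</tt> in either of the two header layouts described in the RDS File Format section above, keys the records by SHA-1, and applies them to an examination listing as a data-reduction filter that keeps "known" distinct from "known good" by honouring the <tt>SpecialCode</tt> <tt>M</tt> flag. The sample RDS rows and the file bytes they are hashed from are constructed for the example; the MD4 column in the version 1.5 row is left blank.

```python
import csv
import hashlib
import io
import zlib

# Column layouts for NSRLFile.txt as given in the RDS File Format section above.
HEADERS = {
    "2.0": ["SHA-1", "MD5", "CRC32", "FileName", "FileSize", "ProductCode", "OpSystemCode", "SpecialCode"],
    "1.5": ["SHA-1", "FileName", "FileSize", "ProductCode", "OpSystemCode", "MD4", "MD5", "CRC32", "SpecialCode"],
}

def hashes(data):  # SHA-1, MD5 and CRC32 of a byte string in the RDS's upper-case hex form
    return (hashlib.sha1(data).hexdigest().upper(), hashlib.md5(data).hexdigest().upper(),
            "%08X" % (zlib.crc32(data) & 0xFFFFFFFF))

def load_rds(text):
    """Parse NSRLFile.txt text with either header; return (version, {sha1: record})."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    version = next((v for v, h in HEADERS.items() if h == header), None)
    if version is None:
        raise ValueError("unrecognised NSRLFile.txt header: %r" % (header,))
    records = {}
    for row in reader:
        if row:                                   # skip blank trailing lines
            rec = dict(zip(header, row))
            records[rec["SHA-1"].upper()] = rec   # SHA-1 is present in both layouts
    return version, records

def classify(rds, sha1):
    """'unknown', 'known' or 'known-malicious' (SpecialCode M); 'known' does not mean 'good'."""
    rec = rds.get(sha1.upper())
    if rec is None:
        return "unknown"
    return "known-malicious" if rec["SpecialCode"] == "M" else "known"

def reduce_listing(rds, listing):
    """Apply the RDS to an examination listing of (path, sha1) pairs."""
    return {path: classify(rds, sha1) for path, sha1 in listing}

# Constructed sample data (not real NSRL records); MD4 is left blank in the 1.5 row.
BENIGN, FLAGGED = b"notepad.exe sample bytes", b"keylog.dll sample bytes"
S1, M1, C1 = hashes(BENIGN)
S2, M2, C2 = hashes(FLAGGED)
RDS_V20 = ('"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
           '"%s","%s","%s","notepad.exe","%d","1","WIN",""\n'
           '"%s","%s","%s","keylog.dll","%d","2","WIN","M"\n'
           % (S1, M1, C1, len(BENIGN), S2, M2, C2, len(FLAGGED)))
RDS_V15 = ('"SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode"\n'
           '"%s","notepad.exe","%d","1","WIN","","%s","%s",""\n' % (S1, len(BENIGN), M1, C1))
```

Running <tt>reduce_listing(load_rds(RDS_V20)[1], [("C:/Temp/keylog.dll", S2)])</tt> returns the flagged file as <tt>known-malicious</tt> rather than silently suppressing it, which is the distinction the data-reduction paragraph above warns about.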
