
National Software Reference Library

From ForensicsWiki
Revision as of 12:40, 19 March 2008 by Jessek (Talk | contribs) (Added category)


The National Software Reference Library (NSRL) consists of sets of known 'traceable' hashes produced by the National Institute of Standards and Technology (NIST). Useful for data reduction, it can be used to eliminate or highlight files from examination. The NSRL creates what they call a "Reference Data Set" or RDS. The RDS does not indicate if a file is known good or bad, only that it is known.

Although quite large, the NSRL is distributed online and can be downloaded from the NSRL website. The most recent release was version 2.15 in December 2006.

NSRL File Format

Each RDS consists of several files, but the hashes are stored in NSRLFile.txt. These files have a header followed by many hash records. The header denotes the columns in each file. (See the External Links for the complete specification.) RDS files can be used directly with programs like md5deep, FTK, and EnCase.

The file format has changed slightly over time. The latest version was dated 7 Feb 2007:

Version 2.0

Starting in version 2.0, the NSRL moved the hashes to the start of each line and dropped the MD4 hash. The file header:


Version 1.5

Information on the older header version is kept here so that programs can read older files. The file header:


OpSystemCode refers to the operating system code. The SpecialCode is a single character that can be used to mark records. A normal file has a blank value here. An M in this field denotes a malicious file.
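The following Python sketch is an added example, not code from the wiki or from NIST. It loads NSRLFile.txt content by header name, so both the 2.0 and 1.5 column layouts are handled, and then sorts evidence files into unknown, known and flagged (SpecialCode M). The column names other than OpSystemCode and SpecialCode, the column order, and all records are assumptions constructed for the example.

```python
import csv
import hashlib
import io

def load_rds(text):
    """Map SHA-1 -> SpecialCode from NSRLFile.txt content.

    Columns are found by header name, so the 2.0 layout (hashes first) and
    the 1.5 layout (different order, extra MD4 column) both load."""
    reader = csv.DictReader(io.StringIO(text))
    missing = {"SHA-1", "SpecialCode"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing RDS columns: {sorted(missing)}")
    known = {}
    for row in reader:
        sha1 = (row["SHA-1"] or "").strip().upper()
        code = (row["SpecialCode"] or "").strip()
        if sha1 and known.get(sha1) != "M":  # one M record marks the hash
            known[sha1] = code
    return known

def triage(files, known):
    """Label each file 'unknown', 'known' or 'flagged' (SpecialCode M)."""
    labels = {}
    for name, data in files.items():
        code = known.get(hashlib.sha1(data).hexdigest().upper())
        labels[name] = "unknown" if code is None else "flagged" if code == "M" else "known"
    return labels

def _row(order, data, name, special):
    """Build one constructed record in the given column order."""
    values = {"SHA-1": hashlib.sha1(data).hexdigest().upper(),
              "MD5": "0" * 32, "MD4": "0" * 32, "CRC32": "00000000",
              "FileName": name, "FileSize": str(len(data)), "ProductCode": "1",
              "OpSystemCode": "WIN", "SpecialCode": special}
    return ",".join(f'"{values[c]}"' for c in order)

# Assumed column names and order (only OpSystemCode and SpecialCode are
# named on the page); all records below are constructed, not NSRL data.
V2 = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize", "ProductCode", "OpSystemCode", "SpecialCode"]
V15 = ["SHA-1", "FileName", "FileSize", "ProductCode", "OpSystemCode", "MD4", "MD5", "CRC32", "SpecialCode"]
RECORDS = [(b"editor", "edit.exe", ""), (b"tool", "tool.exe", "M"), (b"tool", "tool.exe", "")]

def sample(order):
    head = ",".join(f'"{c}"' for c in order)
    return "\n".join([head] + [_row(order, d, n, s) for d, n, s in RECORDS]) + "\n"

EVIDENCE = {"a.bin": b"editor", "b.bin": b"tool", "c.bin": b"report draft"}
if __name__ == "__main__":
    for order in (V2, V15):
        print(triage(EVIDENCE, load_rds(sample(order))))
```

A "known" label only means the hash appears in the RDS; as noted above, the RDS does not say whether a file is good or bad.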

External Links