Digital Caseload Processing with the NIST National Software Reference Library

This webinar originally occurred on December 13, 2022
Duration: 1 hour

Overview

The National Software Reference Library (NSRL) is supported by federal, state, and local law enforcement as well as the National Institute of Standards and Technology (NIST) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. The NSRL collects software from many sources and incorporates file profiles computed from this software into a Reference Data Set (RDS). The RDS is used by law enforcement, government, and industry organizations to review unknown files by matching file profiles in the RDS. This alleviates much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations. The RDS core is a collection of digital signatures (hashes) of known, traceable software applications. There are application hash values in the hash set which may be considered malicious. There are no hash values of illicit data.

The NSRL acquires free software and purchases software through public commercial channels. Some vendors provide and allow NSRL to use unlimited licenses. Most of the software in the collection is built for microcomputers that run Windows, Mac OS, or Linux and mobile devices that run iOS or Android. Acquisition is driven by popularity (i.e., titles or apps that are most likely to appear during investigations). The steering committee identifies software to be acquired (e.g., keylogging, communications, by language, by manufacturer). Notable items in the collection other than standalone software are mobile phone images, online game platform titles, and live system snapshots of updates. The most common use of the NSRL RDS metadata comes via importing the data into a commercial digital forensics tool. The tool provides a user interface to automate comparison of file signatures (hashes) and filter the files under investigation into sets. The extensive metadata provided by the NSRL can assist investigators to 1) identify the titles of possible software; 2) identify possible operating systems; 3) identify the versions of software; and 4) create a data subset for notable software.

The NSRL metadata is available as a free download for anyone and has been available since 2001. Currently, with version 2.X, customers download large (11 GB total) ISO files every three months, which are meant to fully replace the previous downloads. The goals of a new publication format replacing RDS 2.X are 1) increase search and sort capabilities; 2) provide a simple method for customers to update with each new publication, without changing the overall format; 3) add new hash algorithms in a simple way; 4) support data that could not be published in a text file format; and 5) include all metadata collected by the NSRL. Important new data that is included in RDS 3.X that has not been in RDS 2.X include SHA256 hashes, full product versioning information, additional manufacturer information, original string encodings, and file location data within a software package. The webinar will provide live demos of examples and use of the metadata will be shown.

Detailed Learning Objectives

1. Attendees will be made aware of changes to the NIST NSRL hash set data, which could affect digital forensics tools.
2. Attendees will be made aware of the additional metadata available in the NIST NSRL hash set data which can more efficiently support digital investigations.
3. Attendees will understand how to create custom hash sets for various case scenarios.

Presenter

• Douglas White, M.S. | Computer Scientist, National Institute of Standards and Technology (NIST)