Digital Caseload Processing with the NIST National Software Reference Library

Digital Caseload Processing with the NIST National Software Reference Library

This webinar originally occurred on December 13, 2022
Duration: 1 hour


The National Software Reference Library (NSRL) is supported by federal, state, and local law enforcement as well as the National Institute of Standards and Technology (NIST) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. The NSRL collects software from many sources and incorporates file profiles computed from this software into a Reference Data Set (RDS). The RDS is used by law enforcement, government, and industry organizations to review unknown files by matching file profiles in the RDS. This alleviates much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations. The RDS core is a collection of digital signatures (hashes) of known, traceable software applications. There are application hash values in the hash set which may be considered malicious. There are no hash values of illicit data.

The NSRL acquires free software and purchases software through public commercial channels. Some vendors provide and allow NSRL to use unlimited licenses. Most of the software in the collection is built for microcomputers that run Windows, Mac OS, or Linux and mobile devices that run iOS or Android. Acquisition is driven by popularity (i.e., titles or apps that are most likely to appear during investigations). The steering committee identifies software to be acquired (e.g., keylogging, communications, by language, by manufacturer). Notable items in the collection other than standalone software are mobile phone images, online game platform titles, and live system snapshots of updates. The most common use of the NSRL RDS metadata comes via importing the data into a commercial digital forensics tool. The tool provides a user interface to automate comparison of file signatures (hashes) and filter the files under investigation into sets. The extensive metadata provided by the NSRL can assist investigators to 1) identify the titles of possible software; 2) identify possible operating systems; 3) identify the versions of software; and 4) create a data subset for notable software.

The NSRL metadata is available as a free download for anyone and has been available since 2001. Currently, with version 2.X, customers download large (11 GB total) ISO files every three months, which are meant to fully replace the previous downloads. The goals of a new publication format replacing RDS 2.X are 1) increase search and sort capabilities; 2) provide a simple method for customers to update with each new publication, without changing the overall format; 3) add new hash algorithms in a simple way; 4) support data that could not be published in a text file format; and 5) include all metadata collected by the NSRL. Important new data that is included in RDS 3.X that has not been in RDS 2.X include SHA256 hashes, full product versioning information, additional manufacturer information, original string encodings, and file location data within a software package. The webinar will provide live demos of examples and use of the metadata will be shown.

Detailed Learning Objectives

  1. Attendees will be made aware of changes to the NIST NSRL hash set data, which could affect digital forensics tools.
  2. Attendees will be made aware of the additional metadata available in the NIST NSRL hash set data which can more efficiently support digital investigations.
  3. Attendees will understand how to create custom hash sets for various case scenarios.


  • Douglas White, M.S. | Computer Scientist, National Institute of Standards and Technology (NIST)

Funding for this Forensic Technology Center of Excellence webinar has been provided by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice.

The opinions, findings, and conclusions or recommendations expressed in this webinar are those of the presenter(s) and do not necessarily reflect those of the U.S. Department of Justice.

Contact us at with any questions and subscribe to our newsletter for notifications.

Related Content

FLN-TWG: Updating Data Collection for Digital Evidence Casework in Project FORESIGHT

← Back to FLN-TWG Main Page  Forensic Laboratory Needs Technology Working Group (FLN-TWG) The National Institute of Justice (NIJ), in partnership with the Forensic Technology Center of Excellence (FTCOE) at RTI International, formed the Forensic Laboratory Needs Technology Working Group…

Guidance Document on Considerations for Photographic Documentation in Sexual Assault Cases

Date August 2022 Overview Sexual Assault Nurse Examiners (SANEs) are medical professionals with specialized training and expertise in medicine, psychology, and forensic science and are qualified to conduct sexual assault forensic examinations. During the sexual assault forensic examination, SANEs may…
vehicles driving in tunnel

Success Story: Improving the Reliability of Forensic Data from Vehicle Data Records

National Institute of Justice and Synercon Technologies Date December 2017 Overview Event Data Recorders (EDRs) are available in commercial vehicles. EDRs store relevant information about operation and other environmental variables. These devices contain content that support criminal investigations involving commercial…