National Software Reference Library (NSRL)
As of the March 2018, RDS release (2.60), the NSRL is no longer accepting new subscriptions for physical DVD releases of our dataset. Our most recent release is available from the NSRL Download page, under Current RDS Hash Set .
Please direct any questions to the NSRL team at firstname.lastname@example.org.
A collaboration of the National Institute of Standards and Technology (NIST), the National Institute of Justice (NIJ), the Federal Bureau of Investigation (FBI), the Defense Computer Forensics Laboratory (DCFL), the U.S. Customs Service, software vendors, and state and local law enforcement organizations, the NSRL is a tool to assist in fighting crime involving computers.
The National Software Reference Library (NSRL) is an example of the application of technology to investigate crimes involving computers, such as child pornography, racketeering, cyber-attacks, illegal gambling, Internet fraud, and software piracy.
The NSRL encompasses a repository of all types of software, from operating systems, to vertical applications, to database management systems, to graphics packages, to games, to everything in between.
It also includes a database of file profiles, i.e., "software fingerprints," that can be used to identify known and unknown files on computers, diskettes, magnetic tapes, CDs, etc., that have been seized pursuant to investigation.
The files that make up each software package are analyzed to collect profile information, such as file name, directory name, file size, and version.
The "software fingerprints" are hexadecimal character strings derived from complicated standard equations and algorithms applied to the contents of each file.
Each "fingerprint" is unique to a specific file and can be used to determine if-
- A file has been altered.
- A file has been renamed or other means to hide it have been attempted.
- A file is what it purports to be.
- A file is missing when it should be found.
- A file is actually present on a disk.
The NSRL can save an investigator hundreds of hours in an investigation. A single computer or hard disk drive can contain between 10,000 and 50,000 individual files, each of which must be examined for probative value. If multiple computers, disk drives, magnetic tapes, or other media are involved, the staff hours could reach into the thousands and take months to finish.
The NSRL can reduce the time it takes to investigate each computer by 40 to 95 percent, depending on the contents of the file system.
It does this by allowing the investigator to weed out those files that are known, i.e., have known profiles and fingerprints in our database. The investigator can then concentrate on the unknown files.
NIST produces the NSRL using state-of-the-art software and computers to verify the fingerprints of each software package.
The database of file profiles and fingerprints is periodically stored on a CD and shipped to those organizations that have paid for an annual subscription to updates.
The database is known as the NSRL Reference Data Set (RDS) and is used in various products associated with computer crime investigations. It may be freely copied and distributed by any organizations.
NIST applies a digital signature to each update of the RDS to enable the database to be verified that it is correct and was produced by NIST. If any modifications are made to the database, the signature will be different and show that modifications have been made.
For more information on NIST's redistribution policy for NSRL, click here
Douglas R. White
National Institute of Standards and Technology
Software and Systems Division (897) Chemistry (222),
Room B304 100 Bureau Dr., Stop 8970
Gaithersburg, MD 20899-8970
Email(w):email@example.com Voice (301) 975-4761
Keywords: crime, computers, law enforcement, software, database management, graphics, file profiles, software fingerprints, investigation, NIST, NIJ, FBI, DCFL, US Customs Service