The National Software Reference Library: Software Datasets

A computer seized as part of a criminal investigation might contain more than 100,000 files, and each of these files must be reviewed for evidentiary content. However, the time required to analyze so many files slows the investigative process and contributes to evidence backlogs.

The National Software Reference Library (NSRL) provides law enforcement with an automated method of sorting through digital files. The tool, funded by NIJ and created by the National Institute of Standards and Technology (NIST), helps improve the speed and efficiency of computer forensics investigations.

NSRL collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set (RDS) of information. RDS compares digital signatures (also known as "hashes") of known file types with the signatures of digital evidence files.

This automated process helps investigators:

  • Rapidly identify specific types of files on a seized computer.
  • Reduce the number of files that must be manually analyzed. For example, analysts might use RDS to automatically omit from their search thousands of Windows operating system files that are known to be innocuous.
  • Detect unauthorized software usage.
  • Improve evidence discovery by filtering out files with no investigative relevance.
  • Determine the source, ownership and origin of specific files.
  • Find hacking tools and other malicious programs.
  • Discover important evidence that may be hidden in files with innocuous names.
  • Customize the search and filter results according to other file characteristics, such as file size, date and name. Filters could be positive, as in "file profile contains," or negative, as in "file profile does not contain."
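
The hash comparison behind these uses can be sketched as follows. This is an added example, not NSRL or NIST code: the CSV layout (`sha1,name,product`), the choice of SHA-1, and every file and product name are constructed for illustration and are not real RDS data.

```python
import csv, hashlib, io, os, tempfile

def build_reference(csv_text):
    """Index a constructed reference set by content hash (one hash may have many names)."""
    ref = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref.setdefault(row["sha1"].lower(), []).append((row["name"].lower(), row["product"]))
    return ref

def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, ref):
    """Sort files under root into known / renamed / unknown by content hash."""
    result = {"known": [], "renamed": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            entries = ref.get(sha1_of(os.path.join(dirpath, name)))
            if entries is None:
                result["unknown"].append(name)        # not in the set: manual review
            elif any(n == name.lower() for n, _ in entries):
                result["known"].append(name)          # hash and name match: filter out
            else:                                     # known content under another name
                result["renamed"].append((name, entries[0][1]))
    return result

def demo():
    samples = {  # constructed evidence files: name -> content
        "notepad.exe": b"constructed OS binary",
        "holiday.jpg": b"constructed scanner tool",   # tool stored under an innocuous name
        "notes.txt": b"user-created document",
    }
    ref_csv = "sha1,name,product\n"
    ref_csv += f'{hashlib.sha1(samples["notepad.exe"]).hexdigest()},notepad.exe,Constructed OS\n'
    ref_csv += f'{hashlib.sha1(samples["holiday.jpg"]).hexdigest()},scanner.exe,Constructed Scanner Tool\n'
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return triage(root, build_reference(ref_csv))

if __name__ == "__main__":
    print(demo())
```

Because the match is on file content rather than file name, the renamed tool is still identified, while the one file absent from the reference set is the only one left for manual review.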

NSRL's RDS could be used in various investigations, from intellectual property cases to computer hacking. NIST works with law enforcement, government and other trusted sources to update RDS quarterly. This standard reference database provides law enforcement with validated hash sets and support for testimony related to digital evidence given in judicial proceedings.

Law enforcement officials may access RDS by downloading it from the NSRL website or requesting a set of CDs from NSRL.

Date Created: November 5, 2010