The National Software Reference Library has initially been designed to aid computer forensics experts in the investigation of crimes that involve computers.
It consists of a list of nearly 40 million files and hashes that are used to alleviate the process of determining evidence by excluding files from the investigation that are found on the list. It is a whitelist so to speak of "good" files that don't need to be analyzed for forensic evidence.
The database was not initially accessible online. Only CDs containing the data sets were offered on the project's website. This made it impracticable to use for anyone who wanted to look up a single file or hash.
The Internet Storm Center (ISC) has converted the full set of hashes into an online application that can be checked on the new Find A Hash beta testing website.
Update: The project has moved, you find it on Github now. You can download the source code or a binary for Windows.
The database of non-malicious software programs and files consists of 39,944,023 samples. Supported are the search for filenames and SHA1 or MD5 hashes.
We are using version 2.27 (December 2009). You can search for SHA1 or MD5 hashes. There are no Windows 7 hashes yet. NIST offers a Knoppix bootable CD that can be used to collect hashes. We are interested in adding more sources of hashes and would be interested in your hash collection if you have one to offer. Note: The NIST NSRL database only includes hashes of files from original install media. Currently, no patched versions are included. As a result, your hash may differ if that particular file was patched after the original release.
In addition to the NIST database, we also run a test agains the Team Cymru Hash Registry. It covers malware. If a match is found we will post a link to the respective page at Threatexpert.com (only for MD5 hashes right now).
The concentration on original install media and only unpatched files makes the database impracticable for many uses but the developer's are asking for hash contributions to improve the database.
The latest version for end users is a command line application. Use the command nsrllookup /? to get started. It displays the list of available parameters. You may also use the program in conjunction with software such as hashdeep as pointed out on the project website.
It is probably not something that most computer users will have a use for. However, if you have to analyze a directory full of files or even an entire computer system, you may find the functionality it provides useful for that.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.