The National Software Reference Library (NSRL)
The National Software Reference Library (NSRL) is a project at the National Institute of Standards and Technology (NIST), the primary goals of which are to store all existing software, file profiles, and file signatures and to provide guidelines for their efficient usage by various organizations that deal with forensic investigations. The library consists of three main sections:
- a physical repository of application packages that are available for purchase;
- a comprehensive database providing descriptions of every file that the packages contain; and
- a small database of the most popular information, which is updated once every three months (Hayes, 2015).
At present, the library disposes of more than 7000 software packages with more than 35 million files—many of which are duplicates used in several programs simultaneously—and over 11 million unique files (Altheide & Carvey, 2011).
This database is very useful in the process of forensic investigation, as it saves the investigator a considerable amount of time that he or she would otherwise waste examining files. In fact, when possible, the database excludes known files that cannot provide any evidence from the automatic search. Moreover, the library can identify what programs were used in the system, which helps the investigator infer where he or she should examine for further evidence. This information can be particularly helpful when dealing with intellectual property issues, as it may show whether the user had a license for certain applications.
Computer Forensic Tool Testing
Computer Forensic Tool Testing (CFTT) is another project at NIST, which was created to check forensic tools (including both hardware and software) that are used in the process of investigation. The CFTT project was launched in 2000 and has proven to be quite successful in developing methodologies for forensic tools assessment. It offers a unique set of criteria and specifications that make it possible to estimate whether the tools are able to perform the functions that are required from them (Guttman, Lyle, & Ayers, 2014). So far, no critical errors have been found in the performance of CFTT.
CFTT results can be used not only by software producers who want to improve their tools but also by a wide range of specialists, including investigators. The project allows them to decide whether given tools meet all requirements and can be used for the specific purposes of a particular investigation. Evidence collected and verified with the help of CFTT is admissible in legal proceedings (Peterson & Shenoi, 2014).
Computer Forensic Reference Data Sets (CFReDS)
The Computer Forensic Reference Data Sets (CFReDS) represent a small but valuable body of data created by NIST, which provides simulated evidence for examination and allows investigators to perform string searches using various encodings (Peterson & Shenoi, 2014). The corpus contains disk images, mobile images, and system memory analysis images, some of which are accompanied by scenarios. CFReDS stores data retrieved from many different sources and allows users to create their own samples for performing particular tasks.
There are many ways to operate CFReDS in order to improve forensic evidence. These data sets are capable of several functions, including testing forensic tools, checking hardware and laboratory equipment, and training investigators. Practically all data sets can perform more than one function.
References
Altheide, C. & Carvey, H. (2011). Digital forensics with open source tools. Burlington, MA: Syngress.
Guttman, B., Lyle, J., & Ayers, R. (2014). Ten years of computer forensic tool testing. Digital Evidence And Electronic Signature Law Review, 8(1). Web.
Hayes, D. (2015). A practical guide to forensics investigations. Indianapolis: Pearson.
Peterson, G. & Shenoi, S. (2014). Advances in digital forensics X. Berlin, Heidelberg.