Presentation is loading. Please wait.

Presentation is loading. Please wait.

July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004.

Published byElaine Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004."— Presentation transcript:

1 July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004

2 July 9, 2004 www.nsrl.nist.gov2 Introduction The National Software Reference Library is: A physical collection of over 5,000 software packages on secured shelves A physical collection of over 5,000 software packages on secured shelves A database of file “fingerprints” (or “hashes”) and additional information to uniquely identify each file on the shelves A database of file “fingerprints” (or “hashes”) and additional information to uniquely identify each file on the shelves A Reference Data Set (RDS) extracted from the database onto CD, used by law enforcement, investigators, researchers, others A Reference Data Set (RDS) extracted from the database onto CD, used by law enforcement, investigators, researchers, others

3 July 9, 2004 www.nsrl.nist.gov3 Use of the NSRL Eliminate as many known files as possible from the examination process using automated means Eliminate as many known files as possible from the examination process using automated means Discover expected file name with unknown contents Discover expected file name with unknown contents Identify origins of files Identify origins of files Look for malicious files, e.g., hacker tools Look for malicious files, e.g., hacker tools Identify duplicate files Identify duplicate files Provide rigorously verified data for forensic investigations Provide rigorously verified data for forensic investigations

4 July 9, 2004 www.nsrl.nist.gov4 How Did the NSRL Start? Law Enforcement needed software hashes that could be used in investigations and in court. Source must be unbiased - NIST is a neutral organization Source must be unbiased - NIST is a neutral organization Data produced must be of the highest quality Data produced must be of the highest quality Data must be traceable and repeatable Data must be traceable and repeatable There must be a repository of original software There must be a repository of original software NIST provides an open rigorous process NIST provides an open rigorous process

5 July 9, 2004 www.nsrl.nist.gov5 NSRL Software Collection Balance of most popular (encountered often) and most desired (pirated often) Balance of most popular (encountered often) and most desired (pirated often) Currently 32 languages, used internationally Currently 32 languages, used internationally Software is purchased commercially Software is purchased commercially Software is donated under non-use policy Software is donated under non-use policy List of contents available on website List of contents available on websitewww.nsrl.nist.gov

6 July 9, 2004 www.nsrl.nist.gov6 NSRL Software Database Information to uniquely identify every file on every piece of media in every application Information to uniquely identify every file on every piece of media in every application Database schema is available on website Database schema is available on website 4,200 Bytes per application 4,200 Bytes per application 750 Bytes per file 750 Bytes per file Total database size now 20 GB for 5,000 applications with 31,900,000 files Total database size now 20 GB for 5,000 applications with 31,900,000 files

7 July 9, 2004 www.nsrl.nist.gov7 NSRL Reference Data Set The Reference Data Set (RDS) is a selection of information from the NSRL database The Reference Data Set (RDS) is a selection of information from the NSRL database Allows positive identification of manufacturer, product, operating system, version, file name from file “signature” Allows positive identification of manufacturer, product, operating system, version, file name from file “signature” Data format available for forensic tool developers Data format available for forensic tool developers Published quarterly, free redistribution Published quarterly, free redistribution Possible to publish critical data out of regular schedule; in February 2004 NSRL supplied 500,000 Arabic file signatures to FBI & DoD Possible to publish critical data out of regular schedule; in February 2004 NSRL supplied 500,000 Arabic file signatures to FBI & DoD

8 July 9, 2004 www.nsrl.nist.gov8 RDS Field Use Concept KNOWN FILES RDS ANALYSIS PROGRAM UNKNOWN FILES FILES Disk Drive

9 July 9, 2004 www.nsrl.nist.gov9 RDS Field Use Example Windows 2000 operating system software contains 5933 images which are known gifs, icons, jpeg files You are looking for sensitive facility maps on a computer which is running Windows 2000. By using the RDS and an analysis program the investigator would not have to look at these files to complete his investigation. e.g.,

10 July 9, 2004 www.nsrl.nist.gov10 Hashes Like a person’s fingerprint Like a person’s fingerprint Uniquely identifies the file based on contents Uniquely identifies the file based on contents You can’t create the file from the hash You can’t create the file from the hash Primary hash value used is Secure Hash Algorithm (SHA-1) specified in FIPS 180-1, a 160-bit hashing algorithm Primary hash value used is Secure Hash Algorithm (SHA-1) specified in FIPS 180-1, a 160-bit hashing algorithm 10 45 combinations of 160-bit values 10 45 combinations of 160-bit values “Computationally infeasible” to find two different files less than 2 64 bits in size producing the same SHA-1 “Computationally infeasible” to find two different files less than 2 64 bits in size producing the same SHA-1 2 64 bits is one million terabytes 2 64 bits is one million terabytes

11 July 9, 2004 www.nsrl.nist.gov11 Hash Examples Filename Bytes SHA-1 NT4\ALPHA\notepad.exe 68368 F1F284D5D757039DEC1C44A05AC148B9D204E467 NT4\I386\notepad.exe 45328 3C4E15A29014358C61548A981A4AC8573167BE37 NT4\MIPS\notepad.exe 66832 33309956E4DBBA665E86962308FE5E1378998E69 NT4\PPC\notepad.exe 68880 47BB7AF0E4DD565ED75DEB492D8C17B1BFD3FB23 WINNT31.WKS\I386\notepad.exe 57252 2E0849CF327709FC46B705EEAB5E57380F5B1F67 WINNT31.SRV\I386\notepad.exe 57252 2E0849CF327709FC46B705EEAB5E57380F5B1F67

12 July 9, 2004 www.nsrl.nist.gov12 NSRL & National Archives and Records Administration Use hashing process on non-classified Presidential materials Use hashing process on non-classified Presidential materials Identify application files Identify application files Identify duplicate files Identify duplicate files Access to older installed software Access to older installed software

13 July 9, 2004 www.nsrl.nist.gov13 NSRL & Voting Systems Needs Determine that software used during elections is the expected software Determine that software used during elections is the expected software Tested, certified version is definitively identifiable Tested, certified version is definitively identifiable Same during distribution, installation, setup, or use Same during distribution, installation, setup, or use “Chain of custody” “Chain of custody” Transparency Transparency The NSRL methodology is in the public domain, available for inspection The NSRL methodology is in the public domain, available for inspection Jurisdictions can share knowledge with each other Jurisdictions can share knowledge with each other

14 July 9, 2004 www.nsrl.nist.gov14 EAC & NSRL Can verify that operating system file contents have not been modified Can verify that operating system file contents have not been modified Can verify that application file contents have not been modified Can verify that application file contents have not been modified Can verify that known static sections of files have not been modified Can verify that known static sections of files have not been modified At 866MHz, SHA-1 of 50MB takes ~5 sec., MD5 of 50MB takes ~4 sec. At 866MHz, SHA-1 of 50MB takes ~5 sec., MD5 of 50MB takes ~4 sec.

15 July 9, 2004 www.nsrl.nist.gov15 Voting Research Issues  Working with software companies to get access to software  Distribution vs. installation hashes  If there is any setup after the hashes are made, how do you know what changes are valid?  Possible/practical to have on-location, time-of- certification hashing?  Verification within time/ space/ security constraints

16 July 9, 2004 www.nsrl.nist.gov16 Discussion Questions about the NSRL Questions about the NSRL Discussion of the NSRL and Voting Systems Discussion of the NSRL and Voting Systems

17 July 9, 2004 www.nsrl.nist.gov17 Contact Douglas White Software Diagnostics and Conformance Testing Information Technology Laboratory Telephone: 301-975-4761 Email: nsrl@nist.gov Web: www.nsrl.nist.gov

Download ppt "July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004."

Similar presentations

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
Pinpoint Labs Software Presented by: Jonathan P. Rowe President and CEO Certified Computer Examiner Member: The International Society of Forensic Computer.

Pinpoint Labs Software Presented by: Jonathan P. Rowe President and CEO Certified Computer Examiner Member: The International Society of Forensic Computer.
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.

3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.

Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 2 Installing Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 2 Installing Windows Server 2008.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.

Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.
Security Equipment Equipment for preventing unauthorised access to data & information.

Security Equipment Equipment for preventing unauthorised access to data & information.
Security of Electronic Records 29th Meeting of the ICA / SIO Geneva -13 May 2003 Milovan Misic.

Security of Electronic Records 29th Meeting of the ICA / SIO Geneva -13 May 2003 Milovan Misic.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
ACCB 133 Information Technology and Accounting Applications Lecture 6: Application Software.

ACCB 133 Information Technology and Accounting Applications Lecture 6: Application Software.

Similar presentations

Ads by Google