Visit the NIST Main Home Page

National Software Reference Library Logo

HOME

GENERAL INFORMATION

TECHNICAL INFORMATION

DOWNLOADS

CFTT Website

Privacy Policy/Security Notice
Disclaimer | FOIA

NIST is an agency of the
U.S. Commerce Department

Date created: 8/20/2003
Last updated: April 28, 2009

Technical comments: nsrl@nist.gov

Website comments: web897@nist.gov

 

 

 

Downloads

On this page, we will make links available to hashsets, to source code, and to executable tools produced by the NSRL.

Query the Hash Set Online
There is a project called NSRLquery developed by Rob Hansen of RedJack Security LLC, which has two subprojects: nsrlsvr, which provides a server that yields NSRL RDS information on request, and nsrllookup, a simple command-line application that queries the server.
Jesse Kornblum of Kyrus has established a beta testing NSRLquery server at nsrl.kyr.us, and NSRL has been supplying release-day data to support this server.


ISO 9660 images of RDS CDs

If you have a fast Internet connection, you may download ISO 9660 image files and burn your own copy of the RDS CDs.

Be aware that the ISO image files are each approximately 700MB in size.

The RDS, from RDS 2.20 onward, does not support the categorization used in previous releases. For example, you cannot use CD "B" for exclusion of known operating system applications, as was possible previously.

NOTE: the data format has not changed, merely the allocation of space across the media.

The discs contain the following ranges of SHA-1 hash values:
CD "A"           0000000000000000000000000000000000000000
                     - 3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

CD "B"           4000000000000000000000000000000000000000
                     - 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

CD "C"           8000000000000000000000000000000000000000
                      - BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

CD "D"           C000000000000000000000000000000000000000
                     - FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

RDS 2.48 , March 2015

The full RDS Release has become too large for distribution on four CDROMs. For users familiar with the process of using four CDROMs to load RDS data you will find a directory called RDS_Split on this DVD. This directory contains the four RDS zip files that were traditionally distributed on the four CDROMS.

For users interested in processing a unified RDS set, a directory called RDS_Unified can be found on this DVD. This directory contains the RDS files as traditionally presented on the RDS DVD ISO.

Combo DVD - A single 6 GB ISO containing all data
DVD signatures - SHA1, MD5, and filesize of the DVD image

If you wish to preview the contents, you may download three smaller files without the hash metadata. These files conform to the NSRL data format.

Product listing - 3MB text file
Manufacturer listing - 100KB text file
Operating systems listing - 50KB text file

Be aware that the converted ZIP files are each between 1.8 and 2.0 GB in size.
NIST has also converted the RDS format data into data files for some commercial products:

Hashes of the zip files
Encase - with the 4 CD datasets split into directories
Hashkeeper Format
Hashkeeper Split with the 4 CD datasets split into directories
Hashkeeper Unified with the dataset in a single directory
AccessData Known File Filter (KFF) tool for FTK updates
Contact nsrl@nist.gov with questions about other formats.

Reduced Sets

A "minimal" hashset is available which contains only 41,387,220 file hashes. This set only lists one example of every file in the NSRL. It cannot be used to determine all possible sources of a file. Minimal set (2.6GB)
SHA1(rds_248m.zip)=aeef4b6d52cd5d1dcc5447e8016b349c8c3ddbad

A "unique" hashset is available which contains only 21,838,909 file hashes. This set lists the files that appear only once in the entire NSRL collection. Unique set (1.4GB)
SHA1(rds_248u.zip)=a07fee9ce38faa41fdb848d16b4316e314964663


Diskprint RDS Supplement

Download

SHA-1
rds_247dp.zip - 5a8451ab3ff6dd8a4409e7885f4126e401aff61b

Data description: Diskprint file hashes

Some of the file hashes in this release are a product of an experimental analysis workflow. These derived hashes are coded "D" for the name of the source data, "Diskprints." A Diskprint is an analysis of an application's lifecycle, including some combination of installation, basic running, uninstallation, and a system reboot. Snapshots of virtual machines are used to capture whole-system state for later analysis, typically with at least one snapshot per lifecycle point (e.g. installation, running, etc.). Software being analyzed in the Diskprint Project comes from the NSRL. File hashes of the installation media are among the contents of NSRLFile.txt. The "D"-coded hashes are from files that were in the virtual machines' storage.

The hashes included here are of files that were found to have been added, or to have had their contents modified, from one snapshot to another. The process of identifying these changes is file system differential analysis [1]. The code that executed the file system differencing is the program "make_differential_dfxml.py," a part of the Digital Forensics XML [2] Python library [3]. That code is run by the Diskprint workflow [3], which analyzes all of the diskprint snapshots, and keeps track of exact versions of the software on which it depends.

Caveats

Some files from the diskprint data are excluded from this hash list. The exclusions are for these reasons:

  • Files stored with NTFS compression are skipped, pending a modification to the DFXML Python bindings that handle file content extraction. The bindings do not presently handle NTFS compression.
  • Files that are "Resident" in their MFT entries currently have their byte runs reported incorrectly by The SleuthKit's library. There is an issue filed on this. Until this bug is fixed, these files are skipped.

References

  1. Simson Garfinkel, Alex Nelson, and Joel Young, "A general strategy for differential forensic analysis," in Proceedings of the DFRWS 2012 Annual Conference, August 2012. (Available from the conference website.)
  2. Simson Garfinkel. Digital Forensics XML and the DFXML toolset, Digital Investigation, 8 (2012), 161-174. (Available from the author's website.)
  3. https://github.com/simsong/dfxml.
  4. https://github.com/ajnelson/diskprint_workflow. The commit used in this RDS release was e9a7497891be6c03f295aab71c4f55fc99d50fd8.

Source data

Table 1 lists all of the applications, and the operating systems on which they were installed, that were analyzed to create these hashes.

Table 1: Applications, their product codes, and their baseline operating systems.
Application Version Operating system Version Application ProdCode
Adobe Acrobat Reader 3.0 Copyright 1995-1996 Windows Vista Ultimate with Service Pack 1 2008 11492
Adobe Dynamic Media Solutions 2.2002 Windows Vista Ultimate with Service Pack 1 2008 17160
Adobe Photoshop Elements 10 c. 2001-2011 Windows 7 Ultimate c. 2009 23775
Adobe Photoshop Elements 12 c. 2001 - 2013 Windows 8 Pro c. 2012 25595
Adobe Photoshop Lightroom 4 c. 2012 Windows Vista Ultimate with Service Pack 1 2008 23934
Eraser 6.0.10.2620 Windows 7 Ultimate c. 2009 25061
Eraser 6.0.10.2620 Windows 7 Ultimate c. 2009 25061
Faronics Deep Freeze Standard 7.10.020.3176 Windows 7 Ultimate c. 2009 21023
Faronics Deep Freeze Standard 7.10.020.3176 Windows 7 Ultimate c. 2009 21023
Google Chrome 28.0.1500.95 Microsoft Windows XP Professional 2002 25052
Google Chrome 28.0.1500.95 Windows 7 Ultimate c. 2009 25052
Google Chrome 28.0.1500.95 Windows 7 Ultimate c. 2009 25052
Google Chrome 4 Windows Vista Ultimate with Service Pack 1 2008 19589
HxD Hex Editor 1.7.7 Windows 7 Ultimate c. 2009 25065
Install Windows XP Service Pack 2 2 Microsoft Windows XP Professional 2002 14152
Invisible Secrets 2.1 Microsoft Windows XP Professional 2002 25404
Invisible Secrets 2.1 Windows 7 Ultimate c. 2009 25404
Limewire Basic 4.09.39 Windows Vista Ultimate with Service Pack 1 2008 21801
Limewire Basic 4.09.39 Windows Vista Ultimate with Service Pack 1 2008 21801
Microsoft Flight Simulator 2004 A Century of Flight 2003 Windows 7 Ultimate c. 2009 17048
Microsoft Office Home and Student 2010 2010 Windows Vista Ultimate with Service Pack 1 2008 20190
Microsoft Office Professional 2007 Version 2007 Windows 7 Ultimate c. 2009 17430
Microsoft Office Professional 2007 Version 2007 Windows 7 Ultimate c. 2009 17430
Microsoft Office Professional Edition 2003 2003 Microsoft Windows XP Professional 2002 24267
Microsoft Office Professional Edition 2003 2003 Windows 7 Ultimate c. 2009 24267
Microsoft Office Professional Edition 2003 2003 Windows 7 Ultimate c. 2009 24267
Microsoft Windows XP Professional 2002 Microsoft Windows XP Professional 2002 11430
Microsoft Windows XP Professional 2002 Microsoft Windows XP Professional 2002 21272
Mozilla Firefox beta 19.0b2 Microsoft Windows XP Professional 2002 24803
Mozilla Firefox beta 19.0b2 Windows 7 Ultimate c. 2009 24803
Mozilla Firefox beta 19.0b2 Windows 7 Ultimate c. 2009 24803
Mozilla Thunderbird 2 2004-2007 Microsoft Windows XP Professional 2002 17672
Norton AntiVirus 2012 with Antispyware c. 2011 Windows Vista Ultimate with Service Pack 1 2008 23331
Python 2.6.4 Microsoft Windows XP Professional 2002 25402
Python 2.6.4 Windows Vista Ultimate with Service Pack 1 2008 25402
SDelete 1.61 Windows 7 Ultimate c. 2009 25057
SDelete 1.61 Windows 7 Ultimate c. 2009 25057
Safari 5.1.7 Microsoft Windows XP Professional 2002 25066
Safari 5.1.7 Windows 7 Ultimate c. 2009 25066
Safari 5.1.7 Windows 7 Ultimate c. 2009 25066
Skype 6.1.0.129 Microsoft Windows XP Professional 2002 24785
Skype 6.1.0.129 Windows 7 Ultimate c. 2009 24785
Skype 6.1.0.129 Windows 7 Ultimate c. 2009 24785
StreetFinder Travel Navigation Software c. 2003 Windows Vista Ultimate with Service Pack 1 2008 13934
StreetFinder Travel Navigation Software c. 2003 Windows Vista Ultimate with Service Pack 1 2008 13934
Sysmon 1 Windows 7 Ultimate c. 2009 25602
TeamViewer 9.0.25942 Microsoft Windows XP Professional 2002 25228
TeamViewer 9.0.25942 Windows 7 Ultimate c. 2009 25228
TeamViewer 9.0.25942 Windows 7 Ultimate c. 2009 25228
TrueCrypt 6.3a Microsoft Windows XP Professional 2002 25403
TurboTax Deluxe Plus State 5 Windows Vista Ultimate with Service Pack 1 2008 15532
TurboTax Deluxe Plus State 5 Windows Vista Ultimate with Service Pack 1 2008 15532
TurboTax Premier For Tax Year 2013 c. 2013 Windows 7 Ultimate c. 2009 25477
TurboTax Premier For Tax Year 2013 c. 2013 Windows 8 Pro c. 2012 25477
Ultimate Packer for eXecutables for Windows 32-bit 3.09 Windows 7 Ultimate c. 2009 25056
Ultimate Packer for eXecutables for Windows 32-bit 3.09 Windows 7 Ultimate c. 2009 25056
WInZip 17 Pro c. 2012 Windows 7 Ultimate c. 2009 24698
WInZip 17 Pro c. 2012 Windows 7 Ultimate c. 2009 24698
Windows 7 Ultimate c. 2009 Windows 7 Ultimate c. 2009 19423
Windows 7 Ultimate c. 2009 Windows 7 Ultimate c. 2009 19423
Windows 7 Ultimate c. 2009 Windows 7 Ultimate c. 2009 19487
Windows 8 Pro c. 2012 Windows 8 Pro c. 2012 24610
Windows Vista Ultimate with Service Pack 1 2008 Windows Vista Ultimate with Service Pack 1 2008 18446
Windows Vista Ultimate with Service Pack 1 2008 Windows Vista Ultimate with Service Pack 1 2008 18446
Winrar 5.00 Beta 6 Windows 7 Ultimate c. 2009 25064
Winrar 5.00 Beta 6 Windows 7 Ultimate c. 2009 25064
Wireshark 1.8.0 Windows 7 Ultimate c. 2009 24332
Wireshark 1.8.0 Windows 7 Ultimate c. 2009 24333
World of Warcraft c. 2004 Windows 7 Ultimate c. 2009 14962
XP Advanced Keylogger 2.1 Microsoft Windows XP Professional 2002 25400
Yahoo Messenger 11.5 Windows 7 Ultimate c. 2009 25174
mozilla Firefox 2 Copyright 2004-2007 Windows Vista Ultimate with Service Pack 1 2008 17601
mozilla Firefox 2 Copyright 2004-2007 Windows Vista Ultimate with Service Pack 1 2008 17601

Converting RDS format to other formats

There is a Windows GUI tool HashConverter.zip that the NSRL is allowed redistribute.

You can pick up the NSRL Perl conversion code at rds2hk.zip
When you unpack the zip file, there is one file, "rds2hk.pl".
enter
      perl rds2hk.pl -h
and you will get the help output:

Usage : rds2hk.pl [-h] -f format [-d RDS_directory]
      [-l logfile] [-p product_id] [-u]
      -h : help with command line options
      -f format : one of hk , 1.5 , 2.0 (MANDATORY)
      -l logfile : print log info to a file
      -d dir : directory holding NSRLProd.txt, NSRLFile.txt
      NSRLOS.txt and NSRLMfg.txt
      -p integer : use one ProductCode from NSRLProd.txt
      -u : guarantee a unique product line in hk output

Enter the command
      perl rds2hk.pl -f hk -d SOME_DIR

and you'll get two files, "outfile.hke" and "outfile.hsh"
that you can rename and pull into Hashkeeper.