NIST’s Update to Software Reference Library Will Make Criminal Investigations Easier

A recent update to a downloadable database publicly maintained by the National Institute of Standards and Technology (NIST) will make it easier to sort computers, cellphones and other electronic equipment seized during police raids, potentially helping law enforcement to catch sexual predators and other criminals.

The database, called the National Software Reference Library (NSRL), plays a frequent role in criminal investigations involving electronic files, which may be evidence of wrongdoing. In the first major NSRL update in two decades, NIST increased the number and type of records in the database to reflect the growing variety of software files law enforcement might encounter on a device. The agency also changed the format of the records to make the NSRL more searchable.

“There’s hardly any major crime that isn’t related to digital technology because the criminals are using cell phones,” said Doug White, an NIST computer scientist who helps maintain the NSRL. “However, only some of the data from a phone or other device may be relevant to an investigation. The update should make it easier for police to separate the wheat from the chaff.”

Criminal and civil investigations frequently involve digital evidence in the form of software and files from seized computers or cell phones. Investigators need a way to filter out large amounts of data that is not relevant to the investigation so they can focus on finding relevant evidence.

“Let’s say you have a computer that may have incriminating photos or financial records, but it also has a few video games,” White said. “Games often come with lots of graphics files. You want to conduct your investigation as quickly and efficiently as possible, so you need a way to get rid of all video game images. Then you can run your most computationally expensive scan on the remaining files.”

The update comes at a time when investigators have to deal with a growing universe of software, most of which produces numerous files stored in memory. Each of these files can be identified by a kind of electronic fingerprint called a hash, which is key to the filtering process. The sophistication of the filtering process can vary depending on the type of investigation being conducted. The NSRL benchmark dataset has doubled in size from half a billion hash records in August 2019 to over a billion in March 2022, and White says he expects its rapid growth will continue.

This growth makes the NSRL a vitally important tool for digital forensics labs, which specialize in this type of record review. This work has become a crucial part of investigations: there are about 11,000 digital forensics labs in the United States (compared to about 400 crime labs). Although digital evidence plays a role in many types of crime, it is particularly useful for catching child predators, who often have sexual abuse images stored in the memory of a phone or computer.

As the number of NSRL entries grows both numerically and by file type – White plans to add entries from Internet of Things (IoT) devices such as smart speakers in the near future – the recent database update should help investigators manage the burden. The previous version 2.0, which dates back 20 years, offered its hashes as basic text files that can be imported into a spreadsheet. Searching the list was possible but cumbersome compared to modern search engine functions. The update, which is NSRL version 3.0, uses the SQLite format, which makes it easier for users to create custom filters to sort through files and find what they need for a particular investigation.
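The hash-based filtering described above, sketched as an added example that is not NIST's code: files from a seized device are hashed and looked up in a SQLite table of known-software hashes, and only the files with no match are kept for review. The table `known_files`, its columns and the sample files are constructed for illustration and are not the NSRL's actual schema or data.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def build_known_db(known_blobs):
    """Constructed stand-in for a known-file hash set (not the real NSRL schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE known_files (sha1 TEXT PRIMARY KEY, file_name TEXT)")
    db.executemany(
        "INSERT OR IGNORE INTO known_files VALUES (?, ?)",
        [(hashlib.sha1(data).hexdigest().upper(), name) for name, data in known_blobs],
    )
    return db


def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest().upper()


def filter_unknown(db, root):
    """Return relative paths under root whose hash is absent from known_files."""
    unknown = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hit = db.execute(
            "SELECT 1 FROM known_files WHERE sha1 = ?", (sha1_of(path),)
        ).fetchone()
        if hit is None:
            unknown.append(path.relative_to(root).as_posix())
    return unknown


def demo():
    """Constructed evidence tree: two known game assets and one other file."""
    sprite, sound, ledger = b"game sprite bytes", b"game sound bytes", b"ledger rows"
    db = build_known_db([("sprite.png", sprite), ("sound.ogg", sound)])
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "game").mkdir()
        (Path(root) / "game" / "sprite.png").write_bytes(sprite)
        (Path(root) / "game" / "renamed.dat").write_bytes(sound)  # known content, new name
        (Path(root) / "ledger.xlsx").write_bytes(ledger)
        return filter_unknown(db, root)
```

Because the match is on content hash rather than file name, the renamed game asset is still filtered out and only `ledger.xlsx` remains for the expensive scan.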

Another benefit is that NSRL managers will be able to distribute future changes to the dataset as relatively small updates rather than sending the entire dataset again, saving users time and effort. White also said the NSRL would continue to be available in its old format for the benefit of users who might need time to adapt to the changes.

“We will continue to release the dataset in both 2.0 and 3.0 formats through December 2022,” White said. “After that, there is a relatively simple query that users can run to generate the 2.0 dataset if needed.”

The dataset and more information about the update are available via the NIST website.


Mark M. Gagnon