It's a command-line tool that allows you to quickly and efficiently triage files by MD5 hashes.
Digital forensics has a big problem with needles and haystacks. nsrllookup
can significantly reduce the hay, thus making it easier to find needles.
The National Institute of Standards and Technology (NIST) maintains the National Software Reference Library (NSRL). The NSRL is a library of every major piece of software released in the world dating back more than twenty years.
NIST also publishes MD5 hashes of every file in the NSRL. This is called the Reference Data Set (RDS).
When looking at an unknown file, a good place to begin is to compute its MD5 hash and compare it against the RDS. If the hash value is found in the RDS, your file is probably boring. (At the very least, it's commonplace enough to have an RDS entry.) This means your file is probably hay and not a needle.
Oh! Usage. Sure, that.
Say you're using md5deep to compute the hashes of a large collection of files. To get a list of files that do not match the RDS, you could do the following:
md5deep -r /path/to/collection > all_hashes.txt
nsrllookup < all_hashes.txt > rds_misses.txt
This would produce two files: all_hashes.txt
containing the names of all files and their hashes, and rds_misses.txt
containing the hash values of those files which did not appear in the NSRL RDS.
nsrllookup
depends on the existence of a properly configured lookup server. I maintain one at nsrllookup.com
, and nsrllookup
is configured by default to use it. If you're doing high volume lookups, please set up your own local server.
You'll need:
boost_1_71_0-msvc-14.2-64.exe
.Once you have Boost installed, open a Visual Studio development console. Visual Studio offers two of them, one for 32-bit and one for 64-bit, so make sure to open the correct one. cd
into wherever you uncompressed nsrllookup
and do this dance:
"\path\to\cmake.exe" . -DBOOST_ROOT=\path\to\Boost
will create a Visual Studio solution file, nsrllookup.sln
. Double-click on that to open nsrllookup
in Visual Studio, where you can hack on it to your heart's content."\path\to\cmake.exe" . -DBOOST_ROOT=\path\to\Boost -G "NMake Makefiles"
and then nmake
.It should be a simple process.
cmake .
make
sudo make install
Full documentation is found in the manpage. Once you've done the make install
dance, man nsrllookup
(UNIX only) will give you the rundown. On all platforms, though, nsrllookup --help
should be enough to get you going.
ISC. Share and enjoy.