Robert J. Hansen

Welcome to nsrlquery!

nsrlquery consists of three utilities: nsrlsvr, nsrlparse and nsrllookup.

nsrlsvr is a simple UNIX server that can be queried to see if a particular SHA-1 or MD5 hash is part of the National Software Reference Library's Reference Data Set (NSRL RDS). Once built, nsrlsvr hosts the entire NSRL RDS itself: it needs no external network connectivity to operate, nor do you have to send your queries to an outside, untrusted source.

nsrlparse transforms md5deep or sha1deep output (generated with the "-c" flag) into an nsrlsvr dataset.

nsrllookup is a cross-platform Python script that queries an nsrlsvr. Feed it a list of hashes and nsrlquery will split them into known-good hashes and unknown hashes. The nsrllookup input format happens to be the same as the md5deep data format, which means that simple pipes can be constructed to great effect.

For instance, to query everything in /mount/suspect_hard_drive, you could just type sha1deep -r /mount/suspect_hard_drive | nsrllookup and quickly discover what on that hard drive was a known quantity and what was possibly more deserving of investigator attention.
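The pipeline above depends on two things: the md5deep/sha1deep line layout that nsrllookup consumes, and the split of each line into "known" or "unknown" depending on whether its digest is in the RDS. The following is an added example, not nsrlquery's own code, that parses such lines and performs that split. It assumes the md5deep default output layout (hex digest, two spaces, path), and it substitutes a small constructed in-memory hash set for the real query to nsrlsvr, whose wire protocol is not described on this page.

```python
"""Added example (not nsrlquery's own code): parse sha1deep/md5deep-style
output and split it into known-good and unknown entries, using a local
hash set as a stand-in for a query to nsrlsvr."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Assumed md5deep/sha1deep line layout: 32 (MD5) or 40 (SHA-1) hex digits,
# at least two spaces, then the file path.
LINE_RE = re.compile(r"^([0-9a-fA-F]{40}|[0-9a-fA-F]{32})\s{2,}(.+)$")

# Constructed stand-in for the NSRL RDS. A real nsrllookup would ask nsrlsvr;
# these are just the well-known digests of the empty file.
KNOWN_HASHES: Set[str] = {
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",  # SHA-1 of an empty file
    "D41D8CD98F00B204E9800998ECF8427E",          # MD5 of an empty file
}


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (DIGEST, path) for a valid md5deep-style line, else None.
    Digests are upper-cased so lookups are case-insensitive."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), m.group(2)


def split_hashes(lines: Iterable[str], known: Set[str]):
    """Split input lines into known-good, unknown and malformed entries.
    Malformed lines are kept rather than silently dropped, so an analyst
    can see exactly what was not checked."""
    known_good: List[Tuple[str, str]] = []
    unknown: List[Tuple[str, str]] = []
    malformed: List[str] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            if line.strip():
                malformed.append(line.rstrip("\r\n"))
            continue
        digest, path = parsed
        (known_good if digest in known else unknown).append((digest, path))
    return known_good, unknown, malformed


# Constructed sample of what `sha1deep -r /mount/suspect_hard_drive` might
# emit, with one MD5 line and one broken line mixed in.
SAMPLE_OUTPUT = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  /mount/suspect_hard_drive/empty.txt
0123456789abcdef0123456789abcdef01234567  /mount/suspect_hard_drive/tool.exe
d41d8cd98f00b204e9800998ecf8427e  /mount/suspect_hard_drive/notes.md
not a hash line
"""


def demo():
    """Run the split over the constructed sample and return the three lists."""
    return split_hashes(SAMPLE_OUTPUT.splitlines(), KNOWN_HASHES)


if __name__ == "__main__":
    known_good, unknown, malformed = demo()
    for digest, path in known_good:
        print(f"known    {digest}  {path}")
    for digest, path in unknown:
        print(f"unknown  {digest}  {path}")
    for line in malformed:
        print(f"skipped  {line}")
```

Only the unknown list is worth an investigator's time; the known-good entries are the ones the RDS lets you discard, and the malformed list tells you which lines of the hashing tool's output were never checked at all.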