View the Project on GitHub rjhansen/nsrllookup

nsrllookup

The latest release is 1.3.0. A prebuilt, Authenticode-signed Win64 binary is available.

News

1.3 was released on November 5, 2016. Users shouldn't notice any major differences, but under the hood the codebase has been overhauled for C++14 conformance and the build system has been replaced with a new CMake-based one.

What's nsrllookup?

NIST publishes a giant compendium of MD5 hashes of known pieces of software. This volume, the National Software Reference Library Reference Data Set (NSRL RDS), is invaluable for computer forensics. Often when faced with a needle-in-a-haystack problem, it's a tremendous help to be able to immediately categorize data into "NIST knows about this" and "it's unknown to NIST."

Unfortunately, the NSRL RDS is a couple of gigabytes in size and ships without any good querying tools. This is where nsrlsvr and nsrllookup come into play -- or, collectively, "the nsrlquery tools."

nsrlsvr

nsrlsvr lets a system administrator stand up a server that answers NSRL queries. On top of that, an admin can add hashes of their own to the NSRL RDS list. For instance, if you have a set of images you're particularly interested in finding, you can compute hashes of those images and add them to the dataset. Now a query to nsrlsvr answers "is it known to either NIST or our own local corpus?"

nsrllookup

nsrllookup is how end-users interact with nsrlsvr. It's designed to be a well-behaved command-line application, and works hand-in-glove with tools like hashdeep. For instance, to hash everything in /mount/evil-data and compare it against the NSRL RDS using the publicly-accessible nsrlsvr instance at nsrllookup.com, printing out those things that are unknown to NIST:

md5deep -r /mount/evil-data | nsrllookup
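To make the known/unknown split concrete, here is an added Python model of what that pipeline does (example code, not nsrllookup's or nsrlsvr's own): an in-memory hash set stands in for the nsrlsvr instance, a second set models the admin-added local corpus, and the md5deep output format (hex digest, whitespace, path) is assumed.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Constructed stand-in for what an nsrlsvr instance would answer from:
# a few NSRL-style MD5 digests (here just the MD5 of the empty file).
NIST_KNOWN: Set[str] = {"d41d8cd98f00b204e9800998ecf8427e"}
# Hashes an admin adds for a local corpus of interest (starts empty).
LOCAL_CORPUS: Set[str] = set()

# Assumed md5deep line layout: 32 hex chars, whitespace, then the path.
MD5DEEP_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(.+)$")


def add_local(data: bytes) -> str:
    """Hash a local file of interest and add it to the local corpus."""
    digest = hashlib.md5(data).hexdigest()
    LOCAL_CORPUS.add(digest)
    return digest


def classify(md5deep_lines: Iterable[str], known: Set[str]) -> Dict[str, List[str]]:
    """Split md5deep output into known / unknown / malformed buckets by hash."""
    known_paths: List[str] = []
    unknown_paths: List[str] = []
    malformed: List[str] = []
    for line in md5deep_lines:
        line = line.rstrip("\n")
        m = MD5DEEP_LINE.match(line)
        if not m:                      # not a hash line: keep it visible, don't drop it
            malformed.append(line)
            continue
        digest, path = m.group(1).lower(), m.group(2)
        (known_paths if digest in known else unknown_paths).append(path)
    return {"known": known_paths, "unknown": unknown_paths, "malformed": malformed}


# Constructed sample of md5deep -r output over a hypothetical /mount/evil-data.
SAMPLE = [
    "d41d8cd98f00b204e9800998ecf8427e  /mount/evil-data/empty.bin",   # MD5 of b""
    "5d41402abc4b2a76b9719d911017c592  /mount/evil-data/notes.txt",   # MD5 of b"hello"
    "9e107d9d372bb6826bd81d3542a419d6  /mount/evil-data/fox.txt",     # MD5 of the fox sentence
    "not a hash line",
]

if __name__ == "__main__":
    add_local(b"hello")  # pretend notes.txt is part of our own corpus of interest
    for path in classify(SAMPLE, NIST_KNOWN | LOCAL_CORPUS)["unknown"]:
        print(path)      # only fox.txt is unknown to both NIST and the local corpus
```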

How do I get help?

nsrllookup --help

I hope you like nsrllookup. If you have bugs, suggestions or praise, please feel free to email me.