NSRLJP | Forensicist

NSRLJP - complement to NSRL(http://www.nsrl.nist.gov/) hash library with Japanese edition and software.

Download

NSRLJP_201905.7z (SHA-256: ab9cfed5226e9ee2e8a4c0994e252dacfa1df7c4bd3cc832836924a7183789dc)
(Hashes: 3,718,659 / Filesize: 228,100,979 bytes)

License

You may use the DATASET freely for personal or commercial and NO WARRANTIES.

Motivation

National Software Reference Library (NSRL) provides Reference Data Set(RDS), which is a collection of digital signatures of known, traceable software applications. NSRLJP is a collection of a dataset which is widely used in Japan. It also includes Japanese edition of Microsoft Windows. NSRLJP is compliant with NSRL RDS data format so you can import NSRLJP into your favorite tools as well. Details of the data format, please refer to the following URL:

Data Formats of the NSRL Reference Data Set (RDS) Distribution
http://www.nsrl.nist.gov/Documents/Data-Formats-of-the-NSRL-Reference-Data-Set-16.pdf

Catalog (NSRLJP_201905)

No.	Name	Hashes	Comment
1	Windows 7 x64 JP	40687	SP1
2	Windows 7 x86 JP	15687	SP1
3	Windows 2008 x64 JP	41250	SP2
4	Windows Vista x64 JP	22242	SP2
5	Windows Vista x86 JP	15437	SP2
6	Windows 2003 R2 x64 JP	16593	SP2
7	Windows 2003 R2 x86 JP	14562	SP2
8	Windows XP x86 JP	16080	SP3
9	Windows 2012 x64 JP	46186
10	Windows 8 x64 JP	16145
11	Office 2013 JP	12025	SP1
12	Office 2010 JP	13680	SP2
13	Office 2007 JP	2736	SP2
14	Office 2003 JP	2210	SP3
15	Office XP JP	4497	SP3
16	.NET Framework 4.x JP	50113	Version 4.0, 4.5-4.5.2, 4.6-4.6.2, 4.7-4.7.2
17	.NET Framework 3.x JP	872	Version 3.0, 3.5
18	.NET Framework 2.x JP	491	Version 2.0
19	Windows 8 x86 JP	13000
20	Windows Update 2006 JPN/ENU/NEU	8765
21	Windows Update 2007 JPN/ENU/NEU	17145	except March 2007
22	Windows Update 2008 JPN/ENU/NEU	19329	except March 2008
23	Windows Update 2009 JPN/ENU/NEU	36100	except May 2009
24	Windows Update 2010 JPN/ENU/NEU	59359	except November 2010
25	Windows Update 2011 JPN/ENU/NEU	68074
26	Windows Update 2012 JPN/ENU/NEU	78872	except September 2012
27	Windows Update 2013 JPN/ENU/NEU	128708
28	Firefox JP	65647	Version 0.8-66.0.3
29	Thunderbird JP	45679	Version 0.4-60.6.1
30	Opera JP(INT)	5117	Version 6.01-12.17
31	Adobe Reader JP	129589	Version 6.x-11.0.23, 2015(1500630033-1500630493), DC(1500720033-1901020099), 2017(1700830051-1701130138)
32	Explzh	908	Version 6.06, 7.01-7.78
33	Lhaz	153	Version 1.36, 2.1.3, 2.2.4, 2.4.0, 2.5.1, 3.3.0, 3.4.0, 3.5.1
34	Windows XP x64	10820
35	Windows 2008 R2 x64	9335	SP1
36	Windows 2012 R2 x64	56931	Update
37	Windows 8.1 x64	22199	Update
38	Windows 8.1 x86	19690	Update
39	Windows Update 2014 JPN/ENU/NEU	425507
40	Forefront Client Security	585
41	Hidemaru Editor	1733	Version 4.19-8.88
42	Hidemaru Mail	301	Version 6.01-6.91
43	Sakura Editor	324	Version 1.6.1.0-1.6.6.0, 2.0.4.0-2.2.0.1
44	TeraPad	44	Version 1.00-1.09
45	Windows Update 2015 JPN/ENU/NEU	430530
46	Windows 10 x64	302198	Version 1511, 1607, 1703, 1709, 1803, 1809, 1903
47	Windows 10 x86	193058	Version 1511, 1607, 1703, 1709, 1803, 1809, 1903
48	Lhaca	10	0.76, 0.97, 1.24
49	Lhaplus	26	1.71-1.73
50	Windows Update 2016 JPN/ENU/NEU	174336	January - August
51	Windows Server 2016	64072	include January 2017 and February 2018
52	WSUS Offline Update	975876	20190506
53	Windows Server 2019	23146	include March 2019
	Total	3718659

The dataset is deduplicated based on MD5 and SHA-1. It means files have the same hash at various categories, only one record is registered into one of these categories.

Usage

We confirmed that the following tools support NSRLJP:

X-ways Forensics
Autopsy 3.x/4.x
EnCase 6.x/7.x/8.x
OSForensics

It's probably FTK and md5deep also support.

Case Example

The following table shows the results that hashes with Windows OS are collated with NSRL, NSRLJP and both.

OS	Total number of files	(1) NSRL	(2) NSRLJP	(3) NSRL+NSRLJP
Windows 10 Pro (x64) JP	140370	10875	99662	99924
Windows 7 Ultimate SP1 (x64) JP	68995	16244	68059	68076
Windows Server 2008 Standard SP1 (x64) JP	64805	12350	53256	53547
Windows XP Professional SP3 (x86) JP	11050	5507	8170	8420

These OS are a clean install, we understand that NSRLJP includes most of hashes. In practical use, we should NSRL as well because it includes a wide variety of applications. Hash analysis is a traditional approach, but it will become increasingly important because the number of files in storages has increased year by year.

History

2019/05/18

NSRLJP_201905 released (Hashes: 3,718,659 / Filesize: 228,100,979 bytes)
Addition to Windows 10 (1803, 1809, 1903) and Windows 2019.

2018/02/12

NSRLJP_201802 released (Hashes: 2,993,931 / Filesize: 180,917,699 bytes)
Addition to Windows 10 (1703, 1709) and Windows 2016, WSUS Offline Update for WIndows Update.

2016/09/20

NSRLJP_201609 released (Hashes: 2,309,928 / Filesize: 158,073,246 bytes)
Addition to Windows 10 (1511, 1607), .NET Framework 4.6.1, 4.6.2 and Windows Update 2016.

2015/08/14

NSRLJP_201508_rev2 released (Hashes: 1,659,348 / Filesize: 114,136,669 bytes)
Excluded invalid record.

2015/08/11

NSRLJP_201508 released
Addition to Windows 10, .NET Framework 4.5.2, 4.6, Lhaca, Lhaplus and Windows Update 2015.

2014/08/10

NSRLJP_201408 released (Hashes: 1,096,364 / Filesize: 75,095,909 bytes)
Addition to Windows 8.1, 2012R2 Update, Office 2013 SP1, Office 2010 SP2, .NET Framework 3.5, 4.0, 4.5.1 and Windows Update 2014

2014/01/22

NSRLJP_201401 released (Hashes: 532,923 / Filesize: 38,245,480 bytes)
Addition to Windows 8.1, Windows 2008 R2 and Windows 2012.

2013/08/03

NSRLJP_201308 released (Hashes: 401,211 / Filesize: 28,657,266 bytes)
Addition to Windows Update, Adobe and Firefox.

2013/01/27

NSRLJP_201301 released (Hashes: 284,419 / Filesize: 20,673,998 bytes)
Addition to Windows 8/2012, Office XP/2003/2007/2010/2013 and .NET 2.0/3.0/4.5.

2011/09

Initial released (Hashes: 187,430 / Filesize: 13,817,931 bytes)