Mobile apps added to NIST software database
- By Brian Robinson
- Dec 20, 2016
The world of the computer forensics investigator looks to get a lot easier with the recent introduction of thousands of mobile apps to NIST’s National Software Reference Library (NSRL), which has become a vital tool for digital detectives.
NIST added 23,000 Android and Apple iOS apps to the library on Dec. 15, and expects as many as 200,000 more apps will be added during 2017.
The NSRL creates “digital fingerprints” for every file in its database -- some 50 million so far -- and publishes those hashes in a reference data set (RDS) that’s updated every three months. It’s freely available to whoever wants to use it. Because only legitimate files are in the RDS, investigators can use it to eliminate known files that are of no interest to them and focus on illicit data, such as child abuse images, for which no hashes exist.
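The known-file elimination described above can be sketched in a few lines of Python. This is an added example, not NIST's or GCN's code: it assumes the comma-separated NSRLFile.txt column layout of the RDS (the article does not describe the file format), and every record and evidence file in it is constructed.

```python
import csv, hashlib, io, os, tempfile

# Column layout assumed from the RDS NSRLFile.txt format; rows below are constructed.
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'

def rds_row(name, data):
    # One constructed RDS-style record; MD5, CRC32 and the codes are dummy values.
    sha1 = hashlib.sha1(data).hexdigest().upper()
    return '"%s","%s","00000000","%s",%d,0,"0",""' % (sha1, "0" * 32, name, len(data))

def load_known_sha1(rds_text):
    """Return the set of SHA-1 values listed in RDS-style CSV text."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(rds_text))}

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def triage(root, known):
    """Split files under root into (known, needs_review) by exact hash match."""
    hit, review = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            (hit if sha1_file(path) in known else review).append(rel)
    return sorted(hit), sorted(review)

def demo():
    app = b"constructed bytes standing in for a catalogued app"
    lib = b"constructed bytes standing in for a catalogued library"
    rds = "\n".join([RDS_HEADER, rds_row("base.apk", app), rds_row("libfoo.so", lib)])
    evidence = {
        "app/base.apk": app,                    # byte-identical to a catalogued file
        "app/libfoo.so": lib,                   # byte-identical to a catalogued file
        "app/base_patched.apk": app + b"\x00",  # one byte differs: no exact match
        "DCIM/img001.jpg": b"constructed user content",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in evidence.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return triage(root, load_known_sha1(rds))

if __name__ == "__main__":
    print(demo())
```

A file that lands in the review list is simply not in the reference set; the match is on exact hashes, so a catalogued file with a single changed byte is also left for review.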
It’s also occasionally used to find files, even if those have been altered. NIST pointed to the instance of Malaysian Airlines flight MH370 that disappeared nearly three years ago over the Pacific. The FBI asked NIST to provide every hash of every file associated with all flight simulators NIST had access to, so they could work out which flight paths the plane’s pilot might have practiced on and thereby deduce where he might have been heading.
The NSRL also is used by historians and scholars as a cultural repository they can tap in order to tie down the impact of various computer systems and software. NIST and Stanford University Libraries, for example, recently rescued vintage video games from old Atari cartridges, floppy disks and other old magnetic media storage and archived them on servers at both the Stanford Digital Repository and the NSRL.
By adding mobile apps into the NSRL, government also should be able to make those apps used by its employees more secure. The Department of Homeland Security’s Cyber Forensics Project, for instance, is hosting various programs aimed at doing just that, through a combination of mobile app archiving and app vetting technologies that will capture changes over an app’s lifetime and test them against known vulnerabilities.
NIST said the NSRL offers a unique resource for investigators both because of its size and because the original files it collects are kept in evidence-locker conditions. Software is either stored under lock and key, if distributed physically using disks, or on secure servers if distributed online. The initial status of any of the software can therefore always be verified, if that’s needed by a court.
Researchers who want to develop and test forensic and security tools can also go to NIST and use the whole of the NSRL’s resources, outside of the distributed RDS fingerprints. Given the rapid turnover in app versions, the addition of the mobile apps should make the NSRL an increasingly important resource for both forensic and security tool developers.
Brian Robinson is a freelance technology writer for GCN.