Proj X3: National Software Reference Library (10 pts.)
What You Need for This Project
- A Windows machine. I used a Windows 2008 Server virtual machine.
Purpose
The National Software Reference Library contains hashes of
known files. It's useful in forensics to exclude files
from analysis that are known commercial files.
Getting Nsrllookup
If you have 32-bit Windows, use this file:
https://samsclass.info/121/proj/nsrllookup-1.2.3-win32.zip
If you are using 64-bit Windows,
get the 64-bit version here:
http://rjhansen.github.io/nsrllookup/
Right-click the ZIP file and click
"Extract All...", Extract.
A window opens containing a file named "nsrllookup.exe".
Right-click this file and click Copy.
In Windows Explorer, navigate to
C:\Windows\System32
Paste the file into that folder,
as shown below.
Getting MD5
On your Windows machine, in a Web browser,
go to
https://www.fourmilab.ch/md5/
Scroll down to find the md5.zip
download link,
as shown below.
Download the md5.zip file.
Right-click the md5.zip file and click
"Extract All...", Extract.
A window opens containing
several files, as shown below.
Right-click md5.exe
and click Copy.
In Windows Explorer, navigate to
C:\Windows\System32
Paste the file into that folder,
as shown below.
Preparing a Test Directory
Open an Administrator Command Prompt
and execute these commands, replacing
"YOURNAME" with your name:
cd \
mkdir YOURNAME
cd YOURNAME
copy \Windows\System32\cmd.exe .
copy \Windows\System32\notepad.exe .
copy \Windows\System32\md5.exe .
copy \Windows\System32\nsrllookup.exe .
Calculating Hashes
In the Administrator Command Prompt
window, execute this command to see
the MD5 hashes of your test files:
md5 *.*
The hashes appear,
as shown below.
Finding Known and Unknown Files
In the Administrator Command Prompt
window, execute these commands to see
which files are found in the NSRL, and
which are not:
md5 *.* | nsrllookup.exe -k
md5 *.* | nsrllookup.exe -u
Two files are known, and two are unknown,
as shown below.
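The same known/unknown split can be reproduced offline to see what the lookup is doing. The Python below is an added example, not part of the original project and not nsrllookup's own code: it hashes each file in a directory and compares the result against a local set of reference hashes. The file names, file contents and reference set are constructed, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of_file(path, chunk_size=65536):
    """Stream the file through MD5 so large evidence files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def split_known_unknown(directory, known_hashes):
    """Return (known, unknown) lists of (file name, MD5) for regular files."""
    # Normalise the reference set: hash lists differ in case and stray whitespace.
    reference = {h.strip().upper() for h in known_hashes if h.strip()}
    known, unknown = [], []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue  # skip subdirectories; only file content is hashed
        entry = (path.name, md5_of_file(path))
        (known if entry[1] in reference else unknown).append(entry)
    return known, unknown

def demo():
    """Classify a constructed test directory against a constructed reference set."""
    samples = {  # constructed stand-ins, not real system files
        "vendor_tool.bin": b"constructed stand-in for a known commercial file",
        "vendor_lib.bin": b"constructed stand-in for a second known file",
        "custom_build.bin": b"constructed stand-in for a locally built file",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        # Reference entries are lower case with padding to exercise normalisation.
        reference = [
            " " + hashlib.md5(samples["vendor_tool.bin"]).hexdigest() + "\n",
            hashlib.md5(samples["vendor_lib.bin"]).hexdigest(),
        ]
        return split_known_unknown(tmp, reference)

if __name__ == "__main__":
    known, unknown = demo()
    for label, rows in (("KNOWN", known), ("UNKNOWN", unknown)):
        for name, digest in rows:
            print(f"{label:8}{digest}  {name}")
```

A match means only that the hash is in the reference set; the unknown list is what remains for analysis.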
Saving a Screen Image
Capture a whole-desktop image showing these items:
- YOURNAME in the directory name
- Known files, as shown above
- Unknown files, as shown above
If you are using the 64-bit version, all the files are unknown.
YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT!
Save the image with the filename "YOUR NAME Proj X3", replacing "YOUR NAME" with your real name.
Turning In Your Project
Email the image to me as an attachment to an e-mail message. Send it to: cnit.121@gmail.com with a subject line of "Proj X3 From YOUR NAME", replacing "YOUR NAME" with your real name.
Send a Cc to yourself.
Last modified 11-16-16