NIST (NSRL) Filter


The chief purpose of NIST filtering is to focus investigation on user-generated data by removing from consideration files of types that are unlikely to be responsive. Examples of such file types include system files and executable files. The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce that maintains and publishes a database of known computer file profiles. This database is referred to as a reference data set (RDS) and is compiled by NIST's National Software Reference Library (NSRL).

The NIST filter uses the RDS database to compare files against a known set of software applications. The NIST filter is typically employed in forensics cases to scan for and remove system files and application logic files from consideration as case documents.  When you enable the NIST(NSRL) filter, you can select one of the following actions for the import to take when a NIST(NSRL) record is detected:

Include (Log record). Creates a record for the NIST file in the database and copies the native file into the case folder.

Partially exclude (Log record but do not copy file). Creates a record in the database but does not copy the native file.

Exclude (Do not log record or copy file). Does not create a record, no text is extracted, and the native file is not copied to the case folder.

 

Note

The following facts should be considered when using the NIST filter:

To make use of this option you must first download the database of known file types from the NIST website.

E-mails are not tested against this filter although their attachments are tested.

If an archive's hash is present in the NSRL database, then it is automatically marked as a NIST item and, depending on your settings, it is filtered out and its contents are not evaluated or logged to CloudNine™ LAW. This also applies to embedded/attached archives. If the archive's hash is not present, then its contents are evaluated on a file-by-file basis.

Enabling this option marks as NIST files any files whose SHA-1 hash values are present in the configured hash database.
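The matching rules in the note above, sketched as an added Python example; this is not CloudNine LAW's code. The action labels, function names, sample byte strings, and the treatment of non-matching files and containers as normally imported items are assumptions, and ZIP stands in for archives generally.

```python
import hashlib, io, zipfile

# Action names are this example's own labels for the three options on the page.
ACTIONS = {
    "include": (True, True),    # log record, copy native file
    "partial": (True, False),   # log record, do not copy native file
    "exclude": (False, False),  # no record, no copy
}

def sha1_hex(data: bytes) -> str:
    # Normalise case so lookups against the known-hash set are consistent.
    return hashlib.sha1(data).hexdigest().upper()

def evaluate(name, data, known, action):
    """Return a list of (name, is_nist, logged, copied) decisions."""
    if sha1_hex(data) in known:
        logged, copied = ACTIONS[action]
        # A matched archive is handled as one item; its contents are never opened.
        return [(name, True, logged, copied)]
    results = [(name, False, True, True)]  # assumption: non-NIST items import normally
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Archive hash not in the database: evaluate contents file by file,
        # recursing so that embedded archives get the same treatment.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                results += evaluate(f"{name}/{member}", zf.read(member), known, action)
    return results

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed sample data (not real NSRL entries).
SYSTEM_DLL = b"constructed stand-in for a known system file"
USER_DOC = b"constructed stand-in for a user-authored memo"
MIXED_ZIP = make_zip({"kernel.dll": SYSTEM_DLL, "memo.txt": USER_DOC})
KNOWN_ZIP = make_zip({"setup.dll": SYSTEM_DLL})
KNOWN = {sha1_hex(SYSTEM_DLL), sha1_hex(KNOWN_ZIP)}

if __name__ == "__main__":
    for item, blob in (("mixed.zip", MIXED_ZIP), ("installer.zip", KNOWN_ZIP)):
        for row in evaluate(item, blob, KNOWN, "partial"):
            print(row)
```

Because a matched archive is never opened, any user-authored file packed inside it is filtered along with it, which is worth weighing when choosing between Partially exclude and Exclude.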

 

For more information about the RDS database, visit the NSRL website. Please contact technical support if the NIST/NSRL government website isn't available.

The rest of this topic discusses NIST filters when used in the context of document import with ED Loader.  

 

SQL Server NIST Configuration

 

To Enable NIST (NSRL) Filtering

1. Open an Electronic Discovery Loader enabled case.

2. From the File menu, select Import, then Electronic Discovery.

3. Select the Settings tab.

4. Select the NIST(NSRL) Filter category.

5. Enable NIST(NSRL) Filter.

6. The Hash Database is configured through the LAW Configuration Utility.

If records are detected as NIST(NSRL) then (Action): Select one of the following options from the drop-down.

Include (Log record) - Creates a record for the NIST file in the database and copies the native file into the case folder.

Partially Exclude (Log record but do not copy file) - Creates a record in the database but does not copy the native file.

Exclude (Do not log record or copy file) - Does not create a record, no text is extracted, and the native file is not copied to the case folder.

 

 

How to Create a NIST Database in SQL

Launch the LAW Configuration Utility.

Go to the NIST tab in the Configure Environment section.

The NIST database must be configured and appended through the LAW Configuration Utility.