rjhansen edited this page Sep 28, 2012 · 4 revisions

What's the NIST NSRL RDS?

Major software vendors (Oracle, Microsoft, Adobe, Apple and so on) submit copies of their software to the National Institute of Standards and Technology (NIST) for inclusion in the National Software Reference Library (NSRL). This isn’t a library you can check software out of: it’s instead a resource for digital forensics. Periodically, NIST will publish a list of MD5 hashes for every piece of software in the NSRL. This compilation of hashes is called the Reference Data Set (RDS).

You can think of the RDS as a collection of fingerprints for every piece of well-known software. This isn’t to say it's all quality software, just that it's known software. It bears repeating: the inclusion of software in the NSRL is not an indicator of the software being good or bad.

How do I use Duffy?

When you start Duffy, you’ll see a blank screen.

Duffy start screen

Since we have no previous analyses to load, click ‘New’ (the first button in the toolbar) to begin a new analysis. Duffy will ask you which directory to analyze. As you can see from this screenshot, I’m having Duffy scan my ~/bin directory.

Choosing a directory

Depending on how much data Duffy has to work through, this process might take quite a while. However, Duffy will keep you updated on its progress by updating the status bar in the lower-left portion of the window. Once Duffy is finished, you may filter your results by:

  • State (known or unknown)
  • Executables only, or all files
  • Files modified since a particular date

Note: Duffy is not (yet!) smart enough to recognize PE/COFF, ELF and/or Mach-O files when it sees them. At present, Duffy trusts file extensions: if something has an extension indicative of a PE/COFF file format, Duffy will report it as an executable. Be careful about trusting this too much.
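To double-check an extension-based verdict, compare it against the file's leading bytes. The sketch below is an added example, not Duffy's code: `sniff`, `mismatch` and the `PE_EXTENSIONS` set are hypothetical names, the extension list is an assumption, and the sample inputs are constructed.

```python
import io
import os
import struct
from typing import BinaryIO, Optional

# Assumption: a stand-in for the extensions an extension-based check treats as PE/COFF.
PE_EXTENSIONS = {".exe", ".dll", ".sys"}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, either byte order
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, either byte order

def sniff(fh: BinaryIO) -> Optional[str]:
    """Classify a seekable binary stream as ELF, PE/COFF, Mach-O or None."""
    head = fh.read(64)
    if head[:4] == b"\x7fELF":
        return "ELF"
    if head[:4] in MACHO_MAGICS:
        return "Mach-O"
    if head[:4] == b"\xca\xfe\xba\xbe" and len(head) >= 8:
        # Universal (fat) Mach-O shares this magic with Java class files.
        # Heuristic: fat headers hold a small architecture count in bytes 4-7,
        # class files hold a version whose major part is at least 45.
        return "Mach-O" if struct.unpack_from(">I", head, 4)[0] < 45 else None
    if head[:2] == b"MZ" and len(head) == 64:
        # DOS header field at 0x3c gives the offset of the "PE\0\0" signature.
        (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(pe_offset)
        if fh.read(4) == b"PE\x00\x00":
            return "PE/COFF"
    return None

def mismatch(name: str, fh: BinaryIO) -> Optional[str]:
    """Describe a disagreement between the extension and the content, if any."""
    by_name = os.path.splitext(name)[1].lower() in PE_EXTENSIONS
    kind = sniff(fh)
    if kind and not by_name:
        return f"{name}: {kind} content that an extension check would miss"
    if by_name and kind != "PE/COFF":
        return f"{name}: PE/COFF extension but content is {kind or 'not executable'}"
    return None

# Constructed sample inputs (not real files).
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLES = {"notes.txt": PE_STUB, "setup.exe": b"plain text",
           "kernel32.dll": PE_STUB, "tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 9}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(mismatch(name, io.BytesIO(data)) or f"{name}: consistent")
```

For files on disk, pass a handle opened with `open(path, "rb")` in place of the `io.BytesIO` wrapper.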

Viewing unknown files

Eventually, you’ll find something that you want to look at more thoroughly. Perhaps it’ll be as obvious as, “why is kernel32.dll showing up as unknown?”, or as subtle as, “I don't like that termcap.lisp file: what’s it doing there?” Either way, double-clicking a row launches a Google search for that file’s MD5 hash. The search may turn up something interesting, or it may not; it’s impossible to say in advance. In the case of termcap.lisp, it leads us back to one and only one entry:

Looking up termcap.lisp

Once you’ve completed your analysis, you may save all these filenames, hashes, and NSRL lookup results. Duffy stores everything in a .dfy file, which is a plain-text format meant to be easy to parse. You may also export things as comma-separated value files (CSVs), for easy importing into a spreadsheet:

CSV file imported from Duffy
