We use the Project Vic hash sets in our work to identify child exploitation media. Is there any benefit to utilizing the NSRL hash set along side the Project Vic hash set? Do the Project Vic category 0 hashes include all of the "known good" files included in the various NSRL sets? Eliminating as many of these files as possible would be ideal but there's no point in using both if the Project Vic cat 0 files are based on the NSRL sets. I can't find any documentation that addresses this question, so any insight the community could offer would be appreciated!
I can't say for certain as I have not used the VIC hashsets (I'm a former CAID user, as I'm UK based), but I very much doubt that all NSRL is in there. This is for the simple reason that much of the NSRL is not image content and is therefore irrelevant to such lines of enquiry.
I've always considered it to be more efficient to filter NSRL at the earliest opportunity, as opposed to categorisation; assuming of course you're using the Image>Process>Review model using separate tools for each stage that is common within LE (owing to the reliance on EnCase and C4All). In this model, you need to eliminate as much non-relevant content as possible BEFORE you pass the data to your reviewing tool (i.e. run the C4All EnScript), in order to minimise the size of any export between the tools you are using. To be clear, you should be using the NSRL in EnCase to exclude things ASAP here
If however you're imaging evidence and loading it directly into your review tool, say something like Griffeye and the LACE plugin to take care of carving, then the having the full NSRL present definitely has more merit. I would suggest in this situation however that you build your own (organisational) NSRL hash database and use it as your primary source within your hash databases - so the first GID if you're a Griffeye user. You will be able to keep this updated yourself much quicker than relying on external updates
Hope this helps,
Ben
In a nutshell yes…anything you can exclude is good as you'll already be categorizing thousands and thousands of images and videos.
Is there any benefit to utilizing the NSRL hash set along side the Project Vic hash set?
Suggestion pass the question along to the project. It may be they need to add information to their documentation to avoid over- or under-processing.