HFIND(1)                    General Commands Manual                   HFIND(1)

NAME

       hfind - Lookup a hash value in a hash database

SYNOPSIS

       hfind [-i db_type ] [-f lookup_file ] [-eqV] db_file [hashes]

DESCRIPTION

       hfind looks up hash values in a database using a binary search
       algorithm.  This allows one to easily create a hash database and
       identify whether a file is known or not.  It works with the NIST
       National Software Reference Library (NSRL) and the output of
       'md5sum'.

       Before the database can be used by 'hfind', an index file must be
       created with the '-i' option.

       This tool is needed for efficiency.  Most text-based databases do not
       have fixed-length entries and are sometimes not sorted.  The hfind
       tool creates an index file that is sorted and has fixed-length
       entries.  This allows for fast lookups using a binary search
       algorithm instead of a linear search such as 'grep'.


ARGUMENTS

       -i db_type
              Create an index file for the database.  This step must be done
              before a lookup can be performed.  The 'db_type' argument
              specifies the database type (i.e. nsrl-md5 or md5sum).  See
              the INDEX FILE section below.

       -f lookup_file
              Specify the location of a file that contains one hash value
              per line.  These hashes will be looked up in the database.

       -e     Extended mode.  Additional information besides just the name
              is printed.  (Does not apply for all hash database types.)

       -q     Quick mode.  Instead of displaying the corresponding
              information with the hash, just display 0 if the hash was not
              found and 1 if it was.  If this flag is used, then only one
              hash can be given at a time.

       -V     Display version

       db_file
              The location of the hash database file.

       [hashes]
              The hashes to look up.  If they are not supplied on the
              command line, STDIN is used.  If index files exist for both
              SHA-1 and MD5 hashes, then both types of hashes can be given
              at runtime.


INDEX FILE

       hfind uses an index file to perform a binary search for a hash value.
       This is much faster than using 'grep', which will do a linear search.
       Before a hash database is used, a corresponding index file must be
       created.  This is done with the '-i' option to hfind.

       The resulting index file will be named based on the database file
       name.  The name will have the original name followed by the hash
       type (sha1 or md5) followed by '.idx'.  For example, creating an MD5
       hash index of the NIST NSRL results in 'NSRLFile.txt-md5.idx' and the
       SHA-1 index results in 'NSRLFile.txt-sha1.idx'.

       The file has two columns.  Each entry is sorted by the first column,
       which is the hash value.  The second column has the byte offset of
       the corresponding entry in the original file.  So, when a hash is
       found in the index, the offset is recorded and then 'hfind' seeks to
       the entry in the original database.

       The following input types are valid.  For NSRL, 'nsrl-md5' and
       'nsrl-sha1' can be used.  The difference is which hash value the
       index is sorted by.  The 'md5sum' value can also be used to sort and
       index "home made" databases.  'hfind' can take data in both common
       formats:

            MD5 (test.txt) = 76b1f4de1522c20b67acc132937cf82e

       and

            76b1f4de1522c20b67acc132937cf82e        test.txt

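       The index layout and lookup described above, as an added example that
       is not hfind's own code: it parses both 'md5sum' line formats, builds
       a (hash, byte offset) index sorted by hash, binary-searches it and
       seeks back into the original database, with a quick mode that
       mirrors '-q'.  The SAMPLE_DB lines and the function names are
       constructed for this illustration.

```python
import bisect
import re

# Constructed sample database containing both line formats hfind accepts,
# plus one junk line to show that non-entries are skipped when indexing.
SAMPLE_DB = (
    b"MD5 (test.txt) = 76b1f4de1522c20b67acc132937cf82e\n"
    b"928682269cd3edb1acdf9a7f7e606ff2  /bin/bash\n"
    b"0b5d4ad0ac1d5b1b7a9fbcb3e3b4c2d1  /bin/ls\n"
    b"this line is not a hash entry\n"
)

# "MD5 (name) = hash"  or  "hash  name"
LINE_RE = re.compile(
    rb"^(?:MD5 \((.*)\) = ([0-9a-fA-F]{32})|([0-9a-fA-F]{32})\s+(.+))$"
)


def parse_entry(line):
    """Return (hash, name) for either md5sum format, or None for other lines."""
    m = LINE_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    if m.group(2):
        return m.group(2).lower().decode(), m.group(1).decode()
    return m.group(3).lower().decode(), m.group(4).decode()


def build_index(db):
    """Equivalent of 'hfind -i md5sum': (hash, byte offset) rows sorted by hash."""
    rows, offset = [], 0
    for line in db.splitlines(keepends=True):
        entry = parse_entry(line)
        if entry:
            rows.append((entry[0], offset))
        offset += len(line)  # byte offset of the next line in the original db
    rows.sort()  # sorted by hash so lookups can bisect instead of scanning
    return rows


def lookup(db, index, digest, quick=False):
    """Binary-search the index, then seek into the original database."""
    digest = digest.lower()
    i = bisect.bisect_left(index, (digest, 0))
    found = i < len(index) and index[i][0] == digest
    if quick:  # -q: 1 if found, 0 otherwise
        return int(found)
    if not found:
        return f"{digest}  Hash Not Found"
    start = index[i][1]
    _, name = parse_entry(db[start:db.index(b"\n", start)])
    return f"{digest}  {name}"
```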

EXAMPLES

       To create an MD5 index file for NIST NSRL:

            # hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt

       To look up a value in the NSRL:

            # hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e

            76b1f4de1522c20b67acc132937cf82e  Hash Not Found

       You can even do both SHA-1 and MD5 if you want:

            # hfind -i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt

            # hfind /usr/local/hash/nsrl/NSRLFile.txt \
                  76b1f4de1522c20b67acc132937cf82e \
                  80001A80B3F1B80076B297CEE8805AAA04E1B5BA

            76b1f4de1522c20b67acc132937cf82e  Hash Not Found

            80001A80B3F1B80076B297CEE8805AAA04E1B5BA  thrdcore.cpp

       To make a database of critical binaries of a trusted system, use
       'md5sum':

            # md5sum /bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/* \
                  /usr/local/sbin/* > system.md5

            # hfind -i md5sum system.md5

       To look entries up, the following will work:

            # hfind system.md5 76b1f4de1522c20b67acc132937cf82e

            76b1f4de1522c20b67acc132937cf82e  Hash Not Found

       or

            # md5sum -q /bin/* | hfind system.md5

            928682269cd3edb1acdf9a7f7e606ff2  /bin/bash

            <...>

       or

            # md5sum -q /bin/* > bin.md5

            # hfind -f bin.md5 system.md5

            928682269cd3edb1acdf9a7f7e606ff2  /bin/bash

            <...>


SEE ALSO

       sorter(1)

       The NIST National Software Reference Library (NSRL) can be found at
       www.nsrl.nist.gov.


LICENSE

       Distributed under the Common Public License, found in the cpl1.0.txt
       file in The Sleuth Kit licenses directory.


AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>


                                                                      HFIND(1)