hashdeep(1)

1HASHDEEP(1)                 United States Air Force                HASHDEEP(1)
2
3
4

NAME

6       hashdeep - Compute, compare, or audit multiple message digests
7
8

SYNOPSIS

10       hashdeep -V | -h
11       hashdeep  [-c  <alg1>[,<alg2>]]  [-k <file>] [-i <size>] [-o <fbcplsd>]
12       [-amxwMXrespblvv] [FILES]
13
14
15

DESCRIPTION

17       Computes multiple hashes, or message digests, for any number  of  files
18       while  optionally  recursively digging through the directory structure.
19       By default the program computes MD5 and SHA-256 hashes,  equivalent  to
20       -c  md5,sha256.   Can  also take a list of known hashes and display the
21       filenames of input files whose hashes either do or do not match any  of
22       the  known  hashes.  Can also use a list of known hashes to audit a set
23       of FILES.  Errors are reported to standard error. If no FILES are spec‐
24       ified, reads from standard input.
25
26
27
28
29       -c <alg1>[,<alg2>...]
30              Computation  mode.  Compute hashes of FILES using the algorithms
31              specified. Legal  values  are  md5,  sha1,  sha256,  tiger,  and
32              whirlpool.
33
34
35
36       -k     Load  a  file of known hashes.  This flag is required when using
37              any of the matching or audit modes (i.e. -m, -x, -M, -X, or  -a)
38              This  flag  may  be  used more than once to add multiple sets of
39              known hashes.
40
41              Loading sets with different hash algorithms can sometimes gener‐
42              ate  spurrious  hash  collisions. For example, let's say we have
43              two hash sets, A and B, which have some overlapping  files.  For
44              example,  the  file  /usr/bin/bad  is  in  both sets. In A we've
45              recorded the MD5 and SHA-256.  In  B  we've  recorded  the  MD5,
46              SHA-1,  and  SHA-256.  Because  these two records are different,
47              they will both be loaded. When the program  computes  all  three
48              hashes  and  compares  them to the set of knowns, we will get an
49              exact match from the record in B and a collision from the record
50              in A.
51
52
53
54       -a     Audit  mode.  Each  input  file  is  compared against the set of
55              knowns.  An audit is said to pass if each input file is  matched
56              against  exactly  one file in set of knowns. Any collisions, new
57              files, or missing files will make the  audit  fail.  Using  this
58              flag  alone  produces a message, either "Audit passed" or "Audit
59              Failed". Use the verbose modes, -v, for more details.  Using  -v
60              prints  the  number of files in each category. Using -v a second
61              time prints any discrepancies. Using -v a third time prints  the
62              results for every file examined and every known file.
63              Due  to  limitations  in the program, any filenames with Unicode
64              characters will appear to have moved during an  audit.  See  the
65              section "UNICODE SUPPORT" below.
66
67
68       -m     Positive  matching,  requires  at  least one use of the -k flag.
69              The input files are examined one at a time, and only those files
70              that match the list of known hashes are output. The only accept‐
71              able format for known hashes is the output of previous  hashdeep
72              runs.
73               If standard input is used with the -m flag, displays "stdin" if
74              the input matches one of the hashes in the list of known hashes.
75              If the hash does not match, the program displays no output.
76               This flag may not be used in conjunction with the -x, -X, or -a
77              flags.  See the section "UNICODE SUPPORT" below.
78
79
80       -x     Negative matching.  Same as the -m flag above, but does negative
81              matching.  That  is,  only  those files NOT in the list of known
82              hashes are displayed.
83               This flag may not be used in conjunction with the -m, -M, or -a
84              flags.  See the section "UNICODE SUPPORT" below.
85
86
87       -w     When  used  with  positive  matching  modes (-m,-M) displays the
88              filename of the known hash that matched the input file.  See the
89              section "UNICODE SUPPORT" below.
90
91
92       -M and -X
93              Same  as  -m  and  -x above, but displays the hash for each file
94              that does (or does not) match the list of known hashes.
95
96
97
98       -r     Enables recursive mode. All subdirectories are traversed. Please
99              note  that recursive mode cannot be used to examine all files of
100              a given file extension. For example, calling hashdeep  -r  *.txt
101              will examine all files in directories that end in .txt.
102
103
104
105       -e     Displays a progress indicator and estimate of time remaining for
106              each file being processed. Time estimates for files larger  than
107              4GB are not available on Windows. This mode may not be used with
108              th -p mode.
109
110
111
112       -i <size>
113              Size threshold mode. Only hash files smaller than the given  the
114              threshold.   Sizes   may  be  specified  using  IEC  multipliers
115              b,k,m,g,t,p, and e.
116
117
118
119       -o <bcpflsd>
120              Enables expert mode. Allows the user  specify  which  (and  only
121              which)  types  of  files  are processed. Directory processing is
122              still controlled with the  -r  flag.  The  expert  mode  options
123              allowed are:
124              f - Regular files
125              b - Block Devices
126              c - Character Devices
127              p - Named Pipes
128              l - Symbolic Links
129              s - Sockets
130              d - Solaris Doors
131
132
133
134       -s     Enables silent mode. All error messages are supressed.
135
136
137
138       -p     Piecewise  mode. Breaks files into chunks before hashing. Chunks
139              may be specified  using  IEC  multipliers  b,k,m,g,t,p,  and  e.
140              (Never let it be said that the author didn’t plan ahead.)
141
142
143
144       -b     Enables bare mode. Strips any leading directory information from
145              displayed filenames.  This flag may not be used  in  conjunction
146              with the -l flag.
147
148
149       -l     Enables  relative  file  paths. Instead of printing the absolute
150              path for each file, displays the relative file path as indicated
151              on  the  command  line. This flag may not be used in conjunction
152              with the -b flag.
153
154
155       -v     Enables verbose mode. Use again to make the  program  more  ver‐
156              bose.  This mostly changes the behvaior of the audit mode, -a.
157
158
159       -h     Show a help screen and exit.
160
161
162       -V     Show the version number and exit.
163
164
165
166

UNICODE SUPPORT

168       As  of  version  2.0  the  program can process input files with Unicode
169       characters in their filenames on Windows  systems.   In  the  program's
170       output,  however, each Unicode character is represented with a question
171       mark (?).  Note that Unicode characters are not supported in the  files
172       containing  known  hashes.  You can specify a file of known hashes that
173       has Unicode characters in its name by  using  tab  completition  or  an
174       asterisk  (e.g.  hashdeep -mk *.txt where there is only one file with a
175       .txt extension).
176
177

RETURN VALUE

179       Returns zero on success, one on error.
180
181

AUTHOR

183       hashdeep was written by Jesse Kornblum, research@jessekornblum.com.
184
185

KNOWN ISSUES

187       Using the -r flag cannot be used to recursively process all files of  a
188       given  extension  in a directory. This is a feature, not a bug.  If you
189       need to do this, use the find(1) command.
190
191       The program will fail if you attempt to  compare  2^64  or  more  input
192       files against a set of known files.
193
194
195

REPORTING BUGS

197       We  take  all  bug reports very seriously. Any bug that jeopardizes the
198       forensic integrity of this program could have serious  consequenses  on
199       people's lives. When submitting a bug report, please include a descrip‐
200       tion of the problem, how you found it, and your contact information.
201
202       Send bug reports to the author at the address above.
203
204

COPYRIGHT

206       This program is a work of the US Government. In accordance with 17  USC
207       105,  copyright protection is not available for any work of the US Gov‐
208       ernment.  This program is PUBLIC DOMAIN. Portions of this program  con‐
209       tain  code  that  is  licensed  under  the  terms of the General Public
210       License (GPL).  Those portions  retain  their  original  copyright  and
211       license. See the file COPYING for more details.
212
213       There  is NO warranty for this program; not even for MERCHANTABILITY or
214       FITNESS FOR A PARTICULAR PURPOSE.
215
216