md5deep(1)

1MD5DEEP(1)                  United States Air Force                 MD5DEEP(1)
2
3
4

NAME

6       md5deep - Compute and compare MD5 message digests
7       sha1deep - Compute and compare SHA-1 message digests
8       sha256deep - Compute and compare SHA-256 message digests
9       tigerdeep - Compute and compare Tiger message digests
10       whirlpooldeep - Compute and compare Whirlpool message digests
11
12

SYNOPSIS

14       md5deep -v | -V | -h
15       md5deep  [-m|-M|-x|-X  <file>]   [-a|-A <hash>] [-f <file>] [-p <size>]
16       [-i <size>] [-tnwzresS0lbkqZ] [-o <fbcplsd>] [FILES]
17
18

DESCRIPTION

20       Computes the hashes, or message digest, for any number of  files  while
21       optionally  recursively  digging  through the directory structure.  Can
22       also take a list of known hashes and display  the  filenames  of  input
23       files  whose  hashes either do or do not match any of the known hashes.
24       Errors are reported to standard error. If no FILES are specified, reads
25       from standard input.
26
27
28       -p <size>
29              Piecewise mode. Breaks files into chunks before hashing.  Chunks
30              may be specified using IEC multipliers b, k, m, g, t, p,  or  e.
31              (Never  let it be said that the author didn't plan ahead!)  This
32              mode cannot be used with the -z mode.
33
34
35       -i|-I <size>
36              Size threshold mode. Only hash files smaller than the given  the
37              threshold.  In -i mode, simply omits those files larger than the
38              threshold. In -I mode, displays all files,  but  uses  asterisks
39              for the hashes of files larger than the threshold.  Sizes may be
40              specified using IEC multipliers b, k, m, g, t, p, or e.
41
42
43       -r     Enables recursive mode. All subdirectories are traversed. Please
44              note  that recursive mode cannot be used to examine all files of
45              a given file extension. For example, calling  md5deep  -r  *.txt
46              will examine all files in directories that end in .txt.
47
48
49       -e     Displays a progress indicator and estimate of time remaining for
50              each file being processed. Time estimates for files larger  than
51              4GB are not available on Windows. This mode may not be used with
52              th -p mode.
53
54
55       -m <file>
56              Enables matching mode. The file given should be a list of  known
57              hashes.   The  input  files are examined one at a time, and only
58              those files that match the list of known hashes are output. This
59              flag  may  be  used more than once to add multiple sets of known
60              hashes. Acceptable formats for lists of known hashes  are  plain
61              (such  as  those  generated  by  md5deep  or md5sum), Hashkeeper
62              files, iLook, and the National Software Reference Library (NSRL)
63              as  produced by the National Institute for Standards in Technol‐
64              ogy.
65               If standard input is used with the -m flag, displays "stdin" if
66              the input matches one of the hashes in the list of known hashes.
67              If the hash does not match, the program displays no output.
68               This flag may not be used in conjunction with the -x, -X, or -A
69              flags.  See the section "UNICODE SUPPORT" below.
70
71
72       -x <file>
73              Same  as the -m flag above, but does negative matching. That is,
74              only those files NOT in the list of known hashes are displayed.
75               This flag may not be used in conjunction with the -m, -M, or -a
76              flags.  See the section "UNICODE SUPPORT" below.
77
78       -M and -X <file>
79              Same  as  -m  and  -x above, but displays the hash for each file
80              that does (or does not) match the list of known hashes.
81
82
83       -a <hash>
84              Adds a single hash to the list of known hashes used for matching
85              mode,  and if not already enabled, enables matching mode. Adding
86              single hashes cannot, by itself, be used to print the hashes  of
87              matching  files  like the -M flag does. When used in conjunction
88              with the -w flag, the filename displayed is just the  hash  sub‐
89              mitted on the command line.
90               This flag may not be used in conjunction with the -x, -X, or -A
91              flags.
92
93
94       -A <hash>
95              Same as -a above, but does negative matching.  This flag may not
96              be used in conjunction with the -m, -M, or -A flags.
97
98
99       -f <file>
100              Takes a list of files to be hashed from the specified file. Each
101              line is assumed to be a filename. This flag  can  only  be  used
102              once  per  invocation.  If  it's  used a second time, the second
103              instance will clobber the first.
104              Note that you can still use other flags, such as the  -m  or  -x
105              modes, and submit additional FILES on the command line.
106
107
108       -w     During  any of the matching modes (-m,-M,-x,or -X), displays the
109              filename of the known hash that matched the input file.  See the
110              section "UNICODE SUPPORT" below.
111
112
113       -t     Display  a  timestamp  in  GMT with each result. On Windows this
114              timestamp will be the file's creation time. On all other systems
115              it should be the file's change time.
116
117
118       -n     During any of the matching modes (-m,-M,-x,or -X), displays only
119              the filenames of any known hashes that were not matched  by  any
120              of the input files.
121
122
123       -s     Enables silent mode. All error messages are supressed.
124
125
126       -S     Like silent mode, but still displays warnings on improperly for‐
127              matted hashes in the list of known hashes.
128
129
130       -z     Enables file size mode. Prepends the hash with a ten digit  rep‐
131              resentation of the size of each file processed. If the file size
132              is greater than 9999999999 bytes (about 9.3GB) the program  dis‐
133              plays 9999999999 for the size.
134
135
136       -q     Quiet mode. File names are omitted from the output.
137
138
139       -Z     Produces  output  in Triage format. Each line contans the file's
140              size, a tab, a hash of the first 512 bytes, a tab, the  hash  of
141              the  complete  file, a tab, and the file name.  These values are
142              intended in increasing order of specificity. That is, two  files
143              with  different sizes cannot possibly match. This is a fast com‐
144              parison and should be done first. Next, two files with different
145              partial  hashes cannot possibly match. This is often faster than
146              hashing the whole file. Finally, if those two pieces align, then
147              it's worth reading and hashing the entire file.
148
149
150       -0     Uses  a  NULL character (/0) to terminate each line instead of a
151              newline.  Useful for processing filenames with  strange  charac‐
152              ters.
153
154
155       -l     Enables  relative  file  paths. Instead of printing the absolute
156              path for each file, displays the relative file path as indicated
157              on  the  command  line. This flag may not be used in conjunction
158              with the -b flag.
159
160
161       -b     Enables bare mode. Strips any leading directory information from
162              displayed  filenames.   This flag may not be used in conjunction
163              with the -l flag.
164
165
166       -k     Enables asterisk mode. An asterisk is inserted in lieu of a sec‐
167              ond space between the filename and the hash, just like md5sum in
168              its binary (-b) mode.
169
170
171       -c     Enables comma separated values output, or CSV  mode.  This  mode
172              has  the  side  effect  of removing the 10 digit size limitation
173              from -z mode.  Also note that asterisks from  -k  mode  are  not
174              displayed when in CSV mode.
175
176
177       -o <bcpflsd>
178              Enables  expert  mode.  Allows  the user specify which (and only
179              which) types of files are  processed.  Directory  processing  is
180              still  controlled  with  the  -r  flag.  The expert mode options
181              allowed are:
182              f - Regular files
183              b - Block Devices
184              c - Character Devices
185              p - Named Pipes
186              l - Symbolic Links
187              s - Sockets
188              d - Solaris Doors
189
190
191       -h     Show a help screen and exit.
192
193
194       -v     Show the version number and exit.
195
196
197       -V     Show copyright information and exit.
198
199

UNICODE SUPPORT

201       As of version 2.0 the program supports Unicode characters in  filenames
202       on  Microsoft  Windows systems. Due to limitations in Windows, however,
203       each Unicode character is represented as a question  mark  (?)  in  the
204       output.   Note  that  Unicode characters are not supported in the files
205       containing known hashes. You can specify a file of  known  hashes  that
206       has  Unicode  characters  in  its  name by using tab completition or an
207       asterisk (e.g. md5deep -m *.txt where there is only  one  file  with  a
208       .txt extension).
209
210

RETURN VALUE

212       Returns  a bit-wise value based on the success of the operation and the
213       status of any matching operations.
214
215       0      Success. Note that the program considers itself successful  even
216              when  it  encounters  read  errors, permission denied errors, or
217              finds directories when not in recursive mode.
218
219       1      Unused hashes. Under any of the  matching  modes,  returns  this
220              value  if one or more of the known hashes was not matched by any
221              of the input files.
222
223       2      Unmatched inputs. Under any of the matching modes, returns  this
224              value  if  one  or more of the input values did not match any of
225              the known hashes.
226
227       64     User error, such as trying to  do  both  positive  and  negative
228              matching at the same time.
229
230       128    Internal  error,  such  as  memory corruption or uncaught cycle.
231              All internal errors should be reported to the developer! See the
232              section "Reporting Bugs" below.
233
234
235

AUTHOR

237       md5deep was written by Jesse Kornblum, research@jessekornblum.com.
238
239

KNOWN ISSUES

241       Using  the -r flag cannot be used to recursively process all files of a
242       given extension in a directory. This is a feature, not a bug.   If  you
243       need to do this, use the find(1) command.
244
245

REPORTING BUGS

247       We  take  all  bug reports very seriously. Any bug that jeopardizes the
248       forensic integrity of this program could have serious  consequenses  on
249       people's lives. When submitting a bug report, please include a descrip‐
250       tion of the problem, how you found it, and your contact information.
251
252       Send bug reports to the author at the address above.
253
254

COPYRIGHT

256       This program is a work of the US Government. In accordance with 17  USC
257       105,  copyright protection is not available for any work of the US Gov‐
258       ernment.  This program is PUBLIC DOMAIN. Portions of this program  con‐
259       tain  code  that  is  licensed  under  the  terms of the General Public
260       License (GPL).  Those portions  retain  their  original  copyright  and
261       license. See the file COPYING for more details.
262
263       There  is NO warranty for this program; not even for MERCHANTABILITY or
264       FITNESS FOR A PARTICULAR PURPOSE.
265
266