hashdeep
Compute and compare file hashes
SYNOPSIS
hashdeep [-c
PARAMETERS
-c
Specifies the computation mode. Valid modes are md5, sha1, sha256, sha512, sha3-224, sha3-256, sha3-384, sha3-512, blake2b. Defaults to sha256.
-k
Loads known hashes from a file for matching.
-r
Enables recursive directory traversal.
-l
Enables lint mode. Generates names in all lowercase, useful on case-insensitive file systems.
-e
Display the Estimated Time of Completion (ETC).
-i
Specifies minimum file size to hash.
-f
Read file names to be hashed from the specified file.
-o
Specifies the output format (e.g., f for 'files only', b for 'bare').
-p
Displays a progress percentage.
-s
Audits a single file.
-v
Enables verbose mode.
-V
Displays the version number.
-w
Enables whine mode. Displays an error message for every file that could not be opened.
-x
Excludes the files listed in the file from processing.
FILES
The files or directories to be hashed.
DESCRIPTION
Hashdeep is a command-line utility used to compute cryptographic hashes, or message digests, of files. It can recursively traverse directories and compute hashes for all files within, then compare these hashes against a list of known hashes, or audit them against the same set of hashes. This allows users to verify the integrity of files and detect changes or modifications, either accidental or malicious. Hashdeep supports various hashing algorithms, including MD5, SHA-1, SHA-256, SHA-512, and others. Its primary use cases include data integrity verification, forensic analysis, and malware identification. Hashdeep can be used to generate hash sets, perform file comparison for detecting modifications or intrusions, and validate software distributions by comparing their hashes against published values.
CAVEATS
Hashdeep relies on accurate hash sets for comparisons. Corrupted or tampered hash sets will lead to incorrect results. Performance can be impacted by the size and number of files being processed, especially with recursive traversal.
OUTPUT FORMATS
The '-o' option controls output formatting: f produces a file-only list, b a bare list (hash and file name), c a colon-separated format, s a split format, p a portable format, k the known-file format, and m multi-process mode.
These formats determine how the hash and file name are presented in the output, impacting readability and script parsing.
AUDIT MODE
Hashdeep can be used to audit files against a known set of hashes. This is done using the '-k' option to load a list of known hashes, and then running hashdeep on the files to be audited. Files that match the known hashes are considered 'matched', while files that do not are considered 'different'. This can be used to detect changes to files, or to identify files that are not part of the known set.
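The audit logic described above, as an added Python example that is not hashdeep's own code: it parses a hash set, assuming the `%%%% size,sha256,filename` header layout, and classifies files by size and SHA-256 only, ignoring paths. `SAMPLE_SET`, `parse_known`, `sha256_file`, `audit` and the `not_found` category are names chosen for this example, and the sample records are constructed.

```python
import hashlib
import os

# Constructed sample hash set (not real data): two header lines, a comment,
# then size,sha256,filename records. The second name contains a comma.
SAMPLE_SET = (
    "%%%% HASHDEEP-1.0\n"
    "%%%% size,sha256,filename\n"
    "## Invoked from: /constructed/example\n"
    "3,ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad,/base/abc.txt\n"
    "9," + "0" * 64 + ",/base/gone,v2.cfg\n"
)

def parse_known(text):
    """Parse a hashdeep-style hash set into {sha256: (size, filename)}."""
    columns, known = None, {}
    for line in text.splitlines():
        if line.startswith("%%%% size,"):  # column header
            columns = line[5:].strip().split(",")
        elif line.strip() and not line.startswith(("%%%%", "##")):
            if columns is None or "sha256" not in columns:
                raise ValueError("hash set has no usable column header")
            # The filename is the last column and may itself contain commas.
            fields = line.split(",", len(columns) - 1)
            if len(fields) != len(columns):
                raise ValueError("malformed record: " + line)
            row = dict(zip(columns, fields))
            known[row["sha256"].lower()] = (int(row["size"]), row["filename"])
    return known

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; return (hex digest, size in bytes)."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size

def audit(root, known):
    """Classify files under root, then list known entries never seen."""
    report, seen = {"matched": [], "different": []}, set()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest, size = sha256_file(path)
            if known.get(digest, (None,))[0] == size:
                report["matched"].append(path)
                seen.add(digest)
            else:
                report["different"].append(path)
    report["not_found"] = sorted(f for d, (_s, f) in known.items() if d not in seen)
    return report
```

A hash set that has itself been altered yields a clean-looking report, so keep it somewhere the audited host cannot write to.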
HISTORY
Hashdeep was developed by Jesse Kornblum for the U.S. Naval Postgraduate School, evolving from earlier tools like md5deep and sha1deep. It's designed for comprehensive file hashing and comparison, particularly useful in forensic and security contexts. It has seen widespread adoption in data integrity verification and incident response.