Using the -r flag cannot be used to recursively process all files of a
given extension in a directory. This is a feature, not a bug. If you
need to do this, use the find(1) command.
The program will fail if you attempt to compare 2^64 or more input
files against a set of known files.
We take all bug reports very seriously. Any bug that jeopardizes the
forensic integrity of this program could have serious consequences on
people's lives. When submitting a bug report, please include a descrip‐
tion of the problem, how you found it, and your contact information.
Send bug reports to the author at the address above.
Returns a bit-wise value based on the success of the operation and the
status of any matching operations.
0 Success. Note that the program considers itself successful even
when it encounters read errors, permission denied errors, or
finds directories when not in recursive mode.
1 Unused hashes. Under any of the matching modes, returns this
value if one or more of the known hashes was not matched by any
of the input files.
2 Unmatched inputs. Under any of the matching modes, returns this
value if one or more of the input values did not match any of
the known hashes.
64 User error, such as trying to do both positive and negative
matching at the same time.
128 Internal error, such as memory corruption or uncaught cycle.
All internal errors should be reported to the developer! See the
section "Reporting Bugs" below.
Computes multiple hashes, or message digests, for any number of files
while optionally recursively digging through the directory structure.
By default the program computes MD5 and SHA-256 hashes, equivalent to
-c md5,sha256. Can also take a list of known hashes and display the
filenames of input files whose hashes either do or do not match any of
the known hashes. Can also use a list of known hashes to audit a set
of FILES. Errors are reported to standard error. If no FILES are spec‐
ified, reads from standard input.
Computation mode. Compute hashes of FILES using the algorithms
specified. Legal values are md5, sha1, sha256, tiger, and
-k Load a file of known hashes. This flag is required when using
any of the matching or audit modes (i.e. -m, -x, -M, -X, or -a)
This flag may be used more than once to add multiple sets of
Loading sets with different hash algorithms can sometimes gener‐
ate spurrious hash collisions. For example, let's say we have
two hash sets, A and B, which have some overlapping files. For
example, the file /usr/bin/bad is in both sets. In A we've
recorded the MD5 and SHA-256. In B we've recorded the MD5,
SHA-1, and SHA-256. Because these two records are different,
they will both be loaded. When the program computes all three
hashes and compares them to the set of knowns, we will get an
exact match from the record in B and a collision from the record
-a Audit mode. Each input file is compared against the set of
knowns. An audit is said to pass if each input file is matched
against exactly one file in set of knowns. Any collisions, new
files, or missing files will make the audit fail. Using this
flag alone produces a message, either "Audit passed" or "Audit
Failed". Use the verbose modes, -v, for more details. Using -v
prints the number of files in each category. Using -v a second
time prints any discrepancies. Using -v a third time prints the
results for every file examined and every known file.
Due to limitations in the program, any filenames with Unicode
characters will appear to have moved during an audit. See the
section "UNICODE SUPPORT" below.
-m Positive matching, requires at least one use of the -k flag.
The input files are examined one at a time, and only those files
that match the list of known hashes are output. The only accept‐
able format for known hashes is the output of previous hashdeep
If standard input is used with the -m flag, displays "stdin" if
the input matches one of the hashes in the list of known hashes.
If the hash does not match, the program displays no output.
This flag may not be used in conjunction with the -x, -X, or -a
flags. See the section "UNICODE SUPPORT" below.
-x Negative matching. Same as the -m flag above, but does negative
matching. That is, only those files NOT in the list of known
hashes are displayed.
This flag may not be used in conjunction with the -m, -M, or -a
flags. See the section "UNICODE SUPPORT" below.
Takes a list of files to be hashed from the specified file. Each
line is assumed to be a filename. This flag can only be used
once per invocation. If it's used a second time, the second in‐
stance will clobber the first.
Note that you can still use other flags, such as the -m or -x
modes, and submit additional FILES on the command line.
-w When used with positive matching modes (-m,-M) displays the
filename of the known hash that matched the input file. See the
section "UNICODE SUPPORT" below.
-M and -X
Same as -m and -x above, but displays the hash for each file
that does (or does not) match the list of known hashes.
-r Enables recursive mode. All subdirectories are traversed. Please
note that recursive mode cannot be used to examine all files of
a given file extension. For example, calling hashdeep -r *.txt
will examine all files in directories that end in .txt.
-e Displays a progress indicator and estimate of time remaining for
each file being processed. Time estimates for files larger than
4GB are not available on Windows. This mode may not be used with
th -p mode.
-E When in audit mode, performs case insensitive matching of file‐
names. For example, \foo\bar will match to \Foo\BAR. This can
be important on Windows systems, where filenames are case insen‐
Size threshold mode. Only hash files smaller than the given the
threshold. Sizes may be specified using IEC multipliers
b,k,m,g,t,p, and e.
Enables expert mode. Allows the user specify which (and only
which) types of files are processed. Directory processing is
still controlled with the -r flag. The expert mode options al‐
f - Regular files
b - Block Devices
c - Character Devices
p - Named Pipes
l - Symbolic Links
s - Sockets
d - Solaris Doors
e - Windows PE executables
-s Enables silent mode. All error messages are suppressed.
-p Piecewise mode. Breaks files into chunks before hashing. Chunks
may be specified using IEC multipliers b,k,m,g,t,p, and e.
(Never let it be said that the author didn’t plan ahead.)
-b Enables bare mode. Strips any leading directory information from
displayed filenames. This flag may not be used in conjunction
with the -l flag.
-l Enables relative file paths. Instead of printing the absolute
path for each file, displays the relative file path as indicated
on the command line. This flag may not be used in conjunction
with the -b flag.
-v Enables verbose mode. Use again to make the program more ver‐
bose. This mostly changes the behvaior of the audit mode, -a.
-jnn Controls multi-threading. By default the program will create one
producer thread to scan the file system and one hashing thread
per CPU core. Multi-threading causes output filenames to be in
non-deterministic order, as files that take longer to hash will
be delayed while they are hashed. If a deterministic order is
required, specify -j0 to disable multi-threading
-d Output in Digital Forensics XML (DFXML) format.
-u Quote Unicode output. For example, the snowman is shown as
Specifies the input mode that is used to read files. The default
is -Fb (buffered I/O) which reads files with fopen(). Specifying
-Fu will use unbuffered I/O and read the file with open(). Spec‐
ifying -Fm will use memory-mapped I/O which will be faster on
some platforms, but which (currently) will not work with files
that produce I/O errors.
-h Show a help screen and exit.
-V Show the version number and exit.
As of version 3.0 the program supports Unicode characters in filenames
on Microsoft Windows systems for filenames specified on the command
line with globbing (e.g. *), for files specified with the -f of files
to hash, and for files read from directories using the -r option.
By default all program input and output should be in UTF-8. The pro‐
gram automatically converts this to UTF-16 for opening files).
On Unix/Linux/MacOS, you should use a terminal emulator that supports
UTF-8 and UTF-8 characters in filenames will be properly displayed.
On Windows, the programs do not display Unicode characters on the con‐
sole. You must either redirect output to a file and open the file with
Wordpad (which can display Unicode), or you must specify the -u option
to quote Unicode using standard U+XXXX notation.
Currently the file name of a file containing known hashes may not be
specified as a unicode filename, but you can specify the name using tab
completion or an asterisk (e.g. md5deep -m *.txt where there is only
one file with a .txt extension).
This program is a work of the US Government. In accordance with 17 USC
105, copyright protection is not available for any work of the US Gov‐
ernment. This program is PUBLIC DOMAIN. Portions of this program con‐
tain code that is licensed under the terms of the General Public Li‐
cense (GPL). Those portions retain their original copyright and li‐
cense. See the file COPYING for more details.
There is NO warranty for this program; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
More information and installation instructions can be found in the
README file. Current versions of both documents can be found on the
project homepage: http://md5deep.sourceforge.net/
The MD5 specification, RFC 1321, is available at
The SHA-1 specification, RFC 3174, is available at
The SHA-256 specification, FIPS 180-2, is available at
The Tiger specification is available at
The Whirlpool specification is available at