1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
|
.TH HASHDEEP "1" "v3.6 \- 23 Mar 2010" "AFOSI" "United States Air Force"
.SH NAME
hashdeep \- Compute, compare, or audit multiple message digests
.SH SYNOPSIS
.B hashdeep
-V | -h
.br
.B hashdeep
[-c <alg1>[,<alg2>]] [-k <file>] [-i <size>] [\-o <fbcplsd>] [-amxwMXrespblvv] [\fBFILES\fR]
.SH DESCRIPTION
.PP
Computes multiple hashes, or message digests,
for any number of files while
optionally recursively digging through the directory structure.
By default the program computes MD5 and SHA-256 hashes, equivalent
to \-c md5,sha256.
Can also take a list of known hashes and display the filenames
of input files whose hashes either do or do not match any of the
known hashes.
Can also use a list of known hashes to audit a set of FILES.
Errors are reported to standard error. If no FILES are specified,
reads from standard input.
.TP
\fB\-c <alg1>[,<alg2>...]\fR
Computation mode. Compute hashes of FILES using the algorithms
specified. Legal values are md5, sha1, sha256, tiger, and
whirlpool.
.TP
\fB\-k \fR
Load a file of known hashes.
This flag is required when using any of the matching or audit
modes (i.e. \-m, \-x, \-M, \-X, or \-a)
This flag may be used more than once
to add multiple sets of known hashes.
Loading sets with different hash algorithms
can sometimes generate spurrious hash collisions. For
example, let's say we have two hash sets, A and B,
which have some overlapping files. For example, the file
/usr/bin/bad is in both sets. In A we've recorded the MD5 and SHA-256.
In B we've recorded the MD5, SHA-1, and SHA-256. Because these
two records are different, they will both be loaded. When the
program computes all three hashes and compares them to the set
of knowns, we will get an exact match from the record in B
and a collision from the record in A.
.TP
\fB\-a \fR
Audit mode. Each input file is compared against the set of knowns.
An audit is said to pass if each input file is matched against exactly
one file in set of knowns. Any collisions, new files, or missing
files will make the audit fail. Using this flag alone produces a
message, either "Audit passed" or "Audit Failed". Use the
verbose modes, \-v, for more details. Using \-v prints the number
of files in each category. Using \-v a second time prints any
discrepancies. Using \-v a third time prints the results for every file
examined and every known file.
.br
Due to limitations in the program, any filenames with Unicode characters
will appear to have moved during an audit. See the section "UNICODE
SUPPORT" below.
.TP
\fB\-m \fR
Positive matching, requires at least one use of the \-k flag.
The input files are examined one at a time, and only those files that match
the list of known hashes are output. The only acceptable format
for known hashes is the output of previous hashdeep runs.
.br
\fB\fR
If standard input is used with the -m flag, displays "stdin"
if the input matches one of the hashes in the list of known hashes. If the
hash does not match, the program displays no output.
.br
\fB\fR
This flag may not be used in conjunction with the \-x, \-X, or \-a flags.
See the section "UNICODE SUPPORT" below.
.TP
\fB\-x \fR
Negative matching.
Same as the \-m flag above, but does negative matching. That is, only
those files NOT in the list of known hashes are displayed.
.br
\fB\fR
This flag may not be used in conjunction with the \-m, \-M, or \-a flags.
See the section "UNICODE SUPPORT" below.
.TP
\fB\-w \fR
When used with positive matching modes (\-m,\-M) displays the filename
of the known hash that matched the input file.
See the section "UNICODE SUPPORT" below.
.TP
\fB\-M\fR and \fB-X\fR
Same as \-m and \-x above, but displays the hash for each file that
does (or does not) match the list of known hashes.
.TP
\fB\-r\fR
Enables recursive mode. All subdirectories are traversed. Please note
that recursive mode cannot be used to examine all files of a given
file extension. For example, calling hashdeep -r *.txt will examine
all files in \fIdirectories\fR that end in .txt.
.TP
\fB\-e\fR
Displays a progress indicator and estimate of time
remaining for each file being processed. Time estimates for files
larger than 4GB are not available on Windows. This mode may not be
used with th \-p mode.
.TP
\fB\-i <size> \fR
Size threshold mode. Only hash files smaller than the given the
threshold. Sizes may be specified
using multiplers b,k,m,g,t,p, and e.
.TP
\fB\-o\fR <bcpflsd>
Enables expert mode. Allows the user specify which (and only which) types of
files are processed. Directory processing is still controlled with the
\-r flag. The expert mode options allowed are:
.br
f \- Regular files
.br
b \- Block Devices
.br
c \- Character Devices
.br
p \- Named Pipes
.br
l \- Symbolic Links
.br
s \- Sockets
.br
d \- Solaris Doors
.TP
\fB\-s\fR
Enables silent mode. All error messages are supressed.
.TP
\fB\-p\fR
Piecewise mode. Breaks files into chunks before hashing. Chunks
may be specified using multiplers b,k,m,g,t,p, and e. (Never let
it be said that the author didn’t plan ahead.)
.TP
\fB\-b\fR
Enables bare mode. Strips any leading directory information from
displayed filenames.
This flag may not be used in conjunction with the \-l flag.
.TP
\fB\-l\fR
Enables relative file paths. Instead of printing the absolute path for
each file, displays the relative file path as indicated on the command
line. This flag may not be used in conjunction with the \-b flag.
.TP
\fB\-v\fR
Enables verbose mode. Use again to make the program more verbose.
This mostly changes the behvaior of the audit mode, \-a.
.TP
\fB\-h\fR
Show a help screen and exit.
.TP
\fB\-V\fR
Show the version number and exit.
.SH UNICODE SUPPORT
As of version 2.0 the program can process input files with
Unicode characters in their filenames on Windows systems.
In the program's output, however, each Unicode character
is represented with a question mark (?).
Note that Unicode characters are \fBnot\fR supported in the files
containing known hashes. You can specify a file of known hashes that has
Unicode characters in its name by using tab completition or an asterisk
(e.g. hashdeep -mk *.txt where there is only one file with a .txt extension).
.SH RETURN VALUE
Returns zero on success, one on error.
.SH AUTHOR
hashdeep was written by Jesse Kornblum, research [at] jessekornblum [dott] com.
.SH KNOWN ISSUES
Using the \-r flag cannot be used to recursively process all files
of a given extension in a directory. This is a feature, not a bug.
If you need to do this, use the \fBfind\fR(1) command.
The program will fail if you attempt to compare 2^64 or more input
files against a set of known files.
.SH REPORTING BUGS
We take all bug reports \fIvery\fR seriously. Any bug that jeopardizes the
forensic integrity of this program could have serious consequenses on
people's lives. When submitting a bug report, please include a description
of the problem, how you found it, and your contact information.
.PP
Send bug reports to the author at the address above.
.PP
.SH COPYRIGHT
This program is a work of the US Government. In accordance with 17 USC 105,
copyright protection is not available for any work of the US Government.
This program is PUBLIC DOMAIN. Portions of this program contain code
that is licensed under the terms of the General Public License (GPL).
Those portions retain their original copyright and license. See the file
COPYING for more details.
.PP
There is NO warranty for this program;
not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.SH SEE ALSO
More information and installation instructions can be found in the README
file. Current versions of both documents can be found on the project homepage:
http://md5deep.sourceforge.net/
.PP
The MD5 specification, RFC 1321, is available at
.br
http://www.ietf.org/rfc/rfc1321.txt
.PP
The SHA-1 specification, RFC 3174, is available at
.br
http://www.faqs.org/rfcs/rfc3174.html
.PP
The SHA-256 specification, FIPS 180-2, is available at
.br
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
.PP
The Tiger specification is available at
.br
http://www.cs.technion.ac.il/~biham/Reports/Tiger/
.PP
The Whirlpool specification is available at
.br
http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html
|
