Table of Contents
hashdeep - Compute, compare, or audit multiple message digests
-V | -h
hashdeep [-c <alg1>[,<alg2>]] [-k <file>] [-i <size>] [-f <file>] [-o <fbcplsde>] [-amxwMXrespblvv]
[-F<bum>] [-j <num>] [FILES]
Computes multiple hashes, or message
digests, for any number of files while optionally recursively digging
through the directory structure. By default the program computes MD5 and
SHA-256 hashes, equivalent to -c md5,sha256. Can also take a list of known
hashes and display the filenames of input files whose hashes either do
or do not match any of the known hashes. Can also use a list of known hashes
to audit a set of FILES. Errors are reported to standard error. If no FILES
are specified, reads from standard input.
of version 3.0 the program supports Unicode characters in filenames on Microsoft
Windows systems for filenames specified on the command line with globbing
(e.g. *), for files specified with the -f of files to hash, and for files
read from directories using the -r option.
- -c <alg1>[,<alg2>...]
- Computation mode.
Compute hashes of FILES using the algorithms specified. Legal values are
md5, sha1, sha256, tiger, and whirlpool.
- Load a file of known hashes.
This flag is required when using any of the matching or audit modes (i.e.
-m, -x, -M, -X, or -a) This flag may be used more than once to add multiple
sets of known hashes.
Loading sets with different hash algorithms can
sometimes generate spurrious hash collisions. For example, let’s say we have
two hash sets, A and B, which have some overlapping files. For example,
the file /usr/bin/bad is in both sets. In A we’ve recorded the MD5 and SHA-256.
In B we’ve recorded the MD5, SHA-1, and SHA-256. Because these two records
are different, they will both be loaded. When the program computes all
three hashes and compares them to the set of knowns, we will get an exact
match from the record in B and a collision from the record in A.
- Audit mode. Each input file is compared against the set of knowns. An audit
is said to pass if each input file is matched against exactly one file
in set of knowns. Any collisions, new files, or missing files will make
the audit fail. Using this flag alone produces a message, either "Audit
passed" or "Audit Failed". Use the verbose modes, -v, for more details. Using
-v prints the number of files in each category. Using -v a second time prints
any discrepancies. Using -v a third time prints the results for every file
examined and every known file.
Due to limitations in the program, any filenames with Unicode characters
will appear to have moved during an audit. See the section "UNICODE SUPPORT"
- Positive matching, requires at least one use of the -k flag. The
input files are examined one at a time, and only those files that match
the list of known hashes are output. The only acceptable format for known
hashes is the output of previous hashdeep runs.
If standard input is used with the -m flag, displays "stdin" if the input
matches one of the hashes in the list of known hashes. If the hash does
not match, the program displays no output.
This flag may not be used in conjunction with the -x, -X, or -a flags. See
the section "UNICODE SUPPORT" below.
- Negative matching. Same as the -m
flag above, but does negative matching. That is, only those files NOT in
the list of known hashes are displayed.
This flag may not be used in conjunction with the -m, -M, or -a flags. See
the section "UNICODE SUPPORT" below.
- -f <file>
- Takes a list of files to be
hashed from the specified file. Each line is assumed to be a filename. This
flag can only be used once per invocation. If it’s used a second time, the
second instance will clobber the first.
Note that you can still use other flags, such as the -m or -x modes, and
submit additional FILES on the command line.
- When used with positive
matching modes (-m,-M) displays the filename of the known hash that matched
the input file. See the section "UNICODE SUPPORT" below.
- -M and -X
- Same as
-m and -x above, but displays the hash for each file that does (or does
not) match the list of known hashes.
- Enables recursive mode. All subdirectories
are traversed. Please note that recursive mode cannot be used to examine
all files of a given file extension. For example, calling hashdeep -r *.txt
will examine all files in directories that end in .txt.
- Displays a progress
indicator and estimate of time remaining for each file being processed.
Time estimates for files larger than 4GB are not available on Windows. This
mode may not be used with th -p mode.
- -i <size>
- Size threshold mode. Only
hash files smaller than the given the threshold. Sizes may be specified
using IEC multipliers b,k,m,g,t,p, and e.
- -o <bcpflsd>
- Enables expert mode.
Allows the user specify which (and only which) types of files are processed.
Directory processing is still controlled with the -r flag. The expert mode
options allowed are:
f - Regular files
b - Block Devices
c - Character Devices
p - Named Pipes
l - Symbolic Links
s - Sockets
d - Solaris Doors
e - Windows PE executables
- Enables silent mode. All error messages are
- Piecewise mode. Breaks files into chunks before hashing. Chunks
may be specified using IEC multipliers b,k,m,g,t,p, and e. (Never let it
be said that the author didn’t plan ahead.)
- Enables bare mode. Strips
any leading directory information from displayed filenames. This flag may
not be used in conjunction with the -l flag.
- Enables relative file paths.
Instead of printing the absolute path for each file, displays the relative
file path as indicated on the command line. This flag may not be used in
conjunction with the -b flag.
- Enables verbose mode. Use again to make the
program more verbose. This mostly changes the behvaior of the audit mode,
- Controls multi-threading. By default the program will create one producer
thread to scan the file system and one hashing thread per CPU core. Multi-threading
causes output filenames to be in non-deterministic order, as files that
take longer to hash will be delayed while they are hashed. If a deterministic
order is required, specify -j0 to disable multi-threading
- Output in Digital
Forensics XML (DFXML) format.
- Quote Unicode output. For example, the snowman
is shown as U+C426.
- Specifies the input mode that is used to read
files. The default is -Fb (buffered I/O) which reads files with fopen(). Specifying
-Fu will use unbuffered I/O and read the file with open(). Specifying -Fm
will use memory-mapped I/O which will be faster on some platforms, but which
(currently) will not work with files that produce I/O errors.
a help screen and exit.
- Show the version number and exit.
By default all program input
and output should be in UTF-8. The program automatically converts this to
UTF-16 for opening files).
On Unix/Linux/MacOS, you should use a terminal
emulator that supports UTF-8 and UTF-8 characters in filenames will be properly
On Windows, please note that the onsole is not capiable of displaying
Unicode characters. You must either redirect output to a file and open the
file with Wordpad (which can display Unicode), or you must specify the
-u option to quote Unicode using standard U+XXXX notation.
file name of a file containing known hashes may not be specified as a unicode
filename, but you can specify the name using tab completition or an asterisk
(e.g. md5deep -m *.txt where there is only one file with a .txt extension).
Returns zero on success, one on error.
written by Jesse Kornblum, firstname.lastname@example.org, and Simson Garfinkel.
Using the -r flag cannot be used to recursively process all
files of a given extension in a directory. This is a feature, not a bug.
If you need to do this, use the find(1)
The program will fail
if you attempt to compare 2^64 or more input files against a set of known
We take all bug reports very seriously. Any bug that
jeopardizes the forensic integrity of this program could have serious consequences
on people’s lives. When submitting a bug report, please include a description
of the problem, how you found it, and your contact information.
reports to the author at the address above.
This program is a
work of the US Government. In accordance with 17 USC 105, copyright protection
is not available for any work of the US Government. This program is PUBLIC
DOMAIN. Portions of this program contain code that is licensed under the
terms of the General Public License (GPL). Those portions retain their original
copyright and license. See the file COPYING for more details.
There is NO
warranty for this program; not even for MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.
More information and installation instructions
can be found in the README file. Current versions of both documents can
be found on the project homepage: http://md5deep.sourceforge.net/
specification, RFC 1321, is available at
The SHA-1 specification, RFC 3174, is available
The SHA-256 specification, FIPS 180-2,
is available at
The Tiger specification
is available at
The Whirlpool specification
is available at
Table of Contents