
hashdeep

Recursively compute hash sums or piecewise hashes using the MD5, SHA1, SHA256, tiger, and whirlpool algorithms. Useful for comparing hashes against known lists in forensic investigations.

Description

hashdeep is a set of tools that recursively compute hash sums of an arbitrary number of files. It supports the MD5, SHA1, SHA256, tiger, and whirlpool algorithms, with features like comparing computed hashes against a list of known hashes, displaying matches or non-matches, estimating processing time for large files, and piecewise hashing in arbitrarily sized blocks.

The package includes hashdeep for multi-algorithm support and specialized tools like md5deep, sha1deep, sha256deep, tigerdeep, and whirlpooldeep. It is particularly useful in forensics investigations for auditing file integrity and identifying known or altered files.

Key modes include audit mode to validate files against known hashes, matching mode to find files that match a known hash list, and negative matching to identify files that do not match.

How It Works

hashdeep recursively traverses directories and computes message digests using specified algorithms like MD5, SHA1, SHA256, tiger, or whirlpool. In piecewise mode, files are divided into blocks of specified size for hashing. It compares computed hashes against a known hash file provided via -k, supporting audit (-a), matching (-m), and negative matching (-x) modes. Output can be in DFXML format, with options for threading, verbosity, and filtering by file size or type.
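The block-splitting idea behind piecewise mode, as an added Python example that is not hashdeep's own code and does not reproduce its output format: comparing per-block digests of a baseline and a suspect copy narrows a change to a byte range, where a whole-file hash only reports that the files differ. The function names, file names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile


def piecewise_hashes(path, block_size, algorithm="sha256"):
    """Return [(start, end, hexdigest)] for consecutive blocks of a file."""
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    results, offset = [], 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            digest = hashlib.new(algorithm, block).hexdigest()
            # End offset is inclusive; the final block may be shorter.
            results.append((offset, offset + len(block) - 1, digest))
            offset += len(block)
    return results


def changed_ranges(known, observed):
    """Return sorted byte ranges whose digest differs between two listings."""
    known_map = {(s, e): d for s, e, d in known}
    observed_map = {(s, e): d for s, e, d in observed}
    changed = {r for r, d in observed_map.items() if known_map.get(r) != d}
    # Ranges only in the baseline mean the file was truncated or resized.
    changed |= known_map.keys() - observed_map.keys()
    return sorted(changed)


def demo(block_size=1024):
    """Constructed sample: 4096-byte file with one byte flipped at offset 2500."""
    original = bytes(range(256)) * 16      # constructed data, not real evidence
    tampered = bytearray(original)
    tampered[2500] ^= 0xFF
    with tempfile.TemporaryDirectory() as tmp:
        baseline = os.path.join(tmp, "baseline.bin")   # hypothetical names
        suspect = os.path.join(tmp, "suspect.bin")
        for path, data in ((baseline, original), (suspect, tampered)):
            with open(path, "wb") as fh:
                fh.write(data)
        return changed_ranges(piecewise_hashes(baseline, block_size),
                              piecewise_hashes(suspect, block_size))


if __name__ == "__main__":
    print(demo())
```

Smaller blocks localize a change more tightly at the cost of a longer hash list.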

Installation

sudo apt install hashdeep

Flags

-c <alg1,[alg2]>  Compute hashes only. Defaults are MD5 and SHA-256. Legal values: md5,sha1,sha256,tiger,whirlpool
-p <size>         piecewise mode. Files are broken into blocks for hashing
-r                recursive mode. All subdirectories are traversed
-d                output in DFXML (Digital Forensics XML)
-k <file>         add a file of known hashes
-a                audit mode. Validates FILES against known hashes. Requires -k
-m                matching mode. Requires -k
-x                negative matching mode. Requires -k
-w                in -m mode, displays which known file was matched
-e                compute estimated time remaining for each file
-s                silent mode. Suppress all error messages
-b                prints only the bare name of files; all path information is omitted
-l                print relative paths for filenames
-i/-I             only process files smaller than the given threshold
-o                only process certain types of files. See README/manpage
-v                verbose mode. Use again to be more verbose
-j <num>          use num threads (default 6)

Examples

Display help for hashdeep:
hashdeep -h

Recursively compute MD5 and SHA-256 hashes for files in a directory:
hashdeep -c md5,sha256 -r /path/to/files

Audit files against known hashes in audit mode:
hashdeep -a -k known_hashes.txt /path/to/files

Matching mode to find files matching known hashes:
hashdeep -m -k known_hashes.txt /path/to/files

Negative matching mode to find files not matching known hashes:
hashdeep -x -k known_hashes.txt /path/to/files

Piecewise hashing with 1KB blocks recursively:
hashdeep -p 1024 -r /path/to/files

Display help for md5deep:
md5deep -h

MD5 matching mode using md5deep:
md5deep -m known_hashes.txt /path/to/files

Updated 2026-04-16 | kali.org