
ssdeep

ssdeep is a recursive piecewise hashing tool for computing and matching Context Triggered Piecewise Hashes (fuzzy hashes). It compares similar but not identical files, identifying modified versions even with insertions, modifications, or deletions.

Description

ssdeep is useful in forensics investigations for comparing files that are similar but not identical, unlike traditional hashes like md5sum or sha1sum. It employs fuzzy hashing to detect modified versions of known files where data has been inserted, modified, or deleted.

The tool provides multiple packages: ssdeep for the main binary, libfuzzy2 for the library, and libfuzzy-dev for development headers. It supports various modes for matching files or directories against known hashes or signatures.

Key applications include forensic analysis to cluster similar files and perform recursive comparisons, aiding in identifying variants of malware or altered documents.

How It Works

ssdeep computes Context Triggered Piecewise Hashes (fuzzy hashes), a method for comparing similar but not identical files by breaking them into piecewise chunks and generating rolling hashes that capture structural similarities despite changes like insertions, deletions, or modifications.
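To make the mechanism concrete, here is a miniature CTPH implementation in Python. It is an added illustration, not ssdeep's own code: the 7-byte rolling window, the block-size rule, the base64 piece alphabet and the FNV piece hash follow the published spamsum design, but the edit-distance weights and the final scoring arithmetic are simplified choices of this example, so its scores will not match ssdeep's exactly. The sample inputs are constructed inside the block from SHA-256 output; no files are read.

```python
"""Miniature context-triggered piecewise hash (CTPH) in the spamsum/ssdeep style.
Added example; constants follow spamsum, scoring is simplified."""
import hashlib

WINDOW = 7        # rolling-hash window (spamsum ROLLING_WINDOW)
MIN_BS = 3        # smallest block size (spamsum MIN_BLOCKSIZE)
SIG_LEN = 64      # target signature length (spamsum SPAMSUM_LENGTH)
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME, MASK = 0x28021967, 0x01000193, 0xFFFFFFFF


class RollingHash:
    """Hash of the last WINDOW bytes only: it depends on local context, not on the
    absolute offset, so piece boundaries resynchronise after an insert or delete."""
    def __init__(self):
        self.win, self.n, self.h1, self.h2, self.h3 = [0] * WINDOW, 0, 0, 0, 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK   # weighted window sum
        self.h1 = (self.h1 + c - self.win[self.n % WINDOW]) & MASK  # plain window sum
        self.win[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK              # shift-xor of recent bytes
        return (self.h1 + self.h2 + self.h3) & MASK


def _signature(data, bs, max_pieces):
    """One base64 char per piece; a piece ends when the rolling hash hits the
    trigger value for this block size (context-triggered boundary)."""
    roll, h, out, dirty = RollingHash(), FNV_INIT, [], False
    for c in data:
        h = ((h * FNV_PRIME) ^ c) & MASK                   # FNV over the current piece
        dirty = True
        if roll.update(c) % bs == bs - 1 and len(out) < max_pieces:
            out.append(B64[h & 0x3F])
            h, dirty = FNV_INIT, False
    if dirty:                                              # tail piece after last trigger
        out.append(B64[h & 0x3F])
    return "".join(out)


def fuzzy_hash(data):
    """Return 'blocksize:sig1:sig2'; sig2 uses double the block size so that inputs
    of neighbouring sizes stay comparable."""
    bs = MIN_BS
    while bs * SIG_LEN < len(data):                        # pick a block size giving ~64 pieces
        bs *= 2
    while True:
        s1 = _signature(data, bs, SIG_LEN - 1)
        s2 = _signature(data, bs * 2, SIG_LEN // 2 - 1)
        if len(s1) < SIG_LEN // 2 and bs > MIN_BS:
            bs //= 2                                       # too few pieces: refine
            continue
        return f"{bs}:{s1}:{s2}"


def _squeeze(s):
    """Collapse runs longer than 3 of one char; they carry little information."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def _has_common_substring(a, b, n=WINDOW):
    """Require an n-char run in common before trusting the edit distance."""
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def _edit_distance(a, b):
    """Levenshtein with insert/delete cost 1 and substitution cost 2 (example choice)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def _score(a, b, bs):
    a, b = _squeeze(a), _squeeze(b)
    if not _has_common_substring(a, b):
        return 0
    score = 100 - (100 * _edit_distance(a, b)) // (len(a) + len(b))
    if bs < (99 + WINDOW) // WINDOW * MIN_BS:             # small blocks: cap the score
        score = min(score, bs // MIN_BS * min(len(a), len(b)))
    return score


def compare(h1, h2):
    """0..100 similarity; only equal block sizes or a 2x difference are comparable."""
    bs1, a1, a2 = h1.split(":")
    bs2, b1, b2 = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1, bs1), _score(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return _score(a1, b2, bs1)
    if bs2 == bs1 * 2:
        return _score(a2, b1, bs2)
    return 0


def sample(seed, n=4000):
    """Constructed deterministic pseudo-random bytes standing in for a file."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


ORIGINAL = sample("a")
MODIFIED = ORIGINAL[:2000] + b"INSERTED-16BYTES" + ORIGINAL[2000:]   # 16-byte insertion
UNRELATED = sample("b")

if __name__ == "__main__":
    h, hm, hu = fuzzy_hash(ORIGINAL), fuzzy_hash(MODIFIED), fuzzy_hash(UNRELATED)
    print(h)
    print(hm)
    print("original vs modified :", compare(h, hm))   # high: boundaries resync after the insert
    print("original vs unrelated:", compare(h, hu))   # 0: no 7-char run in common
```

The point to take from running it: a cryptographic hash of MODIFIED shares nothing with that of ORIGINAL, but the fuzzy signatures differ in only a couple of characters around the insertion point, because the rolling hash forgets the inserted bytes as soon as the window has moved past them and the later piece boundaries fall in the same places as before.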

Installation

```bash
sudo apt install ssdeep
```

Flags

-m file   Match FILES against known hashes in file
-k file   Match signatures in FILES against signatures in file
-d        Directory mode, compare all files in a directory
-p        Pretty matching mode. Similar to -d but includes all matches
-g        Cluster matches together
-v        Verbose mode. Displays filename as it's being processed
-r        Recursive mode
-s        Silent mode; all errors are suppressed
-b        Uses only the bare name of files; all path information omitted
-l        Uses relative paths for filenames
-c        Prints output in CSV format
-x        Compare FILES as signature files
-a        Display all matches, regardless of score
-t val    Only displays matches above the given threshold
-h        Display this help message
-V        Display version number and exit

Examples

Display the help message with usage and flag descriptions:

```bash
ssdeep -h
```

Match files against known hashes in the specified file:

```bash
ssdeep -m known_hashes.txt file1 file2
```

Match signatures in input files against signatures in the specified file:

```bash
ssdeep -k signatures.txt *.sig
```

Compare all files in a directory using directory mode:

```bash
ssdeep -d /path/to/directory
```

Pretty matching mode for a directory, including all matches:

```bash
ssdeep -p /path/to/directory
```

Cluster matches together for text files:

```bash
ssdeep -g *.txt
```

Process a directory recursively:

```bash
ssdeep -r /path/to/dir
```
Updated 2026-04-16 (kali.org)